
justin (Australian) join:1999-05-28 New York, NY
reply to Link Logger
Re: Blackice "Witty" Worm: source port 4000 UDP
It had been a mystery to me why so few virii have been destructive to date. In the good old days, "boot sector" viruses that were transmitted by disks were more often destructive.
But then, in the real world, a virus that kills the host is not a winning strategy. This is one that kills shortly after and hopefully after infecting a few more, like Ebola. Spectacular but short lived.
The ongoing value of a zombified PC on a cable connection is of significant value (for sending SPAM) vs. the value of it dead, hence the few viruses that kill the host. Perhaps the witty virus is authored by someone who does not have any financial interest, direct or indirect, in using infected machines. Or perhaps just a disgruntled employee of ISS.

psloss (Premium) join:2002-02-24 Alpharetta, GA
said by justin: But then, in the real world, a virus that kills the host is not a winning strategy. This is one that kills shortly after and hopefully after infecting a few more, like Ebola. Spectacular but short lived.
Same idea, I would speculate, with malware that acts in an overt way versus malware that acts more covertly.
Exploit-based malware that scans like mad (high packet rates and broad IP address space "coverage") draws more attention to multiple aspects of the scanning (not just the ports, but also things like the "exploit"). And it will likely provoke a higher/escalated response to address the scanning -- usually involving an escalation of traffic filtering and patching. (Blaster being an example, I believe.) E-mail based malware is a more complicated situation, I believe (more factors).
In this case, I don't think the author of this thing cares as much about the level of response -- other than striking at a time which allows for a perhaps two-day headstart -- since the "average" response time is still so long that a good portion of the infected systems will have crashed before someone gets to them.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org

jeisenberg (New Year's Eve) join:2001-07-06 Windsor, ON
reply to justin
said by justin: Perhaps the witty virus is authored by someone who does not have any financial interest direct or indirect in using infected machines. Or perhaps just a disgruntled employee of ISS.
I agree that a disgruntled employee is a good place to start for the author of the worm. Another source might be an overzealous employee of a competitor, trying to drive sales toward their own product.
Whatever the motivation, it would be naive to believe that copycat virii / worms are not just around the corner. And I'd expect to see random source ports begin shortly as well, further disguising and confounding attempts to head off this threat.

Link Logger (Premium, MVM) join:2001-03-29 Calgary, AB
That is one of the things that made this worm unique, in that the source port is usually dynamic and the destination port is static (but this was reversed in the Witty worm). Now certainly this is somewhat unique to ISS products, and I would think that it was meant as a security measure to vary the ports used between installations, but if it is coded it can be cracked; it just takes some time (cracking code is like trying to figure out where a train goes when you're standing on the tracks, it just takes some time).
Given that this worm is clearly malicious/criminal and has 'real' damage associated directly with it, if they ever catch who is responsible I can see real jail time and such in their future, not to mention pretty well endless civil suits. I would also hope that eEye and ISS worked together in harmony on this.
A week might not be long enough to patch 6000 laptops, considering some might be used by remote users (for example traveling sales dudes who have been out of town for longer than a week). This exploit didn't take very long to hit the streets, so either they were working on it independently (most likely), or they were totally tipped off by eEye's announcement, which would be bad as then we might have to rethink delays between patch releases and announcements of vuls.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
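
Link Logger's observation above (a constant UDP source port, 4000, while the destination hosts and ports vary, the reverse of normal client traffic) turns directly into a firewall-log check. The following is an added example, not code from any poster or from ISS: the log lines are constructed in a simplified iptables-like layout, the thresholds are assumptions, and with fixed_spt=None the same check generalizes to any UDP source spraying many hosts and ports, which would also cover the random-source-port copycats jeisenberg expects.

```python
import re
from collections import defaultdict

# Constructed, simplified iptables-style log lines (sample data, not real traffic).
SAMPLE_LOG = """\
Mar 20 04:45:01 fw kernel: SRC=198.51.100.23 DST=203.0.113.7 PROTO=UDP SPT=4000 DPT=19342
Mar 20 04:45:01 fw kernel: SRC=198.51.100.23 DST=203.0.113.88 PROTO=UDP SPT=4000 DPT=2077
Mar 20 04:45:01 fw kernel: SRC=198.51.100.23 DST=192.0.2.201 PROTO=UDP SPT=4000 DPT=51230
Mar 20 04:45:02 fw kernel: SRC=198.51.100.23 DST=192.0.2.9 PROTO=UDP SPT=4000 DPT=733
Mar 20 04:45:02 fw kernel: SRC=198.51.100.23 DST=203.0.113.150 PROTO=UDP SPT=4000 DPT=60011
Mar 20 04:45:03 fw kernel: SRC=198.51.100.44 DST=203.0.113.7 PROTO=UDP SPT=33021 DPT=53
Mar 20 04:45:03 fw kernel: SRC=198.51.100.44 DST=203.0.113.7 PROTO=UDP SPT=33022 DPT=53
Mar 20 04:45:04 fw kernel: SRC=198.51.100.44 DST=203.0.113.9 PROTO=TCP SPT=33023 DPT=80
"""
FIELD_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

def parse(log_text):
    """Yield (src, dst, proto, spt, dpt) for each line carrying the five fields."""
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            src, dst, proto, spt, dpt = m.groups()
            yield src, dst, proto, int(spt), int(dpt)

def find_witty_like(log_text, fixed_spt=4000, min_packets=5, min_targets=5):
    """Return {src: summary} for UDP sources showing the Witty pattern: a constant
    source port (4000 for Witty) while destination hosts and ports vary, the
    reverse of normal client traffic. fixed_spt=None drops the port test and
    flags any source spraying many hosts/ports (the random-source-port copycat)."""
    stats = defaultdict(lambda: {"packets": 0, "dsts": set(), "dpts": set()})
    for src, dst, proto, spt, dpt in parse(log_text):
        if proto == "UDP" and (fixed_spt is None or spt == fixed_spt):
            s = stats[src]
            s["packets"] += 1
            s["dsts"].add(dst)
            s["dpts"].add(dpt)
    hits = {}
    for src, s in stats.items():
        # A real client reusing one port talks to few peers; a scanner touches
        # roughly one new host and one new port per packet (assumed thresholds).
        if (s["packets"] >= min_packets and len(s["dsts"]) >= min_targets
                and len(s["dpts"]) >= min_targets):
            hits[src] = {"packets": s["packets"], "hosts": len(s["dsts"]),
                         "ports": len(s["dpts"])}
    return hits

if __name__ == "__main__":
    for src, h in find_witty_like(SAMPLE_LOG).items():
        print(f"{src}: {h['packets']} UDP pkts from port 4000 to {h['hosts']} hosts / {h['ports']} ports")
```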

Mike (Premium, Mod) join:2000-09-17 Pittsburgh, PA
reply to justin
Using the philosophy base of George Carlin, except on airport security...
»www.humorcafe.com/humor/gems/geo···rlin.htm
said by main quote: As far as I'm concerned, all of this airport security--the cameras, the questions, the screening, the searches--is just one more way of reducing your liberty and reminding you that they can fuck with you any time they want, as long as you're willing to put up with it. Which means, of course, any time they want. Because that's the way Americans are now. They're always willing to trade away a little of their freedom for the feeling, the illusion--of security.
The anti-viruses, the people who don't patch, nor switch OSes yet who always complain when some super virus turns their computer to digital poop. Why? They have a weak defense system and they deserve it. Screw em. You can defend something for so long before you have to fall back or get your ass handed to you in a doggy bag.
I'm going to state the obvious by saying nothing is unbreakable. Except something is a larger target, and that's what appears to be getting hit the hardest. When you fix your OS, then you can fix mine. PS, I'm in Windows XP right now since I want to play BF 1942 after this post so this IS my problem. I don't want my nazi killing machine to be a doorstop anytime soon and I want all the idiots I shoot at to be there without a worry in their mind that the next virus is going to school them. I need things to shoot, damn it!
These little wimpy viruses so far are basically, "let's see how many people we can infect" like scouts. You run the numbers and compare to see how savvy people adapt to these new waves. Then when the numbers are in their range...
Then BLAM!
Virus writers can basically screw with millions of people anytime they want. There is no set public schedule to this at all, or at least none that I've seen.
Give us $40 and we'll protect your computer. False sense of security. Bull crap, how many people have an expired version of some AV (or fully patched AV) that didn't really work and they're screwed? It's a false sense of security. There will always be that idiot running outlook, msie, or some other piece of crap windows software with more holes than a Krispy Kreme factory that will keep the spread of this stuff going strong.
Like I tell people. Let someone get pissed off enough to write some super virus that will destroy 70% of the machines that are connected to the internet with some super-windows virus. I wonder how many of those 70% of people whine and those 70% reinstall the same system and have it killed nearly immediately because they reconnected a less patched version of the OS just because that's what came on the CD. I also wonder what the profit for Microsoft is going to be? After all the old versions of MS software are ripped in half, people will most likely go right back to the mothership for a brand new "more secure" target on their back because the old one was shot the hell apart.
I've heard this before, Windows 2000 is bug-free. I guess that means Windows XP, 2003, or whatever the next monstrosity that comes out is even better, in that sequential order.
/fixed engrish, added something

psloss (Premium) join:2002-02-24 Alpharetta, GA
said by Mike: These little wimpy viruses so far are basically, "let's see how many people we can infect" like scouts. You run the numbers and compare to see how savvy people adapt to these new waves. Then when the numbers are in their range...
Then BLAM!
Virus writers can basically screw with millions of people anytime they want. There is no set public schedule to this at all, or at least none that I've seen.
Why simply "screw with millions of people" when you can make lots of money (albeit illegally) by using their computers? That's what malware writers are doing today. In my opinion, it's not a game anymore, it's become big business in a very short time, and the way that these miscreants act has to be governed in part by the operating model of business they are currently in.
If they are willing to change that operating model, then they could screw up millions of systems just like that. But that doesn't make any business sense to me, because then they have to drastically change the way they do business. Much more than they do now -- gradual adaptation is still necessary, but it's much less time/expense consuming than (for example) radically altering attack mechanics.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org