[Am-info] 'Witty' Worm Wrecks Computers - MickySoft ONLY!!

Fred Miller fmiller@lightlink.com
Sun, 21 Mar 2004 11:40:41 -0500 

http://story.news.yahoo.com/news?tmpl=story&cid=1804&ncid=738&e=6&u=/
washpost/20040321/tc_washpost/a11310_2004mar20

'Witty' Worm Wrecks Computers
  
Sat Mar 20, 7:16 PM ET

Add Technology - washingtonpost.com to My Yahoo!

By Brian Krebs, washingtonpost.com Staff Writer 

A quickly spreading Internet worm destroyed or damaged tens of thousands of 
personal computers worldwide Saturday morning by exploiting a security flaw 
in a firewall program designed to protect PCs from online threats, computer 
experts said.

The "Witty" worm writes random data onto the hard drives of computers equipped 
with the Black Ice and Real Secure Internet firewall products, causing the 
drives to fail and making it impossible to restart the PCs. Unlike many 
recent worms that arrive as e-mail attachments, it spreads automatically to 
vulnerable computers without any action on the part of the user.

At least 50,000 computers have been infected so far, according to Reston, 
Va.-based computer security firm iDefense and the Bethesda, Md.-based SANS 
Institute.

The firewalls were developed by Atlanta-based Internet Security Systems. Chris 
Rouland, vice president of the company's X-Force research and development 
division, said that as many as 32,000 corporate computers could be infected. 
The company does not know how many home users are infected. ISS released a 
patch and a detailed writeup of the affected products.

Most infected computers will have to be rebuilt from scratch unless their 
owners instead decide to buy new ones, said Ken Dunham, a computer security 
expert at iDefense.

"The thing looks like it will corrupt or crash most drives enough so that 
reinstallation is going to be required," he said. "This is a very destructive 
worm."

Officials at the Department of Homeland Security, which is in charge of the 
government's cybersecurity efforts, were unavailable for comment.

Internet worms, viruses and other malignant software often install software or 
open "back doors" that allow hackers to control infected computers. That 
often gives them access to private data that people keep on their computers, 
and allows them to use those computers to send out e-mail spam that cannot be 
traced back to its real owner. The Witty worm is different and in some 
respects more destructive because it renders the computer useless.

Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, 
said that the worm does not create files on infected computers so most 
antivirus software will not detect it.

Security vulnerability research firm eEye Digital Security identified the flaw 
last Wednesday. The Aliso Viejo, Calif.-based company discovered that it 
could trick some versions of Black Ice and Real Secure into processing 
Internet traffic that would allow attackers to transfer dangerous data to 
vulnerable computers.

The Witty worm gets its moniker from a message buried within its code that 
says: "insert witty message here." That comes just before the code that 
overwrites the infected hard drives.

Joe Stewart, a senior security researcher at Chicago-based security services 
company Lurhq, said he expects the worm to die out over the next few hours as 
vulnerable computers quickly become useless hosts.

"With all these hard drive problems, the infection rates are going to shrink 
pretty quickly as all these affected machines grind themselves to a halt," 
Stewart said.

-- 
"...Linux, MS-DOS, and Windows XP (also known as the Good, the Bad, and
the Ugly)."