Witty Worm Sneaks Through ISS Firewalls

A fast-spreading worm let loose on the Internet Saturday, crawled through a vulnerability in Internet Security Systems' BlackICE firewall, has infected between 10,000 and 50,000 systems worldwide, and can trash infected hard drives.

The worm--dubbed "Witty," for a comment embedded in its code--exploits a stack overflow vulnerability within BlackICE that was disclosed just two days before the worm first appeared.

Unlike most other worms, Witty doesn't need human interaction to spread. Rather than rely on users to open a file attachment--the typical way worms propagate--Witty simply scans for vulnerable systems, then uses UDP port 4000 to infect the machine. This auto-spread strategy was last used to wreak havoc by 2003's MSBlast worm.

Witty is particularly dangerous, said experts, because after it executes, it opens a random drive on the PC and writes 65KB of data to a random location on the disk. It repeats that process until the system is rebooted or the computer crashes.

"This worm is highly malicious, slowly destroying the systems it infects," said security firm Lurhq, in an alert posted on its Web site. "Rather than simply executing a 'format C:' or similar destructive command, the worm slowly corrupts the file system while it continues to spread. Any infected machine will likely have its operating system and partition data destroyed along with most files on the physical drives, depending on how long the worm runs on the machine."

Internet Security Systems said its analysis indicated that only about two percent of its customers could be open to Witty's attack, but other analysts have tagged the number of infected machines at significant levels.

"It's unlikely that many computers will be patched against this vulnerability at this time," said Ken Dunham, the director of malicious code research at iDefense, in an e-mailed statement. "Early data suggests about 10,000 infected computers worldwide." Others have put forward the number of 50,000 infected machines.

Experts such as Dunham urged ISS customers to disable the firewall until it has been patched, and, where feasible, block traffic on UDP port 4000. ISS recommended that infected systems be disconnected from the network to stop the worm's spread.

Updates to BlackICE that plug the vulnerability be downloaded from the ISS Web site.

This story courtesy of TechWeb News