The Spread of the Witty Worm

Malware Recon Editors: Elias Levy, [email protected] Iván Arce, [email protected] The Spread of the Witty Worm

n Friday, 19 March 2004, at approximately 8:45 the network telescope contains approximately 1/256th of all IPv4 ad- p.m. Pacific Standard Time (PST), an Internet dresses, we receive roughly one out of every 256 packets sent by an In- worm began to spread, targeting a buffer over- ternet worm with an unbiased random number generator. flow vulnerability in several Internet Security Because we are uniquely situ- O ated to receive traffic from every Systems (ISS) products, including its RealSecure Network, worm-infected host, we provide a global view of the spread of many COLLEEN RealSecure Server Sensor, RealSe- • It spread through a population al- Internet worms. SHANNON AND cure Desktop, and BlackICE. The most an order of magnitude DAVID MOORE worm took advantage of a security smaller than that of previous ISS vulnerability Cooperative flaw in these firewall applications worms, demonstrating worms’ vi- Several ISS firewall products contain a Association that eEye Digital Security discovered ability as an automated mechanism protocol analysis module (PAM) to for Internet earlier in March. Once the Witty to rapidly compromise machines monitor application traffic. The PAM Data Analysis worm—so called because its payload on the Internet, even in niches routine in version 3.6.16 of iss- (CAIDA) contained the phrase, “(^.^) insert without a software monopoly. pam1.dll analyzed ICQ server traffic witty message here (^,^)”—infects a and assumes that incoming packets on computer, it deletes a randomly cho- In this article, we share a global port 4000 are ICQv5 server responses sen section of the hard drive, which, view of the worm’s spread, with par- and that this code contains a series of over time, renders the machine un- ticular attention to these worrisome buffer overflow vulnerabilities. eEye usable. (See the “Further informa- features. discovered this vulnerability on 8 tion” sidebar on p. 50 for resources.) March 2004 and announced it with While the Witty worm is only Witty worm ISS 10 days later. ISS released an alert, the latest in a string of self-propa- background warning users of a possibly exploitable gating remote exploits, it distin- In this section, we detail the techni- security hole and providing updated guishes itself through several inter- cal aspects of the code and monitor- software versions that were not vul- esting features: ing of the Witty worm. nerable to the buffer overflow attack.

• It was the first widely propagated Network telescope Witty worm details Internet worm to carry a destruc- Because Internet worm victims Once Witty infects a host, the host tive payload. span diverse geographic and topo- sends 20,000 packets by generating • It started in an organized manner logical locations, the overall impact packets with a random destination IP with an order of magnitude more of a worm is difficult to measure address, a random size between 796 ground-zero hosts than any previ- from a single viewpoint. The Uni- and 1,307 bytes, and a destination ous worm. versity of California, San Diego port. The packets’ small size ensures • It represents the shortest known in- (UCSD) Network Telescope (see fast transmission; as well, they are terval between vulnerability disclo- the sidebar) consists of a large piece unlikely to be too big, for any net- sure and worm release—it began of globally announced IPv4 address work segment that they traverse—if spreading the day after the ISS vul- space that we have instrumented to they were too big, they would be nerability was publicized. monitor network security events. broken into smaller pieces in the net- • It spread through a host population The telescope contains almost no work, which could slow the spread in which every compromised host legitimate hosts, so inbound traffic of the worm. Because the Witty was proactive in securing its com- to nonexistent machines is always packets sizes are random, they are puters and networks. anomalous in some way. Because more difficult to filter than fixed

sized packets and complicate simple Witty worm global view 800 blocking measures that limit or pre- 14,000 700 12,000 vent the worm’s spread. If they had 10,000 8,000 been a fixed size, it would have been 600 6,000 4,000 easier to quickly block Witty traffic 500 2,000 to limit or prevent the worm’s 0 400 05:00 05:30 06:00 06:30 spread. The worm payload of 637 03/20 bytes is padded with data from sys- 300 tem memory to fill the random size, 200 Cumulative Unique IP addresses Per 5-minute and a packet is sent out from source 100 110 hosts in first 10 seconds (not natural worm growth) bucket port 4000. After Witty sends the 0 20,000 packets, it seeks out a random 04:45:00 04:46:00 04:47:00 04:48:00 04:49:00 04:50:00 point on the hard disk and writes 03/20 65kbytes of data from the beginning Time (UTC) of iss-pam1.dll to the disk. After Figure 1. The Witty worm's spread. After the first minute, Witty followed an expected closing the disk, Witty repeats this sigmoid curve. The inset shows the first two hours of Witty’s spread. The number of process until the machine is rebooted active machines per five minutes (green line) stabilized after 45 minutes, indicating or until it permanently crashes. that almost all the vulnerable machines had been compromised. After that point, dynamic addressing (for example, Dynamic Host Configuration Protocol) caused the Witty worm spread cumulative IP address total (the red line) to continue to rise. We estimate the total The perpetrators of previous Inter- number of hosts infected by the Witty worm to be 12,000 at most. net worms, including Code Red, Nimda, and SQL Slammer seeded a few hosts, which then proceeded to vertical line shows preselected hosts vulnerable population of the Witty spread to the rest of the vulnerable coming online and then a transition worm was only about 12,000 com- population. The spread was slow to much slower growth thereafter. puters. Although researchers1–3 have early on—but then accelerated dra- After the sharp rise in initial coor- long predicted that a fast-probing matically as the number of infected dinated activity, Witty followed a worm could infect a small population machines spewing worm packets to normal exponential growth curve for very quickly, Witty is the first worm the rest of the Internet rose. Eventu- a pathogen spreading in a fixed popu- to demonstrate this capability. Witty ally, as the victim population became lation, reaching its peak after approxi- took 30 minutes longer than SQL saturated, its spread slowed because mately 45 minutes, at which point the Slammer to infect its vulnerable pop- there were few vulnerable machines majority of vulnerable hosts had been ulation, but both worms spread far left to compromise. Plotted on a infected. After this point, the churn faster than human intervention could graph, this worm growth appears as a caused by dynamic addressing—a stop them. In the past, users of soft- sigmoid, an s-shaped exponential single computer changing its IP ad- ware that is not ubiquitously de- growth curve. dress over time, typically via Dy- ployed have considered themselves At 8:45:18 p.m. PST on 19 namic Host Configuration Protocol relatively safe from most network- March 2004, the network telescope (DHCP), or bridging between in- based pathogens. Witty demonstrates received its first Witty worm packet. ternal and external networks that that a remotely accessible bug in any In contrast with previous worms' can let multiple computers share one minimally popular piece of software spread dynamics, we observed 110 IP address, often using Network Ad- can be successfully exploited by an hosts infected in the first 10 seconds, dress Translation (NAT)—causes automated attack. and 160 at the end of 30 seconds. Be- the IP address count to inflate with- Witty’s destructive payload, in cause only about 12,000 computers out any additional Witty infections. combination with efforts to filter its were susceptible to witty out of a At the peak of the infection, Witty traffic and patch infected machines, global IP address pool of about 4.3 hosts flooded the Internet with more led to rapid decay in the number of million, the chances of a single in- than 90 Gbits per second of traffic, infected hosts (see Figure 2 ). Twelve stance of the worm infecting 110 sending more than 11 million packets hours after the worm began to machines so quickly are vanishingly per second. spread, half of the Witty hosts were small— worse than 10-607. This rapid Witty infected only about 1/10th already inactive. onset indicates that the worm used as many hosts as the next smallest either a hitlist or previously compro- widespread Internet worm. While Witty worm victims mised vulnerable hosts to start the SQL Slammer infected between The vulnerable host population pool worm’s spread. In Figure 1, the initial 75,000 and 100,000 computers, the for the Witty worm was quite differ-

www.computer.org/security/ IEEE SECURITY & PRIVACY 47 Malware Recon

Witty worm global view infected hosts transmitted at speeds 7,000 between 96 kbps (11.2 pps) and 512 6,000 kbps (60 pps). The average speed of Per 5-minute bucket an infected host was 3 Mbps (357 5,000 pps), although during the peak of the 4,000 worm’s spread, the average speed reached 8 Mbps (970 pps). We also 3,000 observed 38 machines transmitting Unique IP addresses 2,000 Witty packets at rates over 80 Mbps 1,000 continuously for more than an hour. Some of the most rapidly trans- 0 12:00 00:00 12:00 00:00 12:00 mitting IP addresses might actually 03/20 03/21 03/22 be a larger collection of hosts behind Time (UTC) a Network Address Translation (NAT) device of some kind. By in- Figure 2. The number of unique hosts infected with the Witty worm over time. Infected fecting firewall devices, Witty Witty hosts were deactivated much more quickly than with previous worms. Although proved particularly adept at thwart- prompt network filtering and active cleanup of compromised hosts played an important ing security measures and success- role, we believe that the rapid decay in the number of hosts actively spreading Witty fully infecting hosts on internal net- was primarily due to the destructive payload crashing infected machines. works. We also observed more than 300 hosts in the first few hours transmitting Witty from source Witty worm global view ports other than 4000. Because the Approximate bit rate: 56k 128k 384k 1.5M 10M 100M 100 defining characteristic for successful 90 Witty infection is a source port 4000 80 packet, presumably these machines 70 are NAT boxes rewriting the source 60 port of packets originating at down- 50 stream infected hosts. Sixty-seven of

(percent) 40 those NAT boxes also sent Witty 30 packets with the correct source port Unique IP addresses 20 Sat, 20 Mar 18:01 - 19:01 UTC 4000, so while some NATs might 10 have artificially inflated the a single 0 infected host’s transmission speeds, 0.1 1 10 100 1,000 10,000 100,000 others might have artificially de- Packets per second (average per IP address) flated them by spreading traffic Figure 3. The scanning rate in packets-per-second of hosts the Witty worm infected. across other ports. The connection bandwidths that correspond to the packet rates are marked along the Witty worm hosts showed a wide top of the graph. Fifty-three percent of infected hosts had connection speeds between range of infection durations (see Fig- 128 kbps (15 pps) and 512 kbps (60 pps). The maximum packet rate observed from ure 4). Several factors influence our one host was 23,500 pps sustained for at least one hour. measurements of infection duration:

• Dynamic addressing significantly ent from that of previous virulent were running firewall software. The affects the amount of time an IP ad- worms. Previous worms have lagged Witty worm also started to spread dress remains active. As with the several weeks behind publication of the day after information about the SQL Slammer worm, the flood of details about the remote-exploit exploit—and the software upgrades packets from an infected host can bug, and large portions of the victim to fix it—were available. reset its upstream connection (par- populations appeared not to know Like SQL Slammer, the Witty ticularly with dial-up hosts), caus- what software was running on their worm was bandwidth limited—each ing the host to disconnect and re- machines, let alone take steps to infected host sent packets as fast as its connect from a different IP address. make sure that software had up-to- Internet connection could transmit • End users might be unaware that a date security patches. In contrast, them. As Figure 3 shows, Witty in- worm is causing their computer or Witty infected a host population that fected a relatively well-connected Internet connection to be slow, and was proactive about security—they pool of hosts. Sixty-one percent of they might reboot their computers

48 IEEE SECURITY & PRIVACY JULY/AUGUST 2004 Malware Recon

in the hope that this will fix the Witty worm global view problem. If the random disk writes 100 90 IP addresses starting have not damaged anything critical within first 10 seconds 80 to the boot process, each host could IP addresses starting 70 within first minute receive a different dynamic address 60 IP addresses starting after the reboot. For these dynami- 50 after first minute cally addressed hosts, the observa- (percent) 40 tion of the infection duration re- 30 Unique IP addresses flects the duration for which each 20 host maintained its Dynamic Host 10 Configuration Protocol (DHCP) 0 1 15 30 1 2 4 8 10 1 2 lease, rather than the true duration min. min. min. hr. hr. hr. hr. hr. day day of infection on that host. Duration (per IP address) • Traffic filtering also artificially lim- its our view of a host’s infection Figure 4. The infection duration for Witty’s hosts. Unlike previous widespread Internet duration, but at least in this case, worms, the worm payload’s malicious disk writes (which crashed infected computers) we accurately record the duration curtailed Witty hosts’ infection duration. In-network filtering and active host cleanup for which the victim spread the also played important roles in limiting the Witty worm’s spread. worm to other vulnerable hosts. • Witty carried a destructive payload that would eventually crash the in- chines without any action on the vic- Table 1. Geographic distribution fected machine. Thus even with- tim’s part. The practical implications of Witty worm victims by country. out a dynamic address or any of this are staggering: with minimal human intervention, Witty would skill, a malevolent individual could COUNTRY PERCENT eventually (and often permanently) break into thousands of machines and deactivate each infected host. use them for almost any purpose with United States 26.28 little evidence of the perpetrator left United Kingdom 7.27 Because US-based ISS is a much on most of the compromised hosts. Canada 3.46 smaller company than Microsoft, While many of these Witty fea- China 3.36 with less extensive overseas opera- tures are novel in a high-profile worm, France 2.94 tions, the majority of Witty worm the same virulence combined with Japan 2.17 infections occurred in the US. Table greater potential for host damage has Australia 1.83 1 shows the breakdown of infected been a feature of bot networks (bot- Germany 1.82 machines by country. The hostnames nets) for years. Any vulnerability or Netherlands 1.36 of 33 percent of all infected machines backdoor that a worm can exploit can Korea 1.21 inhabited the .com domain, while also be exploited by a vastly stealthier the .net domain contained 20 per- botnet. While all of the worms seen cent of all infected computers, and thus far have carried a single payload, cates that the security model in the .edu domain sourced 1 percent of bot functionality can be easily which end users apply patches to all Witty infections. changed over time. Thus, while plug security holes is not viable. worms are a serious threat to Internet It is both impractical and unwise to users, botnets’ capabilities and stealth expect every individual with a com- he Witty worm incorporates sev- make them a more sinister menace. puter connected to the Internet to be a T eral dangerous characteristics. It The line separating worms from bot security expert. Yet the current mech- was the first widely spreading Inter- software is already blurry; over time anism for dealing with security holes net worm to actively damage in- we can expect to see increasing stealth expects end users to constantly moni- fected machines. As noted earlier, it and flexibility in Internet worms. tor security alert Web sites to learn started from a large set of machines si- Witty was the first widespread about security flaws and then immedi- multaneously, indicating the use of a Internet worm to attack a security ately download and install patches. hitlist or a large number of compro- product. While technically the use of Patch installation is often difficult, in- mised machines. Witty demon- a buffer overflow exploit is com- volving a series of complex steps that strated that any minimally deployed monplace, the fact that all victims must be applied in a precise order. piece of software with a remotely ex- were compromised via their firewall The patch model for Internet se- ploitable bug can be a vector for software the day after a vulnerability curity has failed spectacularly. To wide-scale compromise of host ma- in that software was publicized indi- remedy this, there have been many

www.computer.org/security/ IEEE SECURITY & PRIVACY 49 Malware Recon

Further information

or more information about the UCSD Network Telescope and symantec.com/avcenter/venc/data/w32.witty.worm.html. Fother Internet worms, see www.caida.org/analysis/security/ • An analysis of the Witty worm functionality—LURHQ Threat Intel- witty/#Info. Animations of the spread of the worm in the US and ligence Group, Witty Worm Analysis, www.lurhq.com/ throughout the world are also available at www.caida.org/analysis/ witty.html. security/witty/#Animations. • A dissassembly of Witty worm code via BugTraq—K. Kortchinsky, Additional resources include: Black Ice Worm Disassembly; www.caida.org/analysis/security/ witty/BlackIceWorm.html. • The original publication of the ISS buffer overﬂow vulnerability (a • More information about the design and implementation of the joint release with ISS)—eEye’s Internet Security Systems Pam ICQ UCSD network telescope—David Moore et al., Network Telescopes: Server Response Processing Vulnerability, www.eeye.com/html/ Observing Small or Distant Security Events, www.caida.org/outreach/ Research/Advisories/AD20040318.html. presentations/2002/usenix_sec/. • The ISS version of the initial release of the vulnerability in their prod- • Dan Geer's Workshop on Economics and Information Security pre- ucts (a joint release with eEye)—Internet Security Systems, Vulnera- sentation including data motivating the case for end-user liability— bility in ICQ Parsing in ISS Products, http://xforce.iss.net/ www.dtc.umn.edu/weis2004/weis-geer.pdf. xforce/alerts/id/166. • Educated Guesswork blog summary of Geer's remarks about end- • Symantec’s threat analysis and mitigation information for the Witty user liability—www.rtfm.com/movabletype/archives/2004_05. Worm—Symantec, W32.Witty.Worm, http://securityresponse. html#000907.

suggestions for ways to try to shoe- scale, robust, and reliable infrastruc- 2 S. Staniford, V. Paxson, and N. horn end users into becoming secu- ture that can mitigate current secu- Weaver, “How to 0wn the Inter- rity experts, including making them rity problems without relying on net in Your Spare Time,” Proc. 11th financially liable for the consequences end-user intervention. Usenix Security Symp. (Security’02), of their computers being hijacked by Usenix Assoc., 2002; www.icir. malware or miscreants. (see the “Fur- Acknowledgments org/vern/papers/cdc-usenix ther information” sidebar) The network telescope and associated security -sec02/. Notwithstanding the fundamen- efforts are a joint project of the University of 3. D. Moore et al., “Internet Quaran- tal inequities involved in encourag- California, San Diego (UCSD) Computer tine: Requirements for Containing ing people to sign on to the Internet Science and Engineering Department and Self-Propagating Code,” Proc. 22nd with a single click, and then requir- the Cooperative Association for Internet IEEE Infocom, 2003, IEEE CS Press, ing them to fix flaws in software Data Analysis (CAIDA). We thank Brian 2003; www.cs.ucsd.edu/users/ marketed to them as secure with Kantor, Jim Madden, and Pat Wilson of savage/papers/Infocom03.pdf. technical skills they do not possess, UCSD for technical support of the Network many users do choose to protect Telescope project; Mike Gannis, Nicholas Colleen Shannon is a senior security themselves at their own expense by Weaver, Wendy Garvin, Team Cymru, and researcher at the Cooperative Association purchasing antivirus and firewall Stefan Savage for feedback on this document; for Internet Data Analysis (CAIDA) at the software. Making this choice is the and the Cisco Product Security Incident Re- San Diego Supercomputer Center (SDSC) at the University of California, San Diego gold-standard for end-user behav- sponse Team(PSIRT), Wendy Garvin, (UCSD). She is currently working toward ior—they recognize both that secu- Team Cymru, Nicholas Weaver, and Vern her BS in biology from UCSD. Her research rity is important and that they do not Paxson for discussion as events unfolded. interests focus on network security, includ- possess the skills necessary to effect it The Cisco Systems University Research ing wide-area traffic measurement, data collection and distribution, network appli- themselves. When end users partici- Program, the US National Science Founda- cation identification, and risk analysis. pating in the best security practice tion, DARPA, the US Department of Contact her at [email protected] that can be reasonably expected get Homeland Security, and CAIDA members infected with a virulent and damag- provided support for this work. David Moore is the assistant director of ing worm, we must reconsider the CAIDA and a PhD candidate in the UCSD Computer Science Department. He notion that end-user behavior can References received a BS in computer science and a solve or even effectively mitigate the 1. D. Moore et al., “Inside the Slam- BA in mathematics from UCSD. His malicious software problem and turn mer Worm,” IEEE Security & Pri- research interests include high-speed net- our attention toward both prevent- vacy, vol. 1, no. 4, 2003, pp. 33–39; work monitoring, denial-of-service attacks and infrastructure security, and ing software vulnerabilities in the www.computer.org/security/v1n4/ Internet traffic characterization. Contact first place and developing large- j4wea.htm. him at [email protected].

50 IEEE SECURITY & PRIVACY JULY/AUGUST 2004