Malware Recon Editors: Elias Levy, [email protected] Iván Arce, [email protected] The Spread of the Witty Worm n Friday, 19 March 2004, at approximately 8:45 the network telescope contains ap- proximately 1/256th of all IPv4 ad- p.m. Pacific Standard Time (PST), an Internet dresses, we receive roughly one out of every 256 packets sent by an In- worm began to spread, targeting a buffer over- ternet worm with an unbiased ran- dom number generator. flow vulnerability in several Internet Security Because we are uniquely situ- O ated to receive traffic from every Systems (ISS) products, including its RealSecure Network, worm-infected host, we provide a global view of the spread of many COLLEEN RealSecure Server Sensor, RealSe- • It spread through a population al- Internet worms. SHANNON AND cure Desktop, and BlackICE. The most an order of magnitude DAVID MOORE worm took advantage of a security smaller than that of previous ISS vulnerability Cooperative flaw in these firewall applications worms, demonstrating worms’ vi- Several ISS firewall products contain a Association that eEye Digital Security discovered ability as an automated mechanism protocol analysis module (PAM) to for Internet earlier in March. Once the Witty to rapidly compromise machines monitor application traffic. The PAM Data Analysis worm—so called because its payload on the Internet, even in niches routine in version 3.6.16 of iss- (CAIDA) contained the phrase, “(^.^) insert without a software monopoly. pam1.dll analyzed ICQ server traffic witty message here (^,^)”—infects a and assumes that incoming packets on computer, it deletes a randomly cho- In this article, we share a global port 4000 are ICQv5 server responses sen section of the hard drive, which, view of the worm’s spread, with par- and that this code contains a series of over time, renders the machine un- ticular attention to these worrisome buffer overflow vulnerabilities. eEye usable. (See the “Further informa- features. discovered this vulnerability on 8 tion” sidebar on p. 50 for resources.) March 2004 and announced it with While the Witty worm is only Witty worm ISS 10 days later. ISS released an alert, the latest in a string of self-propa- background warning users of a possibly exploitable gating remote exploits, it distin- In this section, we detail the techni- security hole and providing updated guishes itself through several inter- cal aspects of the code and monitor- software versions that were not vul- esting features: ing of the Witty worm. nerable to the buffer overflow attack. • It was the first widely propagated Network telescope Witty worm details Internet worm to carry a destruc- Because Internet worm victims Once Witty infects a host, the host tive payload. span diverse geographic and topo- sends 20,000 packets by generating • It started in an organized manner logical locations, the overall impact packets with a random destination IP with an order of magnitude more of a worm is difficult to measure address, a random size between 796 ground-zero hosts than any previ- from a single viewpoint. The Uni- and 1,307 bytes, and a destination ous worm. versity of California, San Diego port. The packets’ small size ensures • It represents the shortest known in- (UCSD) Network Telescope (see fast transmission; as well, they are terval between vulnerability disclo- the sidebar) consists of a large piece unlikely to be too big, for any net- sure and worm release—it began of globally announced IPv4 address work segment that they traverse—if spreading the day after the ISS vul- space that we have instrumented to they were too big, they would be nerability was publicized. monitor network security events. broken into smaller pieces in the net- • It spread through a host population The telescope contains almost no work, which could slow the spread in which every compromised host legitimate hosts, so inbound traffic of the worm. Because the Witty was proactive in securing its com- to nonexistent machines is always packets sizes are random, they are puters and networks. anomalous in some way. Because more difficult to filter than fixed 46 PUBLISHED BY THE IEEE COMPUTER SOCIETY I 1540-7993/04/$20.00 © 2004 IEEE I IEEE SECURITY & PRIVACY Malware Recon sized packets and complicate simple Witty worm global view 800 blocking measures that limit or pre- 14,000 700 12,000 vent the worm’s spread. If they had 10,000 8,000 been a fixed size, it would have been 600 6,000 4,000 easier to quickly block Witty traffic 500 2,000 to limit or prevent the worm’s 0 400 05:00 05:30 06:00 06:30 spread. The worm payload of 637 03/20 bytes is padded with data from sys- 300 tem memory to fill the random size, 200 Cumulative Unique IP addresses Per 5-minute and a packet is sent out from source 100 110 hosts in first 10 seconds (not natural worm growth) bucket port 4000. After Witty sends the 0 20,000 packets, it seeks out a random 04:45:00 04:46:00 04:47:00 04:48:00 04:49:00 04:50:00 point on the hard disk and writes 03/20 65kbytes of data from the beginning Time (UTC) of iss-pam1.dll to the disk. After Figure 1. The Witty worm's spread. After the first minute, Witty followed an expected closing the disk, Witty repeats this sigmoid curve. The inset shows the first two hours of Witty’s spread. The number of process until the machine is rebooted active machines per five minutes (green line) stabilized after 45 minutes, indicating or until it permanently crashes. that almost all the vulnerable machines had been compromised. After that point, dynamic addressing (for example, Dynamic Host Configuration Protocol) caused the Witty worm spread cumulative IP address total (the red line) to continue to rise. We estimate the total The perpetrators of previous Inter- number of hosts infected by the Witty worm to be 12,000 at most. net worms, including Code Red, Nimda, and SQL Slammer seeded a few hosts, which then proceeded to vertical line shows preselected hosts vulnerable population of the Witty spread to the rest of the vulnerable coming online and then a transition worm was only about 12,000 com- population. The spread was slow to much slower growth thereafter. puters. Although researchers1–3 have early on—but then accelerated dra- After the sharp rise in initial coor- long predicted that a fast-probing matically as the number of infected dinated activity, Witty followed a worm could infect a small population machines spewing worm packets to normal exponential growth curve for very quickly, Witty is the first worm the rest of the Internet rose. Eventu- a pathogen spreading in a fixed popu- to demonstrate this capability. Witty ally, as the victim population became lation, reaching its peak after approxi- took 30 minutes longer than SQL saturated, its spread slowed because mately 45 minutes, at which point the Slammer to infect its vulnerable pop- there were few vulnerable machines majority of vulnerable hosts had been ulation, but both worms spread far left to compromise. Plotted on a infected. After this point, the churn faster than human intervention could graph, this worm growth appears as a caused by dynamic addressing—a stop them. In the past, users of soft- sigmoid, an s-shaped exponential single computer changing its IP ad- ware that is not ubiquitously de- growth curve. dress over time, typically via Dy- ployed have considered themselves At 8:45:18 p.m. PST on 19 namic Host Configuration Protocol relatively safe from most network- March 2004, the network telescope (DHCP), or bridging between in- based pathogens. Witty demonstrates received its first Witty worm packet. ternal and external networks that that a remotely accessible bug in any In contrast with previous worms' can let multiple computers share one minimally popular piece of software spread dynamics, we observed 110 IP address, often using Network Ad- can be successfully exploited by an hosts infected in the first 10 seconds, dress Translation (NAT)—causes automated attack. and 160 at the end of 30 seconds. Be- the IP address count to inflate with- Witty’s destructive payload, in cause only about 12,000 computers out any additional Witty infections. combination with efforts to filter its were susceptible to witty out of a At the peak of the infection, Witty traffic and patch infected machines, global IP address pool of about 4.3 hosts flooded the Internet with more led to rapid decay in the number of million, the chances of a single in- than 90 Gbits per second of traffic, infected hosts (see Figure 2 ). Twelve stance of the worm infecting 110 sending more than 11 million packets hours after the worm began to machines so quickly are vanishingly per second. spread, half of the Witty hosts were small— worse than 10-607. This rapid Witty infected only about 1/10th already inactive. onset indicates that the worm used as many hosts as the next smallest either a hitlist or previously compro- widespread Internet worm. While Witty worm victims mised vulnerable hosts to start the SQL Slammer infected between The vulnerable host population pool worm’s spread. In Figure 1, the initial 75,000 and 100,000 computers, the for the Witty worm was quite differ- www.computer.org/security/ I IEEE SECURITY & PRIVACY 47 Malware Recon Witty worm global view infected hosts transmitted at speeds 7,000 between 96 kbps (11.2 pps) and 512 6,000 kbps (60 pps). The average speed of Per 5-minute bucket an infected host was 3 Mbps (357 5,000 pps), although during the peak of the 4,000 worm’s spread, the average speed reached 8 Mbps (970 pps).
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages5 Page
-
File Size-