News Archive

CAIDA Researchers Track the Wicked Witty Worm

Published 04/08/2004

On March 19, at 8:45:18 pm PST, a new worm began to spread on the Internet, and investigators at the San Diego Supercomputer Center (SDSC) tracked the progress of the infestation as it happened. But Colleen Shannon and David Moore, senior security researchers on the Internet Telescope project of the Cooperative Association for Internet Data Analysis (CAIDA), quickly noticed that the so-called Witty Worm was different from its predecessors.

"Witty is fast, dangerous, and smart," Shannon said. "It's the first widespread Internet worm to carry a destructive payload, and it actually preys on security products rather than on operating system or server software. And whoever turned this thing loose knew what they were doing — it was released only one day after the vulnerability was was made known to the security community, and it had ten times as many 'ground-zero' infection sites as any previous worm."

"The Witty worm shows increasing sophistication and malice on the part of these cyber-attackers," said Carl Landwehr, program officer for the National Science Foundation's Cyber Trust program. "Understanding the nature of these attacks and how to deal with them depends on the kind of concrete observations and analysis CAIDA provides in this report. Cyberspace is vast and today there are only a few tools like CAIDA's Network Telescope available to study it."

Previous Internet worms tracked by CAIDA, including Code-Red, Nimda, and SQL Slammer, infected at most a handful hosts that spread it to the rest of the vulnerable population. An initially slow infection rate accelerates dramatically as the number of infected machines spewing worm messages to the rest of the Internet grows. Eventually, when the target population becomes saturated, the spread of the worm slows because there are few vulnerable machines left to compromise.

"CAIDA's analysis shows that 110 hosts were infected within the first ten seconds, spreading to 160 at the end of 30 seconds," said Moore, the Assistant Director of CAIDA. "The perpetrators either targeted a hitlist of vulnerable hosts, or they pre-loaded the Witty worm on more than 100 already-compromised systems and triggered them all at once."

The CAIDA researchers have released a technical summary of their results, complete with animations and graphs of the spread of the infection, the number of infectious messages, and the locations of infected computers, at http://www.caida.org/analysis/security/witty/.

The Witty worm targets a flaw in several Internet Security Systems (ISS) products for Microsoft Windows computers, including RealSecure Network, RealSecure Desktop, and BlackICE, that was discovered on March 8 and announced on March 18 by eEye Digital Security. Once the Witty worm infects a computer, it deletes randomly chosen sections of the hard drive, eventually rendering the machine unusable. Security specialists gave the worm its name because its code contains the phrase "(^.^) insert witty message here (^.^)."

After the initial burst, the spread of the Witty worm followed a normal growth curve and reached its peak after about 45 minutes when nearly all of the vulnerable hosts — Windows computers running ISS security software — had been infected. At the peak of the infection, Witty hosts flooded the Internet with more than 90 gigabits per second of traffic, more than 11 million packets per second.

"Relatively speaking, not that many computers were vulnerable," Shannon said. "SQL Slammer infected between 75,000 and 100,000 computers. The vulnerable population for the Witty worm was only about 12,000 computers, but it nailed just about all of them."

"A number of people had predicted that a fast-probing worm could infect a small, sparse population very quickly," Shannon said, "but Witty is the first worm to actually do this. Many users of relatively uncommon software packages have considered themselves safe from most network-based pathogens. Witty shows that a vulnerability in any minimally popular piece of software can be exploited by an automated attack."

The number of infected hosts declined rapidly. 12 hours after the worm began to spread, half of the Witty hosts were already inactive. The CAIDA researchers attribute this to a combination of Witty's lethal effect on infected computers and on coordinated efforts to filter Witty traffic and patch infected machines.

"Witty demonstrated that even a rarely deployed piece of software, if it has an exploitable bug, can be a vector for wide-scale compromise of host machines," Moore said. "The practical implications of this are staggering — with minimal skill, a malicious individual could break into thousands of machines and use them for almost any purpose with little evidence of the perpetrator left on most of the compromised hosts."

Shannon and Moore tracked the Witty worm with the Network Telescope, which makes use of a large piece of ordinarily unused Internet address space. Attempts to infect random addresses in this space or to reply to hoaxed messages with forged addresses in this space indicate the activity of of malicious software on the net. The Network Telescope and associated security efforts are a joint project of CAIDA and the UCSD Computer Science and Engineering Department.

"The Network Telescope has become an essential tool for security research," Shannon said. "It sees a sample of what is happening everywhere, so it's good for getting a view of big events. As more and better in-network tools are developed and deployed, we're moving towards having the Network Telescope work in combination with them to build an even more comprehensive picture of what's going on."

About SDSC and CAIDA

The mission of the San Diego Supercomputer Center (SDSC) is to innovate, develop, and deploy technology to advance science. SDSC is involved in an extensive set of collaborations and activities at the intersection of technology and science whose purpose is to enable and facilitate the next generation of scientific advances. Founded in 1985 and primarily funded by the National Science Foundation (NSF), SDSC is an organized research unit of the University of California, San Diego. With a staff of more than 400 scientists, software developers, and support personnel, SDSC is an international leader in data management, network research, grid computing, biosciences, geosciences, and visualization. For more information, see http://www.sdsc.edu/.

CAIDA is a program at SDSC that creates tools and technologies for Internet measurement, traffic analysis, and network topology visualization for use by network engineers and researchers. CAIDA also sponsors education and outreach efforts. For more information, see http://www.caida.org/. The Network Telescope is described in detail in the paper "Inferring Internet Denial-of-Service Activity," available at http://www.caida.org/outreach/papers/2001/BackScatter/.

Support for this work was provided by grants from Cisco Systems, the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), the Department of Homeland Security (DHS), and CAIDA members.

Technical Contact: Colleen Shannon, CAIDA, 858-822-0881, cshannon@caida.org


Graphics and animations at http://www.caida.org/analysis/security/witty/

Related Links

back to top