The worm started spreading around the Internet last week, less than 48 hours after the first public description of the flaw was released. That's the fastest development to date of a worm from a vulnerability, according to a report published late last week by the Cooperative Association for Internet Data Analysis (CAIDA) and the University of California at San Diego.
"The fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicised indicates that the security model in which end users apply patches to plug security holes is not viable," the report stated.
Witty took advantage of a flaw in Internet Security Systems software security products such as RealSecure and BlackIce. While ISS has said that only 2 percent of its users were vulnerable to the worm, as many as 12,000 computers may have been infected in less than an hour, according to the report.
If other worms can be produced as quickly, companies will likely have to start relying less on plugging holes in the security of their software and more on other methods of reducing the threat of vulnerabilities, said Colleen Shannon, senior security researcher at CAIDA and one of the report's authors.
"Two days is not enough time to get a large group of people to do anything," she said, adding that "it requires so much skill on the side of the end user" to stay up-to-date on patches that most users don't patch often.
The report also found evidence that the worm was released in a way that would it allow it to speed its attack on vulnerable servers.
The Witty worm started spreading early on Saturday morning. In about 45 minutes, the worm had infected the majority of vulnerable servers -- about 12,000 -- on the Internet, according to the report. Within 10 seconds, 110 compromised hosts appeared, which led CAIDA to believe that those servers were used to actively spread the worm, a tactic known as "preseeding."
"The worm had to have been preseeded," Shannon said. "It is not possible (given the data) for it not to be."
The Witty worm burned out quickly, due to its malicious nature. The worm slowly corrupted the information on a system's hard drive by writing 65 kilobytes of data to a random place on the drive. As a result, nearly half the systems infected by the worm crashed within 12 hours.
Compared with the Microsoft SQL Slammer worm, which infected 70,000 to 100,000 computers, the Witty worm attacked a smaller population, according to CAIDA. The worm also attacked computers that were specifically in place to protect against such threats.
The implications of this evolution should not be ignored, the report said.
"With minimal skill, a malevolent individual could break into thousands of machines and use them for almost any purpose with little evidence of the perpetrator left on most of the compromised hosts," it stated.
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
With windows it is always more bloat, and a lot of that seems to be duplicated in various places. I've noticed that you will have freed space on...
50 minutes ago by ator1940 on Can you believe it - 2765 kB will be freed?
Buzz My Stat : New search for http://www.zdnet.co.uk Take a look: http://www.buzzmystat.com/site/zdnet.co.uk
5 hours ago on Twitter by BuzzMyStat
Hi Jamie, I'm sorry your comment got caught in the spam filter. We use an industry standard blacklist for this. I suspect that the comment may...
10 hours ago by Karen Friar on Spam? Filter Changed?
Pop - Neither have I. Ever, under any circumstances. I'm much more accustomed to Windows slowly, but inexorably, consuming more and more disk...
11 hours ago by J.A. Watson on Can you believe it - 2765 kB will be freed?
Apple are currently pushing to get tv content on the iPad by April 3rd. This could possibly be seen as a spoiler for that announcement I suppose....
23 hours ago by John Molloy
Hey - presume you mean something that builds on Apple's existing TV device? Apple have already had a couple of runs at building Apple TV and it's...
1 day ago by Andrew Donoghue on Google's TV timing may reveal more to come
Google, Sony, Intel may build TV project www.zdnet.co.uk/news/emerging-tech/2010/03/18/google-sony-intel-may-build-tv-project-40088359/
1 day ago on Twitter by BVE2011 70,0000 to 90,0000 computers? A very small number considering some of these botnets are in the millions, and there are so many of them operating,...
1 day ago by ator1940 on Microsoft says it decimated Waledac botnet I agree Roger, and why can't they write secure code? What will happen when they find stolen code in windows? They have a track record of...
1 day ago by ator1940 on Microsoft lashing out at Linux, open source Do you think it will really take days?
1 day ago by ator1940 on Microsoft previews Internet Explorer 9 with HTML 5 support
Wonder how many days it will take before somebody codes an exploitive hack for IE9?
2 days ago by Xwindowsjunkie on Microsoft previews Internet Explorer 9 with HTML 5 support
There are some really good people in Microsoft and I wonder, how embarassing it must be for them to see how the organisation behaves from it's...
2 days ago by roger andre on Microsoft lashing out at Linux, open source On further inspection, it looks like some things are missing, is it possible that there was a time lag between whatever state the site was in that...
2 days ago by J.A. Watson on Welcome to the new ZDNet UK community!
Ok. Now I'm getting annoyed. Previously I could just click on just about any item or comment I saw and get a reply box. How do I manage that...
2 days ago by Tezzer on ZDNet UK: faster, smarter, still IT all the way hey Roger. Think I have spotted a bug as when I click on my name it takes me to the same page as if I had clicked on "Edit Profile". i.e...
2 days ago by Andrew Donoghue on ZDNet UK - Now cleaner than an Archbishop's conscience
Great new look for ZDNET UK web-site http://bit.ly/9R5eAA to check it out @ZDNetUK #zdnet
2 days ago on Twitter by ajclarke
Microsoft previews Internet Explorer 9 with HTML 5 support - zdnet.co.uk http://bit.ly/9FSh23
2 days ago on Twitter by feedfrog
We were just pondering on when IE will get HTML5 and CSS3 onboard! this is excellent
2 days ago by kencogold on Microsoft previews Internet Explorer 9 with HTML 5 support
RT @suziedaniels: relaunched www.zdnet.co.uk raises the bar yet again! its so fast it makes my eyes bleed.
2 days ago on Twitter by riptariFor multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
