Witty (computer worm): Difference between revisions
No edit summary |
m Added non-breaking space to non-template file size, frequency, bitrate, and bandwidth values (via WP:JWB) |
||
| (32 intermediate revisions by 26 users not shown) | |||
| Line 1: | Line 1: | ||
{{Short description|2004 computer worm}} |
|||
{{Portal|Computer security|Portal.svg}} |
|||
The '''Witty worm''' |
The '''Witty worm''' was a [[computer worm]] that attacked the [[firewall (networking)|firewall]] and other [[computer security]] products written by a particular company, the [[Internet Security Systems|Internet Security Systems (ISS)]] now IBM Internet Security Systems. It was the first worm to take advantage of vulnerabilities in the very pieces of [[computer software|software]] designed to enhance [[network security]], and carried a destructive payload, unlike previous worms. It is so named because the phrase "(^.^) insert witty message here (^.^)" appears in the worm's payload. |
||
The Witty worm incident was unique in that the worm spread very rapidly after announcement of the ISS vulnerability (a day later), and infected a much smaller and presumably harder-to-infect (because the administrators had taken security measures) host population than previous worms. |
The Witty worm incident was unique in that the worm spread very rapidly after announcement of the ISS vulnerability (a day later), and infected a much smaller and presumably harder-to-infect (because the administrators had taken security measures) host population than previous worms. |
||
==Propagation== |
==Propagation== |
||
On |
On March 19, 2004, the 'Witty' worm began infecting hosts connected to the [[Internet]] (and running the vulnerable ISS software) without any seed population.<ref name="source">[http://blog.erratasec.com/2014/03/witty-worm-no-seed-population-involved.html Errata Security Author Article]</ref> Within a half-hour it infected 12,000 computers and was generating 90 Gbit/s ([[gigabit]]s per second) of [[User Datagram Protocol|UDP]] traffic. |
||
==Effect of worm== |
==Effect of worm== |
||
| Line 13: | Line 13: | ||
==References== |
==References== |
||
*Shannon, Colleen and David Moore (2004). [http://www.caida.org/analysis/security/witty/ "The Spread of the Witty Worm"]. (Last updated June 21, 2005; Retrieved |
*Shannon, Colleen and David Moore (2004). [http://www.caida.org/analysis/security/witty/ "The Spread of the Witty Worm"]. (Last updated June 21, 2005; Retrieved November 14, 2005.) |
||
*Abhishek Kumar, Vern Paxson and Nicholas Weaver (2005). [http://www.cc.gatech.edu/~akumar/witty.html "Outwitting the Witty worm"]. (Last updated May 24, 2005; Retrieved |
*Abhishek Kumar, Vern Paxson and Nicholas Weaver (2005). [https://web.archive.org/web/20050618001819/http://www.cc.gatech.edu/~akumar/witty.html "Outwitting the Witty worm"]. (Last updated May 24, 2005; Retrieved February 2, 2006.) |
||
{{Reflist}} |
|||
==External links== |
==External links== |
||
* [http://www.eeye.com/html/Research/Advisories/AD20040318.html ISS vulnerability announcement] |
* [https://web.archive.org/web/20040321163910/http://www.eeye.com/html/Research/Advisories/AD20040318.html ISS vulnerability announcement (from Internet Archive)] |
||
| ⚫ | |||
* [http://www.lurhq.com/witty.html Witty Worm Analysis] |
|||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
{{DEFAULTSORT:Witty (Computer Worm)}} |
|||
[[de:Witty-Wurm]] |
|||
[[Category:Exploit-based worms]] |
[[Category:Exploit-based worms]] |
||
[[Category:Hacking in the 2000s]] |
|||
Latest revision as of 01:34, 26 April 2024
The Witty worm was a computer worm that attacked the firewall and other computer security products written by a particular company, the Internet Security Systems (ISS) now IBM Internet Security Systems. It was the first worm to take advantage of vulnerabilities in the very pieces of software designed to enhance network security, and carried a destructive payload, unlike previous worms. It is so named because the phrase "(^.^) insert witty message here (^.^)" appears in the worm's payload.
The Witty worm incident was unique in that the worm spread very rapidly after announcement of the ISS vulnerability (a day later), and infected a much smaller and presumably harder-to-infect (because the administrators had taken security measures) host population than previous worms.
Propagation
[edit]On March 19, 2004, the 'Witty' worm began infecting hosts connected to the Internet (and running the vulnerable ISS software) without any seed population.[1] Within a half-hour it infected 12,000 computers and was generating 90 Gbit/s (gigabits per second) of UDP traffic.
Effect of worm
[edit]Once Witty infects a computer by exploiting a vulnerability in the ISS software packages (RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE), it attempts to infect other computers using the same vulnerability.
Witty launches these attacks as fast as possible, attacking a pseudo-random subset of IP addresses as quickly as allowed by the computer's Internet connection. It repeats these attacks in groups of 20,000, alternately launching attacks and overwriting sections of the computer's hard disk(s).
References
[edit]- Shannon, Colleen and David Moore (2004). "The Spread of the Witty Worm". (Last updated June 21, 2005; Retrieved November 14, 2005.)
- Abhishek Kumar, Vern Paxson and Nicholas Weaver (2005). "Outwitting the Witty worm". (Last updated May 24, 2005; Retrieved February 2, 2006.)
External links
[edit]- ISS vulnerability announcement (from Internet Archive)
- Analysis of the worm propagation by CAIDA (Cooperative Association for Internet Data Analysis)
- Slashdot article