![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif){kind=small}
cymrullewes found this article about the Witty worm, which turns out to be a quite vicious and well-crafted little bugger. (See CAIDA's nice detailed analysis.) Exploiting a specific vulnerability in the ICQ Protocol Analysis Module in BlackIce Defender and RealSecure (both ISS products), Witty hit the net within 24 hours of disclosure of that vulnerability, targeted solely systems protected by those two firewalls, and reached saturation within 45 minutes leaving a trail of effectively destroyed machines behind it.
The dangerous part about Witty is perhaps less its fast turnaround time or its clever construction, but the paradigm shift that it demonstrates in worms. Up until now, the prevailing wisdom was that a successful worm did not destroy its host, because as long as the host remained up, the worm could continue to infect new systems. Witty, on the other hand, says that it's OK to go ahead and destroy your host, provided you reproduce first -- which Witty does, sending out 20,000 copies of itself before it begins trashing its host's hard disk. All the major AV vendors got patches out against the worm -- but it was too little, too late. By the time the updates could be distributed, Witty had already hit saturation. This points up a study by HP Bristol that shows that the whole strategy of defending against a fast-spreading worm via signature distribution is fundamentally flawed, because the worm can spread faster than updates can be distributed.
The informal rules just changed, and the game just got a lot nastier.
![[profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
fruitylips