Fog Creek Software
g
Discussion Board

Witty

- Witty was the first widely propagated Internet worm to carry a destructive payload.
- Witty was started in an organized manner with an order of magnitude more ground-zero hosts than any previous worm.
- Witty represents the shortest known interval between vulnerability disclosure and worm release -- it began to spread the day after the ISS vulnerability was publicized.
- Witty spread through a host population in which every compromised host was doing something proactive to secure their computers and networks.
- Witty spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating the viability of worms as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly.

So now all you PFY's are thinking: Hell, here's pops with another oldtimer story, wake me when there's a commercial break.
Actually, Witty did the rounds on 19/03/2004. So why did you never hear about its dubious record setting? BECAUSE IT WAS NOT TARGETTING MICROSOFT PRODUCTS.

Anyways, consider it another wakeup call.
http://www.caida.org/analysis/security/witty/

By way of http://blogs.msdn.com/michael_howard/archive/2004/05/10/129269.aspx

Just me (Sir to you)
Tuesday, May 11, 2004

Um, I did hear about it. Whats your point?

Eric Debois
Tuesday, May 11, 2004

Sorry all. Eric did hear about it. I'm sorry to have wasted your time.

Just me (Sir to you)
Tuesday, May 11, 2004

"So why did you never hear about its dubious record setting? BECAUSE IT WAS NOT TARGETTING MICROSOFT PRODUCTS."

I very clearly remember hearing about this. This was discussed here, on Slashdot, and on virtually every news sites (particularly because of the irony of the fact that one's firewall was the reason they got exploited). Mind you the _scale_ of the reporting was less given that it infected (or could infect) only about 12,000 users.

I'm not sure if you're trying to use this as some sort of Microsoft defense, but I would counter and say that what you have referenced is yet another pathetic example of a trivial, undefensible buffer overflow that a lazy vendor with too little process unleashed onto the vulnerable public.

Dennis Forbes
Tuesday, May 11, 2004

I diddnt meant it like that. Seriously.. whats your angle here? Just a FYI?

Eric Debois
Tuesday, May 11, 2004

So did quite a lot of others.

http://slashdot.org/articles/04/03/26/0140254.shtml

KayJay
Tuesday, May 11, 2004

"whats your angle here?"

The angle is "Oh, poor poor Microsoft, so unfairly tarnished. So victimized. Look, someone else has shitty buffer overflows!"

.
Tuesday, May 11, 2004

"So why did you never hear about its dubious record setting?"

Actually, I'll bet that there were plenty of people that read about it.

IMHO, the reasons why it didn't grab the headlines big time (e.g., like Sasser):
1. It was a dumb virus. Or, if you prefer, it had no regard for its own survival. If you kill you host in a few seconds/minutes, you'll have a low chance to infect someone else.

2. "Because it wasn't targetting MS products". Yep, you're right. This means its potential infection universe is small, when compared with all the Windows running out there.

If you point is, indeed, that "there an anti-MS conspiracy", sorry, but I'm not buying it. They're #1, so it's natural that whenever they sneeze, they get more attention than the chaps who developed an organic computer that may, in a few years, go around your body scanning for cancer cells. Or the guys that came up with a way to create perfect diamonds using cheap technology.

Or many other useful discoveries/inventions, that play second fiddle to idiotic headlines. But then, isn't it the way human nature works?

Paulo Caetano
Tuesday, May 11, 2004

Seems I'm the only one asleep at the wheel here. Turns out I can't even keep up with JoS topics anymore, but please, don't make me read Slashdot.

No, this is not intended to be a MS defense (would be a pretty poor defense if it was), but I thought there where several interesting angles to this.
- I for one assumed that for worms to work in a general IP fishing game you would need a higher density in the general population. In hindsight, and doing the math, I was so obviously wrong. Slammer also didn't need that high a % to succeed. Trowing it out to many more generation 0 hosts speeds up the slow start of the exponential curve considerably. Me stupid.
- Even though it was reported in many places, I still mamaged to scan over this, and hey, I don't consider myself not well informed in security issues (maybe I should reconsider that position). There is only so much one can keep up with. Since I do not use the product, I didn't read in the details. When my attention was drawn to it, it turned out quite interesting stuff. Had it been an MS product, I'm confident it would have gotten more front-page and popular media coverage, making it impossible to casually mis.
- 1 day patch to exploit. If that does not show the need for a security permanence at medium to large shops (and no, many do nt have this), and the need to have a nightly autoinstall patching setup for home use, I do not know what will.
- another good illustration that "security through praying the bad guy won't turn his head", unfortunatly the common mantra preached by those that are hoping for a one action solution (preferably out of a box), is complete bollocks.

Just me (Sir to you)
Tuesday, May 11, 2004

The IT media covered it, but the mainstream media didn't. Which they don't unless they can have a wonderfully exciting headline along the lines of "You're PC at home is doomed". 

On a personal level I'd heard of it (wearing my sysadmin hat) but hadn't paid it the attention it deserved as it was unlikely to affect any machine I'm responsible for.  Selfish I know.

a cynic writes...
Tuesday, May 11, 2004


I think his point is obvious.

There are many people who suggest that only MS has security flaws in their products. These same people will suggest that other platforms are virus free largely because they aren't made by MS.

It's not a defense of MS, but rather an argument to the morons who claim only MS is capable of such stupidity.

Whatever
Tuesday, May 11, 2004

Thanks !  I didn't know about it and I thought it was fascinating.

SecureWonk
Tuesday, May 11, 2004

Just you, Sir,

Read Slashdot. It evolves like any other human endeavour. And you would not be disappointed with its evolution. There still are those "M$" crap, but now-a-days they tend to be hidden, especially when you read at +2.

KayJay
Tuesday, May 11, 2004

It is fascinating how quickly this worm spread, and it really is a, to use a tired cliche, wake up call to the need for improved security throughout our industry. A lot of the ideas encapsulated in .NET (and of course I have to give a nod to Java, or VMs in general) represent a greap leap in that direction.

Dennis Forbes
Tuesday, May 11, 2004



There was also another *HUGE* difference between Witty and most IIS/Windows worms...


The vulnerable population for Witty was approximately 12000 hosts.  The vulnerable population for the next XP worm will be in the hundreds of thousands or even millions.

I still see Nimda, CodeRed, Slammer, and numerous other worms (some dating from 2001) hit my firewall everyday...

I think the overwhelming threat is not necessarily Windows.  I think it's incompetent/barely competent admins who think that since they can write a bit of asp and vb, they can administer/secure an IIS box.

I can write asp, vb, java, and numerous other languages, but I'd never claim to be able to administer/secure an IIS box....

KC
Tuesday, May 11, 2004

"I think the overwhelming threat is not necessarily Windows.  I think it's incompetent/barely competent admins who think that since they can write a bit of asp and vb, they can administer/secure an IIS box."

Fair enough, but in response consider the following facts:

-One of Microsoft's selling points (and it's a reasonable one) is that you can get by with cheaper admins, and this is often a synonym for "less skilled". Many of the systems are advertised as "self-administrating", under the guise that you set it up ad forget it.

-A lot of the problem with untrained users relates to overly vulnerable defaults. For instance many services run under unnecessarily privileged accounts. To give a comparison, postgresql on Linux won't even _let_ you run it as root (it forces you to setup a unprivileged account), and by default it listens only for connections from the localhost. If you somehow connected from the localhost, a buffer overflow exploit at most will let you munge the postgresql data files: You couldn't overwrite random sectors, delete system files, or many other activities.

Compare this to most Windows services which often have incredibly generous defaults (such as installing every ISAPI handler imaginable, listening on the public IP for any caller -- indeed there's a hilarious paradox that the workstation version of IIS doesn't even let you restrict who can access the site by IP, nor do most other Microsoft apps --, and run under the highly privileged system account. These issues _vastly_ increase the risks.

Microsoft has made great strides in improving the default setups, but for example I recently installed the VB.NET Resource Kit (I wanted the graphing component) and was surprized to later find 9 mapped virtual directories in IIS - for all I know these are awash with system access routines, but there they are silently revealed to the world at large. While it would require an extra step, I don't think it would be all that onerous that when someone actually wants to try out a sample (the vast majority would never get that far), they can map each directory on a need basis. This is a fundamental philosophy thing.

As mentioned the VM model of .NET may be a long way towards the solution.

Dennis Forbes
Tuesday, May 11, 2004

"If that does not show the need for a security permanence at medium to large shops (and no, many do nt have this), and the need to have a nightly autoinstall patching setup for home use, I do not know what will."

The problem with nightly autoinstall patching is that sometimes (too often) fixing one problem can have unintended consequences. 

Security is not a black and white problem.  The fact that there was only one day between release and exploit doesn't mean that problems associated with implementing a patch magically disappear. 

There is a tradeoff between having effective change management and being able to respond instantly to change.  Extremes tend to be dangerous :)

Phibian
Tuesday, May 11, 2004

Every exploit contains a security lesson.  I think one lesson, which that Shamir fellow pointed out after Gate's RSA speech, is that security is not a "feature".  Especially an add-on feature.

Tacking on a "black-ice" product to secure an OS means that now you have more products to worry about.  More code == more vulerabilities.

Security means simpler is better.  Firewalls that perform minimal tasks with minimal code.

As stated in the "blog" page: The reason you didn't hear much about this virus is that it did not attack high value targets.  Windows boxes with add-on internal firewalls are just users trying to get by.

hoser
Tuesday, May 11, 2004

«Tacking on a "black-ice" product to secure an OS means that now you have more products to worry about. More code == more vulerabilities.»

Maybe I'm missing something here, but "More code == more vulerabilities" seems pretty much universal, regardless of the product. I.e., it's true for MS internal firewall, ZoneAlarm, "black-ice", "green-ice", and "yellow-ice-with-red-dots-and-purple-blotches".

Paulo Caetano
Tuesday, May 11, 2004

Phibian,

I agree 100% of course. However, we should take into account that the old "hey here is a patch, lets evaluate this and if all goes well we will roll it out in 6 weeks time" is shot to hell. I'm not saying apply some patches blindly, but you have to have an operations scenario that deals with patch-to-worm times measured in the "hours" range.

Furthermore, in the "home" setting, there is no pre-evaluation,no elaborate mitigation planning, since there is no skill present that can do the eval. It is simply a matter of "fingers crossed, push the button" anyway.

What is extremely important in those cases is high fidelity roll back. If things do go wrong, recovery should be swift and perfect.

And of course, prevention is better than cure.

Just me (Sir to you)
Tuesday, May 11, 2004

""More code == more vulerabilities" seems pretty much universal, regardless of the product."

I don't agree. It disregards the fact that a bunch of complex code can be made unaccessible through a small layer of much simpeler code.
Yes, the new code will have its own vulnerabilities, and it won't fix the vulnerabilities that were already there, but it might make them unexploitable.

Just me (Sir to you)
Tuesday, May 11, 2004

>> ""More code == more vulerabilities" seems
>> pretty much universal, regardless of the
>> product."

> I don't agree. It disregards the fact that
> a bunch of complex code can be made
> unaccessible through a small layer of much
> simpeler code.
> Yes, the new code will have its own
> vulnerabilities, and it won't fix the
> vulnerabilities that were already there,
> but it might make them unexploitable.

If I understood it correctly, what you're saying is that there are some cases where "More code == more vulerabilities" doesn't apply. That doesn't make it less universal. Like any good rule, it has exceptions - of course, if you don't like exceptions, you can always use return codes ;)

In the same vein, I wasn't implying that "More code == more vulerabilities" is deterministic. You can add more code without adding more vulnerabilities.

I interpreted hoser's point as: a product with minimal funcionality (PMF) will have less potential problems (security and others). My point was that as soon as this PMF get more functionality, its potential for problems will increase on par with another product with the same funcionality (imagining we had a scale for measuring this sort of thing).

You may say - "OK, just don't add the extra functionality". The fact is even MS realized this doesn't work - they are adding more funcionality to their firewall.

Paulo Caetano
Tuesday, May 11, 2004

Paulo, with that I agree. and this is where e.g. in theory the open unix systems are stronger: you could, in theory, build a setup with just the parts you need. I stress in theory, since in practice very few shops would have the knowhow to do so if there is not an out-of-the-box solution, and in many cases the configuration management would be uneconomical to do so.

Just me (Sir to you)
Wednesday, May 12, 2004

"Paulo, with that I agree. and this is where e.g. in theory the open unix systems are stronger: you could, in theory, build a setup with just the parts you need. I stress in theory, since in practice very few shops would have the knowhow to do so if there is not an out-of-the-box solution, and in many cases the configuration management would be uneconomical to do so"

Just for the record, I wasn't advocating *nix superiority. I agree that it doesn't really exist - it has its strengthes, and weaknesses, like any other system. My opinion is that the day Linux becomes the most profitable virus/worm target, we'll see an increase in the exploits against it.

I ditched MS, and changed to Linux based on 2 points:

1. I'm not in the most profitable virus/worm target market anymore.

2. I don't trust MS; especially not with their announcements for the future: DRM technology, whiz-bang file system to end all file systems, etc.

#2 had much more weight in my decision than #1, i.e., it's not that I consider Linux indestructible, it's just that, so far, Mandrake has done nothing to lose my trust. If/when it happens, I'll switch again.

For now, my experience with Mandrake 9.2 has been very good, and I'm considering paying for (instead of just downloading) Mandrake 10.

Paulo Caetano
Wednesday, May 12, 2004

*  Recent Topics

*  Fog Creek Home