SecurityFocus, 2005-05-24
The Witty worm, which infected more than 12,000 servers a year ago, came from a single computer in Europe that used a U.S. military base's vulnerable systems to kick-start the epidemic, an analysis reveals.
The researchers combined records from the initial spread of the Witty worm with an analysis of the random number generator the program used to pick its targets, and discovered that the worm almost certainly spread initially from a computer owned by a customer of a European Internet Service Provider. The analysis also found that about 10 percent of the Internet's addresses would never have been generated, and thus never infected, by the Witty worm, and that 110 computers at a U.S. military base were likely among a "hit list" of systems that the worm targeted explicitly.
"We hope that the principle of exploiting a worm's structure will be more broadly applicable to forensics of future worms," said Vern Paxson, senior researcher with the International Computer Science Institute and one of the three researchers who co-authored the analysis of the Witty worm. ICSI is an independent institute based near the University of California at Berkeley.
Paxson, along with another researcher at ICSI and a computer science graduate student at the Georgia Institute of Technology, published the results in a paper this week, including new details of the worm's spread.
The Witty worm started spreading in March 2004, infecting unpatched computer systems and appliances running security gateway software from network protection firm Internet Security Systems. The worm appeared before an exploit for the vulnerability had been made public, a departure from the normal evolution of Internet worms.
"Worms typically follow the public posting of exploit code, but Witty didn't follow that model," said Craig Schmugar, virus research manager with security firm McAfee.
Internet Security Systems declined to comment on whether the company had investigated the worm or the techniques it used.
The program spread quickly, compromising every vulnerable host within its scanning range -- more than 12,000 systems -- in less than 75 minutes, placing the worm in a class of super-fast infectors known as flash worms. The worm's speed rivaled that of another flash worm, the Microsoft SQL Slammer worm, which spread to tens of thousands of systems in an equivalent period of time. Both worms spread using the user datagram protocol (UDP), which allows computers to transfer data without establishing a connection, making it much faster than the more common transmission control protocol (TCP).
In addition, Witty was a very destructive worm. The program tried to delete a random block on one of the infected system's disks after sending 20,000 copies of itself out to potential targets. After successfully deleting enough blocks, the worm would typically crash the host computer.
While the Witty worm did not infect as many computers as MSBlast (the Blaster worm) or SQL Slammer, the incident stands out because the program attacked a security product, appeared before publication of code to exploit the vulnerability, and had a very destructive payload, said Mike Poor, an incident handler with the SANS Internet Storm Center, a network-threat monitoring group, who had studied the impact of Witty.
"Those three things made it stand out -- those things together made it a significant event," he said.
The characteristics also made the worm interesting to Abhishek Kumar, a PhD candidate in computer science at the Georgia Institute of Technology and a co-author of the analysis of the Witty worm. He spent the summer of 2004 at ICSI for an internship and agreed to work on an analysis of the worm.
The amount of information that was gleaned from the analysis of the worm and the captured network data surprised the researchers, Kumar said.
"I did not expect to find such precise details," he said.
The researchers first reverse engineered the Witty worm's function for generating new Internet addresses to attack and then modeled the behavior of that function, known as a pseudo-random number generator. The researchers combined that model with the actual data captured by specialized computers monitoring two large unused portions of the Internet address space. Known as network telescopes, such sensors can pick up the effects of large-scale Internet attacks. The researchers used a one-hour and a 75-minute snapshot recorded by network telescopes at the University of Wisconsin and the Cooperative Association for Internet Data Analysis (CAIDA), respectively, to analyze the worm's spread.
The analysis of the pseudo-random number generator found that the worm would not generate addresses for about 10 percent of the Internet and would generate the same address twice for another 10 percent of possible Internet addresses. The researchers used their analysis of the generator to plot the orbits -- the sequences of numbers each worm would create -- and found a single address from which copies of the worm propagated but which did not fall on any orbit.
The system at that source address also generated a sequence of pseudo-random numbers different from all the other copies of the worm. Moreover, that source address -- a server whose Internet address belonged to a European ISP -- had started spreading the worm at the beginning of the incident. Based on the evidence, the researchers concluded that the system was Patient Zero, the attacker's staging point for the worm. The address of the server has been forwarded on to law enforcement, according to the researchers.
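The orbit and coverage analysis described in the three paragraphs above, as an added example that is not code from the article or from the researchers: it assumes the Microsoft C runtime LCG (the generator the researchers' published paper identifies for Witty, which this article does not name), an address built from the top half of two successive outputs, and a 16-bit state instead of Witty's 32-bit one so that every state can be enumerated in pure Python. The never-generated and repeated-address proportions therefore differ from the 10 percent figures in the article, but the structure that produces them is the same.

```python
"""Scaled-down model of a Witty-style address generator, for forensic analysis.
Assumptions not stated in the article: the generator is the Microsoft C runtime
LCG X' = (214013*X + 2531011) mod 2^K, as the researchers' published paper
reports for Witty, and an address is the top half of two successive outputs.
Witty used K = 32; K = 16 here so that every state can be enumerated."""
from collections import Counter

A, C = 214013, 2531011        # MSVC rand() multiplier and increment
OUTPUTS_PER_PACKET = 2        # generator outputs consumed per packet (assumption)

def step(x, k):
    """One generator step modulo 2^k."""
    return (A * x + C) & ((1 << k) - 1)

def address(x, k):
    """Address built from the top k/2 bits of x and of the following state."""
    half = k // 2
    return ((x >> half) << half) | (step(x, k) >> half)

def worm_targets(seed, k, n):
    """The n consecutive addresses an infected host seeded with `seed` scans."""
    out, x = [], seed
    for _ in range(n):
        out.append(address(x, k))
        for _ in range(OUTPUTS_PER_PACKET):
            x = step(x, k)
    return out

def orbit_length(seed, k):
    """Cycle length through `seed`; 2^k means one orbit covers every state."""
    x, n = step(seed, k), 1
    while x != seed:
        x, n = step(x, k), n + 1
    return n

def coverage(k):
    """Enumerate all 2^k states; return how many addresses are never generated,
    generated once, generated more than once, and the excess hits on repeats."""
    counts = Counter(address(x, k) for x in range(1 << k))
    never = (1 << k) - len(counts)
    once = sum(1 for c in counts.values() if c == 1)
    repeated = sum(1 for c in counts.values() if c > 1)
    excess = sum(c - 1 for c in counts.values() if c > 1)
    return never, once, repeated, excess      # never == excess: one address per state

def consistent_with_generator(observed, k):
    """True if some generator state reproduces the observed run of consecutive
    targets from one source; a source that fails sits on no orbit of the worm's
    generator, which is the Patient Zero test the article describes."""
    return any(address(x, k) == observed[0] and worm_targets(x, k, len(observed)) == observed
               for x in range(1 << k))
```

`coverage(16)` gives the never-generated and repeated counts for the scaled model, and `orbit_length(0, 16)` returns 65536, a single orbit, because the LCG has full period modulo any power of two.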
The FBI could not immediately comment on whether it had investigated the ISP.
Further analysis also succeeded in determining the specific initial numbers used by nearly 800 of the worms to start their sequences of pseudo-random numbers. Since the numbers are fairly random and generated from the system clock, discovering their actual values essentially identified the systems and also gave insight into the systems' uptime.
In fact, a group of more than 100 systems belonged to the same class B network and appeared right at the beginning of the Witty worm incident. That class B network belongs to a military base, said the researchers, though they declined to name the facility.
Finding the presumed Patient Zero and evidence that a military base's systems were targeted explicitly by the worm are interesting, but unlikely to yield any further leads on who created the worm, said Nicholas Weaver, a researcher at UC Berkeley's ICSI and the third co-author of the analysis.
"If it's someone who either accidentally or deliberately released it from his own system, knowing Patient Zero is key to determining who wrote the worm," he said. Yet, that scenario is not very likely, given the evident expertise of the person who created the program.
"If the attacker is savvy, discovering Patient Zero can be almost useless for law enforcement purposes," he said.
Based on how quickly the code was put together, some experts, including Weaver himself, have theorized that an insider -- either someone who works for or has contacts within ISS or the company that found the vulnerability used by the worm, eEye Digital Security -- is the most likely creator of the worm. Moreover, an attacker not connected with the companies would not have known to create a hit list for a relatively uncommon flaw that could be exploited through UDP, Weaver said.
"Thus the attacker had to already know who several ISS customers were and their location on the Internet, including the military base which was part of the initial target set," he said. "It is this last point, the knowledge needed to construct the hit list, that most suggests the attacker either has or had a relationship with ISS. But it does not prove that the attacker was an insider."
And, despite the depth of the analysis published this week, evidence of that connection remains elusive.