The worm is the first of its kind to use a vulnerable firewall as its way in, and the first to carry a payload that destroys data. It also represents the fastest turnaround yet between a vulnerability being disclosed and a worm exploiting it being released.
Named Witty, the worm arrives as a single UDP packet of between 600 and 1,000 bytes that exploits a vulnerability in the ICQ message handler of BlackICE’s protocol analysis module (PAM), which was disclosed on March 18.
Once it has infected a PC, the worm generates 20,000 random IP addresses and fires a copy of itself at each of them, then overwrites 64K of the local hard disk with gibberish, destroying whatever data is there, then generates another 20,000 addresses and repeats the cycle.
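The propagation loop described above (one unsolicited UDP packet to each of thousands of random addresses) leaves a characteristic signature in network flow records: a single source talking to an enormous number of distinct destinations in a short time, almost all of them never answering. The following is an added example, not code from the article or from ISS, of the fan-out detection a network operator could run over flow logs to spot this behaviour. The flow record format, the 10-second window, the 500-destination threshold and the sample traffic are all constructed for illustration; the 600–1,000 byte size filter is the only figure taken from the text.

```python
"""Fan-out detector for worm-style random scanning (added example).

Flags sources whose count of distinct destinations inside a sliding time
window exceeds a threshold. The Flow record layout, window and threshold
are assumptions chosen for this example, not a real tool's format.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since start of capture
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "udp" or "tcp"
    dport: int    # destination port
    size: int     # payload bytes


def detect_fanout(flows, window=10.0, min_distinct=500, proto="udp",
                  size_range=None):
    """Return {src: peak distinct destinations} for every source that talked
    to at least `min_distinct` different hosts within any `window` seconds.

    `size_range=(lo, hi)` optionally restricts the count to packets of a
    given payload size, which narrows the search when the worm's packet
    size is known (600-1,000 bytes in the article's description).
    """
    per_src = defaultdict(lambda: (deque(), Counter()))  # src -> (window, dst counts)
    peak = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != proto:
            continue
        if size_range and not (size_range[0] <= f.size <= size_range[1]):
            continue
        q, counts = per_src[f.src]
        q.append(f)
        counts[f.dst] += 1
        # Evict flows that have fallen out of the sliding window.
        while q and f.ts - q[0].ts > window:
            old = q.popleft()
            counts[old.dst] -= 1
            if counts[old.dst] == 0:
                del counts[old.dst]
        distinct = len(counts)
        if distinct >= min_distinct:
            peak[f.src] = max(peak.get(f.src, 0), distinct)
    return peak


def build_sample_flows(seed=1):
    """Constructed sample traffic: one benign host and one scanning host."""
    rng = random.Random(seed)
    flows = []
    # Benign host 10.0.0.5: repeated DNS-sized UDP to five servers over 60 s.
    servers = ["10.0.0.%d" % i for i in range(10, 15)]
    for i in range(300):
        flows.append(Flow(ts=i * 0.2, src="10.0.0.5", dst=rng.choice(servers),
                          proto="udp", dport=53, size=80))
    # Scanning host 10.0.0.9: 2,000 packets to random addresses in 4 s,
    # random destination port, 600-1,000 byte payloads.
    for i in range(2000):
        dst = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        flows.append(Flow(ts=100.0 + i * 0.002, src="10.0.0.9", dst=dst,
                          proto="udp", dport=rng.randrange(1, 65536),
                          size=rng.randrange(600, 1001)))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    for src, n in detect_fanout(sample, size_range=(600, 1000)).items():
        print("fan-out alert: %s reached %d distinct destinations" % (src, n))
```

The threshold is deliberately coarse: a host doing 500 distinct UDP destinations in 10 seconds is either a scanner, a busy resolver or a P2P client, and the size filter plus a check that the destinations mostly never reply is what separates a worm from the latter two. Because the worm picks addresses uniformly at random, the distinct count grows almost linearly with packets sent, which is why fan-out rather than packet volume is the robust signal.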
Dan Ingevaldson, director of research on ISS’s X-Force vulnerability research team, said that despite the short gap between disclosure and exploit, most customers had patched and only a small percentage of the installed base was hit.
Ingevaldson said there are 1.6 million BlackICE and RealSecure agents deployed and that the firm recorded about 12,000 infections, under 1% of the installed base. Most enterprise customers have automatic patching systems in place, he said.
“This was written by somebody who knows what they’re doing,” Ingevaldson said. “This is designed to go after ISS products and cause damage, to make a point. We don’t like them and they don’t like us; they would rather we weren’t around.”
He said that although the PAM code, a fundamental part of the software that inspects traffic for attacks, is common to all of ISS’s products, only the software running on Windows machines is vulnerable. Its new Proventia appliances do not run Windows.
The speed at which the worm was written following publication of the vulnerability details, less than two days, is unprecedented. Last August, the Blaster worm exploited a Windows vulnerability 26 days after disclosure, and that was considered fast.
“We are now concerned about this worm being used for future variants that use the same code base,” Ingevaldson said. The data-corruption aspect could be applied in worms that exploit vulnerabilities found in third-party software in future, he said.
It’s not the first time that a critical vulnerability has been found in firewall software. Only one vendor claims to have a product in which a vulnerability has never been found. But this is the first time an automated worm has targeted such a vulnerability.
The ICQ handling flaw is one of two PAM vulnerabilities found by third-party researchers and patched in recent weeks.
The worm highlights the problems developers in all fields have in securing their software, and in alerting users to the need to patch without giving away enough information for an attacker to quickly write exploit code.
Because each infected host progressively destroys its own disk, the worm killed itself off fairly quickly, and infections were believed to be over by yesterday.
This article is based on material originally published by ComputerWire