(Note: we will not start new diaries this weekend. Instead, we will keep amending this diary)
"Witty" worm attacks BlackICE firewall
At around 12:00 AM EST (05:00 UTC) on Saturday, we detected an upsurge
in UDP traffic from source port 4000. This traffic is caused by a new
worm ("Witty") which exploits a vulnerability in BlackIce's ICQ parser.
Given that this worm generates large amounts of traffic, and the
widespread use of BlackIce, we will keep the InfoCon level at 'YELLOW',
likely until Monday morning.
While "witty" packets with other source ports are seen, they will not
trigger the vulnerability. Likely, these packets are due to infected
hosts behind NAT devices.
Infected hosts will send large amounts of UDP traffic, typically
saturating a local network connection. The BlackIce task bar icon will
no longer allow the user to shut down BlackIce. It will display a
message reading "Operation could not be completed. Access is denied".
Eventually, the system will crash. Infected systems are reported to
show corrupted hard disks.
The worm will not write itself to disk. As a result, virus scanners
may not detect it.
Snort rule by ISC Handler Pedro Bueno:
(note: you may want to remove the source port restriction)
Snort.org has posted additional rules to "detect the worm and any other exploits based off of the same vulnerability."
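The two observations above (the fixed UDP source port 4000, and the fact that infected hosts behind NAT show up with other source ports) translate into two complementary log checks. The script below is an added example, not the ISC handlers' Snort rule or any code from the diary: it parses a constructed firewall log format, flags UDP packets with source port 4000, and separately flags any source that sends an unusually large number of UDP packets to many distinct destinations, which is how a NAT-rewritten infected host still stands out. The log format, thresholds and sample addresses are assumptions made for the example.

```python
"""Added example: flag Witty-style UDP traffic in firewall log lines.

Two checks, both taken from the diary text:
  1. signature: UDP packets with source port 4000 (packets with other
     source ports do not trigger the vulnerability)
  2. volume: one source emitting many UDP packets to many distinct
     destinations, which catches infected hosts behind NAT whose
     source port has been rewritten
The log format and every sample line below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log line format:
# "2004-03-20 05:00:00 UDP 203.0.113.7:61000 -> 192.0.2.1:1000 len=1000"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>UDP|TCP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) len=(?P<len>\d+)$"
)

WITTY_SRC_PORT = 4000  # source port the worm uses, per the diary


def build_sample_log():
    """Constructed sample: one infected host behind NAT (source port rewritten),
    one directly connected infected host (source port 4000), some benign DNS
    replies and one TCP line."""
    base = datetime(2004, 3, 20, 5, 0, 0)
    lines = []
    # NAT-ed infected host: 60 UDP packets to 60 destinations in 30 seconds
    for i in range(60):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} UDP 203.0.113.7:{61000 + i % 5} "
                     f"-> 192.0.2.{i + 1}:{1000 + i} len={1000 + i}")
    # Directly connected infected host: source port 4000 survives
    for i in range(3):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} UDP 198.51.100.5:4000 "
                     f"-> 192.0.2.{200 + i}:{2000 + i} len=1100")
    # Benign traffic: DNS replies and a TCP connection
    for i in range(5):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} UDP 192.0.2.53:53 "
                     f"-> 10.0.0.{i + 1}:{30000 + i} len=120")
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} TCP 10.0.0.9:4000 -> 192.0.2.80:80 len=60")
    return lines


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec


def signature_hits(records):
    """Records matching the worm's fixed UDP source port (TCP is ignored)."""
    return [r for r in records if r["proto"] == "UDP" and r["sport"] == WITTY_SRC_PORT]


def volume_suspects(records, min_packets=50, min_destinations=20):
    """Sources sending many UDP packets to many distinct destinations.

    Returns {src: {"packets": n, "destinations": n, "source_ports": [...]}}.
    This check does not depend on the source port, so it still catches an
    infected host whose packets were rewritten by a NAT device."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "UDP":
            by_src[r["src"]].append(r)
    suspects = {}
    for src, recs in by_src.items():
        dsts = {r["dst"] for r in recs}
        if len(recs) >= min_packets and len(dsts) >= min_destinations:
            suspects[src] = {
                "packets": len(recs),
                "destinations": len(dsts),
                "source_ports": sorted({r["sport"] for r in recs}),
            }
    return suspects


if __name__ == "__main__":
    records = [rec for rec in (parse_line(l) for l in build_sample_log()) if rec]
    for hit in signature_hits(records):
        print(f"src-port-4000 hit: {hit['src']} -> {hit['dst']}")
    for src, info in volume_suspects(records).items():
        print(f"high-volume UDP source: {src} {info}")
```

Running it reports 198.51.100.5 under the source-port check and 203.0.113.7 under the volume check only; neither check alone would have found both hosts, which is why the note about dropping the source port restriction in the Snort rule matters.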
A reboot will remove the worm from the system. However, the worm
causes random hard disk corruption and the system may no longer
function. The ISS X-Force has directions that _may_ help in recovering some less severely corrupted systems. These directions are available at http://xforce.iss.net/xforce/alerts/id/167 .
Disconnect systems running BlackIce as soon as possible!
Block all UDP packets with a source port of 4000
Blocking UDP packets with a source port of 4000 may disrupt
some network services. We do not know of any major services
(other than old versions of ICQ) that require UDP 4000.
This worm will corrupt hard disks and leave systems
These versions of BlackIce and RealSecure have been identified as vulnerable:
BlackICE Agent for Server 3.6 ebz, ecd, ece, ecf
BlackICE PC Protection 3.6 cbz, ccd, ccf
BlackICE Server Protection 3.6 cbz, ccd, ccf
RealSecure® Network 7.0, XPU 22.4 and 22.10
RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
RealSecure Desktop 3.6 ebz, ecd, ece, ecf
RealSecure Guard 3.6 ebz, ecd, ece, ecf
RealSecure Sentry 3.6 ebz, ecd, ece, ecf
Other ISS products may be vulnerable as well. Please refer to ISS
for details (see end of this post for links).
* Internet Security Systems Information
ISS Witty Worm Announcement: http://www.iss.net/support/wittyworm.php
ISS XForce Security Alert: http://xforce.iss.net/xforce/alerts/id/167
ISS XForce Security Alert: http://xforce.iss.net/xforce/alerts/id/166
ISS Software Updates (Enterprise): http://www.iss.net/download/
BlackIce Updates (Consumer): http://blackice.iss.net/update_center/index.php
* Third Party Information
Matt Murphy's Analysis: http://www.netsecure.shawbiz.ca/witty-analysis.html
Lurhq Analysis: http://www.lurhq.com/witty.html
eEye Security Advisory: http://www.eeye.com/html/Research/Advisories/AD20040318.html
F-Secure Analysis: http://www.f-secure.com/v-descs/witty.shtml
Symantec Analysis: http://securityresponse.symantec.com/avcenter/venc/data/w32.witty.worm.html
Snort Rules: http://www.snort.org
SecurityFocus Vulnerability Information: http://www.securityfocus.com/bid/9913
Secunia Advisory: http://secunia.com/advisories/11073/
US-CERT Security Update: http://www.uscert.gov/current/current_activity.html#witty
US-CERT Vulnerability Note: http://www.kb.cert.org/vuls/id/947254
Johannes Ullrich, jullrich_AT_sans.org - SANS Institute.
Scott Fendley, scottf _AT_ uark.edu - University of Arkansas-Fayetteville
Mar 25th 2004