For a long time, the Mac community has believed that the relatively small size of the Mac population is itself a defense against attack. The logic goes something like this: since the Mac population is so small compared to the Windows population, Macs are not interesting to virus writers.
Well, as the Witty worm showed, a small population is no defense against a devastating attack.
On March 8th, 2004, eEye Digital Security discovered a vulnerability in ISS's BlackICE/RealSecure products. On March 9th, ISS released a patch for the vulnerability.
On March 18th, eEye published a high-level description of the vulnerability. 36 hours later, Witty was released into the wild.
Within 45 minutes, every vulnerable machine was infected, about 12,000 machines in total.
Witty is a scary story for a number of reasons.
First, it was destructive. Not only did it propagate by generating 20,000 packets addressed to random IPs and sending them out to infect more hosts, it then picked a random location on the hard drive and overwrote whatever was there with 65K of data taken from iss-pam1.dll. It repeated that whole cycle until the machine was rebooted or crashed. As a side effect, the disk corruption limited how many rounds of propagation each host could complete before it died, although that was small comfort to those who were infected and lost data.
However, other factors make Witty a particularly ominous example of viral code. For one, instead of starting from a handful of hosts, Witty spread outward almost simultaneously from 100 to 110 hosts. At 20,000 packets per host per round, that is over 2,000,000 probes looking for the vulnerability in the first round alone, and more than 4,000,000 once you allow for at least two rounds per host, all launched within seconds of release. This number is exacerbated by Witty's size:
Witty was also bug-free, which means someone tested it. It also means the core worm engine was probably finished well in advance of the BlackICE vulnerability announcement, and was just waiting for the right vulnerability to plug into it.
Witty was not some dork with a virus kit from a h@xx0r site spreading the love of Anna Kournikova. It was written by someone who knew what they were doing, was patient enough to wait for the right opening, and, importantly, didn't care how small the vulnerable population was.
Witty only attacked computers running unpatched versions of BlackICE firewalls, and it was released ten days after a fix for the vulnerability was issued. It infected only 12,000 hosts, but it did so in 45 minutes, an average of 4.45 hosts per second. Extrapolate that rate linearly, assuming antivirus signatures arrive and are applied everywhere 48 hours after release, and you get 768,960 computers infected and probably dead within two days. That is a conservative figure: the 4.45 hosts per second is an average over a run that ran out of vulnerable hosts after 45 minutes, and a random-scanning worm infects a larger population faster, not at the same steady pace.
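To see why the linear extrapolation above undersells the problem, here is an added worked example. It is mine, not code from the post and not anything from Witty itself. It uses the standard epidemic model for a uniformly random-scanning worm, dI/dt = r * I * (N - I) / 2^32, where I is the number of infected hosts, N the vulnerable population and r the per-host probe rate. The numbers fed in are the post's (12,000 vulnerable hosts, 110 seeds, saturation in 45 minutes); the model fits r from them and then asks how long the same worm would need against the 768,960-host population the post arrives at. The IPv4 address space, the 99% "saturated" threshold, the constant probe rate and the uniform-scanning assumption are my assumptions; nothing here models Witty's disk wiping, bandwidth limits, or hosts dropping out after they crash.

```python
import math

# Model assumptions (mine, not the post's): uniformly random scanning of the
# whole IPv4 space at a constant per-host probe rate, no bandwidth limits,
# and no infected hosts dropping out (Witty's disk wiping is ignored here).
ADDRESS_SPACE = 2 ** 32
DONE_FRACTION = 0.99          # "every vulnerable machine" taken to mean 99% infected

# Numbers from the post.
VULNERABLE = 12_000           # hosts Witty infected
SEEDS = 110                   # hosts it started from simultaneously
SATURATE_SECONDS = 45 * 60    # time it took to reach all of them
POST_EXTRAPOLATION = 768_960  # the post's 48-hour, 4.45 hosts/second figure


def growth_constant(n, rate):
    """k in the logistic solution: each probe hits a vulnerable host with probability n/2^32."""
    return rate * n / ADDRESS_SPACE


def infected_at(t, n, i0, rate):
    """Infected hosts after t seconds: logistic solution of dI/dt = rate*I*(n-I)/2^32."""
    k = growth_constant(n, rate)
    return n / (1 + (n / i0 - 1) * math.exp(-k * t))


def time_to_fraction(frac, n, i0, rate):
    """Seconds until frac of the n vulnerable hosts are infected (inverse of infected_at)."""
    k = growth_constant(n, rate)
    return math.log((n / i0 - 1) * frac / (1 - frac)) / k


def fit_scan_rate(n, i0, t_done, frac=DONE_FRACTION):
    """Per-host probe rate (packets/s) that saturates n hosts from i0 seeds in t_done seconds."""
    return ADDRESS_SPACE * math.log((n / i0 - 1) * frac / (1 - frac)) / (n * t_done)


def linear_extrapolation(n, t_done, horizon):
    """The post's arithmetic: average hosts per second over the run, times the time horizon."""
    return n / t_done * horizon


def witty_comparison():
    """Fit the post's numbers, then time the same worm against the post's 48-hour population."""
    rate = fit_scan_rate(VULNERABLE, SEEDS, SATURATE_SECONDS)
    return {
        "probe_rate_per_host": rate,
        "linear_48h": linear_extrapolation(VULNERABLE, SATURATE_SECONDS, 48 * 3600),
        "seconds_for_post_population": time_to_fraction(
            DONE_FRACTION, POST_EXTRAPOLATION, SEEDS, rate
        ),
    }


if __name__ == "__main__":
    result = witty_comparison()
    rate = result["probe_rate_per_host"]
    print(f"fitted probe rate: {rate:.0f} packets/s per infected host")
    print(f"linear extrapolation over 48h: {result['linear_48h']:,.0f} hosts")
    print(f"logistic model with {POST_EXTRAPOLATION:,} vulnerable hosts: "
          f"{result['seconds_for_post_population']:.0f} s to {DONE_FRACTION:.0%}")
    # The S-curve the post's 45 minutes actually hides: slow start, then a wall.
    for minutes in (0, 5, 10, 20, 30, 45):
        hosts = infected_at(minutes * 60, VULNERABLE, SEEDS, rate)
        print(f"  t={minutes:2d} min  infected={hosts:8.0f}")
```

The linear figure comes out at 768,000 rather than the post's 768,960 only because the post rounded the rate to 4.45 per second before multiplying. The point is the other number: with the per-host probe rate implied by the post's own data, the logistic model saturates a population of 768,960 hosts in about a minute, not two days, because a larger vulnerable population makes every random probe more likely to land. The 48-hour antivirus assumption is irrelevant at that speed.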
It's illogical to assume that Witty was a fluke, no matter how comforting that thought may be.
Witty showed that:
- Not all virus writers are goofy kids doing the modern-day version of vandalizing mailboxes
- Not all Internet viruses are merely annoying, or only concerned with denial of service
- No patch management system in the world is fast enough to guarantee every host is patched before this level of attack arrives
- A small population is no defense against attack
Even on a Mac