Fwd: The witty worm

Fwd: The witty worm

[SBlaze]

Got this in...thought I would forward it on to the nerfilter list in the
interest of security.

According to the link.. "Witty is a network worm that spreads through direct
network connections, targeting machines that are running BlackIce security
software."  

It exploits ICQ apparently... "Witty uses a vulnerability in ICQ instant
messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM)."

It might be a good idea to start LOG lines for a source of port 4000 for
unusual traffic(for iptable secured gateways). This would be effective in Even
beter; block or limit these for awhile?

Good Luck to everyone.

--- Gadi Evron <ge@egotistical.reprehensible.net> wrote:
> From Gadi Evron Sat Mar 20 09:25:22 2004
> Date: Sat, 20 Mar 2004 19:25:22 +0200
> From: Gadi Evron <ge@egotistical.reprehensible.net>
> To: bugtraq@securityfocus.com
> CC: full-disclosure@lists.netsys.com
> Subject: The witty worm
> 
> Information can be found at: http://www.f-secure.com/v-descs/witty.shtml
> 
> According to that link the worm sends itself to 20K random IP's,
> 
> It's also on a repeat though.
> 
> To block it you need to block packets coming from UDP source port 4000.
> 

> I'd suggest blocking local port 4000, as well. This thing spreads fast 
> and many networks probably send it out now too.
> 
> Example Cisco rule which shows how fast this thing spreads (from a 
> network ran by a friend of mine, Scott McHenry):
> 
> deny udp any eq 4000 any (65 matches)
> <20 seconds>
> deny udp any eq 4000 any (77 matches)
> 
> 	Gadi Evron.
> 


=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html

Re: Fwd: The witty worm

[Sven Schuster]

[-- Attachment #1: Type: text/plain, Size: 1446 bytes --]


Good morning,

On Sat, Mar 20, 2004 at 04:34:55PM -0800, SBlaze told us:
> Got this in...thought I would forward it on to the nerfilter list in the
> interest of security.
> 
> According to the link.. "Witty is a network worm that spreads through direct
> network connections, targeting machines that are running BlackIce security
> software."  
> 
> It exploits ICQ apparently... "Witty uses a vulnerability in ICQ instant
> messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM)."

Just for clarification, it does not exploit ICQ but the ICQ protocol 
parsing routines of the blackice firewall (seems to be one of those 
personal firewalls I think).

> 
> It might be a good idea to start LOG lines for a source of port 4000 for
> unusual traffic(for iptable secured gateways). This would be effective in Even
> beter; block or limit these for awhile?

Well I think on a gateway/firewall you wouldn't have blackice running.
And in any kind of seriously corporate environment, I think chat systems
like ICQ should always be filtered and therefore stopped at the
(netfilter :) firewall. Of course you need to secure your internal LAN,
too, but have a personal firewall on each & every desktop??

> 
> Good Luck to everyone.
> 

Sven

-- 
Linux zion 2.6.4 #2 Thu Mar 11 20:52:05 CET 2004 i686 athlon i386 GNU/Linux
 01:59:28  up 9 days,  3:03,  1 user,  load average: 0.00, 0.02, 0.02

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: Fwd: The witty worm

[SBlaze]

--- Sven Schuster <schuster.sven@gmx.de> wrote:
> 
> Good morning,
> 
> On Sat, Mar 20, 2004 at 04:34:55PM -0800, SBlaze told us:
> > Got this in...thought I would forward it on to the nerfilter list in the
> > interest of security.
> > 
> > According to the link.. "Witty is a network worm that spreads through
> direct
> > network connections, targeting machines that are running BlackIce security
> > software."  
> > 
> > It exploits ICQ apparently... "Witty uses a vulnerability in ICQ instant
> > messaging protocol parsing routines of the ISS Protocol Analysis Module
> (PAM)."
> 
> Just for clarification, it does not exploit ICQ but the ICQ protocol 
> parsing routines of the blackice firewall (seems to be one of those 
> personal firewalls I think).
> 
Alert those web sites to this..as you can see I quoted them.
> > 
> > It might be a good idea to start LOG lines for a source of port 4000 for
> > unusual traffic(for iptable secured gateways). This would be effective in
> Even
> > beter; block or limit these for awhile?
> 
> Well I think on a gateway/firewall you wouldn't have blackice running.
> And in any kind of seriously corporate environment, I think chat systems
> like ICQ should always be filtered and therefore stopped at the
> (netfilter :) firewall. Of course you need to secure your internal LAN,
> too, but have a personal firewall on each & every desktop??
> 
No but internal LAN machines do transmit through the gateway...therefore if you
have machines already infected...you could quarentene it to your internal
LAN..till you get that cleaned up. Places like public libraries, EDUs, and
other various forms of public networks will have Personal Firewalls and almost
definatly various forms of IM software(ie ICQ) and as such could reak havoc.
Just saying this warning is not practical... is just well not practical.

However next time I think I will keep info to myself and trust people to
protect their own networks.



=====
In the absence of order there will be chaos.

__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html

Re: Fwd: The witty worm

[Sven Schuster]

[-- Attachment #1: Type: text/plain, Size: 1039 bytes --]


Good morning,

On Sat, Mar 20, 2004 at 05:29:49PM -0800, SBlaze told us:
> No but internal LAN machines do transmit through the gateway...therefore if you
> have machines already infected...you could quarentene it to your internal
> LAN..till you get that cleaned up. Places like public libraries, EDUs, and
> other various forms of public networks will have Personal Firewalls and almost
> definatly various forms of IM software(ie ICQ) and as such could reak havoc.
> Just saying this warning is not practical... is just well not practical.
> 
> However next time I think I will keep info to myself and trust people to
> protect their own networks.

Didn't mean to do any harm to you or your opinion, I just told my own
opinion. So, I think you should go on sending mails about topics like 
this to the list for discussion.

Again, just my 0.02 cent...

Sven

-- 
Linux zion 2.6.4 #2 Thu Mar 11 20:52:05 CET 2004 i686 athlon i386 GNU/Linux
 10:59:22  up 9 days, 12:03,  2 users,  load average: 0.07, 0.37, 0.55

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: Fwd: The witty worm

[Chris Brenton]

On Sat, 2004-03-20 at 19:34, SBlaze wrote:
>
> Got this in...thought I would forward it on to the nerfilter list in the
> interest of security.

Although if your not patched yet your hard drive is probably already
trashed. :(

> It exploits ICQ apparently... "Witty uses a vulnerability in ICQ instant
> messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM)."

Actually, its BlackICE that has the problem, not ICQ. If you have
BlackICE but not ICQ you can still get hosed. 

HTH,
C