Post by эך|χэ on May 21, 2004 10:17:30 GMT -5
Internet Security Systems Security Alert
March 20, 2004
BlackICE Witty Worm Propagation
Synopsis
ISS X-Force has learned of a worm that is spreading via the ICQ parsing vulnerability in ISS products that was announced on March 18th. The worm targets unpatched versions of the BlackICE PC Protection product. If a vulnerable system is infected, the Witty worm attempts to propagate by scanning random IP addresses. The Witty worm progressively writes junk data to physical hard drives after transmitting 20,000 packets, causing data damage.
Impact
The Witty worm uses hard-coded addresses and only has the ability to infect certain builds of the Protocol Analysis Module (PAM). The Witty worm is destructive to the target system, and overwrites key hard disk sectors after sending out its payload. The junk data written to disk may impact system stability and cause a "blue screen" to occur upon reboot.
The Witty worm only infects specific builds of PAM listed below, and can only infect Win32 systems.
Affected Versions
BlackICE™ Agent for Server 3.6 ebz, ecd, ece, ecf
BlackICE PC Protection 3.6 cbz, ccd, ccf
BlackICE Server Protection 3.6 cbz, ccd, ccf
RealSecure® Network 7.0, XPU 22.4 and 22.10
RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
RealSecure Desktop 3.6 ebz, ecd, ece, ecf
RealSecure Guard 3.6 ebz, ecd, ece, ecf
RealSecure Sentry 3.6 ebz, ecd, ece, ecf
Note: No Proventia products are affected by the Witty worm. The newest updates for all products are not vulnerable to exploitation.
Description
The Witty worm exploits a stack-based overflow in ICQ response parsing in the Protocol Analysis Module (PAM) of ISS products. It is a memory-resident worm only, and contains no file payload. Witty propagates via UDP, sending UDP packets with a random destination and destination port. The source port of Witty traffic is 4000, and the source address is not spoofed.
The worm will attempt to propagate immediately by sending copies of itself out across the wire to random targets. After sending a predefined number of packets, Witty attempts to open a randomly determined physical drive and write 64k of data to a random location. This cycle repeats for every 20,000 packets sent.
Recommendations
ISS Product updates that address this vulnerability have been available since March 9, 2004. These updates are accessible via the ISS Download Center:
www.iss.net/download/
ISS X-Force recommends that networks block UDP packets with a source port of 4000 at the network gateway to block inbound worm propagation. Data on infected systems may be damaged. ISS X-Force recommends that systems that are infected are removed from the network, and powered down. ISS X-Force further recommends that data recovery techniques are employed to assess damage and to recover data.
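The propagation pattern the advisory describes (UDP, fixed source port 4000, random destination address and destination port, unspoofed source) can be turned into a simple fan-out detector over flow logs, which is more useful than matching on source port alone because legitimate ICQ server traffic also originates from port 4000. This is an added example, not code from ISS or from the post; the flow record format, the sample records and the fan-out threshold are assumptions.

```python
# Added example (not part of the ISS advisory): flag hosts whose outbound UDP
# traffic matches the Witty propagation pattern: source port 4000, many distinct
# random destination addresses and destination ports within the observed window.
from collections import defaultdict

# Constructed sample flow records (assumed format): "src_ip src_port dst_ip dst_port proto".
# 10.0.0.5 behaves like an infected host; 10.0.0.8 shows ordinary DNS and a single
# ICQ-style exchange with a server on port 4000, which must not be flagged.
SAMPLE_FLOWS = """
10.0.0.5 4000 198.51.100.7 17731 UDP
10.0.0.5 4000 203.0.113.9 61002 UDP
10.0.0.5 4000 192.0.2.44 2301 UDP
10.0.0.5 4000 198.51.100.200 51234 UDP
10.0.0.5 4000 203.0.113.120 40001 UDP
10.0.0.8 51000 10.0.0.1 53 UDP
10.0.0.8 4000 203.0.113.5 4000 UDP
10.0.0.9 4000 203.0.113.5 4000 TCP
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto = line.split()
        flows.append((src, int(sport), dst, int(dport), proto.upper()))
    return flows


def witty_suspects(flows, min_targets=5):
    """Return {src_ip: (distinct_dst_ips, distinct_dst_ports)} for hosts that send
    UDP from source port 4000 to at least min_targets distinct destinations.
    The fan-out threshold (assumed value) separates worm scanning from a
    legitimate ICQ server answering a handful of clients from port 4000."""
    fanout = defaultdict(lambda: (set(), set()))
    for src, sport, dst, dport, proto in flows:
        if proto == "UDP" and sport == 4000:
            fanout[src][0].add(dst)
            fanout[src][1].add(dport)
    return {src: (len(ips), len(ports))
            for src, (ips, ports) in fanout.items()
            if len(ips) >= min_targets}


if __name__ == "__main__":
    for host, (ips, ports) in witty_suspects(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: UDP src port 4000 to {ips} hosts / {ports} ports; isolate and power down")
```

Hosts it reports are candidates for the advisory's response steps (remove from network, power down, assess disk damage); the gateway rule blocking inbound UDP with source port 4000 is applied separately.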