'Witty worm' burns briefly but brightly

A worm exploiting holes in one company's internet security software quickly compromised tens of thousands of servers this past weekend, before crashing the infected computers.

The worm, dubbed Witty, exploits a flaw found last Wednesday in software and devices created by network protection firm Internet Security Systems. Using a manner of infection similar to the fast-spreading Slammer worm, the Witty program compromised more than 20,000 machines in less than an hour. The worm also overwrote data on the infected computer, quickly crashing systems, said Johannes Ullrich, chief technology officer for the Internet Storm Center.

"Because it crashes the machines eventually, it died off really fast," Ullrich said. He estimated almost 30,000 computers had been infected by the worm, and most of them had crashed because of file corruption within 30 minutes of being infected.

The worm breached systems through a security hole in ISS's firewall products, such as its BlackICE and RealSecure software. While the flaw affects the company's Proventia network devices, the manner in which the worm is constructed prevents it from infecting the devices.

ISS estimated that the worm could only affect about two per cent of its customer base. Subscribers to the company's maintenance service had already received the update a week prior to the release of the worm, ISS stated on its website.

Dan Ingevaldson, director of ISS's vulnerability research and development group, said: "We have been doing our own research and we came up with 12,000 internet addresses [that seem to be infected] at last check. It is impossible to know how widespread it is. Whenever you count IP addresses you may be double counting or triple counting machines."

An unknown author created the worm about two days after news of the flaw became public, in what may be the fastest turnaround of malicious code writing to date. Like Slammer, the Witty worm spread through single packets of data sent on the Internet using a protocol known as the user datagram protocol, or UDP.

Robert Lemos writes for News.com