Educause Security Discussion mailing list archives

MALICIOUS Witty worm -- port block recommendations


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Sun, 21 Mar 2004 16:41:24 -0500

Dear all,

The newly discovered Witty[1] worm attacks Windows client and server systems running ISS BlackICE and RealSecure 
firewall products. The worm is malicious - it slowly destroys information on the host's hard drive while replicating. 
Infected systems will have to be rebuilt from scratch, with a very high probability of data loss. The worm payload is 
contained in a single UDP packet with a source port of 4000 and a random destination port. Vulnerable versions and 
patch information can be found at the ISS site[2].

Only systems running ISS BlackICE and RealSecure are affected, therefore exposure will vary according to use of these 
products at your institution. A substantial amount of infection has been reported at institutions of higher-ed.

A method to slow down infection is through blocking of source port UDP 4000 inbound and outbound at your border and 
within your network if possible. Blocking source UDP 4000 can cause hit-and-miss problems because 4000 is also used as an 
ephemeral source port by DNS resolvers and other services. It's possible these services will recover by retrying from 
the next ephemeral port.

Port blocking won't prevent the spread of infection if the worm has a hold within your network. Blocking within your 
network will at best segment some subnets that haven't been infected yet. Port blocking can reduce the rate of spread 
of this infection. Strategies for port blocking need to be considered at each institution according to their vulnerability 
and potential as a source for this infection to the Internet at large.
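The two paragraphs above describe the worm's traffic signature (UDP, fixed source port 4000, random destination port) and the caveat that the same source port is legitimately picked as an ephemeral port by DNS resolvers. The following is an added example, not part of the original mail or of any ISS or REN-ISAC tooling, showing how a network team could triage a flow log for that signature while separating the likely DNS collisions from hosts that are spraying packets at random destinations. The log format and all addresses, timestamps and byte counts are constructed for the example.

```python
"""Triage a simple flow log for the Witty traffic signature.

Added example, not from the original advisory. The log format below is a
constructed, simplified text format (timestamp, protocol, src:port -> dst:port,
bytes), not the output of any real collector.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

WITTY_SRC_PORT = 4000   # fixed UDP source port of the worm's single packet (from the advisory)
DNS_PORT = 53           # destination port of the legitimate case the advisory warns about

# Constructed sample log: one host (10.1.2.3) sends UDP from port 4000 to
# several unrelated destinations; 10.1.2.50 is a resolver whose ephemeral
# port happened to be 4000; the TCP line and the other DNS line are noise.
SAMPLE_LOG = """\
2004-03-21T16:40:01 UDP 10.1.2.3:4000 -> 192.0.2.77:18342 1100
2004-03-21T16:40:01 UDP 10.1.2.3:4000 -> 198.51.100.9:5023 1100
2004-03-21T16:40:02 UDP 10.1.2.50:4000 -> 10.1.0.1:53 64
2004-03-21T16:40:02 UDP 10.1.2.3:4000 -> 203.0.113.200:40011 1100
2004-03-21T16:40:03 TCP 10.1.2.8:4000 -> 10.1.9.9:80 420
2004-03-21T16:40:03 UDP 10.1.2.60:33021 -> 10.1.0.1:53 64
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (\S+):(\d+) -> (\S+):(\d+) (\d+)$")


@dataclass
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flow(line):
    """Parse one log line into a Flow, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport, nbytes = m.groups()
    return Flow(ts, proto.upper(), src, int(sport), dst, int(dport), int(nbytes))


def classify(flow):
    """Return 'witty', 'dns_collision', or None for flows that don't match the signature."""
    if flow.proto != "UDP" or flow.sport != WITTY_SRC_PORT:
        return None
    # A resolver that drew 4000 as its ephemeral port talks to port 53;
    # this is the hit-and-miss case a blanket block of source port 4000 hits.
    if flow.dport == DNS_PORT:
        return "dns_collision"
    return "witty"


def scan(log_text):
    """Group matching flows by classification."""
    results = {"witty": [], "dns_collision": []}
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        label = classify(flow)
        if label:
            results[label].append(flow)
    return results


def suspect_hosts(results, min_distinct_dsts=2):
    """Sources whose port-4000 UDP went to several distinct destinations.

    The worm picks random destinations, so one source fanning out to many
    hosts is the pattern worth isolating first; a single stray hit is not.
    """
    dsts = defaultdict(set)
    for flow in results["witty"]:
        dsts[flow.src].add(flow.dst)
    return sorted(src for src, d in dsts.items() if len(d) >= min_distinct_dsts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print("witty-pattern flows:", len(found["witty"]))
    print("probable DNS collisions:", len(found["dns_collision"]))
    print("hosts to isolate:", suspect_hosts(found))
```

Run against the sample, the script reports three signature flows, one DNS collision, and a single host to isolate. In practice the same logic would be applied to border or core flow exports, and the DNS-collision count gives a rough measure of how much legitimate traffic a source-port-4000 block would disturb.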

The worm began gaining strength on Saturday. There are many vulnerable desktop systems that were turned off by their 
owners over the weekend. Efforts should be undertaken to PREVENT THE OWNERS FROM arriving Monday morning, TURNING ON 
THEIR MACHINE, only to have the machine immediately infected with Witty, and exposed to corruption and data loss.

Regards,

Doug Pearson
REN-ISAC
http://www.ren-isac.net


[1] http://www.lurhq.com/witty.html
[2] http://xforce.iss.net/xforce/alerts/id/167
