analysis of the Witty worm
Vin McLellan
vin at theworld.com
Tue Jun 14 11:47:43 EDT 2005

Every once in a while really smart people say really stupid things.

The gratuitous allegations, in one tiny section of this otherwise slick and
fascinating paper, that the author of the Witty worm was an "ISS insider" is
an example of this.

The idea was that only an "insider" could have known, pre-attack, that a
certain US military installation and a university -- two small PC
communities pre-infected and used to launch the worm's round-the-world
epidemic in '04 -- were ISS customers running flawed ISS products. The
fact that this "secret knowledge" was known to the attacker was used to
justify the accusation against ISS employees and associates, and (more
blatantly) in a 5/24 SecurityFocus article on this paper, and subsequent
silly comments by Nick Weaver on the SecurityFocus website.

One might as well gratuitously announce that there is probably a rapist
among Paxson and Weaver's colleagues at UC Berkeley's ICSI, or that an
arsonist is probably working in Steve's Columbia department. Such comments
are outrageous, irresponsible, and probably (under both US and Canadian
law) libelous.

I don't know if ISS asked that the original paper be edited or removed from
circulation, but I would be surprised if they didn't sic their lawyers on
SecurityFocus at least. They'd have to be saints to refrain. I suspect
that I was not the only one to write a strong letter to SecurityFocus
(published in Canada by Symantec, an ISS competitor, mind you) suggesting
that the article was irresponsible and libelous, and that an apology was
due to ISS.

SecurityFocus immediately deleted the readers' comments on the article, and
did some fast edits. (I think they rewrote the ending to insert a
mealy-mouthed declaration that evidence of a direct ISS connection, despite
the profound and brilliant comments of Kumar, Paxson, & Weaver, remained
"elusive.")

Damn right. There are innumerable ways in which vulnerable ISS customers
could have been identified, from social engineering to, say, just watching
the email bounces on the various ISS customer support mailing lists, which
are widely mirrored.

The technical naivete of cops and journalists has been a source of humor on
this list and other tech-savvy forums for years. Here the shoe is on the
other foot. The accusation against ISS, on such flimsy grounds -- in this
paper, the SF article, and in Mr. Weaver's subsequent public comments --
was doubtless met with similar groans and exasperated scorn among
professional investigators and journalists.

_Vin

Steve Bellovin wrote:

>Readers of this list may be interested in an analysis of the Witty
>worm's spread by Kumar, Paxson, and Weaver. An article summarizing
>the paper is at
>http://www.zdnet.co.uk/print/?TYPE=story&AT=39200183-39020375t-10000025c
>A tentative conclusion is that the worm was probably written by an
>insider at ISS....
>
>The paper itself (there's a link in the article) has several more items
>of interest to this list. Especially interesting is the effective
>cryptanalysis of the PRNG used by the worm. Implicit in many of the
>analyses, though not a focus of the paper, is the amount of information
>that the authors could gather about network configurations at different
>sites: as we all know, traffic analysis is a powerful technique.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

When Jerrold Leichter couldn't find it online, Steve offered:

>>It's on Vern's web page:
>>http://www.icir.org/vern/papers/witty-draft.pdf or
>>http://www.icir.org/vern/papers/witty-draft.ps

---------------------------------------------------------------------
The Cryptography Mailing List