analysis of the Witty worm

Vin McLellan vin at theworld.com
Tue Jun 14 11:47:43 EDT 2005


Every once in a while really smart people say really stupid things.

The gratuitous allegations, in one tiny section of this otherwise slick and 
fascinating paper, that the author of the Witty worm was an "ISS insider" are 
an example of this.

The idea was that only an "insider" could have known, pre-attack, that a 
certain US military installation and a university -- two small PC 
communities pre-infected and used to launch the worm's round-the-world 
epidemic in '04  -- were ISS customers running flawed ISS products. The 
fact that this "secret knowledge" was known to the attacker was used to 
justify the accusation against ISS employees and associates, and (more 
blatantly) in a 5/24 SecurityFocus article on this paper, and subsequent 
silly comments by Nick Weaver on the SecurityFocus website.

One might as well gratuitously announce that there is probably a rapist 
among Paxson and Weaver's colleagues at UC Berkeley's ICSI, or that an 
arsonist is probably working in Steve's Columbia department.  Such comments 
are outrageous, irresponsible, and probably (under both US and Canadian 
law) libelous.

I don't know if ISS asked that the original paper be edited or removed from 
circulation, but I would be surprised if they didn't sic their lawyers on 
SecurityFocus at least.  They'd have to be saints to refrain.  I suspect 
that I was not the only one to write a strong letter to SecurityFocus 
(published in Canada by Symantec, an ISS competitor, mind you) suggesting 
that the article was irresponsible and libelous, and that an apology was 
due to ISS.

SecurityFocus immediately deleted the readers' comments on the article, and 
did some fast edits. (I think they rewrote the ending to insert a 
mealy-mouthed declaration that evidence of a direct ISS connection, despite 
the profound and brilliant comments of Kumar, Paxson, & Weaver, remained 
"elusive.")

Damn right. There are innumerable ways in which vulnerable ISS customers 
could have been identified, from social engineering to, say, just watching 
the email bounces on the various ISS customer support mailing lists, which 
are widely mirrored.

The technical naivete of cops and journalists has been a source of humor on 
this list and other tech-savvy forums for years. Here the shoe is on the 
other foot. The accusation against ISS, on such flimsy grounds -- in this 
paper, the SF article, and in Mr. Weaver's subsequent public comments -- 
was doubtless met with similar groans and exasperated scorn among 
professional investigators and journalists.

_Vin

Steve Bellovin wrote:

>Readers of this list may be interested in an analysis of the Witty
>worm's spread by Kumar, Paxson, and Weaver.  An article summarizing
>the paper is at 
>http://www.zdnet.co.uk/print/?TYPE=story&AT=39200183-39020375t-10000025c
>A tentative conclusion is that the worm was probably written by an
>insider at ISS....
>
>The paper itself (there's a link in the article) has several more items
>of interest to this list.  Especially interesting is the effective
>cryptanalysis of the PRNG used by the worm.  Implicit in many of the
>analyses, though not a focus of the paper, is the amount of information
>that the authors could gather about network configurations at different
>sites: as we all know, traffic analysis is a powerful technique.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

When Jerrold Leichter couldn't find it online, Steve offered:

>>It's on Vern's web page:
>>http://www.icir.org/vern/papers/witty-draft.pdf or
>>http://www.icir.org/vern/papers/witty-draft.ps



---------------------------------------------------------------------
The Cryptography Mailing List