
Witty Worm Analysis

A new worm has been discovered exploiting the ISS/PAM ICQ module vulnerability. The worm payload is contained in a single UDP packet with a fixed source port of 4000 and a variable destination port. The destination port and packet size vary depending on the destination IP address. Only the first 470 bytes of the payload are the working code of the worm; the remainder appears to be the contents of the memory immediately past where the worm code overflows the stack.

There are reports that the worm has also been seen coming from source ports other than 4000. This is probably due to the packet passing through a NAT device which changes the source port in the translation. These packets will not be able to spread the worm unless their destination port happens to be 4000. The likelihood that they will hit an IP address where the destination port calculation equals 4000 and that the destination host will be running the specific version of the vulnerable DLL is fairly small, so these packets are effectively harmless. Aside from those stray NAT packets, the ISS PAM module will inspect the worm packet regardless of whether there is a service listening on the destination port. If the packet is inspected by a vulnerable version of BlackICE or RealSecure, the packet payload will be executed.

This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist - unfortunately it will take all the affected systems with it. Rather than simply executing a "format C:" or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread.

BlackICE versions 3.5 and below are not affected by the worm or the vulnerability. Version 3.6ccf may be the only BlackICE version on which the worm functions, but this is not guaranteed since we are unable to verify that each prior version does not use the affected DLL. The worm will not affect version 3.6ccg, the latest version as of this writing. If you are running version 3.6.16 build 1.10.104.47 of iss-pam1.dll you are vulnerable to the worm. If you are running any prior version of the iss-pam1.dll you are vulnerable to the exploit but probably not this worm. It is important to upgrade in any case, since the worm could easily be rewritten to work on other versions prior to 3.6ccf.

The affected versions of RealSecure are unclear at this time. It is safe to say that the worm code is fully dependent on version 3.6.16 build 1.10.104.47 of the iss-pam1.dll, so any ISS product using that version of the DLL will probably be affected.

The dependence on the DLL version lies in the way the worm obtains the addresses for the Windows API calls. It relies on the imported functions from the iss-pam1.dll file being at a specific address. When the DLL is recompiled between shipped revisions, these offsets are subject to change. A change in the offsets will cause the worm to call the wrong function or execute invalid code. Systems vulnerable to the exploit but not running the specific version of the DLL the worm relies on may experience crashes of the BlackICE or RealSecure software.

Finding the DLL Version

You can check the version of the vulnerable DLL by right-clicking on the BlackICE tray icon and selecting "View BlackICE Alerts". In the alert dialog, choose Help->About BlackICE. If the version shown is 3.6.16, locate the DLL file in Windows Explorer, right-click on it and choose "Properties". In the Version tab, look for the file version. The worm-affected DLL is 1.10.104.47. The latest version which is not vulnerable at the time of this writing is 1.10.104.68.
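The Explorer procedure above does not scale to more than a handful of hosts. The following script is an added example, not SecureWorks' code: it reads the "File version" field of iss-pam1.dll through the Win32 version APIs (version.dll via ctypes) and classifies the result using the version statements on this page. The install root to search is an assumption (the page has you locate the DLL in Explorer), and the "not-covered" label for builds that fall between the worm-affected version and the fixed version is also an assumption, since the page says nothing about them.

```python
import ctypes
import os
from ctypes import wintypes

# File versions taken from the advisory text.
WORM_AFFECTED = (1, 10, 104, 47)   # build whose import offsets the worm hard-codes
FIRST_FIXED = (1, 10, 104, 68)     # latest non-vulnerable build at the time of writing


def parse_version(text):
    """'1.10.104.47' -> (1, 10, 104, 47) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(version):
    """Map an iss-pam1.dll file version onto the advisory's statements."""
    if version == WORM_AFFECTED:
        return "worm-affected"        # the worm runs here: patch immediately
    if version < WORM_AFFECTED:
        return "exploit-vulnerable"   # vulnerable to the bug, probably not to this worm
    if version >= FIRST_FIXED:
        return "not-vulnerable"
    # ASSUMPTION: builds between .47 and .68 are not discussed on the page.
    return "not-covered"


class VS_FIXEDFILEINFO(ctypes.Structure):
    """Fixed-length header of the VS_VERSIONINFO resource (winver.h layout)."""
    _fields_ = [
        ("dwSignature", wintypes.DWORD), ("dwStrucVersion", wintypes.DWORD),
        ("dwFileVersionMS", wintypes.DWORD), ("dwFileVersionLS", wintypes.DWORD),
        ("dwProductVersionMS", wintypes.DWORD), ("dwProductVersionLS", wintypes.DWORD),
        ("dwFileFlagsMask", wintypes.DWORD), ("dwFileFlags", wintypes.DWORD),
        ("dwFileOS", wintypes.DWORD), ("dwFileType", wintypes.DWORD),
        ("dwFileSubtype", wintypes.DWORD),
        ("dwFileDateMS", wintypes.DWORD), ("dwFileDateLS", wintypes.DWORD),
    ]


def dll_file_version(path):
    """Return the file version shown on Explorer's Version tab (Windows only)."""
    ver = ctypes.windll.version
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        raise OSError("no version resource in %s" % path)
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        raise OSError("GetFileVersionInfoW failed for %s" % path)
    ptr, length = ctypes.c_void_p(), wintypes.UINT()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        raise OSError("VerQueryValueW failed for %s" % path)
    info = ctypes.cast(ptr, ctypes.POINTER(VS_FIXEDFILEINFO)).contents
    return (info.dwFileVersionMS >> 16, info.dwFileVersionMS & 0xFFFF,
            info.dwFileVersionLS >> 16, info.dwFileVersionLS & 0xFFFF)


def find_dll(root, name="iss-pam1.dll"):
    """Walk the install tree for every copy of the DLL (case-insensitive)."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name:
                yield os.path.join(dirpath, f)


if __name__ == "__main__":
    root = r"C:\Program Files"  # ASSUMPTION: the page does not give the install path
    for dll in find_dll(root):
        version = dll_file_version(dll)
        print(dll, ".".join(map(str, version)), classify(version))
```

Run it on each BlackICE or RealSecure host; a "worm-affected" result is the same 1.10.104.47 build the page tells you to look for in Explorer, and anything other than "not-vulnerable" needs the upgrade the page recommends.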

The worm's functionality is as follows:

  1. Generates a random IP address
  2. Sends the worm payload
  3. Repeats steps 1-2 20,000 times
  4. Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
  5. Seeks to a random point on the disk
  6. Writes 65K of data from the beginning of the vulnerable DLL to the disk
  7. Closes the disk
  8. Starts the process over from step 1

The act of writing directly to the drive is certain to cause filesystem corruption. Any infected machine will likely have its operating system and partition data destroyed along with most files on the physical drives, depending on how long the worm runs on the machine.

Snort Signature

The following signature will detect the worm traffic:

alert udp any 4000 -> any any (msg:"ISS PAM/Witty Worm Shellcode"; content:"|65 74 51 68 73 6f 63 6b 54 53|"; depth:246; classtype:misc-attack; reference:url,www.secureworks.com/research/threats/witty; sid:1000078; rev:1;)
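To show exactly what the rule above matches, here is an added example that is not part of the SecureWorks page: a small Python matcher that parses a raw UDP datagram and applies the rule's three conditions (source port 4000, the ten content bytes, and depth:246, which requires the whole pattern to lie within the first 246 payload bytes). The sample datagrams are constructed, not captured; the destination port 1201 is an arbitrary choice, since the page only says the real destination port varies with the target address. The third sample illustrates the NAT caveat from earlier on the page: a copy whose source port was rewritten by NAT does not fire the rule as written, which is acceptable because the page explains that such packets are effectively harmless, but the require_src_port switch lets you count them anyway.

```python
import struct

# Rule options transcribed from the page's Snort signature.
WITTY_SRC_PORT = 4000
WITTY_CONTENT = bytes.fromhex("65745168736f636b5453")  # |65 74 51 68 73 6f 63 6b 54 53|
WITTY_DEPTH = 246                                      # depth:246
WITTY_MSG = "ISS PAM/Witty Worm Shellcode"


def parse_udp(datagram):
    """Split a raw UDP datagram (8-byte header + payload) into (src_port, dst_port, payload)."""
    if len(datagram) < 8:
        raise ValueError("short UDP datagram")
    src, dst, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    return src, dst, datagram[8:length]


def matches_witty_rule(src_port, payload, require_src_port=True):
    """True when the packet would fire the rule: port 4000 and content wholly inside depth."""
    if require_src_port and src_port != WITTY_SRC_PORT:
        return False
    # bytes.find(sub, start, end) only reports hits that fit entirely in payload[0:246],
    # which is what Snort's 'depth' modifier means.
    return payload.find(WITTY_CONTENT, 0, WITTY_DEPTH) != -1


def scan(datagrams, require_src_port=True):
    """Return one alert tuple per matching datagram: (index, src_port, dst_port, msg)."""
    alerts = []
    for i, dgram in enumerate(datagrams):
        src, dst, payload = parse_udp(dgram)
        if matches_witty_rule(src, payload, require_src_port):
            alerts.append((i, src, dst, WITTY_MSG))
    return alerts


def build_udp(src_port, dst_port, payload):
    """Assemble a UDP datagram for the constructed samples (checksum left as 0)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


# Constructed sample traffic (not real captures). The marker is placed at offset 100,
# inside the 246-byte window the rule searches; the worm's own code is 470 bytes long.
SAMPLES = [
    build_udp(4000, 1201, b"\x90" * 100 + WITTY_CONTENT + b"\x00" * 400),   # worm-shaped
    build_udp(4000, 1201, b"\x90" * 300 + WITTY_CONTENT),                    # marker past depth
    build_udp(51234, 1201, b"\x90" * 100 + WITTY_CONTENT + b"\x00" * 400),  # NAT-rewritten port
    build_udp(4000, 1201, b"\x00" * 500),                                    # port 4000, no marker
]


if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print("ALERT sample=%d %d -> %d %s" % alert)
```

With the default setting only the first sample alerts, matching the behaviour of the rule as published; with require_src_port=False the NAT-rewritten copy is reported as well, which is useful for measuring how much worm traffic is reaching you rather than for judging exposure.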
