WeekEnd Feature: Tiny minds?
by Ian Thompson, CCSP Staff Editor
April 17, 2004
How safe do you think your systems are? There have been a couple of recent developments over the last few weeks that highlight the concept of multi-layered, multi-vendor solutions quite nicely.
There have also been a couple of other snippets to be going on with...
ISS that good enough?
'Witty' is a word that generally doesn't apply to virus writers. Annoying, derivative, beguiling even, but not really witty. Perhaps the nearest to witty that they get is the messages included within their coded creations. Not.
Sorry, sarcasm is supposed to be the lowest form...
Anyway, the recent 'Witty' virus was both technically clever, whilst also being worryingly destructive. It also targeted a specific flaw in a single software package line - ISS BlackIce Defender and RealSecure.
It is a racing certainty that software will have bugs in it. A modern computer system relies on the interaction between very complex code structures, the biggest of which is Windows (with about 50 million or so lines in XP). It is often a wonder that anything works, what with all of the interactions that are possible.
Small is beautiful
Witty is a tiny piece of code - 637 bytes - which isn't the smallest example of malicious software (that honour goes to 'Slammer'). According to security analysts, there were about 12,000 susceptible systems protected by ISS software, which isn't a large number when compared to the millions of Windows PCs out there.
However, there are a few other key points to note.
ISS had only issued the patch for the vulnerability the day previous to the Witty attack. This showed the speed at which this tiny terror was developed (although who's to say if the coders hadn't known about the issue earlier).
By all accounts, the attack was launched from a bot network, allowing for a very much quicker initial deployment. There are literally thousands of bot slaves running at their unseen masters' beck and call, so this is perhaps not an unusual point - it's just the first time it seems to have been used for anything other than DDOSing or spam relaying.
Witty is destructive to the host system. Its actions involved quickly sending out 20,000 copies of itself, then slowly filling the hard drive of the host PC until it could no longer function properly, if at all.
Witty didn't use any trick systems, just the regular SMTP system and a bit of random padding to avoid detection by simple checksum-matching by some security titles.
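The padding point above is worth seeing in code: a whole-file checksum only ever matches one exact byte sequence, so any variant with a different amount of random padding slips past it, while a signature on the invariant bytes still fires. The following is an added illustration, not code from the article or from ISS; the "core" bytes and the padding scheme are constructed stand-ins, not any real worm's content.

```python
import hashlib
import os

# Constructed stand-in for the part of a payload that does not change between copies
# (just an illustrative byte string, not real malicious code).
CORE = b"CONSTRUCTED-SAMPLE-CORE-BYTES"


def make_variant(pad_len: int) -> bytes:
    """Simulate a copy whose only difference is pad_len bytes of random trailing padding."""
    return CORE + os.urandom(pad_len)


def hash_match(sample: bytes, known_hash: str) -> bool:
    """Whole-file checksum detection: catches only an exact byte-for-byte copy."""
    return hashlib.sha256(sample).hexdigest() == known_hash


def signature_match(sample: bytes, signature: bytes) -> bool:
    """Content signature: matches the invariant bytes wherever they sit, padding or not."""
    return signature in sample


def evaluate(n_variants: int = 20) -> dict:
    """Count how many padded variants each detection method catches.

    The reference hash is taken from the unpadded copy, which is what a
    checksum-based product would have on file after seeing the first sample.
    """
    reference_hash = hashlib.sha256(make_variant(0)).hexdigest()
    hash_hits = 0
    sig_hits = 0
    for i in range(n_variants):
        variant = make_variant(1 + i * 7)  # every variant gets a different padding length
        hash_hits += hash_match(variant, reference_hash)
        sig_hits += signature_match(variant, CORE)
    # A benign file must not trigger either method (constructed sample input).
    benign = os.urandom(64)
    false_positive = hash_match(benign, reference_hash) or signature_match(benign, CORE)
    return {
        "variants": n_variants,
        "hash_hits": hash_hits,
        "signature_hits": sig_hits,
        "false_positive": false_positive,
    }


if __name__ == "__main__":
    print(evaluate())
```

The lesson for a defender is that a detection keyed on a hash of the whole file is brittle against even the crudest variation; matching on stable content (or on behaviour) holds up.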
It's not unusual...
So, Witty was quick to act on a security flaw (even ahead of the most diligent end user); deliberately went after a security product that had been chosen by those wishing to protect their systems (and who are therefore grouped in with those deemed 'security conscious'); it was very quick to reach its 12,000 targets (about 45 minutes, according to one source); and, of course, it destroyed its host (and therefore itself).
This whole thing was over in a matter of days, and because the attack was launched over a weekend it barely made anyone notice. Except for the 12,000, of course...
For a worm, that is unusual.
You've got mail!
As if that's not all, details of how to knock out email servers made the headlines again. This time, it looks like the sort of thing that most of us can try from home. Ready? Let's begin.
Firstly, write your email. See? I said it was easy.
Then attach a small file - 20KB or so should do it, but before you go and just stick a blank Word document on it, remember to anonymise it first (most Office files include some identifiable material in them). Doddle, providing you can find a tool out there.
Then find an open email server that's set to return undeliverable mail, including attachment, back to where it originated. Getting a bit more tricky, but there are free tools to query a server to find out what version software it uses, and what capabilities it has.
Finally, forge the email so that it looks as if it's come from the intended target. Don't forget to include about a thousand badly-formed email addresses in the CC or BCC. That I'll leave to you to discover.
Sending the email triggers the unwittingly co-opted mail server to return the entire message for each of the fake addresses to the 'originating' server. The tiny original message is multiplied on return and the target server collapses under the multi-megabyte load.
Apparently, about a third of all major companies are vulnerable.
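From the mail administrator's side, the damage comes from a server that accepts a message for addresses it cannot deliver to and then sends a bounce, complete with the attachment, for each one back to the forged sender. The model below is an added example, not code from the article and not any MTA's real logic; it puts numbers on the amplification for a weak policy versus two hardening steps (capping the bounce body, and refusing unknown recipients during the SMTP session so nothing is ever queued). The policy names, the `DSN_OVERHEAD` estimate, the user list and the message sizes are all constructed assumptions; the Postfix parameters named in the comments (`smtpd_recipient_limit`, `bounce_size_limit`) are the real settings these fields are modelled on.

```python
from dataclasses import dataclass

DSN_OVERHEAD = 1024  # constructed estimate: bytes of headers/boilerplate added to each bounce


@dataclass
class Message:
    sender: str        # envelope sender; every bounce is sent here, and it is trivially forgeable
    recipients: list   # envelope recipients
    size: int          # total bytes, attachment included


@dataclass
class MtaPolicy:
    name: str
    reject_unknown_at_smtp: bool  # refuse unknown recipients at RCPT TO instead of accept-then-bounce
    recipient_limit: int          # per-message recipient cap (modelled on Postfix smtpd_recipient_limit)
    bounce_size_limit: int        # bytes of the original echoed in a bounce (modelled on Postfix bounce_size_limit)


def bounce_bytes(msg: Message, policy: MtaPolicy, known_users: set) -> int:
    """Bytes this MTA would send back to msg.sender under the given policy.

    Hypothetical model: one bounce per undeliverable recipient, each carrying
    up to bounce_size_limit bytes of the original message plus fixed overhead.
    """
    if len(msg.recipients) > policy.recipient_limit:
        return 0  # message refused in-session; nothing queued, nothing to bounce
    undeliverable = [r for r in msg.recipients if r not in known_users]
    if policy.reject_unknown_at_smtp:
        return 0  # each bad RCPT TO gets a 5xx; the cost lands on the real sender, not the forged one
    per_bounce = min(msg.size, policy.bounce_size_limit) + DSN_OVERHEAD
    return len(undeliverable) * per_bounce


def amplification(msg: Message, policy: MtaPolicy, known_users: set) -> float:
    """Ratio of bytes delivered to the forged sender to bytes the attacker actually sent."""
    return bounce_bytes(msg, policy, known_users) / msg.size


KNOWN_USERS = {"alice@example.org", "bob@example.org"}  # constructed local user list


def build_message(bad_recipient_count: int, size: int = 20 * 1024) -> Message:
    """Constructed input: one 20KB message addressed to many non-existent local users."""
    bad = [f"nobody{i}@example.org" for i in range(bad_recipient_count)]
    return Message(sender="victim@target.example", recipients=bad, size=size)


POLICIES = [
    MtaPolicy("weak: accept then bounce, full attachment", False, 5000, 10_000_000),
    MtaPolicy("bounce size capped only", False, 5000, 2048),
    MtaPolicy("hardened: reject unknown at SMTP", True, 100, 2048),
]


def compare(bad_recipient_count: int = 1000) -> dict:
    """Bytes sent back to the forged sender under each policy, keyed by policy name."""
    msg = build_message(bad_recipient_count)
    return {p.name: bounce_bytes(msg, p, KNOWN_USERS) for p in POLICIES}


if __name__ == "__main__":
    msg = build_message(1000)
    for p in POLICIES:
        print(f"{p.name:45s} {bounce_bytes(msg, p, KNOWN_USERS):>12,d} bytes"
              f"  x{amplification(msg, p, KNOWN_USERS):.0f}")
```

Capping the bounce body on its own still leaves a thousand-fold-plus multiplier in the returned byte count, so the setting that actually closes the hole is the one that stops the server accepting mail for recipients it knows it cannot deliver to.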
I felt the earth - move - underneath my feet.
Finally, get ready for the next flip of the earth's magnetic field. This occurs at random intervals, but measuring the magnetic field preserved in sedimentary rock turns up a few things of note.
We're due one soon. Not the most revelatory piece of sleuthing, I grant you, but it has been around 780,000 years. Thing is, the study also showed it takes an enormously long time to 'flip', at an average of 7,000 years. If it started now, you'd not likely see the end of it.
So, motors will still spin correctly, electricity will still travel the right way, and the Internet will still let spam and smut through by the shed-load. Unless it suffers an email bombing, or uses unpatched security software, of course...
cheers, Ian_T
by Ian Thompson ComputerCops Staff Editor
Ian Thompson is a Network Manager of a 500-PC, 9-server, 1700-user school network and is an ICT teacher at a UK high school near the city of Leeds. He has written articles for the Hutchinson Encyclopedia, plus many resources in support of teaching ICT in the UK schools' National Curriculum.
Copyright © Ian Thompson All Rights Reserved 2004.
Posted on Saturday, 17 April 2004 @ 10:39:58 EDT by phoenix22