Witty Worm
March 8, 2008 – 3:09 PM

A new worm has been discovered exploiting the ISS/PAM ICQ module vulnerability. The worm payload is contained in a single 1025-byte UDP packet with a fixed source port of 4000 and a random destination port. Only the first 470 bytes of the payload are the working code of the worm; the remainder appears to be the contents of the memory immediately past where the worm code overflows the stack. The ISS PAM module will inspect the packet regardless of whether there is a service listening on the destination port. If the packet is inspected by a vulnerable version of BlackICE or RealSecure, the packet payload will be executed. This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist – unfortunately it will take all the affected systems with it. Rather than simply executing a “format C:” or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread.
BlackICE versions 3.5 and below are not affected by the worm or the vulnerability. Version 3.6ccf may be the only BlackICE version on which the worm functions but this is not guaranteed since we are unable to verify that each prior version does not use the affected dll. The worm will not affect version 3.6ccg, the latest version as of this writing.
The affected versions of RealSecure are unclear at this time. It is safe to say that the worm code is fully dependent on version 3.6.16 of the iss-pam1.dll, so any ISS product using that version of the DLL will probably be affected.
The dependence on the DLL version lies in the way the worm obtains the addresses for the Windows API calls. It relies on the imported functions from the iss-pam1.dll file being at a specific address. When the DLL is recompiled between shipped revisions, these offsets are subject to change. A change in the offsets will cause the worm to call the wrong function or execute invalid code. Systems vulnerable to the exploit but not running the specific version of the DLL the worm relies on may experience crashes of the BlackICE or RealSecure software.
The worm’s functionality is as follows:
1) Generates a random IP address
2) Sends the worm payload
3) Repeats steps 1-2 20,000 times
4) Opens a random PHYSICALDRIVE from 0-7, which allows raw hard disk access
5) Seeks to a random point on the disk
6) Writes 65K of data from the beginning of the vulnerable DLL to the disk
7) Closes the disk
8) Starts the process over from step 1
The act of writing directly to the drive will cause certain filesystem corruption. Any infected machine will likely have its operating system and partition data destroyed along with most files on the physical drives, depending on how long the worm runs on the machine.

Snort Signature
The following signature will detect the worm traffic:
alert udp any 4000 -> any any (msg:"ISS PAM/Witty Worm Shellcode"; content:"|65 74 51 68 73 6f 63 6b 54 53|"; depth:246; classtype:misc-attack; reference:www.lurhq.com/witty.html; sid:1000078; rev:1;)
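To show what the signature above actually checks, here is an added Python example (not code from the original advisory or from Snort) that applies the same rule logic to raw IPv4/UDP datagrams: source port 4000, and the ten content bytes found entirely within the first 246 bytes of the UDP payload (Snort's depth semantics). The sample datagrams are constructed inline with placeholder addresses and filler bytes; they are not captures of real worm traffic. The helper names (parse_udp_datagram, matches_witty, scan_datagrams) are this example's own.

```python
import struct

# Content bytes from the Snort rule: |65 74 51 68 73 6f 63 6b 54 53| ("etQhsockTS")
WITTY_CONTENT = bytes.fromhex("65745168736f636b5453")
WITTY_DEPTH = 246          # depth:246 - whole match must lie in the first 246 payload bytes
WITTY_SRC_PORT = 4000      # "udp any 4000 -> any any"
WITTY_PAYLOAD_LEN = 1025   # payload size stated in the advisory, used only as a hint


def parse_udp_datagram(frame: bytes):
    """Parse an IPv4 datagram (no link-layer header) carrying UDP.

    Returns (src_port, dst_port, payload) or None if it is not well-formed UDP.
    """
    if len(frame) < 20:
        return None
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != 17 or len(frame) < ihl + 8:   # protocol 17 = UDP
        return None
    src_port, dst_port, udp_len, _cksum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    payload = frame[ihl + 8:ihl + udp_len]
    return src_port, dst_port, payload


def matches_witty(src_port: int, payload: bytes) -> bool:
    """Apply the rule's port and content/depth conditions to one UDP payload."""
    if src_port != WITTY_SRC_PORT:
        return False
    # find() restricted to [0:WITTY_DEPTH] only succeeds if the full pattern fits inside
    return payload.find(WITTY_CONTENT, 0, WITTY_DEPTH) != -1


def scan_datagrams(frames):
    """Return a list of (index, src_port, dst_port, payload_len, matched) for each UDP frame."""
    results = []
    for i, frame in enumerate(frames):
        parsed = parse_udp_datagram(frame)
        if parsed is None:
            continue
        src, dst, payload = parsed
        results.append((i, src, dst, len(payload), matches_witty(src, payload)))
    return results


def build_udp_datagram(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+UDP datagram (constructed test input; checksums left zero)."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # placeholder addresses
    return ip_hdr + udp_hdr + payload


# Constructed samples: filler bytes with the signature content placed at a chosen offset.
def sample_payload(offset: int, total: int = WITTY_PAYLOAD_LEN) -> bytes:
    body = b"A" * offset + WITTY_CONTENT
    return body + b"B" * (total - len(body))


SAMPLE_FRAMES = [
    build_udp_datagram(4000, 31337, sample_payload(100)),   # matches: port 4000, content at 100
    build_udp_datagram(4001, 31337, sample_payload(100)),   # wrong source port
    build_udp_datagram(4000, 31337, sample_payload(240)),   # content ends at 250, past depth
    build_udp_datagram(4000, 53, b"\x00" * 32),             # ordinary-looking UDP, no content
]

if __name__ == "__main__":
    for idx, src, dst, plen, hit in scan_datagrams(SAMPLE_FRAMES):
        print(f"frame {idx}: {src} -> {dst} len={plen} witty={hit}")
```

Only the first constructed frame fires; the third shows why depth matters: the content is present but not within the first 246 bytes, so the rule, and this check, do not match.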