New worm targets company's firewall vulnerability

A fast-spreading worm is targeting a vulnerability announced last week in firewalls from Internet Security Systems Inc. of Atlanta.

Witty.A exploits a buffer overflow in multiple versions of the ISS BlackICE firewall. The worm can corrupt hard drives, causing data loss and crashing infected machines. ISS disclosed the vulnerability, which also affects other ISS firewalls, on Thursday and at the same time made available updated versions fixing most of the products.

Administrators are advised to disable affected software, or disconnect systems running the products from their networks and install updated versions. Traffic to and from UDP port 4000 also should be monitored and, if feasible, blocked.

More information on the vulnerability and affected products, along with downloadable updates, is available at

By early Saturday, traffic produced by the new worm exploiting the overflow was discovered by the SANS Institute's Internet Storm Center. By this morning, security companies reported as many as 50,000 infections.

The worm resides in memory and spreads by attempting to send itself to 20,000 randomly generated IP addresses over UDP port 4000. It also attempts to overwrite random sectors of a randomly selected physical hard drive with data from memory, crashing some machines.

Because it does not write itself to the disk, the worm can be removed by rebooting the infected machine. But it is troublesome because it spreads without user interaction and because it appeared so quickly after the vulnerability was announced.
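The monitoring advice above can be turned into a simple fan-out check. The following Python sketch is an added example, not part of the original article or any ISS or SANS tooling: it flags internal hosts that contact many distinct addresses over UDP port 4000 within a short window. The flow-record layout, the window, the threshold and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

WORM_PORT = 4000        # UDP port named in the article
WINDOW_SECONDS = 60     # assumed observation window
FANOUT_THRESHOLD = 5    # assumed; tune to the network's normal baseline

# Constructed flow records: (epoch_s, proto, src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # one host spraying many destinations from UDP port 4000
    [(1000 + i, "udp", "10.0.0.23", 4000, f"198.51.100.{i + 1}", 20000 + i) for i in range(8)]
    # one host talking repeatedly to a single peer on port 4000
    + [(1000 + i, "udp", "10.0.0.40", 4000, "203.0.113.9", 4000) for i in range(8)]
    # high fan-out on an unrelated port (ignored by the filter)
    + [(1000 + i, "udp", "10.0.0.51", 53000, f"198.51.100.{i + 1}", 53) for i in range(8)]
    # several destinations on port 4000, but spread over ten minutes
    + [(1000 + 120 * i, "udp", "10.0.0.60", 4000, f"203.0.113.{i + 1}", 4000) for i in range(6)]
)

def find_scanners(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: peak distinct destinations in any window} for hosts at or over threshold."""
    per_src = defaultdict(list)
    for ts, proto, src, sport, dst, dport in flows:
        # Match traffic to or from the port, since both directions are to be monitored.
        if proto == "udp" and WORM_PORT in (sport, dport):
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        in_window = defaultdict(int)    # dst_ip -> packets currently inside the window
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events that have aged out of the sliding window (ts - window, ts].
            while events[start][0] <= ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for host, peak in find_scanners(SAMPLE_FLOWS).items():
        print(f"{host}: {peak} distinct destinations over UDP/{WORM_PORT} within {WINDOW_SECONDS}s")
```

Only the host with high fan-out inside the window is reported; a host flagged this way is a candidate for the disconnect-and-update steps the article describes.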

'Rapid exploitation of new vulnerabilities is a growing trend,' said Ken Dunham, director of malicious code for iDefense Inc. of Reston, Va. 'Anyone using BlackICE software should be concerned about this worm.'

About the Author

William Jackson is a Maryland-based freelance writer.
