Many Internet worms use pseudo-random numbers to scan the IP
address-space. In this project, we reverse engineered the state of the
pseudo-random number generator (pRNG) which the Witty worm
used to generate packets. By combining our knowledge of Witty's code
with the pRNG state, we performed a detailed recreation of the worm's
spread. We were able to discover several characteristics of the infected
systems, including their uptime, network access bandwidth, and number of
disks. Additionally, we were able to find specific details about the
worm author's deliberate targeting of a US Military base, and determine
the identity of Patient 0, the system used to launch the worm.
Abstract of Technical Report
Network "telescopes" that record packets sent to
unused blocks of Internet address space have emerged as an important
tool for observing Internet-scale events such as the spread of worms and
the backscatter from flooding attacks that use spoofed source
addresses. Current telescope analyses produce detailed tabulations
of packet rates, victim population, and evolution over time. While
such cataloging is a crucial first step in studying the telescope
observations, incorporating an understanding of the underlying processes
generating the observations allows us to construct detailed inferences
about the broader "universe" in which the Internet-scale activity
occurs, greatly enriching and deepening the analysis in the process.
In this work we apply such an analysis to the
propagation of the Witty worm,
a malicious and well-engineered worm that when released in March 2004
infected more than 12,000 hosts worldwide in 75 minutes. We show
that by carefully exploiting the structure of the worm, especially its
pseudo-random number generation, from limited and imperfect telescope
data we can with high fidelity: extract the individual rate at which
each infectee injected packets into the network prior to loss; correct distortions
in the telescope data due to the worm's volume overwhelming the monitor;
reveal the worm's inability to fully reach all of its potential victims;
determine the number of disks attached to each infected machine; compute
when each infectee was last booted, to sub-second accuracy; explore the
"who infected whom" infection tree; uncover that the worm specifically
targeted hosts at a US military base; and pinpoint Patient Zero, the initial point of
infection, i.e., the IP address of the system the attacker used to
unleash Witty.
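An added example, not code from the report or this project, of the state-recovery idea behind the rate and loss measurements described above. It assumes the Windows rand() LCG (x*214013 + 2531011 mod 2^32), a simplified packet layout of three generator outputs per packet with the top 16 bits of each used for the two halves of the destination IP and the destination port, and a constructed telescope prefix; from only the destination addresses seen at the telescope it recovers the generator state by brute-forcing the 16 unknown low bits and counts how many packets were sent between consecutive observations.

```python
# Constructed example: recover a Witty-style LCG state from telescope hits and
# count the packets the telescope never saw. Assumptions are labelled below.
MULT, INC, MASK = 214013, 2531011, 0xFFFFFFFF  # assumed: Windows rand() LCG
TELESCOPE_PREFIX = 10  # constructed: the monitored /8 (10.0.0.0/8)

def lcg_next(x):
    return (x * MULT + INC) & MASK

def emit_packet(state):
    """Advance one packet (assumed: three calls, top 16 bits each); return (state, ip, port)."""
    s1 = lcg_next(state)
    s2 = lcg_next(s1)
    s3 = lcg_next(s2)
    return s3, ((s1 >> 16) << 16) | (s2 >> 16), s3 >> 16

def simulate(seed, n_packets):
    """Worm side: emit n packets, recording (index, dest_ip) of those hitting the telescope."""
    state, seen = seed, []
    for i in range(n_packets):
        state, ip, _ = emit_packet(state)
        if ip >> 24 == TELESCOPE_PREFIX:
            seen.append((i, ip))
    return seen

def candidate_states(dest_ip):
    """Telescope side: the IP carries the high 16 bits of s1 and s2; brute-force s1's low 16."""
    hi, lo = dest_ip >> 16, dest_ip & 0xFFFF
    return [(hi << 16) | low for low in range(1 << 16)
            if lcg_next((hi << 16) | low) >> 16 == lo]

def packets_until(s1, target_ip, limit):
    """Count packets the worm emits after the observed one before target_ip comes up."""
    state = lcg_next(lcg_next(s1))  # consume the observed packet's remaining two calls
    for sent in range(1, limit + 1):
        state, ip, _ = emit_packet(state)
        if ip == target_ip:
            return sent
    return None  # wrong candidate state, or more than limit packets in between

def reconstruct_gaps(observed_ips, limit=20000):
    """Packets sent between consecutive observations; with timestamps this yields the send rate."""
    gaps = []
    for cur, nxt in zip(observed_ips, observed_ips[1:]):
        hits = [packets_until(s, nxt, limit) for s in candidate_states(cur)]
        hits = sorted(h for h in hits if h is not None)  # false candidates diverge and miss
        gaps.append(hits[0] if hits else None)
    return gaps
```

Summing the gaps over an infectee's observed packets gives the total it sent, including those the telescope never received; dividing by the elapsed time between observations gives its sending rate.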
Technical Report: Exploiting Underlying Structure for Detailed Reconstruction of an Internet Scale Event. Abhishek Kumar, Vern Paxson, Nicholas Weaver.
Nicholas Weaver states the following: Although mostly complete, in the
"Reflections on Witty" analysis I misinterpreted the turn-on as a botnet
rather than a hitlist. The use of a hitlist, rather than a botnet, makes
me more suspicious that the author was an insider as the author had to
know in advance a group of vulnerable ISS customers.
This work was supported by the National Science Foundation under the
following grants: Collaborative Cybertrust NSF-0433702, ITR/ANI-0205519,
NRT-0335290, and ANI-0238315, for which we are grateful. We thank
Colleen Shannon and David Moore at CAIDA, and Paul Barford and Vinod
Yegneswaran at the University of Wisconsin for providing access to the
telescope traces and answering numerous questions about them, and our
CCIED colleagues and Ellen Zegura for valuable feedback. We would also
like to thank Clark Gaylord for verifying that our hypothesis about the
LAN topology mentioned in section VI.D was correct.
Support for the Witty Worm Dataset and the UCSD Network Telescope is
provided by Cisco Systems, Limelight Networks, the US Department of
Homeland Security, the National Science Foundation, DARPA,
Digital Envoy, CAIDA, and CAIDA Members.