Real Nasty Virus Alert
I was just notified by MailStreet, my Hosted Exchange provider, that there is
a horrible new virus going around. I haven't heard of a virus this bad before.
It brought down an entire Exchange 2003 server cluster this morning, and 50
other servers in their datacenter. I'll let the Washington
Post fill you in on the details:
The "Witty" worm writes random data onto the hard drives of computers
equipped with the Black Ice and Real Secure Internet firewall products,
causing the drives to fail and making it impossible to restart the PCs. Unlike
many recent worms that arrive as e-mail attachments, it spreads automatically
to vulnerable computers without any action on the part of the user.
At least 50,000 compters have been infected so far, according to Reston,
Va.-based computer security firm iDefense and the Bethesda, Md.-based SANS
Institute.
The firewalls were developed by Atlanta-based Internet Security Systems.
Chris Rouland, vice president of the company's X-Force research and
development division, said that as many as 32,000 corporate computers could be
infected. The company does not know how many home users are infected. ISS released a patch and a
detailed writeup of the affected products.
Most infected computers will have to be rebuilt from scratch unless their
owners instead decide to buy new ones, said Ken Dunham, a computer security
expert at iDefense. "The thing looks like it will corrupt or crash most drives
enough so that reinstallation is going to be required," he said. "This is a
very destructive worm."
Officials at the Department of Homeland Security, which is in charge of the
government's cybersecurity efforts, were unavailable for comment.
Internet worms, viruses and other malignant software often install software
or open "back doors" that allow hackers to control infected computers. That
often gives them access to private data that people keep on their computers,
and allows them to use those computers to send out e-mail spam that cannot be
traced back to its real owner. The Witty worm is different and in some
respects more destructive because it renders the computer useless.
Johannes Ullrich, chief technology officer for the SANS Internet Storm
Center, said that the worm does not create files on infected computers so most
antivirus software will not detect it.
Security vulnerability research firm eEye Digital Security identified the
flaw last Wednesday. The Aliso Viejo, Calif.-based company discovered that it
could trick some versions of Black Ice and Real Secure into processing
Internet traffic that would allow attackers to transfer dangerous data to
vulnerable computers.
The Witty worm gets its moniker from a message buried within its code that
says: "insert witty message here." That comes just before the code that
overwrites the infected hard drives.
Joe Stewart, a senior security researcher at Chicago-based security
services company Lurhq, said he expects the worm to die out over the next few
hours as vulnerable computers quickly become useless hosts.
"With all these hard drive problems, the infection rates are going to
shrink pretty quickly as all these affected machines grind themselves to a
halt," Stewart said.
If you have these programs on your
system, I cannot overstate the need to patch immediately. Unless of
course, you don't mind buying a new hard drive.
Here's a link to ISS'
website where you can download the patch.