Witty made a dramatic entrance Saturday morning, quickly infecting more than 6,000 computers, which then began scanning the Internet for other machines to attack. But within 24 hours, the number of Witty-infected PCs scanning the Internet had dropped to around 2,000. That number dropped even further, to around 1,000 machines by Monday morning, according to data compiled by The SANS Institute, based in Bethesda, Md.
Unlike most worms, which exist for the lone purpose of spreading themselves, Witty is capable of corrupting the hard drives of infected machines, preventing normal operation of the PC and eventually causing it to crash. The worm attacks via random UDP ports; however, it always comes from UDP source port 4000, according to various analyses of the code by security experts. Infected machines will begin sending out large amounts of UDP traffic as the worm attempts to infect other machines.
Rebooting an infected machine appears to remove the worm, experts said on the weekend.
The main reason for the drop-off seems to be that Witty gradually corrupts the hard drives of infected machines, eventually causing them to crash and preventing them from scanning any longer. At the peak of the outbreak Saturday, SANS was seeing as many as 300,000 Witty-related packets per hour. Witty exploits a flaw in a component of Internet Security Systems Inc.s BlackIce protection software. The vulnerable component also is found in several other ISS products, but the Atlanta-based company said they are not susceptible to the worm.
Once it infects a given machine, the worm generates a random IP address and sends its payload to that PC. It repeats this process 20,000 times, then turns its attention back to the local machine its on. Witty opens a random drive on the PC and writes 65 kb of data to a random location.
An analysis by Lurhq Corp. said that any infected system will have its OS ruined, along with most of the files on the physical drives, depending on how long the worm is on the machine.
As a result of the worms appearance, the Internet Storm Center operated by The SANS Institute has raised its threat level to yellow.
Experts recommend that users with machines running vulnerable versions of BlackIce unplug the PCs from the Internet because of the highly malicious properties of the worm and the fact that it would be necessary to block all incoming UDP traffic to prevent infection. BlackIce Version 3.6 ccf and ecf are known to be vulnerable. The flaw that Witty attacks is found in all of ISS current products; however, it is not known whether other ISS products are vulnerable to the worm. ISS, based in Atlanta, said Saturday that its Proventia appliances are not affected by Witty.
"This worm has been found to be highly malicious, slowly destroying the systems it infects. Because of this activity, at some point this worm will cease to exist—unfortunately it will take all the affected systems with it. Rather than simply executing a format C: or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread," according to an analysis of Witty posted by Lurhq Corp., a managed security services company based in Chicago.
Some network operators reported Saturday seeing as many as 200 connection attempts per minute from Witty.
Editors Note: This story was updated to include more recent information and comments from security experts.