The report, which was published by Abishek Kumar, a student at the Georgia Institute of Technology (Georgia Tech), claims to use a novel method to retrace the spread of the worm—which targeted vulnerable products from Internet Security Systems Inc.—by locating a machine in Europe that was the first computer infected by the worm. The techniques that the researchers developed could help with future worm studies, the authors say.
The study was led by Kumar, who at the time was working as a summer intern at the International Computer Science Institute (ICSI) at the University of California at Berkeley. Kumar and two ICSI researchers used network "telescopes" to analyze Witty's spread.
Telescopes monitor unused portions of the Internet's machine address space and so inadvertently collect traffic generated by fast-moving Internet worms.
Telescopes have been used in the past to estimate the number of systems infected by worms and the rate at which worms can scan for vulnerable computers.
In their analysis of Witty, the researchers discovered that they could develop an even more accurate picture of a worm's spread by analyzing the machines sending traffic to telescopes, according to the report.
The success of the experiment surprised the researchers, Nicholas Weaver, an ICSI scientist, said in an e-mail.
According to the paper, the authors began by disassembling the worm's code and reverse-engineering the component called a PRNG (pseudo-random number generator) used to generate a list of computers to attack.
Once they cracked Witty's PRNG, researchers were able to use network telescope data from Witty's spread to recreate the state of the PRNG on each Witty-infected machine, providing a very detailed picture of Witty's spread from a single infected machine to more than 12,000 hosts in just over an hour in March 2004.
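The idea of recreating PRNG state from telescope sightings can be shown with a simplified model. The following Python sketch is an added illustration, not the worm's code or the researchers' tooling. It assumes a 32-bit linear congruential generator with illustrative constants, three generator calls per probe, and that only the top 16 bits of each output appear in a packet.

```python
# Simplified model (assumed), not the worm's code or the researchers' tooling.
A, C, MASK = 214013, 2531011, 0xFFFFFFFF  # illustrative 32-bit LCG constants

def step(state):
    """Advance the generator by one call."""
    return (A * state + C) & MASK

def emit_packet(state):
    """Model one probe: three calls, top 16 bits of each are visible on the wire.
    Returns ((dest_ip, dest_port), generator state after the probe)."""
    s1 = step(state)
    s2 = step(s1)
    s3 = step(s2)
    return (((s1 >> 16) << 16) | (s2 >> 16), s3 >> 16), s3

def recover_states(packet):
    """Return every post-probe generator state consistent with one observed probe."""
    dest_ip, dest_port = packet
    hi, lo = dest_ip >> 16, dest_ip & 0xFFFF
    found = []
    for hidden in range(1 << 16):  # the 16 low bits the packet does not reveal
        s2 = step((hi << 16) | hidden)
        s3 = step(s2)
        if s2 >> 16 == lo and s3 >> 16 == dest_port:
            found.append(s3)
    return found

def probes_between(first, second, limit=100_000):
    """Count probes a host sent between two telescope sightings, or None."""
    targets = set(recover_states(second))
    for state in recover_states(first):
        for sent in range(1, limit + 1):
            _, state = emit_packet(state)
            if state in targets:
                return sent
    return None

if __name__ == "__main__":
    # Constructed sample: the second sighting is the 741st probe after the first.
    state = 0x1234ABCD
    first, state = emit_packet(state)
    for _ in range(741):
        second, state = emit_packet(state)
    print(recover_states(first), probes_between(first, second))
```

Counting the probes between two sightings of the same host gives its sending rate, even though the telescope sees only a small fraction of the traffic.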
Despite infecting a small number of hosts, Witty was better-written than the earlier SQL Slammer worm and could have rocketed around the world as fast as Slammer, if it had targeted a more widespread platform than ISS products, Weaver said.
Researchers also captured heretofore inaccessible data, such as the network uptime of infected hosts, the number of disks they contained and their network connections, Weaver said.
"It is very difficult to create a survey of end hosts and their characteristics. That we were able to create such a survey, as a side effect of how the worm was constructed, was unique," he said.
The detailed picture of the worm's spread allowed the researchers to spot an infected computer connected to the Internet through a European ISP, which they believe is the first host infected by the worm and used to launch Witty. The researchers passed on the address of that machine to law enforcement, according to the report.
That machine was running a slightly different version of Witty, causing it to stick out from other infected systems, he said.
Another controversial finding of the report is that a set of 135 hosts at a U.S. military installation were infected near the beginning of the worm's spread and were critical to its spread. Researchers postulated that the Witty author specifically targeted the systems because he or she knew that they were vulnerable to the exploit Witty used to infect systems.
An ISS employee may have had advance knowledge of the vulnerable hosts and tipped off the worm author, and Witty even could have been the creation of somebody working for ISS, the report said.
An ISS spokesman declined to comment on the allegation.
Even if the research doesn't lead to the capture of the Witty author, researchers hope that the analysis strategy they developed could be used to study other Internet worms, and the Internet itself.
"The ability to take an incident [such as a worm] and discern information about the larger Internet is very fascinating and something we would like to explore in the future," Weaver said.