Here is what SANS reported this morning:
Note: we will not start new diaries this weekend. Instead, we will keep amending this diary.
"Witty" worm attacks BlackICE firewall
Summary
=======
At around 12:00 AM EST (05:00 UTC) on Saturday, we detected an upsurge in UDP traffic from source port 4000. This traffic is caused by a new worm ("Witty") which exploits a vulnerability in BlackIce's ICQ parser.
Given that this worm generates large amounts of traffic, and the widespread use of BlackIce, we will keep the InfoCon level at 'YELLOW', likely until Monday morning.
While "witty" packets with other source ports are seen, they will not trigger the vulnerability. Likely, these packets are due to infected hosts behind NAT devices.
Detection
=========
Infected hosts will send large amounts of UDP traffic, typically saturating a local network connection. The BlackIce task bar icon will no longer allow the user to shut down BlackIce. It will display a message reading "Operation could not be completed. Access is denied".
Eventually, the system will crash. Infected systems are reported to show corrupted hard disks.
The worm will not write itself to disk. As a result, virus scanners may not detect it.
Snort rule:
alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic"; content:"|29 20 20 20 20 20 20 69 6e 73 65 72 74 20 77 69 74 74 79 20 6d 65 73 73 61 67 65 20 68 65 72 65|"; sid:1000001; rev:1;)
(note: you may want to remove the source port restriction; sid 1000001 is a placeholder from the local rule range, assign your own)
Removal
=======
A reboot will remove the worm from the system. However, the worm causes random hard disk corruption and the system may no longer function.
Prevention
==========
Disconnect systems running BlackIce as soon as possible!
Block all UDP packets with a source port of 4000
Blocking UDP packets with a source port of 4000 may disrupt some network services. We do not know of any major services (other than old versions of ICQ) that require UDP 4000.
This worm will corrupt hard disks and leave systems unusable.
These versions of BlackIce and RealSecure have been identified as vulnerable:
BlackICE Agent for Server 3.6 ebz, ecd, ece, ecf
BlackICE PC Protection 3.6 cbz, ccd, ccf
BlackICE Server Protection 3.6 cbz, ccd, ccf
RealSecure® Network 7.0, XPU 22.4 and 22.10
RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
RealSecure Desktop 3.6 ebz, ecd, ece, ecf
RealSecure Guard 3.6 ebz, ecd, ece, ecf
RealSecure Sentry 3.6 ebz, ecd, ece, ecf
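The Detection section's signature, as an added Python check that is not part of the SANS diary quoted above: it parses IPv4/UDP datagrams and flags Witty traffic by source port 4000 plus the payload marker that the Snort rule's hex content decodes to. The packet builder, the sample addresses and the sample payloads are constructed for this example.

```python
import struct

# Marker bytes copied from the Snort rule's hex content: ")" + six spaces + "insert witty message here"
WITTY_MARKER = bytes.fromhex(
    "29202020202020696e73657274207769747479206d6573736167652068657265"
)
WITTY_SRC_PORT = 4000  # source port used by the worm's own packets (non-NAT case)


def parse_ipv4_udp(frame: bytes):
    """Return (src_ip, src_port, dst_port, payload) for an IPv4/UDP datagram, else None."""
    if len(frame) < 20 or (frame[0] >> 4) != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4          # header length in bytes
    if frame[9] != 17 or len(frame) < ihl + 8:   # 17 = UDP
        return None
    src_ip = ".".join(str(b) for b in frame[12:16])
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return src_ip, sport, dport, frame[ihl + 8:ihl + ulen]


def is_witty(frame: bytes, require_src_port: bool = True) -> bool:
    """Flag a datagram as Witty: UDP payload carries the marker and, unless the
    source-port restriction is dropped (NAT'd infected hosts), source port is 4000."""
    parsed = parse_ipv4_udp(frame)
    if parsed is None:
        return False
    _, sport, _, payload = parsed
    if require_src_port and sport != WITTY_SRC_PORT:
        return False
    return WITTY_MARKER in payload


def infected_sources(frames, require_src_port: bool = True):
    """Set of source IPs seen emitting Witty traffic in the given frames."""
    return {parse_ipv4_udp(f)[0] for f in frames if is_witty(f, require_src_port)}


def build_udp(src_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test datagram (checksums zeroed); not captured traffic."""
    ulen = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, ulen, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ulen, 0, 0, 64, 17, 0,
                     bytes(int(x) for x in src_ip.split(".")), bytes([10, 0, 0, 2]))
    return ip + udp


# Constructed samples: an infected host, benign UDP from port 4000, and a NAT-rewritten source port.
SAMPLE = [
    build_udp("192.0.2.10", 4000, 1234, b"xx" + WITTY_MARKER + b"padding"),
    build_udp("192.0.2.20", 4000, 53, b"not witty at all"),
    build_udp("198.51.100.5", 31337, 80, WITTY_MARKER),
]

if __name__ == "__main__":
    print("strict:", sorted(infected_sources(SAMPLE)))
    print("no port restriction:", sorted(infected_sources(SAMPLE, require_src_port=False)))
```

Running it without the source-port restriction also catches the third sample, mirroring the diary's note about infected hosts behind NAT devices.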