Witty Extinction
Wednesday, 7 April 2004 20:09 EST
The "Witty" worm appeared on March 19th, and within a few short days it completed its mission and effectively disappeared. It received minimal coverage by the major news media outlets and for many people it has already been largely forgotten, a mere blip on the radar among so many blips of new viruses and virus variants that appear each week. If the Witty worm didn't affect you, as is the case for most people, you probably don't care. But you should. The Witty worm set a dangerous precedent on the Internet because it introduced a number of evil new "firsts" in the ever-changing world of modern worms and viruses.
CAIDA, the Cooperative Association for Internet Data Analysis, recently released an analysis of the Witty worm by Colleen Shannon and David Moore that should be an eye-opener for many people. It shows new techniques used by the malicious creators of this worm and a new level of sophistication, and it helps disprove some basic assumptions that many people have made about malicious code.
The evil goes beyond what many people believed was a basic tenet of modern malicious worms: don't destroy the hosts you compromise, or else you'll lose the ability to propagate. At 637 bytes, Witty's payload was larger than the 376-byte Slammer worm, but it's still very small compared to, say, the 12KB virus bombs that I discussed in my last column. Instead of immediately destroying the host, Witty sent out 20,000 packets of its payload (plus some random padding) as fast as possible, and then it started to eat away at its host. Mission accomplished.