Worm burrows into BlackIce security product

A worm that exploited a hole in some of Internet Security Systems' intrusion protection products seems to be dying down after...

A worm that exploited a hole in some of Internet Security Systems' intrusion protection products seems to be dying down after affecting thousands of IP addresses since Saturday.

The so-called Witty worm, affecting some versions of ISS' BlackIce and RealSecure intrusion protection products, is "highly malicious" because it slowly destroys the system it infects, according to an alert from managed security provider Lurhq.

"Rather than simply executing a 'format C:' or similar destructive command, the worm slowly corrupts the filesystem while it continues to spread," the alert said.

The spread of the worm appeared to be slowing down yesterday, said Joe Stewart, senior security researcher at Lurhq. "It was only a big deal for the people who had the ISS products' specific versions. It was not a threat for Windows users in general."

ISS estimated the worm infected about 12,000 IP addresses, although the exact number is difficult to determine, said Dan Ingevaldson, director of X-Force research and development at ISS.

Early reports had the worm infecting up to 50,000 IP addresses, but Ingevaldson said ISS scans did not find evidence of the worm being that widespread.

"We saw a spike in the first days of the infection, and it's been going down since then," Ingevaldson said.

The worm, which exploited an ICQ parsing vulnerability, affected non-updated versions of ISS'  BlackIce and RealSecure products. A complete list of affected versions is available at ISS' alert site: http://xforce.iss.net/xforce/alerts/id/167. An ISS update that fixes the vulnerability has been available since 9 March.

Stewart said the timing of the worm was significant. A vulnerability alert for the ISS products was released on 18 March, and the worm began spreading two days later. The writer of the worm either knew of the vulnerability before the announcement or wrote and tested the worm in less than two days.

"Usually, you have a week or two after the vulnerability was announced," Stewart said. "This was a substantial piece of work to be done in one day."

ISS counts about 1.6 million corporate installations of the BlackIce PC intrusion detection software, and that number does not include home installations.

"Our customers know you have to apply the most recent updates," said Ingevaldson. "They know that for it to work, they need to have the most recent updates, and they would not be affected at all if they did."

Grant Gross writes for IDG News Service

Read more on IT risk management