Black Ice flaw leads to tens of thousands of computers being damaged

Posted by: Phatal

Black Ice flaw leads to tens of thousands of computers being damaged - 04/05/04 10:21 PM

A quickly spreading Internet worm destroyed or damaged tens of thousands of personal computers worldwide Saturday morning by exploiting a security flaw in a firewall program designed to protect PCs from online threats, computer experts said. The "Witty" worm writes random data onto the hard drives of computers equipped with the Black Ice and Real Secure Internet firewall products, causing the drives to fail and making it impossible to restart the PCs. Unlike many recent worms that arrive as e-mail attachments, it spreads automatically to vulnerable computers without any action on the part of the user. At least 50,000 computers have been infected so far, according to Reston, Va.-based computer security firm iDefense and the Bethesda, Md.-based SANS Institute. The firewalls were developed by Atlanta-based Internet Security Systems. Chris Rouland, vice president of the company's X-Force research and development division, said that as many as 32,000 corporate computers could be infected. The company does not know how many home users are infected. ISS released a patch and a detailed writeup of the affected products.

Most infected computers will have to be rebuilt from scratch unless their owners instead decide to buy new ones, said Ken Dunham, a computer security expert at iDefense. "The thing looks like it will corrupt or crash most drives enough so that reinstallation is going to be required," he said. "This is a very destructive worm." Officials at the Department of Homeland Security, which is in charge of the government's cybersecurity efforts, were unavailable for comment. Internet worms, viruses and other malignant software often install software or open "back doors" that allow hackers to control infected computers. That often gives them access to private data that people keep on their computers, and allows them to use those computers to send out e-mail spam that cannot be traced back to its real owner. The Witty worm is different and in some respects more destructive because it renders the computer useless.
Detection
Infected hosts will send large amounts of UDP traffic, typically saturating a local network connection. The BlackIce task bar icon will no longer allow the user to shut down BlackIce. It will display a message reading "Operation could not be completed. Access is denied". Eventually, the system will crash. Infected systems are reported to show corrupted hard disks. The worm will not write itself to disk. As a result, Virus scanners may not detect it...

Removal
A reboot will remove the worm from the system. However, the worm causes random hard disk corruption and the system may no longer function.

Links

ISS Black Ice downloads - http://blackice.iss.net/update_center/index.php
Vulnerability Information - http://xforce.iss.net/xforce/alerts/id/166
F-Secure Writeup - http://www.f-secure.com/v-descs/witty.shtml
Symantec - Click here for what Symantec has to say about the Witty wom
McAffee - http://vil.nai.com/vil/content/v_101118.htm

Original article was on yahoo news, but is no longer available for some reason.