The Spread of the Witty Worm

Thanks to Joel Scambray (coauthor of the Hacking Exposed series of books) for bringing this to my attention.

Not many people paid much attention to this worm, because it affected a non-Microsoft product, but the analysis is interesting nevertheless. What was really worrying (to me, anyway) is the one day (yes, ONE DAY!) time delta from the vulnerability being publicly known (when ISS issued their patch, and eEye issued their disclosure) to the worm’s arrival. It was also the first real destructive worm.

CAIDA has a very nice write-up on the worm.

Comments (3)

  1. Dennis Forbes says:

    "…because it affected a non-Microsoft product…"

    I think a fairer statement is "because its maximum impact was 12,000, often ‘low-value’ hosts" (who runs add-in software firewalls on high value machines?). Microsoft does get unfairly critical attention at times, but in this case I think your analysis was flawed.

  2. Michael Howard says:

    The fact that it affected "only" 12,000 hosts is interesting – and it is noted in the paper – it doesn’t take millions of machines to support a worm.