Tech Time Warp: The wicked ways of the Witty Worm
Although the goal of the Witty Worm wasn’t widespread damage—its entire target population was only 12,000 computers the world over—the malware made its presence known with a vengeance. Within 45 minutes of its first appearance at approximately 8:45 p.m. PST on March 19, 2004, the Witty Worm had corrupted those 12,000 computers, primarily in the United States, with its noteworthy payload, which carried the following message: “(^.^) insert witty message here (^.^).” Let’s dive into this week’s Tech Time Warp.
Earning a place in malware history
The Witty Worm deserves a spot in malware history for several reasons, including:
- The worm was released via a bot network of approximately 100 infected computers.
- It was the first worm to target only machines running specific software: certain versions of Internet Security Systems’ BlackICE and RealSecure.
- The worm was one of the first to attack a security product, appearing only 36 hours after a vulnerability in the ISS software products was publicized. (Witty relied on a buffer overflow vulnerability in firewall software, and all 12,000 victims were compromised via their firewall software.)
- The worm was less than 700 bytes long and used a random number generator to send itself to random IP addresses with random destination ports.
- Witty featured a destructive payload and would delete data on random accessible drives in 64 KB chunks.
The destructive payload was ultimately Witty’s undoing. Eventually, it would cause an infected machine to crash. Once enough of the 12,000 target machines had shut down, Witty was done. In 2005, researchers traced the worm’s origins to a single European computer.