Got this in... thought I would forward it on to the netfilter list in the interest of security.

According to the link: "Witty is a network worm that spreads through direct network connections, targeting machines that are running BlackIce security software." It exploits ICQ apparently: "Witty uses a vulnerability in ICQ instant messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM)."

It might be a good idea to start LOG lines for a source port of 4000 for unusual traffic (for iptables-secured gateways). This would be effective in
Even better; block or limit these for a while?

Good luck to everyone.

--- Gadi Evron <ge@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> From Gadi Evron Sat Mar 20 09:25:22 2004
> Date: Sat, 20 Mar 2004 19:25:22 +0200
> From: Gadi Evron <ge@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> To: bugtraq@xxxxxxxxxxxxxxxxx
> CC: full-disclosure@xxxxxxxxxxxxxxxx
> Subject: The witty worm
>
> Information can be found at: http://www.f-secure.com/v-descs/witty.shtml
>
> According to that link the worm sends itself to 20K random IPs.
>
> It's also on a repeat though.
>
> To block it you need to block packets coming from UDP source port 4000.
>
> I'd suggest blocking local port 4000, as well. This thing spreads fast
> and many networks probably send it out now too.
>
> Example Cisco rule which shows how fast this thing spreads (from a
> network run by a friend of mine, Scott McHenry):
>
> deny udp any eq 4000 any (65 matches)
> <20 seconds>
> deny udp any eq 4000 any (77 matches)
>
> Gadi Evron.
>

=====
In the absence of order there will be chaos.
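The post suggests logging UDP traffic with source port 4000 on iptables gateways and, in the quoted message, watching how fast the match counters climb. The script below is an added example, not part of the original message or of any project mentioned in it: it parses netfilter LOG output of the kind a `-j LOG --log-prefix "WITTY: "` rule writes to syslog, counts hits per source, flags sources spraying many distinct destinations (the random-IP behaviour described on the F-Secure page), separates outbound hits (a local host emitting the pattern, the reason for blocking local port 4000 too) from inbound ones, and buckets hits into 20-second windows like the Cisco counter deltas. The log lines, addresses, the `WITTY:` prefix and the log year are all constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of netfilter LOG output, as produced by rules such as
#   iptables -A INPUT  -p udp --sport 4000 -j LOG --log-prefix "WITTY: "
#   iptables -A OUTPUT -p udp --sport 4000 -j LOG --log-prefix "WITTY: "
# Addresses, prefix and timestamps are made up for this example (not from the post).
SAMPLE_LOG = """\
Mar 20 19:25:22 gw kernel: WITTY: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=1024 TOS=0x00 PREC=0x00 TTL=113 ID=3311 PROTO=UDP SPT=4000 DPT=17361 LEN=1004
Mar 20 19:25:23 gw kernel: WITTY: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.77 LEN=1024 TOS=0x00 PREC=0x00 TTL=113 ID=3312 PROTO=UDP SPT=4000 DPT=2201 LEN=1004
Mar 20 19:25:23 gw kernel: WITTY: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 LEN=1024 TOS=0x00 PREC=0x00 TTL=107 ID=9001 PROTO=UDP SPT=4000 DPT=40001 LEN=1004
Mar 20 19:25:40 gw kernel: WITTY: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.9 LEN=1024 TOS=0x00 PREC=0x00 TTL=113 ID=3313 PROTO=UDP SPT=4000 DPT=8 LEN=1004
Mar 20 19:25:41 gw kernel: OTHER: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=51000 DPT=22 LEN=40
Mar 20 19:25:45 gw kernel: WITTY: IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.200 LEN=1024 TOS=0x00 PREC=0x00 TTL=128 ID=44 PROTO=UDP SPT=4000 DPT=1200 LEN=1004
"""

# syslog prefix, optional --log-prefix text, then the netfilter key=value fields we need.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<prefix>\S+:)? ?"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

LOG_YEAR = 2004  # syslog timestamps carry no year; assumed to match the sample


def parse_log(text):
    """Return one dict per parseable LOG line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(f"{LOG_YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
        rec["spt"] = int(rec["spt"]) if rec["spt"] else None
        rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
        records.append(rec)
    return records


def udp_from_port(records, sport=4000):
    """Keep only UDP datagrams whose source port is `sport`, the indicator given in the post."""
    return [r for r in records if r["proto"] == "UDP" and r["spt"] == sport]


def hits_per_source(records, sport=4000):
    """How many matching datagrams each source address sent."""
    return Counter(r["src"] for r in udp_from_port(records, sport))


def scanners(records, sport=4000, min_targets=2):
    """Sources hitting at least `min_targets` distinct destinations: random-IP spraying,
    which a single misdirected ICQ client would not produce."""
    targets = defaultdict(set)
    for r in udp_from_port(records, sport):
        targets[r["src"]].add(r["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


def outbound_sources(records, sport=4000):
    """Local hosts emitting the pattern (OUT interface set, IN empty); these are the
    reason the post recommends blocking local port 4000 as well."""
    return sorted({r["src"] for r in udp_from_port(records, sport) if r["out"]})


def hits_per_window(records, window_s=20, sport=4000):
    """Matching hits per fixed window from the first hit, the same view as the
    '65 matches / 20 seconds / 77 matches' counter deltas in the quoted message."""
    hits = udp_from_port(records, sport)
    if not hits:
        return {}
    t0 = min(r["ts"] for r in hits)
    buckets = Counter(int((r["ts"] - t0).total_seconds()) // window_s for r in hits)
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hits per source:", dict(hits_per_source(recs)))
    print("sources spraying several destinations:", scanners(recs))
    print("outbound (local) sources:", outbound_sources(recs))
    print("hits per 20s window:", hits_per_window(recs))
```

On real gateways, point `parse_log` at the syslog file the LOG target writes to (commonly `/var/log/kern.log` or `/var/log/messages`) and raise `min_targets`; the rate buckets are what tell a handful of ordinary ICQ packets apart from a worm that is sending to thousands of random hosts.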