Tracing Back a Zero-Day Worm

Thomas Ptacek | May 25th, 2005 | Filed Under: Uncategorized

This is impressive detective work, though par for the course for Vern Paxson’s teams. Kumar and Paxson pick apart the Witty worm and, using a network telescope, reconstruct the internal state of the worm’s random number generator from the packets it sends, which lets them trace its progress across the Internet.

Coolest finding: among the packets captured from “typical” infectees, they found a standout source that appears to have used a different random number generator. It’s highly probable that this machine wasn’t a normal infection at all, but rather the “patient zero” host the worm authors used to kick-start infections. FWIW, patient zero seems to have been a European ISP address. Other findings:

  • When you can reconstruct the sequence of random numbers an infectee used, you can estimate how fast it scanned the Internet: take two packets observed from that infectee, work out how far apart they sit in the random number sequence (and therefore how many packets it sent in between), and divide by the time between the two observations.
  • By being overly clever with the random number generator, Witty’s author managed to miss roughly 10% of the address space, and so 10% of the infectable hosts.
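To make the scan-rate trick concrete, here is a small constructed illustration of the two steps in that bullet: recovering the generator state from a single observed destination address, then walking the generator forward until it produces the next observed address and converting the packet count into a rate. This is added example code, not code from the post or from the paper; the generator constants, the use of the top 16 bits of each output, the way two outputs are glued into a destination address, and the four generator calls per packet are assumptions about the worm, and the "telescope" is simulated as a /8 on a constructed packet stream.

```python
"""Witty-style PRNG state recovery and scan-rate estimation (constructed example).

Assumptions (not taken from the post): the scanner steps a 32-bit LCG
x' = 214013*x + 2531011 mod 2^32, keeps the top 16 bits of each output,
builds a destination address from the top 16 bits of two consecutive
outputs, and spends four outputs per packet (address hi, address lo, port, size).
"""

A, B, MASK32 = 214013, 2531011, 0xFFFFFFFF   # assumed LCG parameters
CALLS_PER_PACKET = 4                          # assumed: two address halves, port, size


def lcg_next(x: int) -> int:
    """One step of the assumed generator."""
    return (A * x + B) & MASK32


def top16(x: int) -> int:
    return x >> 16


def ip_from_state(x: int) -> int:
    """Destination address formed from state x and its successor."""
    return (top16(x) << 16) | top16(lcg_next(x))


def advance_packet(x: int) -> int:
    """Move the state forward by one packet's worth of generator calls."""
    for _ in range(CALLS_PER_PACKET):
        x = lcg_next(x)
    return x


def simulate_scanner(seed: int, n_packets: int, telescope_octet: int, pps: float):
    """Constructed infectee sending n_packets at a constant pps.
    Returns the packets that land in a /8 telescope as (index, timestamp, dst_ip)."""
    s, seen = lcg_next(seed), []          # s = state after packet's first call
    for i in range(n_packets):
        ip = ip_from_state(s)
        if ip >> 24 == telescope_octet:
            seen.append((i, i / pps, ip))
        s = advance_packet(s)
    return seen


def recover_states(dst_ip: int):
    """The telescope sees a full 32-bit destination, i.e. the top 16 bits of two
    consecutive generator outputs.  Brute-force the hidden low 16 bits of the
    first state; every candidate whose successor matches the low half survives."""
    hi, lo = dst_ip >> 16, dst_ip & 0xFFFF
    return [(hi << 16) | low for low in range(1 << 16)
            if top16(lcg_next((hi << 16) | low)) == lo]


def estimate_scan_rate(obs_a, obs_b, max_packets: int = 1 << 16):
    """obs = (timestamp, dst_ip).  Walk each candidate state forward one packet
    at a time until the generator emits obs_b's address; the number of packets
    walked divided by the elapsed time is the infectee's scan rate (packets/s)."""
    (t_a, ip_a), (t_b, ip_b) = obs_a, obs_b
    for cand in recover_states(ip_a):
        s = cand
        for gap in range(1, max_packets + 1):
            s = advance_packet(s)
            if ip_from_state(s) == ip_b:
                return gap, gap / (t_b - t_a)
    return None                              # no candidate explains obs_b within the bound


def demo():
    """Simulate an infectee, observe its first two telescope hits, and compare the
    reconstructed packet gap and rate against ground truth."""
    obs = simulate_scanner(seed=0x1234ABCD, n_packets=20000, telescope_octet=10, pps=4000.0)
    (i0, t0, ip0), (i1, t1, ip1) = obs[0], obs[1]
    gap, rate = estimate_scan_rate((t0, ip0), (t1, ip1))
    return {"telescope_hits": len(obs), "true_gap": i1 - i0,
            "estimated_gap": gap, "estimated_pps": rate}


if __name__ == "__main__":
    print(demo())
```

The telescope only sees roughly one packet in 256 from a uniformly scanning host, so the two observations are typically a few hundred packets apart; the forward walk is cheap, and a false candidate from the brute-force step (there are usually only one or two) is rejected simply because it never reproduces the second address within the bound.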

Math is the new string search; these results are more clever than most of the tricks “deep packet” security tools use (though Stefan Savage’s signature synthesis work is extremely clever too, and it is also more math-y than string-y).

Paxson’s team also has a paper up on reliable TCP reconstruction, a topic close to my heart, so I guess I’m going to lose another 30 minutes of working time. Sorry, Jeremy.
