Boing Boing has a link to a Bruce Schneier story in Computerworld that talks about the ‘Witty’ worm from March 2004. This was the first that I’d seen about Witty, but it sounds freakishly scary: it was targeted at ISS’s BlackICE/RealSecure intrusion-detection systems. It was released less than 48 hours after the vulnerability in BlackICE was made public. It infected 100% of the vulnerable systems on the net in 45 minutes. It was launched from a coordinated set of ‘drone’ machines. And it slowly destroyed the systems that it infected by overwriting random blocks of their hard drives.
Fortunately, there were only 12,000 vulnerable systems on the net. This time. The problem is that the code for Witty is out in the wild now. It’s only 700 bytes long, and it should be easy for an attacker to modify it to fit the next UDP exploit that shows up. Can you imagine what would happen if this blew through 20 million Windows boxes?
This might be a good time to run backups.