
Witty_worm

Attack ID: CPAI-2004-14
Publish Date:
Last Update:
Category: Worms. This Advisory is released due to updated reports about this worm's propagation.
Vulnerable Systems:
  • BlackICE™ Agent for Server 3.6 ebz, ecb, ecd, ece, ecf
  • BlackICE PC Protection 3.6 cbz, ccb, ccd, ccf
  • BlackICE Server Protection 3.6 cbz, ccb, ccd, ccf
  • RealSecure® Network 7.0, XPU 22.4 and 22.10
  • RealSecure Server Sensor 7.0 XPU 22.4 and 22.10
  • RealSecure Desktop 7.0 ebf, ebj, ebk, ebl
  • RealSecure Desktop 3.6 ebz, ecb, ecd, ece, ecf
  • RealSecure Guard 3.6 ebz, ecb, ecd, ece, ecf
  • RealSecure Sentry 3.6 ebz, ecb, ecd, ece, ecf
Note: No Proventia products are affected by the Witty worm. The newest updates for all products are not vulnerable to exploitation.
Source: CERT: VU#947254
Description:

A vulnerability was discovered in the PAM (Protocol Analysis Module) component, used in current ISS host, server, and network protection software and devices. The flaw relates to incorrect parsing of the ICQ protocol within the Protocol Analysis Module that may lead to a buffer overflow condition.

A worm dubbed 'Witty' is known to have exploited this vulnerability. The worm targets unpatched versions of the BlackICE PC Protection product.

Severity:
Details:

A vulnerability was discovered in the ICQ instant messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM) component. PAM parses several IM protocols, including ICQ. Incomplete boundary checking when parsing certain protocol fields embedded within an ICQ response can be exploited by a remote attacker to cause memory corruption, with the potential for remote exploitation.

A worm named Witty is known to exploit this vulnerability. The worm sends its payload in UDP packets to 20,000 random IP addresses with source port UDP/4000 and random destination port numbers (PAM treats any incoming UDP packet whose source port is 4000 as an ICQ server response).

It then opens a random physical drive that allows for disk access and writes itself to the disk. The act of writing directly to the drive will cause certain file system corruption. Any infected machine will likely have its operating system and partition data destroyed along with most files on the physical drives, depending on how long the worm runs on the machine. The worm is a memory-only based threat and does not create files on the system.

Note that since UDP is a stateless protocol, most IDS products (including ISS') keep no state or record of a UDP exchange. This means that the flaw can be exploited by sending a single spoofed UDP packet. In contrast, Check Point's patented Stateful Inspection technology™ keeps track of the state of every protocol, including UDP.
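The stateless-versus-stateful distinction above is what separates a spoofed Witty packet from a genuine ICQ server reply: both arrive from source port UDP/4000, but only the reply matches a request the protected host actually sent. The following toy tracker is an added example, not Check Point's implementation; the 40-second pseudo-session lifetime, the packet trace and the addresses are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

UDP_TIMEOUT = 40.0    # assumed UDP pseudo-session lifetime (seconds); not a product value
ICQ_PORT = 4000       # source port carried by Witty's packets (from the advisory)

@dataclass(frozen=True)
class Packet:
    ts: float          # time seen, in seconds
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "out" = from a protected host, "in" = towards it

class UdpStateTable:
    """Toy stateful inspector: remembers outbound UDP requests so that an
    inbound 'response' from port 4000 can be checked against them."""
    def __init__(self) -> None:
        self._sessions: Dict[Tuple[str, int, str, int], float] = {}

    def inspect(self, pkt: Packet) -> str:
        # Outbound packet: record (client, client port, server, server port).
        if pkt.direction == "out":
            self._sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return "accept"
        # Inbound packet: only source port 4000 is subject to the Witty check.
        if pkt.sport != ICQ_PORT:
            return "accept"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # mirror of the request
        started = self._sessions.get(key)
        if started is not None and pkt.ts - started <= UDP_TIMEOUT:
            return "accept"                               # solicited ICQ reply
        return "drop: Witty worm UDP packet detected"     # unsolicited 'reply'

def run(trace: List[Packet]) -> List[str]:
    table = UdpStateTable()
    return [table.inspect(p) for p in trace]

# Constructed trace: one real ICQ exchange, one unsolicited packet, one late reply.
SAMPLE_TRACE = [
    Packet(0.0, "10.0.0.5", 51234, "203.0.113.7", 4000, "out"),   # client request
    Packet(0.4, "203.0.113.7", 4000, "10.0.0.5", 51234, "in"),    # matching reply
    Packet(1.0, "198.51.100.9", 4000, "10.0.0.5", 23871, "in"),   # no prior request
    Packet(60.0, "203.0.113.7", 4000, "10.0.0.5", 51234, "in"),   # session expired
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_TRACE, run(SAMPLE_TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} ({p.direction}): {verdict}")
```

A stateless filter keyed only on source port would have to accept all four packets or block ICQ entirely; the session table lets the third and fourth be dropped while the genuine reply passes.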

Attack Detection:

Using SmartView Tracker, users of SmartDefense NG AI will see drop logs with rule number 40009 in the log viewer.

InterSpect and R55W users will receive the following SmartView Tracker information:

Attack Name: Worm propagation attempt
Attack Information: Witty worm UDP packet detected

InterSpect SmartView Tracker: Witty_Worm log entries

Solution:

Users of VPN-1 NG AI R55, R55W and InterSpect should update SmartDefense by pressing the Update Now / Update SmartDefense button under the General tab in the SmartDefense configuration menu. The update includes a new service which blocks the ISS PAM ICQ parsing vulnerability and worms exploiting it ('Witty').

To enable the protection (users of R55, R55W and NGX R60):

  • Select Manage > Services and check the newly added Witty_worm service (see below)

SmartDefense NG AI R55: Witty_worm Service


Note: The service may cause ICQ connectivity issues.

  • Go to Rules > Add Rule and create a new rule for the Witty_worm service. The rule consists of the following: Source = Any, Destination = Any, Service = Witty_worm, Action = drop. It is strongly advised to place this rule among the first rules of the security policy.
  • Install policy on all modules.



To enable the protection (users of InterSpect):

1. On the SmartDefense navigation tree, click Application Intelligence > Block Witty Worm.



2. Install security policy on all modules.

Industry Reference:

CAN-2005-0362

Additional Information: