Security: good ;login: preprint article on the ‘Witty’ worm. ‘Conclusion: Witty represents a new generation of malcode: written by a motivated, skilled, and malicious individual. Witty’s author is the first to combine both skill and substantial malice. The author had some motive which led, for him, to desire a destructive effect. Witty was written by an expert and, unless caught, he could do it again.’
However, there’s one point where I think the authors have slipped up:
The use of previously compromised machines (for seeding) requires that the attacker either obtained access on 110 machines using a different tool, already had access to 110 machines, or took control of these machines from a third party. Thus Witty’s author probably possessed some ties to the attacker underground, to gain these machines in the short timeframe.
IMO, that’s not necessarily the case. Given that current estimates are that 80% of spam emanates via open proxies, and that those in turn are generally insecure machines that have been taken over, I would surmise that someone with access to a reasonable amount of spam and an off-the-shelf Windows vulnerability scanner could quickly amass 110 machines to launch the attack with — simply by scanning for the vulnerabilities those machines were r00ted with in the first place.
Good article otherwise, though…