My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Witty Worm Wrap-up

Published: 2004-03-22. Last Updated: 2004-03-22 18:38:16 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
Witty Worm Wrap-up

For our more technical discussion about the Witty worm, see Saturdays diary:

http://isc.sans.org/diary.html?date=2004-03-20
We expect to return to infocon 'GREEN' later today.

Witty Worm Traffic

Infected machines generated outbound UDP traffic at line speed, frequently saturating local area networks. As a result, the traffic generated was high compared to the number of infected hosts. At this time, we have reports for about 20,000 unique IP addresses sending UDP packets from port 4000 over the weekend. The traffic rose very fast, and dropped within the first hour. This is likely a result of the Witty worm's destructive component, which will crash infected systems and prevent them from rebooting.

Graphs

Witty traffic (packets reported): http://isc.sans.org/images/witty1.jpg

Unique IPs per hour: http://isc.sans.org/images/witty2.jpg

Geographic Animation: http://isc.sans.org/witty.html
(this diary will be updated throughout the day)

--------------

Johannes Ullrich, jullrich_AT_sans.org
Keywords:
0 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

Login here to join the discussion.


Top of page
Diary Archives