A destructive worm targeting Internet Security Systems (ISS) BlackICE products began circulating Saturday. ISS recommends immediately applying patches it's supplied to prevent infection by Witty-A, unauthorized system access or arbitrary code execution by a remote attacker.
"If a vulnerable system is infected, the Witty worm attempts to propagate by scanning random IP addresses," said an ISS advisory. "The Witty worm is destructive to the target system, and overwrites key hard disk sectors after sending out its payload. The junk data written to disk may impact system stability and cause a "blue screen" to occur upon reboot."
Though rated low-risk by antivirus vendors, Witty-A does pose a threat.
The worm exploits a vulnerability in the Protocol Analysis Module (PAM), which is part of ISS RealSecure, Proventia and BlackICE products for detecting and preventing system intrusion. However, ISS said Proventia products aren't affected by the Witty worm. BlackICE versions 3.5 and below aren't affected by the worm or the vulnerability, according to Chicago-based managed intrusion prevention and protection services provider Lurhq.
This is the second time in less than a month that eEye Digital Security has revealed a major vulnerability in a core module affecting multiple products of rival ISS.
The problem is in the PAM's ICQ response handling routine. ICQ is a popular instant messaging tool, originally developed by ICQ Inc. and now part of America Online. ISS software parses several instant messaging protocols, including ICQ, to detect attacks. An attacker can send a specially crafted SRV_MULTI response containing two embedded response packets directed at the source port of 4000. During the PAM's processing, packet contents will be copied into a 512-byte buffer without any checking. This can cause a buffer overflow that a remote attacker can manipulate to run arbitrary code with system privileges, permitting unauthorized system access.
Since this vulnerability involves the stateless protocol UDP, a single specially crafted datagram can affect every vulnerable host in a network simultaneously. In a test, eEye reports that it was able to compromise a BlackICE installation with maximum security configuration.
The problem affects multiple ISS products, including BlackICE Agent for Server, BlackICE PC Protection, BlackICE Server Protection, RealSecure Desktop, RealSecure Guard, RealSecure Sentry, RealSecure Network, RealSecure Server Sensor, and Proventia A, G, and M Series.
While there is no workaround, ISS suggests blocking ICQ traffic where the ICQ protocol isn't in use by blocking UDP packets with a source port of 4000 at the network perimeter. Because DNS and some other program/protocols use ephemeral UDP ports, including 4000, some side effects may occur.
Just last month, eEye found another serious vulnerability in the PAM's scanning of the Server Message Block (SMB) protocol.
SearchSecurity.com News Writer Shawna McAlearney contributed to this report.