The computer used to kick-start a global worm outbreak in March 2004 has been traced using crucial kinks in its code.
The same technique could, in future, help law enforcers pinpoint those responsible for distributing viral code across the internet, researchers say.
The “Witty worm” first emerged at 0445 GMT on 20 March 2004 and infected more than 12,000 computer systems around the globe within 75 minutes. It exploited a software bug in a commercial firewall package to infect new machines, randomly generating new network address targets as it went.
Nicholas Weaver and Vern Paxson from the University of California, Berkeley, and Abhishek Kumar from the Georgia Institute of Technology, both in the US, carefully analysed the way the worm generated new targets and painstakingly retraced its steps back to the first computer – or “patient zero” – of the outbreak.
They used a technique known as “telescope analysis” to gather valuable data about the worm’s spread. The approach involves monitoring portions of the internet where little or no network traffic normally exists, but which receive packets of data when a computer worm or virus starts generating traffic indiscriminately.
“A worm’s release illuminates, for a few moments, dark corners of the network just as supernovae illuminate dark and distant corners of the universe,” the researchers write in a paper outlining their work. “Within the overwhelming mass of observed data lies a very structured process that can be deciphered and understood, if studied with the correct model.”
Combined with an analysis of the worm’s code, this data provided crucial clues as to how it spread.
Examining the worm’s code revealed that it employed a “pseudo-random number generator” to produce new network addresses to target. As this method is not genuinely random, the team were able to calculate precisely which addresses the worm could feasibly send packets to.
Analysing the traffic data gathered by the network telescopes revealed some infected machines outside of these addresses, which must have been infected manually. The earliest of these machines was identified as patient zero – a PC registered with an unnamed European ISP.
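The reachable-address argument in the two paragraphs above, as an added illustration that is not code from the article or from the researchers' paper: it assumes a 32-bit linear congruential generator with the Microsoft C runtime constants (the article does not give the worm's actual generator), assumes each target address is built from the top 16 bits of two consecutive generator states, and runs over constructed sample telescope observations.

```python
"""Toy reconstruction of "which addresses could the generator ever emit?".
Assumptions not stated in the article: Microsoft CRT LCG constants, targets
built from the top 16 bits of two consecutive states, constructed sample data.
"""
from ipaddress import IPv4Address

MUL, INC, MASK = 214013, 2531011, 0xFFFFFFFF  # assumed LCG parameters


def step(state: int) -> int:
    """Advance the linear congruential generator by one state."""
    return (state * MUL + INC) & MASK


def target_from_state(state: int) -> str:
    """Target = top 16 bits of this state, then top 16 bits of the next one."""
    hi, lo = state >> 16, step(state) >> 16
    return str(IPv4Address((hi << 16) | lo))


def is_reachable(ip: str) -> bool:
    """Could any generator state produce this target?

    Only the 65536 states whose top half equals the address's first 16 bits
    can, so exhaustively test those. This LCG has full period 2^32, so every
    candidate state really is visited at some point.
    """
    addr = int(IPv4Address(ip))
    hi, lo = addr >> 16, addr & 0xFFFF
    return any(step((hi << 16) | low) >> 16 == lo for low in range(1 << 16))


def flag_manual_infections(observations):
    """Return (time, ip) pairs the scanner could never have chosen.

    Such hosts were not infected by the worm's own scanning, so they must
    have been seeded another way; the earliest is the patient-zero candidate.
    """
    return sorted((t, ip) for t, ip in observations if not is_reachable(ip))


# Constructed telescope observations: (seconds since outbreak, infected source).
SAMPLE_OBSERVATIONS = [
    (12.0, target_from_state(0xC0A80005)),  # produced by the generator itself
    (3.5, "192.168.0.4"),                   # falls in a gap the LCG never emits
    (40.0, target_from_state(0x0A000001)),  # also generator-produced
]

if __name__ == "__main__":
    for t, ip in flag_manual_infections(SAMPLE_OBSERVATIONS):
        print(f"t={t:6.1f}s  {ip}  not reachable by the generator")
```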
The researchers also found that the worm targeted 110 systems, all within a single US military installation, in the first 10 seconds of the outbreak, which kick-started the worm’s spread.
“It is interesting research,” says Eric Chien, chief researcher at Symantec Security Response in California, US. “It could definitely be useful, especially if patient zero turned out to be the author’s machine.”
But Chien says that worm writers will typically use another computer to begin spreading their creation. And he notes that the amount of data gathered by this type of network analysis could be time-consuming to sort through. “Time is obviously crucial,” he says.
Nevertheless, Weaver, Paxson and Kumar believe the approach could provide valuable new analytic tools for investigators.
“A worm’s propagation is a rare but spectacular event in today’s networks,” the researchers write. “We have shown how a fine-grained understanding of the exact control flow of a particular worm … when coupled with network telescope data, enables a detailed reconstruction of nearly the entire chain of events that followed the worm’s release.”
By Will Knight