So Many Worms, So Little Time
by Randy M. Nash - @RISK Online - Monday, 11 October 2004.
Theory became reality on Friday, 19 March 2004, at approximately 8:45 p.m. Pacific Standard Time (PST). The Witty Worm began its spread, but this attack was unlike anything seen previously:
  • It began to spread the day after the ISS vulnerability was publicized. At the time, this was the shortest known interval between vulnerability disclosure and worm release.
  • It was the first widely propagated Internet worm to carry a destructive payload.
  • It started in an organized manner, spreading from an initial 'seed' of about 110 hosts. This number grew to 160 in the first 30 seconds.
  • It reached its peak, reportedly having infected essentially every vulnerable machine on the Internet, in about 45 minutes.
  • It affected systems owned by people who were actively trying to secure their computers and networks.
This combination of features presents what appears to be an insurmountable security problem. Previous worms lagged several weeks behind the publication of new vulnerabilities, which led to a general reliance on patch management to protect vulnerable systems: there was usually sufficient time to patch before malicious code was widely circulating. The Witty worm started to spread the day after information about the exploit and the software upgrade that fixed the bug became available. We can no longer count on a buffer period in which to patch our systems. We must be alert to any new attack, ready to implement a multi-pronged defense, and prepared to monitor all systems until the threat has passed.

How Do We Defend Ourselves?

The patch management model of securing our systems is a failure. Now don't misunderstand me. I'm not saying we should not patch our systems; I'm saying we cannot rely on patching as a sure defense. In fact, there is no single security measure that will ensure our complete protection. We must employ security countermeasures for every possible avenue of attack.


First and foremost, deploy a defensive perimeter. A firewall is a definite MUST, but don't stop there. Firewalls should only allow traffic that matches tightly defined rules. Include protections such as attachment filtering for email and web content filtering. Use internal firewalls throughout the corporate network at segment boundaries. Apply appropriate access-control lists (ACLs) on routers and switches. Implement an intrusion detection system (IDS). Deploy anti-virus protection on servers and email gateways.

Inside the perimeter, examine your demilitarized zone (DMZ). Harden all servers, change all default passwords, and disable unnecessary services and protocols. Consider host-based IDS on critical systems. Check account permissions, file permissions, and trust relationships.

Internal systems need the same level of consideration as external-facing systems. Ensure all workstations are running anti-virus software. All workstations should be hardened, too. Make sure end-users have the knowledge and awareness necessary to help protect your environment through regularly scheduled Security Awareness Training. Enforce the use of cryptographically strong passwords. Discourage the downloading and use of unauthorized software, and audit regularly for it.

Copyright 1998-2013 by Help Net Security.