Entry: The Malice of the Witty Worm Jul 15, 2004



A recent article describes the latest malicious trend in network attacks. The Witty worm showed a number of advances in worm propagation and attack. This worm had a small target - BlackIce users who had failed to patch a very recently found vulnerability. BlackIce is a personal intrusion detection system. The worm infected 12000 machines. This seems a small number, but the frightening fact is that it found and destroyed the entire set of unpatched BlackIce users in 45 minutes. The attack itself was particularly malicious. The worm gained access to the vulnerable machines and then randomly erased RAM in 64K sections, effectively destroying the victim machines.

The timeline for this attack is frightening. ISS, the company that produces BlackIce, discovered a stack overflow problem in its products on March 8th. On March 9th ISS made a patch available to fix this problem, and on March 18th they announced the vulnerability. On March 19th Witty struck. Did the malware author have prior knowledge of the vulnerability, or was he or she exceptionally fast in creating an exploit for the problem?

The sad fact is that other hackers will pick up the lessons learned in Witty and apply them to newer, more malicious attacks against vulnerable machines.
