'Witty' Worm Wallops Thousands of Computers

A quickly spreading worm that emerged over the weekend damaged computers at several universities and at least one Web hosting company, according to the first wave of damage reports that began surfacing on Monday as system administrators returned to work.

The so-called "Witty" worm spread rapidly throughout the Internet early Saturday morning, infecting as many as 30,000 computers before subsiding, said Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, Kazinform reports with reference to The Washington Post.

The worm disrupted service for thousands of customers of Webhosting.net, a Miami-based Web hosting company. Andrew Martin, the company's chief information officer, said the worm completely destroyed four of the company's Windows servers, shuttering more than 1,000 Web sites for most of the weekend. The company is in the process of bringing customers back online.

"Those computers were pretty much hosed," Martin said. "Luckily we were able to retrieve the data that was on them from backup servers, but the infected computers had to be rebuilt from scratch."

The worm targeted computers running one of two firewall software programs in conjunction with Microsoft's Windows operating system, taking advantage of a security flaw in the firewall applications that was uncovered earlier this month. Once it infects a computer, it destroys files and often makes it impossible for people to restart their computers. It also tries to use the computer to look for new infection targets, but as infected computers shut down, the worm's spread subsided.

Unlike many recent worms that arrive as e-mail attachments, the Witty worm migrates without any action on the part of the user. It gets the name "Witty" from a line of code in the worm that says, "insert witty message here." The worm does its work without creating new files on infected PCs, so few antivirus products would have detected it, Ullrich said.
It also writes random data onto the computer hard drives, often causing them to fail. The worm can overwrite most data on the hard drive within about 20 minutes. Technologically sophisticated computer users could recover that data, but most users would have to go through the complicated process of reinstalling the operating system. In some cases, the worm can damage computers beyond all repair.

The firewalls were developed by Atlanta-based Internet Security Systems Inc., which estimated that 16,000 computers were infected during the weekend. Chris Rouland, vice president of ISS's X-Force research and development division, said the number could have been higher if the worm had struck during the work week, when most vulnerable computers were turned on.

Scott Fendley, an IT security analyst for the University of Arkansas in Fayetteville, lost much of the work he had done on his master's thesis after the Witty worm took down his computer on Saturday. The worm did not take down the university's critical computers, but Fendley said that the school was considering whether to buy a university-wide license for Black Ice.

"I have a feeling that we will reconsider what our options are for enterprise firewall software," he said. "It's more than a little ironic that this comes from a security firm that makes much of its money from discovering security flaws in other people's software."

The worm also hit the University of Michigan, infecting 75 Web and e-mail servers. Traffic generated by the worm trying to infect other systems quickly brought e-mail and Web traffic to a halt on the school's network for the bulk of the day. Jim Daniels, a network administrator for the University of Michigan, said the school is in the process of rebuilding the servers.

"When they tried to reboot these machines, we learned they were pretty much finished off," Daniels said. "I don't think anyone has been able to restore one without completely rebuilding it."
No suspect has been identified in Saturday's attack. Rouland of ISS said that the company contacted the FBI. The FBI is aware of the situation, but a spokesman declined to say whether it is investigating.

Security vulnerability research firm eEye Digital Security identified the flaw on March 8. The Aliso Viejo, Calif.-based company discovered that it could trick some versions of Black Ice and Real Secure into processing Internet traffic that would allow attackers to transfer dangerous data to vulnerable computers. ISS made a patch available for its corporate customers shortly after the eEye announcement, but did not provide a fix for its vulnerable desktop PC versions until Friday afternoon.

Initial copies of the worm appear to have been "seeded," that is, released from at least 100 computers that the attackers had already taken over, said Colleen Shannon, a senior security researcher for the Cooperative Association for Internet Data Analysis (CAIDA). CAIDA monitors Internet traffic trends from its location at the San Diego Supercomputing Center at the University of California, San Diego.