The report by the Cooperative Association for Internet Data Analysis (CAIDA) says Witty broke new ground on two fronts: it began by infecting dozens of machines simultaneously, all of them maintained by security-savvy users, and it targeted a vulnerability that had been disclosed only a day earlier. Witty's spread was limited primarily by its destructive payload and by the small installed base of the ISS products it exploited, CAIDA noted, positing that the same tactics could be repeated using huge "botnets" of compromised boxes to target Windows machines at large.
"The patch model for Internet security has failed spectacularly," the report said. "The fact that all victims were compromised via their firewall software the day after a vulnerability in that software was publicized indicates that the security model in which end-users apply patches to plug security holes is not viable."
Witty's victims were "participating in the best security practice that can be reasonably expected," noted CAIDA, which previously published analyses of the Slammer and Code Red worms. "It is both impractical and unwise to expect every individual with a computer connected to the Internet to be a security expert."
Witty is one of several recent malware outbreaks that have made end-runs around anti-virus programs. Several recent variants of the Bagle virus have spread through an auto-download feature exploited via HTML e-mail, rather than as an executable attachment that a scanner can inspect. The Phatbot trojan "has the ability to polymorph on install in an attempt to evade antivirus signatures," according to an analysis from Lurhq.
CAIDA urged the security community to "reconsider the notion that end user behavior can solve or even effectively mitigate the malicious software problem," and to focus instead on writing better software and developing more secure Internet infrastructure. But those are complex, long-term solutions to an immediate challenge. If malware authors are indeed gaining the upper hand on the security community, the problems CAIDA envisions are likely to arrive long before the solutions do.