The latest variants of the Zotob worm, which target the Plug and Play flaw in Microsoft Windows, may be responsible for a number of large network outages at organizations running Windows 2000, including Capitol Hill, CNN, ABC and The New York Times. The SANS Internet Storm Center believes the outages could be caused by a fourth variant of the Zotob worm, but believes its impact will be limited.
"All statements so far [from CNN] make this look like a Zotob variant, even though this variant appears to reboot the system. [Zotob-D?]," ISC handler Chris Carboni wrote in the handler's diary. "Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point. Zotob keeps mutating and finding new victims. As seen with prior TCP worms, it is reaching its peak around three days after the outbreak."
Otherwise it appears to have had a minimal impact on enterprises, in part because both Microsoft and corporate IT shops seem to be getting a better handle on the patching process.
"We're in an 'it could be much worse' situation for a number of reasons," Graham Cluley, senior technology consultant for Lynnfield, Mass.-based AV firm Sophos, said in an e-mail interview. "The Zotob worm doesn't really work on Windows XP computers, so the masses of home users out there running XP don't seem to be getting hit by this one. And unlike when worms have struck in other years, we now have XP SP2, which has automatic downloading of security patches and a rudimentary firewall turned on by default. Microsoft learned that many home users don't care about downloading security patches, so they made it the automatic default behavior. These factors should have a marked effect on the intensity of future virus outbreaks that exploit known flaws."
And, he said, companies have gotten much better at prompt patching, "if only because they know they have to in order to survive."
As of 8:30 a.m. ET Tuesday, Sophos' lab was monitoring:
- Three variants of the Zotob worm. The latest variant, Zotob-C, is different from the first two in that it also spreads by e-mail rather than just through networked computers. When it spreads by e-mail, it uses a number of disguises. In one instance, Sophos said it pretends to be a Web cam photograph. Because of the e-mail component, Cluley said this variant could have a wider reach than the first two.
- The Tilebot-F spyware worm. Sophos said this one can steal user account information from infected computers and launch distributed denial-of-service attacks against Web sites. Cluley said the lab has received reports from organizations hit by Tilebot, but it doesn't appear to be a mass outbreak at the moment. "Sometimes there's simply no logic to which viruses become successful and which don't," he said. "Sometimes it seems to just be a case of luck."
Finnish antivirus firm F-Secure Corp. has been
"We were contacted some hours ago by an organization that had several hundred Windows computers in their internal network infected by a new variant of Ircbot," he said. "While analyzing the malware, we noticed that this Ircbot variant had something new up its sleeve: Instead of the usual replication methods of guessing share passwords or probing for RPC/LSASS vulnerabilities, this bot was using the brand new MS05-039 Plug and Play vulnerability -- just like the Zotob worm."
Hypponen said the organization in question has a lot of Windows 2000 machines behind its firewall. "Once one machine got infected, the bot could easily find lots of machines to infect in the internal network," he said.
Meanwhile, the Bethesda, Md.-based SANS Internet Storm Center [ISC] has moved its alert status from yellow back to green. "As expected, we did see various bots, in particular 'Zotob,' take advantage of [the Plug and Play flaw]," ISC CTO Johannes Ullrich said on the organization's Web site. "At this point, the situation is static. New bot variations keep getting developed, but they do not add any fundamental new variation of the exploit. We expect that most exploitable systems have been compromised at this point."
He added that the last week has shown that there is no longer a patch window. "Defense in depth is your only chance to survive the early release of malware," he said. In this particular case, he added, three distinct best practices can mitigate the vulnerability:
- Close port 445 at least at the perimeter;
- Patch systems quickly; and
- Eliminate NULL sessions.
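
As an added example (not from the article, SANS or any vendor quoted here), the following sketch checks firewall logs for two of the conditions described above: TCP 445 allowed in through the perimeter, and an internal host contacting many internal peers on 445 in a short time, the pattern Hypponen describes once one machine behind the firewall is infected. The log format, the 10.0.0.0/8 internal range, and the window and threshold values are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines (not from the article): epoch action src dst dst_port
SAMPLE_LOG = """\
1124200000 ALLOW 203.0.113.7 10.0.0.5 445
1124200001 DENY 198.51.100.9 10.0.0.6 445
1124200010 ALLOW 10.0.0.5 10.0.0.20 445
1124200011 ALLOW 10.0.0.5 10.0.0.21 445
1124200012 ALLOW 10.0.0.5 10.0.0.22 445
1124200013 ALLOW 10.0.0.5 10.0.0.23 445
1124200014 ALLOW 10.0.0.5 10.0.0.24 445
1124200020 ALLOW 10.0.0.8 10.0.0.2 445
1124200030 ALLOW 10.0.0.9 10.0.0.2 80
1124200500 ALLOW 10.0.0.8 10.0.0.3 445
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, action, src, dst, port = parts
        yield int(ts), action, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def perimeter_exposure(log):
    """(src, dst) pairs where an external source was allowed to reach an internal host on 445."""
    return sorted({(str(s), str(d)) for _, a, s, d, p in parse(log)
                   if p == 445 and a == "ALLOW" and s not in INTERNAL and d in INTERNAL})

def internal_fanout(log, window=60, threshold=5):
    """Internal sources that hit >= threshold distinct internal hosts on 445 within window seconds."""
    events = defaultdict(list)
    for ts, _, s, d, p in parse(log):
        if p == 445 and s in INTERNAL and d in INTERNAL:
            events[str(s)].append((ts, str(d)))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            peers = {d for ts, d in evs[i:] if ts - start <= window}
            if len(peers) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged

if __name__ == "__main__":
    print(perimeter_exposure(SAMPLE_LOG), internal_fanout(SAMPLE_LOG))
```

Any pair returned by `perimeter_exposure` means the first mitigation is not in place; a host returned by `internal_fanout` is a candidate for isolation and a patch check.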