Organizations around the world this morning are scrambling to combat multiple large-scale worm outbreaks targeting the Plug and Play flaw on Windows 2000. It began last night with reports of devastating infections at Capitol Hill, CNN, ABC and The New York Times, but security experts say that's only the beginning.
"We were hit hard here and I have heard reports of
"We discovered that the backdoor was using TCP port 8080 to a specific IP and set up a firewall rule to block that traffic, which also gave us a list of infected machines," the security manager added. "We saw some machines getting stuck into a 'boot loop,' they would start to boot up and then reboot continuously. We suspect that was the result of infection attempts."
He said it only added to the confusion that at least three new variants of the Zotob worm came out yesterday. Vendors reported other worms as well, but malware naming conventions continue to present problems for users trying to determine what they've been infected by. Among the worms: Zotob-A through Zotob-F, Zytob, IRCbot.worm, Tpbot-A, Dogbot-A, Esbot-A, SDbot-ACG, Rbot-AKM, Rbot-AKN and Drugtob-B.
"Many enterprises, large and small, have internal infections of Windows 2000 systems by worms," said David Kennedy, senior risk analyst, Cybertrust Corp. "The problem is complicated by undisciplined naming by various antivirus vendors."
Stefana Ribaudo, director of Computer Associates' eTrust Security Management division, said
"We had more than enough reports to go to a medium alert," she said. "The first reports started coming in from Australia. Then the reports rolled east with the sunrise."
Multiple variants of the Zotob worm. Zotob-C is different from the first two in that it also spreads by e-mail rather than only through networked computers. The other variants spread by scanning TCP port 445. When it spreads by e-mail, it uses a number of disguises; in one instance, Sophos said, it pretends to be a Web cam photograph. Because of the e-mail component, this variant could have a wider reach than the first two.
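As an added illustration, not part of the original article or of any vendor's tooling, of the two indicators described above (the security manager's firewall rule blocking the backdoor's TCP port 8080 traffic to a fixed address, and the TCP port 445 scanning of the network-spreading variants), the Python script below runs both checks over constructed firewall log lines. The log format, the controller address 203.0.113.9 and the scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the article): one connection
# attempt per line, "<time> <src_ip> -> <dst_ip>:<dst_port> <action>".
SAMPLE_LOG = """\
08:01:02 10.0.1.15 -> 203.0.113.9:8080 DROP
08:01:03 10.0.1.22 -> 10.0.1.23:445 ALLOW
08:01:03 10.0.1.22 -> 10.0.1.24:445 ALLOW
08:01:04 10.0.1.22 -> 10.0.1.25:445 DROP
08:01:04 10.0.1.22 -> 10.0.1.26:445 DROP
08:01:05 10.0.1.40 -> 10.0.1.50:445 ALLOW
08:01:06 10.0.1.15 -> 10.0.1.27:445 DROP
08:01:07 10.0.1.31 -> 203.0.113.9:8080 DROP
08:01:08 10.0.1.15 -> 203.0.113.9:8080 DROP
"""

# Assumed log layout; adapt the pattern to the real firewall's format.
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+->\s+([^:\s]+):(\d+)\s+(\w+)$")


def parse_log(text):
    """Yield (src, dst, port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def backdoor_clients(text, c2_ip, c2_port=8080):
    """Hosts that tried to reach the blocked controller address: the
    'list of infected machines' the firewall rule produced as a side effect."""
    return sorted({src for src, dst, port in parse_log(text)
                   if dst == c2_ip and port == c2_port})


def port_scanners(text, port=445, min_targets=3):
    """Hosts contacting at least min_targets distinct peers on one port:
    the spreading behaviour of the network-propagating variants."""
    targets = defaultdict(set)
    for src, dst, p in parse_log(text):
        if p == port:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    print("backdoor clients:", backdoor_clients(SAMPLE_LOG, "203.0.113.9"))
    print("port-445 scanners:", port_scanners(SAMPLE_LOG))
```

A single host appearing in both lists is the strongest signal; a host that only scans port 445 may be a legitimate management station, so the threshold needs tuning per network.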
The Tilebot-F spyware worm. Sophos said this one can steal user account information from infected computers and launch distributed denial-of-service attacks against Web sites. Cluley said the lab has received reports from organizations hit by Tilebot, but it doesn't appear to be a mass outbreak at the moment. "Sometimes there's simply no logic to which viruses become successful and which don't," he said. "Sometimes it seems to just be a case of luck."
The W32/IRCbot.worm. McAfee warned of a high-risk worm that it said
"We are not aware at this time of a new attack; our analysis has revealed that the reported worms are different variations of the existing attack called Zotob," a Microsoft spokesperson said in a statement. "All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation."