Worms targeting Windows Plug and Play go global

By Shawna McAlearney and Bill Brenner, News Writers 17 Aug 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Organizations around the world this morning are scrambling to combat multiple large-scale worm outbreaks targeting the Plug and Play flaw on Windows 2000. It began last night with reports of devastating infections at Capitol Hill, CNN, ABC and The New York Times, but security experts say that's only the beginning.

"We were hit hard here and I have heard reports of

Protect yourself How to protect your network from the Plug and Play exploits Security experts offer practical advice to reduce the risk of your company's networks being infected by a variety of malicious code now circulating.

variable credibility that other orgs were hit as well," said a security manager at a Fortune 500 company who wished to remain anonymous. "From a management perspective it was utterly depressing because it was moving so fast we knew that we were still going to take a big hit."

"We discovered that the backdoor was using TCP port 8080 to a specific IP and set up a firewall rule to block that traffic, which also gave us a list of infected machines," the security manager added. "We saw some machines getting stuck into a 'boot loop,' they would start to boot up and then reboot continuously. We suspect that was the result of infection attempts."

He said it only added to the confusion that at least three new variants of the Zotob worm came out yesterday. Vendors reported other worms as well, but malware naming conventions continue to present problems for users trying to determine what they've been infected by. Among the worms: Zotob-A through Zotob-F, Zytob, IRCbot.worm, Tpbot-A, Dogbot-A, Esbot-A, SDbot-ACG, Rbot-AKM and Rbot-AKN; and Drugtob-B.

"Many enterprises, large and small, have internal infections of Windows 2000 systems by worms," said David Kennedy, senior risk analyst, Cybertrust Corp. "The problem is complicated by undisciplined naming by various antivirus vendors."

Stefana Ribaudo, director of Computer Associates' eTrust Security Management division, said

Read more on the Plug and Play attacks: More malcode targets Windows Plug and Play flaw   Zotob exploits Microsoft Windows flaw   The exploits of August   Critical fixes for IE, Windows

Tpbot-A seemed to be the most prevalent so far.

"We had more than enough reports to go to a medium alert," she said. "The first reports started coming in from Australia. Then the reports rolled east with the sunrise."

Multiple variants of the Zotob worm. Zotob-C, is different from the first two in that it also spreads by e-mail rather than just through networked computers. The other variants spread by scanning TCP port 445. When it spreads by e-mail, it uses a number of disguises. In one instance, Sophos said it pretends to be a Web cam photograph. Because of the e-mail component, this variant could have a wider reach than the first two.

The Tilebot-F spyware worm. Sophos said this one can steal user account information from infected computers and launch distributed denial-of-service attacks against Web sites. Cluley said the lab has received reports from organizations hit by Tilebot, but it doesn't appear to be a mass outbreak at the moment. "Sometimes there's simply no logic to which viruses become successful and which don't," he said. "Sometimes it seems to just be a case of luck."

The W32/IRCbot.worm. McAfee warned of a high-risk worm that it said

Naming conventions at issue Caught in the virus name game As this month's malware outbreaks attest, it's confusing when antivirus vendors attach different names to the same malware.

could be global by this morning. "That worm appeared seven days from the initial announcement of the Microsoft vulnerability, demonstrating the fastest time between the announcement of a vulnerability and the success of a mass propagating exploit -- even faster than Sasser, which took 14 days," McAfee said in a statement. McAfee said IRCbot.worm contacts a remote IRC server and waits for further instructions. If this worm is run on a system, that hasn't been patched for the MS05-039 vulnerability, it will continually reboot. Infected systems will be listening on TCP port 8594.

"We are not aware at this time of a new attack; our analysis has revealed that the reported worms are different variations of the existing attack called Zotob," a Microsoft spokesperson said in a statement. "All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation."

Tags: Malware, Viruses, Trojans and Spyware,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware The world's top 5 riskiest domains New Zeus spam poses as Social Security statements Increase in Gumblar backdoors poses FTP credential problems Hackers to sharpen malware, malicious software in 2010 iPhone worm Rickrolls jailbroken phones Israeli Mossad add Trojan Horse to Syrian laptop Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary