Security experts don't think Zotob will blossom into the next Sasser-sized attack. But they're stunned by how fast a worm was developed to exploit the Plug and Play flaw Microsoft announced less than a week ago. The big worry is that Zotob may be a dress rehearsal for something far worse.
"We're not seeing a large number of reports on Zotob, but I wouldn't be surprised if other malicious code writers jumped on the bandwagon and came up with something bigger," said Graham Cluley, senior technology consultant for Lynnfield, Mass.-based Sophos. "Exploit code was out very quickly after Microsoft released the patch, and now there's a worm."
Finnish security firm F-Secure Corp., the French Security Incident Response Team (FrSIRT) and the Bethesda, Md.-based SANS Internet Storm Center sounded the alarm for Zotob Sunday, warning that it targets the security hole Microsoft outlined in MS05-039, one of the critical bulletins it issued Tuesday as part of its monthly patch rollout. By Monday morning, antivirus firms like Sophos, Cupertino, Calif.-based Symantec and Tokyo-based Trend Micro were issuing alerts as well. At the time of writing, most firms were detecting two variants: Zotob-A and -B.
MS05-039 addressed flaws in Plug and Play, a program that allows users to insert and remove devices like PC cards without having to configure them; connect to or disconnect from a docking station or network without restarting the computer or changing configuration parameters; and add a new monitor or USB keyboard by plugging it in and turning it on. "A remote code execution and local elevation of privilege vulnerability exists in Plug and Play that could allow an attacker… to take complete control of the affected system," Microsoft said Tuesday.
A Microsoft spokesperson said Monday morning that the software giant is monitoring Zotob's progress. She added that Microsoft has posted an advisory on its Web site to help users make sense of the threat.
Cluley said Zotob-A and -B don't travel by e-mail but spread to other networked machines the way Sasser did -- by exploiting security holes in Microsoft's software.
Once it infects a PC, Zotob opens a backdoor that lets remote hackers gain access and control over the computer, he added. Affected machines then look for other computers to infect.
"Once hackers have control over your computer they can see everything you do online and steal credit card details, your passwords and commit identity fraud if they wish," Cluley said. "These worms are invisible intruders on your Windows PC. They will not announce that they have infected you."
Microsoft said users who have installed the MS05-039 fix have nothing to worry about, and added, "If you are using any supported version of Windows other than Windows 2000, you are not at risk..."
Waiting for the shoe to drop
Security experts have warily watched cyberspace since exploit code for the latest Microsoft flaws began to circulate late last week. The Internet Storm Center took the rare step of raising its alert status to "Infocon Yellow," which means it is tracking a significant new threat. Internet Storm Center handler Tony Carothers said on the organization's Web site Sunday, "Starting around 11:30 UTC, we've received several reports on a new worm variant that makes use of MS05-039 to spread. If you're not patched yet, this is your last call."
Mikko Hypponen, director of AV research for F-Secure, said Zotob is based on the prolific Mytob worm and might be using exploit code published four days ago by a researcher who goes by the online name "houseofdabus."
"This whole case has a nasty ring to it," Hypponen said. "The infamous Sasser worm was released two days after houseofdabus released exploit code for the LSASS vulnerability."
Not the next Sasser
That said, Hypponen doesn't expect Zotob to become the next Sasser, which left countless companies around the world reeling from infestations in April 2004.
"First of all, it will not infect Windows XP SP2 machines," Hypponen said. "It also won't infect machines that have 445/TCP blocked at the firewall. As a result, [a] majority of Windows boxes [on] the net won't be hit by it."
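The practical consequence of Hypponen's point is that the worm's spread is visible on the network: an infected host contacts many different machines on 445/TCP in a short time, whereas a normal client talks to a handful of file servers. The following script is an added example, not code from the article, F-Secure or Sophos; it parses a constructed firewall log format (the field layout, IP addresses and timestamps are all made up for this illustration) and flags any source that touches an unusually large number of distinct hosts on 445/TCP inside a sliding time window. Denied connections count as well, because a host probing blocked ports is exactly the one that should be isolated and patched.

```python
"""Added example: spot network-worm style propagation on 445/TCP in firewall logs.
Not from the original article; log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Hypothetical format:
#   "<date> <time> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
# 10.0.0.17 behaves like an infected host (many distinct targets on 445 in
# seconds, several of them blocked); 10.0.0.5 and 10.0.0.9 are normal SMB
# clients talking to one file server (10.0.0.2).
SAMPLE_LOG = """\
2005-08-14 11:30:01 10.0.0.17 -> 10.0.0.20:445 tcp allow
2005-08-14 11:30:01 10.0.0.17 -> 10.0.0.21:445 tcp allow
2005-08-14 11:30:02 10.0.0.17 -> 10.0.0.22:445 tcp deny
2005-08-14 11:30:02 10.0.0.17 -> 10.0.0.23:445 tcp deny
2005-08-14 11:30:03 10.0.0.17 -> 10.0.0.24:445 tcp allow
2005-08-14 11:30:03 10.0.0.17 -> 10.0.0.25:445 tcp deny
2005-08-14 11:30:04 10.0.0.17 -> 10.0.0.26:445 tcp allow
2005-08-14 11:30:04 10.0.0.17 -> 10.0.0.27:445 tcp deny
2005-08-14 11:30:05 10.0.0.5 -> 10.0.0.2:445 tcp allow
2005-08-14 11:31:10 10.0.0.5 -> 10.0.0.2:445 tcp allow
2005-08-14 11:33:42 10.0.0.5 -> 10.0.0.2:445 tcp allow
2005-08-14 11:34:00 10.0.0.9 -> 10.0.0.2:445 tcp allow
2005-08-14 11:34:05 10.0.0.9 -> 192.0.2.10:80 tcp allow
"""


def parse_line(line):
    """Parse one constructed log line into a dict of typed fields."""
    date, time_, src, _arrow, dst, proto, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S"),
        "src": src,
        "dst": dst_ip,
        "port": int(dst_port),
        "proto": proto,
        "action": action,
    }


def find_scanners(log_text, port=445, window=timedelta(seconds=60), min_targets=5):
    """Return {src_ip: max_distinct_targets} for sources that contact at least
    `min_targets` distinct hosts on `port`/tcp within any `window`-long interval.

    Both allowed and denied connections are counted: a denied attempt still
    shows the source is probing, which is the signal we want for triage.
    """
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] == "tcp" and rec["port"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    suspects = {}
    for src, hits in events.items():
        hits.sort()  # time order so the sliding window is contiguous
        start = 0
        best = 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            suspects[src] = best
    return suspects


if __name__ == "__main__":
    for src, count in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{src}: {count} distinct hosts on 445/tcp within 60s -> isolate and patch")
```

The threshold of five distinct targets per minute is a starting point, not a tuned value; a domain controller or backup server legitimately reaches many hosts on 445/TCP and should be placed on an allow-list before this kind of rule goes into an alerting pipeline. On the 2005 network the article describes, the same data also answers the question Hypponen raises: if the perimeter really blocks 445/TCP, the only hits in the log should be internal-to-internal, and any inbound one on that port is a firewall misconfiguration worth fixing before the next variant arrives.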
Hypponen said his lab also found a message hidden within Zotob: "MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!"
The F-Secure Web site has posted a full technical description of Zotob.