According to several reports there are several big media outlets seeing what is reported as the zotob worm which exploits a Microsoft Windows vulnerability (MS05-039) disclosed last week. There seems to be no better way for something to make the news than for it to affect the companies that bring us the news…. CNN for one is reporting that the worm has affected their networks as well as ABCnews and the New York Times. The Caterpillar Company is also mentioned.
The zotob worm primarily affects unpatched Windows 2000 systems, some XP systems are vulnerable. A patch, of course, is available from Microsoft. The vulnerability is in plug and play which was designed to ease installation of hardware. Devices that were plug and play compatible would be automatically detected. (Why Microsoft designed functionality to listen for remote network requests into this service I have no idea.)
Cnn is also reporting that some are blaming a different worm, by the name of worm-rbot.cbq (update 9:30PM EDT – looks like this is a name from TrendMicro – they seem to be describing the same bug I’ve detailed below.) CNN’s source suggest that this is a variant or derivation of the zotob worm. Others are speculating that what CNN is seeing may be named Zotob.D because the rebooting behavior is one that hadn’t been seen in earlier incarnations of the worm. (Now incidents.org is reporting that this is actually Zotob.e according to a release from symantec in just the last few minutes. They are further reporting that this is affecting Capitol Hill as well.
An earlier update at Incidents.org suggested that although it has gotten broader media coverage (as they’ve been affected), they did not see evidence to indicate that there was a massive new outbreak and that the outbreak has already peaked (as they report on the third day since it’s entrance into the wild which has been typical for this kind of worm.)
Further, Symantec has a writeup on Zotob.E including step by step removal instructions. It looks as though it creates a mutex named wintbp.exe (so that only one copy loads into memory at a time.) It also drops a file called wintbp.exe into the Windows directory of the affected machine (Windows/WinNT/etc.)
“Wintbp” = “wintbp.exe”
to the registry subkey:
to start at each system boot…
It attempts to detect network connections (may fail if it’s on a non-routable address)
It opens a backdoor at port 8080 to connect to a machine at ip address 184.108.40.206
It opens multiple ports
Sends packets to IP addresses at random (searching for infectable hosts?)
It attempts to spread using port 445
It creates a file at %Temp%[NUMBER].bat on the infected machine. Then uses TFTP to download the worm to the infected computer. The file is created as %Windir%a[NUMBER].exe and logs the ip of the infected machine to the IRC channel that it communicates with.
It’s worth noting that Zotob.E is the first in this virus family to be rated a 3 on their virus rating scale (which goes to 5) (the others have been 2).
Microsoft has a page up on dealing with zotob.a (What you need to know about Zotob.A which they rate as a minimal threat.
It should be noted that Symantec has posted A removal tool for zotob.a and zotob.b I expect it will be updated to deal with the rest of the virus family soon. Microsoft has not yet updated it’s malicious software removal tool to deal with zotob. (Didn’t they buy an antivirus company in the last year???)
Over at the Security Fix Brian is once again giving an overview of what’s going on. He also gives a theory on how the media companies found themselves in such a fix (not patching their systems?) Suggesting that they were reporting from a hostile network and the infected laptops got brought back inside the firewalls and blasted the internal networks. Just a theory, but certainly plausible. It just goes to show that perimeter (firewall) security is not always the only solution but a piece of the puzzle. If you have laptops that migrate in and out of various network they need to be scrutinized for patches at a much greater level than the big desktops inside.
What troubles me most about this is that CNN reported that Capital Hill was affected, you would hope that this serves as a wakeup call in securing those systems. I wonder what amount of data may be compromised on those machines?
Related PostsRelated Posts
- Esbot and Zotob updates.... Wednesday afternoon and Esbot is up to revision .B, Zotob is up to G according to Sarc (Symantec antivirus research). They have appropriate removal tools and details on affected systems there. Meanwhile the Sans institute (incidents.org) has a rundown of the latest in todays handlers diary. They also explain why......
- The virus arms race? is locking down systems the key? The securityfix has a post on the "dirty little secret" about antivirus. Eugene Kaspersky of Kaspersky antivirus has posted an introspective article on the antivirus industry and it's current problems. The biggest problem with antivirus is that it's always one step behind the virus writers. Antivirus software only can prevent......
- Windows Police Pro Yes folks, it's Windows Police Pro, the gift that keeps on giving apparently. It's crawled back into Googles top searches tonight. If you want to see how to remove it look at Windows Police Pro Removal, you may be interested in Who is behind Windows Police Pro and probably will......
- Acme People Search Assessment Acme People Search Scam came from a keyword list from my blog. It was one of the generally searched phrases to my blog in the past 30 days. The only thing I can imagine is so many people are seeing Tissa Godavitarne technique for the first time and they think......
- New threat: Hackers look to take over power plants LOLITA C. BALDOR, Associated Press Writer WASHINGTON — Computer hackers have begun targeting power plants and other critical operations around the world in bold new efforts to seize control of them, setting off a scramble to shore up aging, vulnerable systems. Cyber criminals have long tried, at times successfully, to......
- Free Spyware Removal Software I do not recommend using free spyware removal software for many reason but if your going to you might as well use the best free spyware products out there. In the end of this article we will tell you why not to use these programs as your main source of......
- Serious Symantec Antivirus Vulnerability
- Zotob.b may be affecting some XP SP2/2003 installs
- Zotob may affect XP Service pack 1 systems
- Esbot and Zotob updates….