According to several reports, a number of big media outlets are seeing what is being reported as the Zotob worm, which exploits a Microsoft Windows vulnerability (MS05-039) disclosed last week. There seems to be no better way for something to make the news than for it to affect the companies that bring us the news. CNN, for one, is reporting that the worm has affected its networks, as well as those of ABC News and the New York Times. The Caterpillar Company is also mentioned.
The Zotob worm primarily affects unpatched Windows 2000 systems, though some XP systems are vulnerable as well. A patch, of course, is available from Microsoft. The vulnerability is in Plug and Play, which was designed to ease installation of hardware: devices that were Plug and Play compatible would be automatically detected. (Why Microsoft designed functionality into this service to listen for remote network requests, I have no idea.)
CNN is also reporting that some are blaming a different worm, by the name of worm-rbot.cbq (update 9:30 PM EDT: it looks like this is a name from Trend Micro; they seem to be describing the same bug I’ve detailed below). CNN’s source suggests that this is a variant or derivation of the Zotob worm. Others are speculating that what CNN is seeing may be named Zotob.D, because the rebooting behavior is one that hadn’t been seen in earlier incarnations of the worm. (Now incidents.org is reporting that this is actually Zotob.E, according to a release from Symantec in just the last few minutes. They are further reporting that this is affecting Capitol Hill as well.)
An earlier update at Incidents.org suggested that, although the worm has gotten broader media coverage (as the media themselves have been affected), they did not see evidence of a massive new outbreak, and that the outbreak has likely already peaked (they are reporting on the third day since its entrance into the wild, which has been typical for this kind of worm).
Further, Symantec has a writeup on Zotob.E including step-by-step removal instructions. It looks as though it creates a mutex named wintbp.exe (so that only one copy loads into memory at a time). It also drops a file called wintbp.exe into the Windows directory of the affected machine (Windows, WinNT, etc.) and adds the value
“Wintbp” = “wintbp.exe”
to the registry subkey:
so that it starts at each system boot.
- It attempts to detect network connections (this may fail if it is on a non-routable address).
- It opens a backdoor on port 8080 to connect to a machine at IP address 126.96.36.199.
- It opens multiple ports.
- It sends packets to IP addresses at random (searching for infectable hosts?).
- It attempts to spread using port 445.
- It creates a file at %Temp%\[NUMBER].bat on the infected machine, then uses TFTP to download the worm to the infected computer. The file is created as %Windir%\a[NUMBER].exe, and the worm logs the IP of the infected machine to the IRC channel it communicates with.
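The behaviours listed above (the dropped wintbp.exe, the Wintbp run-key value, the port 8080 control connection, the TFTP download, the [NUMBER].bat and a[NUMBER].exe files, and the port 445 spreading) are what a responder would check for on a suspect host. The following Python script is an added example, not code from Symantec, Microsoft or this post: it runs those checks over a constructed host snapshot (file list, run-key values and connection table) and reports which indicators matched. The snapshot line format, the indicator names, the RFC 5737 test addresses and the sweep threshold of four distinct hosts on port 445 are all assumptions of the example; because the registry key path did not survive in the post, the run-key check matches on the value name and data only.

```python
import re
from collections import defaultdict

# Constructed sample snapshot (not real telemetry): one record per line,
# "<KIND> <details>", roughly what a simple endpoint export might look like.
SAMPLE_SNAPSHOT = """\
FILE C:\\WINDOWS\\wintbp.exe
FILE C:\\WINDOWS\\a4812.exe
FILE C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\4812.bat
FILE C:\\WINDOWS\\notepad.exe
RUNKEY Wintbp=wintbp.exe
RUNKEY ctfmon.exe=C:\\WINDOWS\\system32\\ctfmon.exe
CONN tcp 10.0.0.5:1045 -> 203.0.113.7:8080 ESTABLISHED
CONN udp 10.0.0.5:1046 -> 203.0.113.7:69
CONN tcp 10.0.0.5:1047 -> 10.0.0.9:445 SYN_SENT
CONN tcp 10.0.0.5:1048 -> 10.0.0.10:445 SYN_SENT
CONN tcp 10.0.0.5:1049 -> 10.0.0.11:445 SYN_SENT
CONN tcp 10.0.0.5:1050 -> 198.51.100.4:445 SYN_SENT
CONN tcp 10.0.0.5:1051 -> 192.0.2.200:445 SYN_SENT
"""

# File artefacts from the write-up; the regexes themselves are this example's own.
FILE_PATTERNS = {
    "dropped wintbp.exe in Windows dir": re.compile(r"\\(windows|winnt)\\wintbp\.exe$", re.I),
    "a[NUMBER].exe in Windows dir": re.compile(r"\\(windows|winnt)\\a\d+\.exe$", re.I),
    "[NUMBER].bat in Temp": re.compile(r"\\temp\\\d+\.bat$", re.I),
}
# Key path unknown here, so only the value name and data are matched (assumption).
RUNKEY_PATTERN = re.compile(r"^wintbp=wintbp\.exe$", re.I)
CONN_PATTERN = re.compile(
    r"^(?P<proto>tcp|udp) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<state>\S+))?$",
    re.I,
)
SCAN_THRESHOLD = 4  # distinct hosts probed on 445 before calling it a sweep (assumed value)


def scan_snapshot(text, scan_threshold=SCAN_THRESHOLD):
    """Return {indicator name: [evidence]} for Zotob.E-like behaviour in a snapshot."""
    hits = defaultdict(list)
    port445_targets = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" ")
        if kind == "FILE":
            for name, pattern in FILE_PATTERNS.items():
                if pattern.search(rest):
                    hits[name].append(line)
        elif kind == "RUNKEY":
            if RUNKEY_PATTERN.match(rest):
                hits["run-key persistence Wintbp=wintbp.exe"].append(line)
        elif kind == "CONN":
            m = CONN_PATTERN.match(rest)
            if not m:
                continue
            proto, dst, dport = m["proto"].lower(), m["dst"], int(m["dport"])
            if proto == "tcp" and dport == 8080:
                hits["outbound TCP 8080 (backdoor/IRC control)"].append(line)
            elif proto == "udp" and dport == 69:
                hits["outbound TFTP (UDP 69) download"].append(line)
            elif proto == "tcp" and dport == 445:
                port445_targets.add(dst)  # one host alone is normal SMB traffic
    if len(port445_targets) >= scan_threshold:
        hits["port 445 sweep"] = sorted(port445_targets)
    return dict(hits)


def verdict(hits):
    """Three or more independent indicators: infected; one or two: suspicious."""
    if len(hits) >= 3:
        return "infected"
    if hits:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = scan_snapshot(SAMPLE_SNAPSHOT)
    for name, evidence in found.items():
        print(name)
        for item in evidence:
            print("    ", item)
    print("verdict:", verdict(found))
```

The port 445 check deliberately counts distinct destination hosts rather than flagging every SMB connection, since a single 445 session to a file server is normal; the sweep threshold is the knob to tune against your own baseline.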
It’s worth noting that Zotob.E is the first in this virus family to be rated a 3 on Symantec’s threat rating scale (which goes to 5); the others have been rated 2.
Microsoft has a page up on dealing with Zotob.A (What you need to know about Zotob.A), which they rate as a minimal threat.
It should be noted that Symantec has posted a removal tool for Zotob.A and Zotob.B; I expect it will be updated to deal with the rest of the virus family soon. Microsoft has not yet updated its Malicious Software Removal Tool to deal with Zotob. (Didn’t they buy an antivirus company in the last year???)
Over at Security Fix, Brian is once again giving an overview of what’s going on. He also offers a theory on how the media companies found themselves in such a fix (not patching their systems?), suggesting that they were reporting from a hostile network and the infected laptops then got brought back inside the firewalls and blasted the internal networks. Just a theory, but certainly plausible. It goes to show that perimeter (firewall) security is not the whole solution, only one piece of the puzzle. Laptops that migrate in and out of various networks need to be scrutinized for patches much more closely than the desktops that stay inside.
What troubles me most about this is that CNN reported that Capitol Hill was affected; you would hope that this serves as a wakeup call for securing those systems. I wonder what amount of data may be compromised on those machines?