Zotob worm bites big media outlets



According to several reports there are several big media outlets seeing what is reported as the zotob worm which exploits a Microsoft Windows vulnerability (MS05-039) disclosed last week. There seems to be no better way for something to make the news than for it to affect the companies that bring us the news…. CNN for one is reporting that the worm has affected their networks as well as ABCnews and the New York Times. The Caterpillar Company is also mentioned.


The zotob worm primarily affects unpatched Windows 2000 systems, some XP systems are vulnerable. A patch, of course, is available from Microsoft. The vulnerability is in plug and play which was designed to ease installation of hardware. Devices that were plug and play compatible would be automatically detected. (Why Microsoft designed functionality to listen for remote network requests into this service I have no idea.)

Cnn is also reporting that some are blaming a different worm, by the name of worm-rbot.cbq (update 9:30PM EDT – looks like this is a name from TrendMicro – they seem to be describing the same bug I’ve detailed below.) CNN’s source suggest that this is a variant or derivation of the zotob worm. Others are speculating that what CNN is seeing may be named Zotob.D because the rebooting behavior is one that hadn’t been seen in earlier incarnations of the worm. (Now incidents.org is reporting that this is actually Zotob.e according to a release from symantec in just the last few minutes. They are further reporting that this is affecting Capitol Hill as well.

An earlier update at Incidents.org suggested that although it has gotten broader media coverage (as they’ve been affected), they did not see evidence to indicate that there was a massive new outbreak and that the outbreak has already peaked (as they report on the third day since it’s entrance into the wild which has been typical for this kind of worm.)

Further, Symantec has a writeup on Zotob.E including step by step removal instructions. It looks as though it creates a mutex named wintbp.exe (so that only one copy loads into memory at a time.) It also drops a file called wintbp.exe into the Windows directory of the affected machine (Windows/WinNT/etc.)

It adds
“Wintbp” = “wintbp.exe”

to the registry subkey:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
to start at each system boot…
It attempts to detect network connections (may fail if it’s on a non-routable address)

It opens a backdoor at port 8080 to connect to a machine at ip address 72.20.27.115

It opens multiple ports

Sends packets to IP addresses at random (searching for infectable hosts?)

It attempts to spread using port 445

It creates a file at %Temp%[NUMBER].bat on the infected machine. Then uses TFTP to download the worm to the infected computer. The file is created as %Windir%a[NUMBER].exe and logs the ip of the infected machine to the IRC channel that it communicates with.

It’s worth noting that Zotob.E is the first in this virus family to be rated a 3 on their virus rating scale (which goes to 5) (the others have been 2).

Microsoft has a page up on dealing with zotob.a (What you need to know about Zotob.A which they rate as a minimal threat.

Information Week is reporting on the decreasing “patch window” between vulnerability disclosure and exploitation….

It should be noted that Symantec has posted A removal tool for zotob.a and zotob.b I expect it will be updated to deal with the rest of the virus family soon. Microsoft has not yet updated it’s malicious software removal tool to deal with zotob. (Didn’t they buy an antivirus company in the last year???)

Over at the Security Fix Brian is once again giving an overview of what’s going on. He also gives a theory on how the media companies found themselves in such a fix (not patching their systems?) Suggesting that they were reporting from a hostile network and the infected laptops got brought back inside the firewalls and blasted the internal networks. Just a theory, but certainly plausible. It just goes to show that perimeter (firewall) security is not always the only solution but a piece of the puzzle. If you have laptops that migrate in and out of various network they need to be scrutinized for patches at a much greater level than the big desktops inside.

What troubles me most about this is that CNN reported that Capital Hill was affected, you would hope that this serves as a wakeup call in securing those systems. I wonder what amount of data may be compromised on those machines?

Related Posts

Blog Traffic Exchange Related Posts
  • Esbot and Zotob updates.... Wednesday afternoon and Esbot is up to revision .B, Zotob is up to G according to Sarc (Symantec antivirus research). They have appropriate removal tools and details on affected systems there. Meanwhile the Sans institute (incidents.org) has a rundown of the latest in todays handlers diary. They also explain why......
  • The virus arms race? is locking down systems the key? The securityfix has a post on the "dirty little secret" about antivirus. Eugene Kaspersky of Kaspersky antivirus has posted an introspective article on the antivirus industry and it's current problems. The biggest problem with antivirus is that it's always one step behind the virus writers. Antivirus software only can prevent......
  • Windows Police Pro Yes folks, it's Windows Police Pro, the gift that keeps on giving apparently. It's crawled back into Googles top searches tonight. If you want to see how to remove it look at Windows Police Pro Removal, you may be interested in Who is behind Windows Police Pro and probably will......
Blog Traffic Exchange Related Websites
  • Acme People Search Assessment Acme People Search Scam came from a keyword list from my blog. It was one of the generally searched phrases to my blog in the past 30 days. The only thing I can imagine is so many people are seeing Tissa Godavitarne technique for the first time and they think......
  • New threat: Hackers look to take over power plants LOLITA C. BALDOR, Associated Press Writer WASHINGTON — Computer hackers have begun targeting power plants and other critical operations around the world in bold new efforts to seize control of them, setting off a scramble to shore up aging, vulnerable systems. Cyber criminals have long tried, at times successfully, to......
  • Free Spyware Removal Software I do not recommend using free spyware removal software for many reason but if your going to you might as well use the best free spyware products out there. In the end of this article we will tell you why not to use these programs as your main source of......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site