In-Depth

Zotob Continues to Hammer Windows 2000

Exploits are already circulating for a recently announced Windows plug-and-play vulnerability. Experts recommend better endpoint security controls.

• By Mathew Schwartz
• 08/23/2005

Reports began last week that Zotob, a worm-like piece of malware, was infecting enterprise PCs, hitting such media organizations as CNN and ABC News especially hard.

Zotob exploits a vulnerability in Windows 2000 Plug and Play (PnP) functionality. The flaw was first announced and patched by Microsoft on August 9. According to Symantec, malware exploiting the vulnerability can “create a backdoor on the computer system and [allow] a remote attacker to have unauthorized access to the compromised computer.” Attackers can also shut down infected PCs. While Windows XP and Windows Server 2003 share the PnP vulnerability, related exploits for them have not appeared.

One culprit for the immediate spate of enterprise infections may be poor endpoint security. “It is likely that it has most successfully infected organizations that do not have adequate protection from viruses penetrating the corporate network via remote workers operating in non-secure environments,” notes MessageLabs. Even so, companies are likely just “collateral damage” as attackers gun for home PCs to exploit, “to generate zombie armies.”

Zombie—or bot—armies are exploited computers able to remain dormant until an attacker uses them to attack other sites (perhaps launching a denial of service attack), or as gateways for distributing spam or further malware attacks. Already, “we are seeing an increase in bot activity across the Web,” notes Oliver Friedrichs, a senior manager for Symantec Security Response.

When it comes to malware, modes of attack have evolved since the days of the “I Love You” virus. Instead of just arriving as an e-mail attachment, today’s malware can move and attack endpoints in multiple ways. For example, a worm may arrive with keystroke loggers built in, include ways of phoning home to receive software updates, and have numerous means for replicating and disguising itself. For example, “while this latest Zotob variant is not e-mail-borne, it does contain an apparently inactive copy of the e-mail engine from MyDoom and it is expected that future versions may therefore also spread by e-mail,” notes MessageLabs.

Attacks such as Zotob also illustrate the short time between the disclosure of a vulnerability and code written to exploit it. “It no longer takes weeks to develop a virus that can take down an entire network,” says Carmi Levy, an analyst with Info-Tech. In other words, “enterprises need to be on their toes, aware of patches being announced by their software providers on a daily basis and applying them as quickly as possible.”

Of course, not every organization can apply Microsoft patches without first taking the time to test their effect on corporate PCs and servers, hence the need for improved countermeasures, especially “so that road warriors cannot bring infection into the company,” says Alex Shipp, a senior anti-virus technologist at MessageLabs. In addition to “antivirus software and regular patching and updating,” he recommends firewalls run on all PCs.

Zotob could also portend an extended shootout between competing groups of malware writers, akin to the long-running and fast-iterating exchange of Netsky and Bagle variants. Already Zotob has competition: Bozori, a worm now in the wild which attempts to de-install Zotob. “These competing factions are part of organized criminal gangs and seem to be dueling for control of the botnets of domestic PCs in order to perpetrate wider internet criminal activity,” notes Shipp. If the dueling continues, “we may well now see a period of intense malware activity.”

Related Articles:

Microsoft Can’t Count: New Vulnerability Disclosure Criticism
http://esj.com/security/article.aspx?EditorialsID=1478

Q&A: Is Microsoft’s Security Trustworthy?
http://www.esj.com/Security/article.aspx?EditorialsID=1386