E-mail Zombies Detonated By Chat And IM

Serious damage has been caused at enterprise sites including CNN, ABC, and The New York Times.
Reports are coming in from threat centers around the country that the Zotob virus continues to spread rapidly, impacting Windows XP computers on consumer and enterprise desktops. Reports have included serious service interruptions at CNN, ABC, the New York Times, and other places.

Dmitri Alperovitch, a research engineer at CipherTrust, says the Zotob virus is spreading faster than any virus he has ever seen. "It's the zombie effect," he says, "the Zotob virus is using zombie PCs that have been taken over by a hacker to spread a virus, very, very effectively." He noted that at one point today, more than 2,000 zombies were part of the network that is spreading the virus. Meanwhile, the IMLogic Threat Center this morning reported that both the Zotob and IRCbot worms are using a chat channel to allow hackers to gain access to and control of an infected machine. In a statement, the company said, "The rapid spread of these worms is illustrating the special problems posed by threats that can leverage real time data channels like IM."

The statement added that the worms are taking advantage of a vulnerability in Windows 2000, XP and Server 2003, a flaw in the operating system that lets attackers exploit Windows' “plug and play” capability. An infected machine can exploit the vulnerability to mount a denial-of-service attack on other vulnerable machines. Through the chat channel, the attacker gains access to a compromised host and uses it to attack other machines on the network.

Once successfully exploited, the vulnerability allows an attacker to affect a number of systems in several ways, from stealing system information to the most damaging outcome: forcing an infected computer into a continual reboot cycle.

Initially rated a "low" risk by security industry threat centers, the rapid propagation of the Zotob and IRCbot worms has motivated providers to increase the risk level.

The worm appears to lie quiet on an infected machine until prompted into action by the hacker. The messaging channel opened by the worm appears to await direction before disrupting system activity or propagating itself across the network.
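The two behaviours the article describes, a bot that holds open a chat (IRC-style) command channel and then, on command, probes other machines on the network, give a defender something concrete to look for in connection logs. The following script is an added example, not code from the article or from any of the vendors it quotes. It assumes a constructed "timestamp src dst port proto" log format, that the command channel uses the conventional IRC TCP ports 6660-6669 and 7000, and that propagation attempts show up as TCP/445 connections (the Plug and Play flaw is reached over SMB); the sample log lines, hosts and threshold are all constructed for the example.

```python
"""
Added example (not from the article): flag internal hosts that show the
Zotob/IRCbot pattern described in the text, i.e. an outbound connection to
a chat-channel port (the bot's command channel) together with a burst of
connection attempts to many distinct internal hosts (worm propagation).

Assumptions not stated in the article: log lines are in the constructed
"timestamp src dst port proto" format below; IRC command channels use the
conventional TCP ports 6660-6669/7000; propagation attempts appear as TCP/445
connections. Adapt the parser and threshold to real logs before relying on it.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IRC_PORTS = set(range(6660, 6670)) | {7000}   # assumed chat-channel ports
SMB_PORT = 445                                # assumed propagation port
FANOUT_THRESHOLD = 5   # distinct SMB targets from one source before we alert


@dataclass
class HostActivity:
    irc_contacts: List[str] = field(default_factory=list)
    smb_targets: Set[str] = field(default_factory=set)


def parse_line(line: str) -> Optional[dict]:
    """Parse one 'timestamp src dst port proto' line; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    if not port.isdigit():
        return None
    return {"ts": ts, "src": src, "dst": dst,
            "port": int(port), "proto": proto.upper()}


def analyze(lines) -> Dict[str, HostActivity]:
    """Group chat-channel contacts and SMB targets by source host."""
    activity: Dict[str, HostActivity] = defaultdict(HostActivity)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue  # malformed or non-TCP lines are ignored
        if rec["port"] in IRC_PORTS:
            activity[rec["src"]].irc_contacts.append(rec["dst"])
        elif rec["port"] == SMB_PORT:
            activity[rec["src"]].smb_targets.add(rec["dst"])
    return activity


def find_zombies(lines, fanout: int = FANOUT_THRESHOLD) -> Dict[str, Tuple[str, str]]:
    """Return {source host: (severity, reason)} for suspicious hosts.

    high   - command-channel beacon plus SMB fan-out (active spreading bot)
    medium - beacon only (possibly a dormant bot awaiting direction) or
             fan-out only (spreading without a visible command channel)
    """
    findings: Dict[str, Tuple[str, str]] = {}
    for src, act in analyze(lines).items():
        beacon = len(act.irc_contacts) > 0
        spread = len(act.smb_targets) >= fanout
        if beacon and spread:
            findings[src] = ("high",
                             f"chat-channel connection to {sorted(set(act.irc_contacts))} "
                             f"together with SMB probes of {len(act.smb_targets)} hosts")
        elif beacon:
            findings[src] = ("medium",
                             "internal host holding a chat-channel connection; "
                             "possible dormant bot awaiting commands")
        elif spread:
            findings[src] = ("medium",
                             f"SMB fan-out to {len(act.smb_targets)} hosts "
                             "without a visible command channel")
    return findings


# Constructed sample log: 10.0.0.5 beacons and then probes six hosts,
# 10.0.0.8 only beacons, 10.0.0.9 is ordinary traffic, last line is garbage.
SAMPLE_LOG = """\
2005-08-16T10:00:01 10.0.0.5 198.51.100.7 6667 TCP
2005-08-16T10:00:09 10.0.0.5 10.0.0.12 445 TCP
2005-08-16T10:00:09 10.0.0.5 10.0.0.13 445 TCP
2005-08-16T10:00:10 10.0.0.5 10.0.0.14 445 TCP
2005-08-16T10:00:10 10.0.0.5 10.0.0.15 445 TCP
2005-08-16T10:00:11 10.0.0.5 10.0.0.16 445 TCP
2005-08-16T10:00:11 10.0.0.5 10.0.0.17 445 TCP
2005-08-16T10:01:00 10.0.0.8 198.51.100.7 6667 TCP
2005-08-16T10:02:00 10.0.0.9 10.0.0.20 445 TCP
2005-08-16T10:02:30 10.0.0.9 203.0.113.4 80 TCP
this line is garbage
"""

if __name__ == "__main__":
    for host, (severity, reason) in sorted(find_zombies(SAMPLE_LOG.splitlines()).items()):
        print(f"{severity:6} {host:12} {reason}")
```

The beacon-only case is kept at medium severity on purpose: the article notes the worm lies quiet until commanded, so an internal host sitting on a chat-channel port with no other activity is exactly what a dormant bot looks like, and is worth a look before it is told to spread.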
