Zotob Proves Patching "Window" Non-Existent - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News
News
8/16/2005
03:02 PM
50%
50%

Zotob Proves Patching "Window" Non-Existent

The speed with which the latest effort to exploit a week-old vulnerability in Windows was launched has security experts alarmed. They are urging users to move as quickly as possible to defend against hackers, once patches are announced.

Although the initial attack on Windows 2000 PCs by bot worms exploiting a week-old vulnerability hasn't grabbed much traction, the way hackers jumped on the bug is proof that the patching "window" is virtually non-existent, said security experts Tuesday.

"The last week showed once more that there is no more patch window," wrote Johannes Ullrich, chief research officer at the SANS Internet Storm Center, in the group's daily alert. "Defense in depth is your only chance to survive the early release of malware."

Exploits were circulating within three days of Microsoft disclosing the Plug and Play vulnerability and offering up a patch, and within five days, several bot worms -- notably Zotob.a and Zotob.b -- were attacking systems.

"Microsoft must be fuming that virus writers are exploiting security holes in their software so quickly," said Graham Cluley, senior technology consultant for security vendor Sophos, in a statement. "It's not only embarrassing for the software giant, but a real headache for businesses who need to move quickly to roll out security patches."

The reason for the fast hacker turn-around, said Ullrich, is that attackers are sharing more and more information. "Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground," Ullrich said. "The only way we can keep up with this development is by sharing information as efficiently.

"We need to outshare the attackers."

Even before the bots appeared, vulnerability investigators were tracking a high level of hacker chatter about the Plug and Play bug. Ken Dunham, senior engineer with VeriSign iDefense, said that this weekend his group eavesdropped on conversations about a Visual Basic script tool that would let attackers scan for vulnerable PCs. "There is a very high volume of hacker talk surrounding MS05-039 scanning and exploitation," Dunham said early Sunday morning, before the Zotob bot attacks were detected. "It is highly likely that malicious code will soon emerge exploiting this vulnerability."

It did.

In other developments, anti-virus vendors have identified additional bots that are using the Windows 2000 exploit to nail systems, including a third variation of the Zotob family and a new member of the Tilebot line.

Zotob.c, for instance, is similar to its Zotob.a and Zotob.b brethren, but rather than attack as a network worm that requires no user interaction, it's a mass-mailed piece of malware posing as an image file attached to an e-mail message. Zotob.c uses such subject headings as "Warning!" or "Important" to get the nave to view the message and open the file attachment.

"Because Zotob.c can also spread via e-mail it has the potential to affect more people than the previous incarnations," said Cluley. "The good news is that at the moment it does not appear to be spreading widely."

That seems to be the consensus among security vendors for the moment. The Internet Storm Center, for example, rolled back its infocon "state of the Internet" warning from yellow -- "currently tracking a significant new threat" -- to green ("everything is normal") on Tuesday. Symantec did much the same, dropping its ThreatCon from level 2 to level 1.

"The ThreatCon was maintained at level 2 as result of attackers publishing exploits…and leveraging them in the wild," Symantec explained in its daily bulletin to DeepSight Threat Management customers. "As vendor-supplied patches and mitigating strategies have been available for 6 days, the risk associated with these issues is reduced, and as such the ThreatCon is being returned to level 1."

On Monday Microsoft again updated the Plug and Play security advisory it originally published Thursday, August 11, to account for the variations on Zotob, as well as to clarify that even if administrators had enabled anonymous connections for Windows XP SP1 PCs, the current bots can't exploit the Plug and Play vulnerability anonymously on those systems.

Microsoft has also created a new Web site dedicated to the Zotob attacks, dubbed " What You Should Know About Zotob." The site includes instructions on manually sniffing out the Zotob.a and/or Zotob.b, then links to a lengthy set of steps for cleansing an infected system.

Although Microsoft has yet to update its free-of-charge Windows Malicious Software Removal Tool to account for the Zotobs, Symantec offers a free detection/deletion tool that takes care of the Zotob.a and Zotob.b variants. It can be downloaded from the vendor's Web site.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2019 State of DevOps
2019 State of DevOps
DevOps is needed in today's business environment, where improved application security is essential and users demand more applications, services, and features fast. We sought to see where DevOps adoption and deployment stand, this report summarizes our survey findings. Find out what the survey revealed today.
Commentary
Will AI and Machine Learning Break Cloud Architectures?
Lisa Morgan, Freelance Writer,  6/10/2019
Slideshows
9 Steps Toward Ethical AI
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/15/2019
Commentary
Humans' Fascination with Artificial General Intelligence
Guest Commentary, Guest Commentary,  6/6/2019
Register for InformationWeek Newsletters
Video
Current Issue
A New World of IT Management in 2019
This IT Trend Report highlights how several years of developments in technology and business strategies have led to a subsequent wave of changes in the role of an IT organization, how CIOs and other IT leaders approach management, in addition to the jobs of many IT professionals up and down the org chart.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll