Zotob and Variants

I've been reading the massive press coverage about Zotob (technical details are here, here, and here), and can't figure out what the big deal is about. Yes, it propagates in Windows 2000 without user intervention, which is always nastier. It uses a Microsoft plug-and-play vulnerability, which is somewhat interesting. But the only reason I can think of that CNN did rolling coverage on it is that CNN was hit by it.

Posted on August 18, 2005 at 7:57 AM • 47 Comments

Comments

ORD • August 18, 2005 8:40 AM

It's no big deal. But media coverage is a nice way to make John Average visit Windows Update once in a while.

RvnPhnx • August 18, 2005 8:46 AM

I think that the real question is which back-room politico (with industry ties) is going around telling folks to hype this one worm (that was written after a full disclosure of an already suspected bug)? That last part is the important part--and it was the one that struck me most about the ABC coverage of the worm which exploits the bug. Somebody could very well be pushing an anti-disclosure agenda--much like what happened to CERT (it went from being top of the line to being complete garbage in one day--due to the lack of disclosure).

bromi • August 18, 2005 9:07 AM

As far as press coverage is concerned, I feel it is a double edged sword. On one hand extra press coverage will get most non-technical users attention. On the other hand, too much coverage may serve to numb those same users to the problems of not updating their systems. All they will hear is 'patch patch worm virus', after time it will only be 'blah blah blah'... Also, people are watching CNN and saying 'it's only CNN, ABC, etc. not regular people. no need to spend the time/effort to patch'

Also, I like how you referred to /. as "press" ;0)

Fred Page • August 18, 2005 9:18 AM

"But the only reason I can think of that CNN did rolling coverage on it is that CNN was hit by it."

I think you hit the nail on the head. If the press is bothered by something, it becomes news.

Damon • August 18, 2005 10:02 AM

I think it's very telling that CNN had posted this as 'Breaking News' initially prior to when they revealed any details about it. Of course, this was well after (~24 hours?) the first Zotob variant.

Somebody mentioned the breaking news on CNN's site and I thought 'hrm...wonder if that's Zotob...that's not really breaking' and moved on.

Andre LePlume • August 18, 2005 10:12 AM

Hey. Give CNN a break. There weren't any new pretty blonde girls gone missing, and the BTK sentencing stuff gets to be too much of a downer.

Over to you, Biff!

(FWIW, I also smell anti-disclosure workings here)

Nicholas Weaver • August 18, 2005 11:10 AM

Actually, this has had a surprisingly annoying effect for only attacking an End of Life-ed Operating System with a week to patch.

Dizzneyland apparently got hit really hard, as did Caterpillar.

The scary thing is how annoying it is to upgrade to XP (which will be EOL'ed in another 2-3 years anyway) has stopped people from upgrading.

Ed T. • August 18, 2005 12:17 PM

@Fred,

I was actually watching CNN HN when the "breaking news" occurred. They were talking about how it was causing the systems in their LA bureau to reboot, and reboot... I wonder if they spent so much time on it 'cause their systems were down, so they couldn't read the 'other' news off of their screens?

Chris • August 18, 2005 12:44 PM

Firstly, I think the reason you're seeing so much coverage from CNN's point of view is that a) they were hit by it and have some first-hand material to report on it, and b) most companies are reluctant to go public with information that may erode consumer or investor confidence in their company or products. So CNN only has access to their own experience and that's what they aired. It took laws in California to get companies to disclose breaches rather than sweep them under the rug. Companies aren't going to disclose their problems with this worm any more than they have to because it would make them "look bad" to do so.

Second, I think this worm is a big deal as I got to witness first hand the other day the upheaval within a large company whose worldwide network was hit by this worm. Tens of thousands of PCs were affected. At least one division of the company, and probably many others, won't have their payroll go out on time because the finance people couldn't access their mainframe to verify and authorize the payroll files. The mainframes were fine; users just couldn't access them because they couldn't use the terminal emulation software on their PCs. Even severe virus outbreaks I've seen here before haven't caused a denial of service this widespread.

Complicating matters further, lots of internal gateways and Internet proxies started denying access to external partners and vendors because they couldn't authenticate user credentials. This company uses Active Directory on Windows 2000 servers for user authentication and those just kept rebooting. This cut off communications with lots of vendors as well.

Most of their critical software runs on various flavors of Unix boxes or mainframes and those kept chugging along. But processes that required human interaction or depended on authentication services provided by machines running Windows started failing. The "non-mission-critical" infrastructure suddenly became the critical infrastructure.

Standard procedure when these outages occur is for users to start communicating with vendors, customers, and other divisions. But with no PCs, convenient email and instant messaging services are unavailable. The natural recourse is to get on the phone (hope you've got those numbers memorized because you can't get them from your PC's address book!) and call these people -- which some users couldn't do because their IP-based phones wouldn't work due to an overloaded network. Phone service started coming back when users began to unplug their computers from the network, but many had to resort to using cell phones.

Third, there's the problem of patching & cleaning the affected boxes. Remember that these PCs are constantly rebooting. Any unpatched box connected to the network will reboot before it has enough time to download and install a patch or AV software update. Patching thousands of desktops is suddenly an unmanageable nightmare because you can't use your automated patch & upgrade processes. And what about boxes in lights-out locations? You can't use your remote tools to manage those either. Many users at my location unplugged from the network to stop the reboots -- no automated tools for patching those, too.

Now none of this is a surprise to anyone who reads blogs like this one, or the RISKS digest, etc. A homogenous environment with an unpatched vulnerability is a prime target for this kind of attack. Professionals know about the ever-shortening window between the discovery of a vulnerability and its exploitation. I've even heard mention of this trend in mainstream media reports prior to this outbreak.

I find two points interesting about this outbreak. First is how critical "non-critical" infrastructure can become. There are disaster recovery procedures for data centers being destroyed, major disasters taking out offices, power outages, and the like. I don't recall seeing a DR procedure for "nobody in the entire company, worldwide, can use their PC". A failure of imagination.

To be fair, not everyone was hit by the worm. Outside contractors like myself with XP and up-to-date patches, antivirus and firewall software were unaffected. Servers and PCs being used to test the latest patches stayed up. Company employees with enough clout to keep their desktops from being locked down usually had the proper patches and were unaffected. But a small handful of people aren't enough to keep a large company running.

The second interesting point, and it's something I've known intellectually but never really appreciated before: I'm not sure how to mitigate vulnerabilities like this. With the fear of Sarbanes-Oxley compliance over their head, not to mention simple prudence, no company will rush to patch a production system without following their documented testing and promotion procedures. Patching will continue to take more time than it takes someone to create an exploit. Can you have lots of versions of critical software running on users' desktops? That's going to balloon support costs and companies don't have overflowing budgets for items perceived as cost centers. Switch everyone to an O.S. perceived to be more secure? That means retraining tens (or hundreds) of thousands of people; and no piece of software is perfect anyway, especially something as complicated as an operating system. Don't publicly publish vulnerabilities? Ok, then only the bad guys will know about them and they'll never get fixed. Give users more control over their desktops and hope they keep them in running order? Ok, only joking about that one. Make everyone clones of me and trust them? Don't think that would go over too well, and it's still a monoculture with its own problems...

Phil Hollows • August 18, 2005 1:54 PM

My frustration with all the fuss about unpatched systems is that, according to FSecure, the following ports are used:

Port 445 - The worm scans for systems vulnerable to PnP exploit through this port

Port 33333 - FTP server port on infected systems

Port 8888 - The command shell port opened by the exploit code

Block these ports and there's no infection inbound, no propagation out.

[rant]

It's difficult, off-hand, to see legitimate reasons for any host to be listening on these ports (out to the Internet), and for any firewall administrator to have them globally open - particularly inbound on "perimeter" devices. Sure, patches have to be deployed and tested, but a basic defense like blocking the ports would give harried admins time to do it properly. Since they didn't bother, they're paying the price.

Part of the bigger issue here, I think, is that the focus on patch, patch, patch is detracting from the basics of risk and security management. Or perhaps it's that the vulnerability and patch guys aren't talking to the firewall folks - a side effect of the stovepiping we see a lot in larger enterprises. For the large corporations like CNN, SBC, I think it's passing the buck to blame the users for not updating (although they should) when the InfoSec teams can't even be bothered to shut the door to the infection.

[/rant]


Finally, Sarbanes-Oxley and compliance has nothing to do with security.

Compliance!=Security.

It's tragic that people, especially executives, are being allowed to believe that passing a compliance audit means that they're secure.
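The three ports listed in the comment above can also drive a quick triage of firewall or flow logs. The following is an added example, not part of the original comment thread: it flags hosts fanning out on 445 and hosts accepting connections on 8888 or 33333, and counts internal-to-internal flows that a perimeter rule never sees. The log format, the 10.0.0.0/8 internal range and the fan-out threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports as listed in the comment above (attributed there to F-Secure).
SCAN_PORT = 445      # worm scans for the PnP vulnerability on this port
FTP_PORT = 33333     # FTP server port on infected systems
SHELL_PORT = 8888    # command shell port opened by the exploit code
WATCHED = (SCAN_PORT, FTP_PORT, SHELL_PORT)

# Assumption: internal address space; adjust to the real network.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flow records in an assumed format:
# "time src dst dport action"
SAMPLE_FLOWS = """\
09:00:01 203.0.113.7 10.1.1.20 445 DENY
09:00:02 10.1.1.50 10.1.1.20 445 ALLOW
09:00:02 10.1.1.50 10.1.1.21 445 ALLOW
09:00:03 10.1.1.50 10.1.1.22 445 ALLOW
09:00:03 10.1.1.50 10.1.2.9 445 ALLOW
09:00:04 10.1.1.50 10.1.1.21 8888 ALLOW
09:00:05 10.1.1.21 10.1.1.50 33333 ALLOW
09:00:09 10.1.1.30 10.1.9.5 445 ALLOW
09:00:10 10.1.1.31 198.51.100.4 80 ALLOW
not a flow record
"""


def parse_flow(line):
    """Return (src, dst, dport, action), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, src, dst, dport, action = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), action.upper())
    except ValueError:
        return None


def triage(lines, fanout=3):
    """Summarise activity on the three watched ports.

    fanout is an assumed threshold: a source that reaches this many distinct
    hosts on 445 is reported as scanning; a file-server client normally
    talks to only a handful.
    """
    targets = defaultdict(set)            # src -> distinct 445 destinations
    shell_opened, ftp_servers = set(), set()
    lateral = denied = skipped = 0
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            skipped += 1
            continue
        src, dst, dport, action = flow
        if dport not in WATCHED:
            continue
        if action != "ALLOW":
            denied += 1                   # a filter already stopped this one
            continue
        if src in INTERNAL and dst in INTERNAL:
            lateral += 1                  # invisible to a border firewall
        if dport == SCAN_PORT:
            targets[src].add(dst)
        elif dport == SHELL_PORT:
            shell_opened.add(dst)         # host accepted a shell connection
        else:
            ftp_servers.add(dst)          # host is serving on the FTP port
    return {
        "scanners": sorted(str(s) for s, t in targets.items()
                           if len(t) >= fanout),
        "shell_opened": sorted(str(h) for h in shell_opened),
        "ftp_servers": sorted(str(h) for h in ftp_servers),
        "lateral_flows": lateral,
        "denied": denied,
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FLOWS.splitlines()).items():
        print(f"{key}: {value}")
```

In the constructed sample the only externally sourced attempt is the one that was denied; every other watched-port flow is internal, which is the situation several later comments describe.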

Chris • August 18, 2005 2:06 PM

@Phil Hollows:

"Finally, Sarbanes-Oxley and compliance has nothing to do with security.

Compliance!=Security."

I agree with you 100%. Personally, I think Sarb-Ox is just plain bad law passed as a knee-jerk reaction to an economic aberration. What Enron et al did was already illegal, they were already getting caught and punished and a Sarbanes-Oxley style-law wouldn't have done a damn thing to prevent it.

Its biggest problem is that nobody can really tell you what it means or if you're compliant with it. Since nobody at the top wants to find himself facing jail time, this has led to *a lot* of CYA policies and practices that don't do anything but cost money and cause frustration amongst people that work for publicly-traded companies.

It's a source of friction, and the only reason I mentioned it in this context is because it slows down updates and configuration changes to production systems in paranoid companies.

SecurityWonk • August 18, 2005 2:17 PM

This is a big deal because:
1) A Windows vulnerability went from announced to self-propagating code in 5 days. This continues the trend of the evaporating patch window. Ref: http://informationweek.com/story/...
2) It exploits Windows 2000, which is installed on half of corporate desktops.
3) There are more than a dozen variants running around, some of them attacking each other. It's very difficult to defend against a constantly varying attacker.

In short it's further proof that patch and pray, scan and scream, and signature based AV and IDS are ineffective. And despite what Counterpane might be selling, active monitoring does do much for you when you have 1000 systems infected in 30 minutes.

We need better, more proactive defenses like IPS, host-based FW's, and network access controls to stop these worm outbreaks.

Bjorn • August 18, 2005 2:25 PM

This should remind IT departments of the M&M syndrome. There is usually no need for client computers to be aware of other clients or be visible to them. The only exceptions are usually stand-alone printserver boxes. They should only see the server network segment and the internet. Furthermore, access to the server network should be firewalled, just as access to the internet is filtered based on addresses and ports. Add this to proper patch management, and you'll sleep much better.

flush • August 18, 2005 3:14 PM

It's funny how many breaks a company may receive if their work benefits the economy in some positive way. If any other non-computer type product were released and had as many problems with it it would've been recalled time and time again, but people just keep on smiling like a special olympics winner and keep on using a broken product.

The same mentally challenged gnomes will be smiling in line, forking over their cash for the next version when it comes out, happily hoola hooping the security patches into their system and blindly dismissing all the security issues past and present because they fear learning something new and they fear change.

More money for a new version to protect themselves from having to think.

Stay tuned for the next million GB of bandwidth wasted discussing all the future exploits and patches for the wonderful closed source OS. Life is short, too short to be wasted discussing security on closed source products. Switch to open source and let the coders spot the problems and fix them, rather than guessing about closed source malware infecting closed source OS.

All of the text in this post was in my opinion for entertainment purposes only, no comments are directed towards any particular person, organization, company, or entity real or imagined, yadda yadda.

peachpuff • August 18, 2005 3:44 PM

I think a lot of tech and security professionals underestimated this virus because they underestimated how many private servers run Windows 2000. They also overestimated how much the virus would be contained by firewalls. Inside the firewall, pretty much every machine running Windows has port 445 open. Plus, Windows 2000 is used for a lot of file servers (SMB on port 445) and a lot of things that everyone has access to but aren't at the top of the security list (DNS servers, for example).

When I heard, "Oh, it's only Windows 2000 on the native file-sharing port. No big deal," I was blown away. I'm with CNN on this one. This isn't a case of the media not listening to the experts--It's a case of the experts not listening to the victims. This thing is a much bigger problem in reality than in theory.

Eric • August 18, 2005 5:39 PM

This is the worst worm we've seen in years. Our local subnet was untouched--we have a rather paranoid firewall--but the 10,000-user site upstream from us has been off the net for two days trying to battle the infection.

It's clear, in hindsight, that a 10,000 user network is just too big. Once the virus gets inside, it spreads like wildfire. But if you chopped the network up into 200 groups of 50 users each, you could control the infection. (Alternatively, if you had sufficiently clever switches, you could simply drop all port 445 traffic. This essentially puts a firewall on every machine.)

IIRC, real-world firewalls appear inside buildings, not just at the boundaries between buildings.

Greg • August 18, 2005 6:56 PM

Why --Oh why do ppl insist on using windows? --It's not the high productivity!!!!

Ed • August 18, 2005 7:47 PM

It affected computers where I work, where my brother works, and my sister's computer (we live in 3 different states). So I'm assuming it is worthy of attention from the media.
I agree with Greg: using Windows is not highly productive. I've been fixing my pc since a fresh install of Windows 2 days ago. Yeah I know fixing a fresh install... it's crazy!

Phil Hollows • August 18, 2005 8:55 PM

@peachpuff

You have it right. We "experts" left port 445 open and voila. Massive infections. The important point is not the /. win32 vs linux vs whatever futility, but that as a community Infosec dropped the ball, bigtime. Having a "paranoid firewall" is a Good Thing - how many times does this type of thing have to happen before admins stop being so smug and take their mission seriously? RPC endpoints exposed. Port 1433. How many slammers, Zotob's, [your worm here] have to happen before we move to a "deny all except known good" philosophy in the enterprise? How much time wasted before we get a clue?

A simple FW rule stops this malware stone dead. If it gets as far as your IDS from the outside your security posture is already broken.

I firmly believe that the mess Zotob caused is *our* fault. The fact that it's a hacker duel is neither here nor there. We prepared such a beautiful field for them to duel upon.

Nurse, I'm ready for my medication now...

Chung Leong • August 18, 2005 9:06 PM

IT pros might hate virus outbreaks, but I think most office workers don't really care. In fact, I suspect that they secretly like having their computers infected. First, it gives them a legitimate reason to slack off and socialize. Second, it breaks the everyday monotony of office life. Third, it makes them feel connected to a larger event. "Look, I'm a part of this CNN story!"

Most financial estimates exaggerate the damage done by computer viruses. They assume that every hour of downtime leads to a loss of the hourly pay of the worker. But in most offices, the amount of work is fixed and deadlines don't move just because someone's computer is malfunctioning. Things will get done on time, somehow.

If corporations are really losing billions of dollars each year to viruses, they'd be lobbying hard for harsher punishment for the troublemakers. Far more "productivity" is probably lost each day to employees reading and posting on blogs during workhours.

greg • August 18, 2005 9:20 PM

@Chung Leong

I didn't think anything got done by the deadline. I wonder why they call it a deadline?

Filias Cupio • August 18, 2005 9:44 PM

So, how was it at Counterpane as this worm came through? Did clients suffer, or had you already configured them safely? What countermeasures did you take? Did each client need individual support, or can you do something like en masse reconfiguring all of your clients' firewalls?

jammit • August 19, 2005 12:25 AM

Luckily where I work at and where my brother works at, we dodged this bullet. We both patch like maniacs. He and I work mainly from linux machines. Where he works the users won't give up their microsith boxes without a fight, so he makes sure they're patched. I have a win2k machine with daily patches, 3 different AV, 4 different anti-spyware, and networked only when necessary that I use to fix other systems. I have another win98 machine updated daily and online all the time. I use it as a canary in a coal mine. Its hard drive is imaged daily for a quick restore. I feel when it comes to mission critical systems (or the bosses machine), it shouldn't be relegated to one big monster, but should be shared between multiple machines. The machines shouldn't all be linux or Mac or Microsoft or even OS/2, but a combination of all four. Even on the off chance that someone out there makes a killer virus for a linux machine, the other three should be able to ride out the storm. Trying to make a cross platform virus for 4 different OS would be ungainly. Not impossible, just ungainly.

MathFox • August 19, 2005 3:35 AM

@RavageMan:
There are several ways that Microsoft could force people to update their machine and I think that releasing a "patching worm" is a real bad idea.
A bad update may break a computer, any system that forces updates on computer can lead to (unintended) denial of service. The computer doesn't function without the update and the computer doesn't function with it.

KMB • August 19, 2005 3:37 AM

Ravage,
the idea is old and MS publicly stated it won't do it.
Fighting fire with fire does work faster but it also leaves a lot more burned ground.

Maybe something good will come out of it and there will be a focus on the writers of the malware. So far the internet is a playground for these kids. It's like we let kids play with fire in an ammunitions factory. Except that the kids are fire-proof and invulnerable in most cases and won't get hurt.

Froosh • August 19, 2005 5:35 AM

As many companies who have done business via e-mail with CNN in the past several years, this is certainly not news: CNN always gets the latest and greatest virus/trojan/worm and quite happily passes it on...

Of course it's harder to track down and prove now that none of the e-mail worms use the sender's real address, but for about a year, CNN were always the first to send us the newest variants.

dARKfIRE • August 19, 2005 5:48 AM

This discussion, although technically above my rather meagre abilities, does bring to mind an interesting model for distributed network security.

1st model:
========
Huge network with many distinct sub-groups, each of which have separated & "secure" net access.

2nd model:
========
Huge network that has a *single* physical point of access to the internet. Obviously this SPOA would have to be firewalled & guarded to the hilt, but this potentially has the benefit that if an IT security department gets to hear about a vulnerability (suspected or actual) regarding its systems, then simply physically pull the plug out of the socket! Granted, this results in many extremely irritated employees, but the loss of custom & revenue due to a few hours with no internet access is probably significantly easier to bear than the devastation caused by having 000's of PCs infected by god knows what.

You chaps know more about this sort of thing - what do you think?

brice • August 19, 2005 7:59 AM

I think the problem is with lazy and/or ill-equipped IT departments. The patch for the exploit this worm uses was out 5-6 days before eeye reported seeing code in the wild and issued their warning. As others have stated above, even if there was not enough lead time to patch all affected machines, there was plenty of time to block some ports at their network borders.

I also agree with Bruce, that this was blown slightly out of proportion by CNN, but I think the reason had more to do with nothing else to report, as opposed to this story taking precedence. I was listening to a local radio station when this thing started sweeping through ABC's network, and the DJ was completely lost without his computer screen telling him what to say next.

Eric • August 19, 2005 8:14 AM

If you have a big enough network, a border firewall is useless against this kind of worm. There's always somebody who brings an infected laptop in from home. Even if you have a "no laptops" policy, management or sales will often wheedle an exception.

Until we start thinking about how to prevent the *spread* of worms *inside* the firewall, we'll keep facing these infections.

ATN • August 19, 2005 9:19 AM

I find it quite strange that people assume they can use an antivirus _after_ an attack to get back a working PC, and quite strange that none of the virus writers try to do serious damage.
Once a virus/worm has taken control of a PC, it can erase targeted sectors of the hard drive so that the filesystem is completely lost - or even begin to download random firmware in FLASH and lock IDE hard drive by random master password - so that the easiest and cheapest way forward is to put the PCs in the bin.
OK, terrorists are not interested in this kind of action because they have simpler ways to terrorise - but one day someone will make something more than the next "funny worm" displaying "hello world".
By the way, your backup computer will be targeted first - hope it is off-line most of the time.

Chris • August 19, 2005 10:17 AM

@ATN:

You could certainly write malicious code into viruses to do that; the earliest viruses were destructive in just those fashions.

But that's no longer the point of most modern viruses, worms, and trojans. They want the box to stay up as long as possible and infect as many other machines as possible. The point is to own a large collection of machines for a purpose other than destruction. Typically extortion via DDOS attacks and data theft to facilitate fraud.

A virus that immediately kills its host won't spread very far or for very long -- it will burn out just as the most lethal human viruses do. Every couple of years the Ebola Zaire virus flames up in a village in Africa. It kills maybe a hundred people and then burns out because the people died before they could spread the virus outside the village. The successful viruses (from a biological standpoint) lay dormant for weeks or months but keep their hosts contagious during this time so they can infect others.

This latest virus was, imho, pretty poorly written. This could be because it was hastily written to take advantage of a vulnerability published just days before it was launched. Or the programmer might not have been very good; I don't know which is the case.

Anyway, it included a small ftp server and connected to an IRC channel to receive updates and instructions (de rigueur for worms and trojans these days). From the writer's point of view, those are good things. But it advertised its presence too blatantly (crashing machines over and over and over, consuming large amounts of network traffic) so it was quickly recognized and countered. Plus it was trivial for even a moderately skilled user to remove without 3rd party tools, unlike many other nastier pieces of malware.

Personally, I think everyone's lucky we're getting such a cheap wakeup call that our electronic infrastructure needs better protection.

Brian • August 19, 2005 12:28 PM

Part of building a secure infrastructure is the "inside" security. A large portion of inept admins feel securing the "outside" is sufficient to protect them. While if the network is pretty small that may be the case, but if the network is of any substantial size, it most certainly is not the case. Properly segmented IP networks (after all... that is what a subnet mask is for), properly configured routers, ACLs, properly configured switches, firewalled server subnets, all these go a very long way in preventing this mass outbreak from infecting more than a local subnet due to an infected notebook being brought up on the wire.

Bryan • August 19, 2005 3:37 PM

Darkfire:

The idea of a large network with many logical partitions which users must authenticate to get past has definitely been tried (I won't mention the name of the extremely large and well-known company where I saw it) and runs into quite a few $$$-costing problems. All this authentication is costly and takes time to implement, then takes lots of manpower and time to keep running. All those internal firewalls must be maintained, proper access approved and implemented, and problems and user issues troubleshot. It's not cheap and it slows down business.

This isn't to say it's impossible. But it is costly.

Your second idea is actually what many companies are already doing in essence. They're not down to a single point of infection though, because as noted it's not always the internet that infects you. It can be any laptop or worker using a VPN connection from home. It could be a vendor coming in to do work you paid for. And so on ... the important thing to realize is that it only takes *one* instance of a virus getting inside your net to spark off hundreds or thousands of problems if the other computers are vulnerable. Firewalls and/or unplugging external connections after this has happened will do little good; the barn is already on fire.

The smartest security is to go through all your hosts one-by-one and make sure they present the smallest possible network footprint. Even so, sooner or later you're going to have some exploit taking advantage of network functions you *had* to leave open in order to do business (otherwise you'd have no network, right?) ... it's at this point that security responses by the network itself should be considered. Preferably long before the incident actually happens.

All of the above are my own opinion. I'm sure others would argue.

Harry • August 20, 2005 2:55 AM

I think worms, viruses, spyware and malware are all part of a healthy computing ecosystem. Just like the early part of the last century, they were killers but over time we learnt to protect ourselves from them and even harness the power of bacteria to replicate genes and perform other biological services. So continue to bring them on, so that we can continue to find better ways to protect our systems and one day we'll treat them just like we do bacterial, a quick wipe down is enough to keep them at acceptable levels!

DarkFire • August 20, 2005 6:06 AM

Ah. Please allow me to clarify my 1st post: I intended to say that I believe that the 1st example of a network setup provides a poor security / price result, and that the 2nd example would be much better.

The organisation on which my thought was based doesn't allow laptops, doesn't allow external staff connections and most employees don't even have access to removable media drives, not even floppy disks. Makes it internally secure as well as externally secure... at a price.

Bryan • August 21, 2005 9:49 PM

Darkfire -

Actually the first example you gave is pretty good. Lots of companies are doing it because it works pretty well. Of course minimizing the number of ingress/egress points at your network isn't the /only/ security measure you should take, but it's a good start since it reduces complexity, allowing you to focus more on real issues and less on the complexity itself!

The second idea... well as I said I've seen it tried and it's difficult, complex, and time consuming. It may be right for some organizations, but I think most would balk.

Same goes for outlawing laptops, VPN connections, floppies and so on. These work for certain orgs but would be disaster in other orgs.

Think of your own hometown. If the mayor said he was going to guarantee no one were ever assaulted again, and no one ever hurt in a car crash, he'd probably enjoy a wave of popularity. Until he mentioned that this would be accomplished by posting a cop in riot gear at every house and business door, then replacing all cars and motorcycles with Yugos that only go 20 mph!

People would then clamor for the ability to be mugged and have accidents.

Roy • August 22, 2005 11:10 AM

Most of those accusing sysadmins and companies of being "lazy" because "the patch was out for 5 days" have probably never applied a patch in a production environment in their life. Breaking production machines because of a buggy patch is going to have you much more reliably fired than going through a testing procedure and being hit by a worm in the interim. Any company that manages to both properly test and apply Windows patches within 5 days I applaud - but I don't think it's a realistic timetable.

Gary W. Longsine • August 25, 2005 1:34 AM

As others have pointed out, the media circus surrounding Zotob almost certainly resulted from the panic felt at the news agencies when their networks were hit. They might not have noticed their systems being taken over by the worm, except for the dramatic effect of every PC around rebooting itself over and over and over. With only a few infected systems, no PC in an office could stay up more than a few minutes.

However, the mainstream media, and even the IT trade press, are missing the interesting parts of the story.

One bit: There seem to be more variants than it appears from looking at a single AntiVirus vendor's web site. Some of the strains we've seen are detected generically by the AntiVirus vendors, and poorly documented or not documented at all.

One variant that showed up on August 15th is now detected as a generic W32.spybot.worm by Symantec 9, but the characteristics observed on an infected system don't match any documented variant able to exploit MS05-039, which it was clearly doing. It has some stuff that matches the documented Zotob.A (Symantec), and some stuff that matches WORM_RBOT (Trend Micro) and some that matches neither.

This hybrid variant downloaded executable files onto infected systems on August 15th and August 16th which are still not recognized by some AntiVirus vendors today -- 9 days later. (When it comes to malware, submit early, submit often!)

There are interesting aspects to the Zotob outbreak, they just weren't reported on CNN.

Braun Tacon • August 29, 2005 4:15 PM

Well...for 3+ years we had kept this sort of thing out of our environment through the use of a well tuned patch program (30 days from notice to compliance), Solomic judgment (emergency patch when needed), and a bit of luck.

On Aug 17th, our luck ran out, making our "emergency" patching decision on the morning of the 17th after much debate. At the same time we were kicking off SMS patching, we started to get the first reports of blue and black screening boxes. Hurt us for a few hours, but we were completely back up by the end of the day, suffering only 2500 infections out of 30,000+ Wintel boxes. Still, this whole event has caused us to step back and scratch our collective heads. The answer may be there, but for now...it eludes us.

Braun Tacon

Misty Lynn • October 4, 2005 7:39 PM

Something left unsaid I have seen is this virus came across our email filter as a socially engineered attachment. So if in one of its various flavors, patch .exe from MS, .jpg.exe (with 100+ spaces between the .jpg and the .exe hiding it from almost any view) of your boss in a compromising situation from a co-worker, or message from your IT department about your password/account being changed .zip it only takes 1 user to open and infect the entire network. Note that none made it to us as I ban tons of attachment types, and our own domain sending in to us from SMTP. But it looks like the initial attack vector before it spread through the MS vulnerability.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..