Zotob Worm and Variants Hit Net
by Judith Dinowitz
August 18, 2005 -- This week, we've seen a tremendous amount of news coverage on the Zotob worm and its variants. The worm has gotten so much attention because it has hit many high-profile media organizations, such as ABC, CNN, The Associated Press and The New York Times. It's causing the most problems at companies with large networks of computers.
To put this in perspective, according to a Business Week Online article, the damage from this attack is not as devastating as the damage done by previous worms. The researchers it cites are more concerned by how quickly the code to create the worms first appeared on the Net.
To quote the article from Business Week:
"Instead, what concerns researchers is the record time in which the worms appeared following Microsoft's disclosure of a vulnerability in Windows last week. 'Normally it would take two to four weeks from the time that an exploit is disclosed to the time that we would normally see even the first proof-of-concept code that takes advantage of it,' says Bruce Hughes, senior antivirus researcher at TrendMicro (TMIC), a computer-security software company based in Tokyo." ("For Worm Writers, Speed Thrills," Business Week Online, August 18, 2005)
Microsoft announced the Plug 'n Play vulnerability for Windows systems on August 9th. By August 12, the first code to take advantage of the vulnerability was up on the Net, and by August 14th, the first worm was out there. The blinding speed at which the worms were hatched makes it clear that it is vitally important for administrators to install patches as soon as a security hole is announced.
So we can't stress this enough: If you're using a Windows operating system, download the latest service pack so that your security systems are up to date! It only takes a few minutes of your time but it will prevent you from becoming another security statistic.
If you have already become infected, you should download Microsoft's no-cost, software-based cleaner tool, which automatically removes the Zotob worm and its variants from infected PCs after deploying the security update. It's available on Microsoft's website.
What is the Plug 'n Play hole? It allows an attacker to run remote code that could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. For more information, check out the Microsoft Security Bulletin in the list of links below.
(The Plug 'n Play vulnerability is one of several Microsoft security holes that were recently announced. We've included the others in our list of links as well.)
Security Links and Cleanup:
MS05-039 Worm in the Wild (Internet Storm Center, August 14, 2005)
Free Security Scanning Utilities (Eeye.com)
Microsoft Ships Zotob Worm Removal Tool (Legit Reviews, August 18, 2005)
Microsoft Security Advisory 899588 (Microsoft, August 17, 2005)
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege
Vulnerability in JView Profiler Could Allow Remote Code Execution (Microsoft, July 12, 2005)
Vulnerability in Telephony Service Could Allow Remote Code Execution
Microsoft Windows 2000 Plug and Play Universal Remote Exploit #2 (MS05-039) (French Security Incident Response Team, August 12, 2005)
Vulnerability in Print Spooler Service Could Allow Remote Code Execution
Exploits Released for Latest Microsoft Flaws (Netcraft.com, August 12, 2005)
Mazu Profiler Proves Critical in the Wake of the Zotob Worm (Press Release for Mazu Networks, August 18, 2005)
Virus Tracking Services
Deepsight Threat Management System (Symantec)
Internet Storm Center (Infocon)
Infocon Diary: Status is Yellow (August 18, 2005)
Who is Responsible?
Zotob Worm from Turkey (News.com, August 18, 2005)
Worm Warfare Rages On (ZDNET UK, August 18, 2005)
SysAdmins Taking Brunt of Blame for Windows Worm Attack (Techworld.com, August 18, 2005)
The Story of the Worm's Spread
For Worm Writers, Speed Thrills (Business Week, August 18, 2005)
McAfee Raises Risk on IRCBot.Worm!MS05-039 (Bios Magazine, August 18, 2005)
Experts Divided on Microsoft Worm Threat (vnunet.com, August 18, 2005)
Worm Infects Hospital Systems (Boston.com Business, August 19, 2005)
Cleveland Among VA Offices Hit by Worm (Cleveland.com, August 18, 2005)
Warily Watching Worm Variants (InternetNews.com, August 18, 2005)
Windows Users Fight New Worm (Hindustan Times.com, August 17, 2005)