[itvibe.com...]
[pcmag.com...]
[infoworld.com...]
Of course, Windows 2000 is still huge in corporate environments.
I'm guessing a few IT heads will roll when CEOs find out that there was a patch available to prevent it. Admittedly, some corporate environments like to test updates before rolling them out company-wide, but "ummm, we weren't done testing it yet" is going to sound pretty lame to an exec who lost his whole network.
Standard practice here is "what would sir or madam like for an OS on their new hard disc?" The poor guys knew nothing about licensing etc. The shop says "for 200€ maybe we can put you in XP Pro", again with no disc left in your hands...
Ah well... had to go visit anyway for something else unrelated.
The worm scans for systems vulnerable to the Microsoft Windows Plug and Play service vulnerability (MS05-039) through TCP/445. First it tests the connection to port 445 and, if successful, it tries to exploit the vulnerability.
[f-secure.com...]
A few questions for the security pros:
1) Why would any company have port 445 open to the internet in the first place?
2) I have a $60 router/firewall that, as far as I can tell, blocks port 445. I have seen firewalls that sell for multiple thousands of dollars; I assume these are the kind of firewalls these companies are using, yet they have ports wide open?
3) Even if their ports are open, shouldn't these ultra-expensive firewalls be sniffing for strange packets from untrusted sources?
4) Why would any company use Windows itself as the first line of defense against viruses spread over the internet? It seems like port-scanning viruses should be squashed at the firewall level. Even if the virus was installed by an employee, shouldn't they have firewalls between the different departments?
Twist... since when did LAN guys and the like have the sort of mindset to understand how systems can be hit, and by what, whom etc.? Especially running 2k, which was always considered to be better locked off from the OS core than the other stuff out of Redmond. Most of them think that the only threat is from without. Talked about this a long time ago along here with "isitreal" (miss ya H... promise I'll write soon... likewise "V"). Some was joking, much was what LAN guys and sysadmins just miss or don't even imagine can happen, which is how some of us cut our teeth seeing how to get in and get out again...
A foot in the dark side can keep one from being buried up to the neck or higher in "that which happens"...
1) Why would any company have port 445 open to the internet in the first place?
They don't. However, it takes one laptop user to bring it in and it will take down the whole internal network if there are not multiple firewalls and complex protection systems. It is waaay harder than just blocking it at the router.
Secondly, port 445 does have a legitimate use: Microsoft Directory Services. You can block this from the net, but you can't just block it on your internal network, as it is vital for Windows networking to function.
I still would consider it a sloppy tech staff to allow a simple port scanning bug to take down a company. Then again, most companies pay their tech staff a tenth of what their useless butt-kissing executives get. A good virus scare can also be pretty good job security I suppose.
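An added example, not from this thread: the worm behaviour quoted above (one host testing TCP/445 on many neighbours before exploiting them) is easy to spot on an internal firewall even where 445 must stay open for Windows networking. This Python detector reads constructed log lines in an assumed "timestamp src dst proto dport action" format and flags sources that reach port 445 on many distinct hosts within a short window; the format, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "timestamp src dst proto dport action").
# 10.0.5.23 fans out across twelve hosts on TCP/445 in twelve seconds (worm-like).
# 10.0.5.40 talks to the same domain controller repeatedly (normal SMB traffic).
# 10.0.5.41 touches two hosts on 445 and one on 80 (low fan-out, not flagged by default).
SAMPLE_LOG = "\n".join(
    [f"2005-08-16T09:00:{i:02d} 10.0.5.23 10.0.5.{100 + i} TCP 445 ACCEPT" for i in range(12)]
    + ["2005-08-16T09:00:05 10.0.5.40 10.0.5.1 TCP 445 ACCEPT"] * 15
    + ["2005-08-16T09:00:07 10.0.5.41 10.0.5.1 TCP 445 ACCEPT",
       "2005-08-16T09:00:08 10.0.5.41 10.0.5.2 TCP 445 ACCEPT",
       "2005-08-16T09:00:09 10.0.5.41 10.0.5.3 TCP 80 ACCEPT"])

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse(line):
    """Parse one log line into (timestamp, src, dst, proto, dport, action), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport, action = m.groups()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport), action

def find_smb_scanners(log_text, window=timedelta(seconds=60), min_targets=8):
    """Return {src: set_of_dsts} for sources that hit TCP/445 on at least
    min_targets distinct hosts inside any sliding window of the given length."""
    events = defaultdict(list)          # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport, _action = rec
        if proto == "TCP" and dport == 445:
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {d for _, d in evs[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = hits.get(src, set()) | targets
    return hits

if __name__ == "__main__":
    for src, targets in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible TCP/445 scanner {src}: {len(targets)} distinct targets")
```

Counting distinct destinations rather than raw connections is what keeps a busy file-server client such as 10.0.5.40 from being flagged.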
Indirectly related, Adobe announced yesterday that ALL VERSIONS of Adobe Acrobat (Reader and full version, for all platforms) can allow code execution via PDF files. Now that one is gonna take a lot of people by surprise - when was the last time you updated your PDF reader? Ever?
[webmasterworld.com...]
[microsoft.com...]
You can get patches, and there is also a removal tool if you are infected.
Other news from the BBC - that different virus-writing gangs are competing in a kind of "virus war", and in the process are producing new variants which remove their competitors' versions and install their own:
[news.bbc.co.uk...]
Quite pathetic...
We hadn't even started to look at that particular patch... and then the ISCalert tool (Google it) started to flash on my home PC over the weekend, at which point I knew something serious was happening.
In which case, tell your clients to use the Symantec tool:
[securityresponse.symantec.com...]
direct download:
[securityresponse.symantec.com...]
(system restore needs to be disabled)
The FBI and Microsoft Corp. collaborated with law enforcement officials in Turkey and Morocco to secure the arrest on Thursday of two men thought to be responsible for creating computer worms that infected hundreds of thousands of computers worldwide this year. Police in Morocco arrested Farid Essebar, 18, a Moroccan national born in Russia who used the online moniker "Diabl0." Authorities in Turkey arrested 21-year-old Atilla Ekici, known by the online alias "Coder."
Both were apparently caught when they tried to commit bank fraud with information stolen during the virus attacks. Both will face prosecution in their respective countries.