Jack M. Germain, newsfactor.com
Finnish antivirus firm F-Secure found a new worm on Sunday that attacks
the Windows Plug-N-Play vulnerability that Microsoft patched last
Tuesday. The security firm's researchers said the worm, which they
named ZoTob, poses the biggest risk to users running Windows 2000.
Industry researchers began seeing exploit code for the critical
Microsoft vulnerability showing up on various hacking Web sites on
Friday. According to F-Secure's Web site, Zotob began spreading as
early as 7:30 a.m. EST Sunday morning.
Mikko Hyppönen, director of antivirus research for F-Secure, wrote that
the new worm is based on MyTob, a mass-mailing virus that opens a back
door and lowers security settings on compromised machines.
Hyppönen noted that the ZoTob worm might be using exploit code
published by a researcher known as "houseofdabus" four days ago. ZoTob
is the first major self-propagating program since the Sasser worm --
which began spreading April 30, 2004 -- to target a Microsoft Windows
vulnerability.
F-Secure researchers also announced their discovery of two variants of
the ZoTob worm. Each one gives hackers access to unpatched computers
and shares several similarities with the earlier MyTob worm.
Windows XP Users Safe
According to F-Secure researchers and other antivirus companies, ZoTob
has no effect on computers running Windows XP Service Pack 2 or
Windows Server 2003. Thus, the ZoTob worm should not spread as quickly
as Sasser did.
According to researchers, Microsoft confirmed that ZoTob only infects
Windows 2000 systems. Redmond said that any Windows XP system that
applied the updated patches released last Tuesday would be safe.
Other antivirus researchers, however, say unpatched vulnerabilities in
other Windows platforms -- Windows 95, 98 and ME -- could be at risk.
Attack Scenario
Antivirus firm Trend Micro (Nasdaq: TMIC) said the ZoTob worm
places a copy of itself into the Windows system folder as botzor.exe
and modifies the hosts file on the infected computer, preventing
the user from getting online assistance from antivirus Web sites.
According to the Internet Storm Center, which monitors network threats
for the SANS Institute, the ZoTob worm compromises computers by
sending data on TCP port 445. The worm uses the infected computer as a
file transfer protocol (FTP) server in an effort to propagate itself.
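The two behaviours just described, a hosts file rewritten to block antivirus sites and an infected machine sweeping other hosts on TCP port 445, are both things a defender can check for. The script below is an added example written for this page; it is not code from the article, from F-Secure, Trend Micro or the Internet Storm Center. The antivirus domain list, the firewall log format and all sample data are constructed assumptions for illustration.

```python
"""Defender-side checks for the two Zotob behaviours described above:
hosts-file tampering that blocks antivirus sites, and TCP/445 scanning
from an infected host hunting for unpatched Windows 2000 machines.
Everything in this file is constructed sample data, not real telemetry."""

from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed list of antivirus/update domains a worm might want to block.
AV_DOMAINS = {"f-secure.com", "trendmicro.com", "symantec.com",
              "mcafee.com", "windowsupdate.com"}


def find_hosts_tampering(hosts_text, av_domains=AV_DOMAINS):
    """Return (hostname, address) pairs from a hosts file that map an
    antivirus/update domain, or any subdomain of one, to a loopback or
    unspecified address (the classic 'can't reach the AV site' trick)."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not our concern here
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in parts[1:]:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in av_domains):
                hits.append((host, str(addr)))
    return hits


# Constructed firewall log format: "<ISO time> <fw> <action> src= dst= proto= dport="
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) .*?"
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def detect_445_fanout(log_lines, threshold=10, window=timedelta(seconds=60)):
    """Flag sources that touched at least `threshold` distinct destinations
    on TCP/445 inside any sliding `window`. Returns {src: max_distinct_dsts}.
    A worm sweeping a subnet fans out; a normal SMB client does not."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["proto"].upper() != "TCP" or m["dport"] != "445":
            continue
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in evs[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged


SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 www.f-secure.com
0.0.0.0   liveupdate.symantec.com
10.0.0.5  intranet.example   # legitimate internal entry
"""


def make_sample_log():
    """Constructed firewall lines: one host sweeping TCP/445 across a /24,
    one ordinary file-server client, and one unrelated FTP connection."""
    t0 = datetime(2005, 8, 14, 7, 30, 0)
    lines = [
        f"{(t0 + timedelta(seconds=2 * i)).isoformat()} fw1 DENY "
        f"src=10.0.0.23 dst=10.0.1.{i + 1} proto=TCP dport=445"
        for i in range(15)
    ]
    lines.append(f"{t0.isoformat()} fw1 ALLOW src=10.0.0.40 dst=10.0.0.2 proto=TCP dport=445")
    lines.append(f"{t0.isoformat()} fw1 ALLOW src=10.0.0.23 dst=10.0.1.1 proto=TCP dport=21")
    return lines


if __name__ == "__main__":
    print("hosts tampering:", find_hosts_tampering(SAMPLE_HOSTS))
    print("445 fan-out:", detect_445_fanout(make_sample_log()))
```

The hosts check deliberately ignores entries that point at routable addresses, since redirecting an antivirus domain to an attacker-controlled host is a different (and rarer) pattern than the loopback blackholing the article describes; the fan-out check keys on distinct destinations rather than raw connection counts so a busy but legitimate SMB client is not flagged.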
F-Secure's Hyppönen said that researchers found a message hidden inside
the virus code warning death to the first to discover the worm. That
message said, "MSG to avs: the first av who detect this worm will be
the first killed in the next 24hours!!!"
Although ZoTob appears to be a failed attack, David Perry, Trend
Micro's Director of Global Education, recommends that all users remain
vigilant.
"ZoTob.A utilizes modular programming, which is considered a
mainstream programming technique, and has been in wide use since
MyDoom.A in January, 2004," said Perry. "ZoTob.A carries on in that
tradition, utilizing a module of the MyTob family of worms, called
'HELLBOT.' Therefore, it is certainly possible that further variants
will be forthcoming."
ZoTob/Botzor.exe is expected to be quite active searching out Windows 2000
systems during this week, August 15-20.
Copyright 2005 NewsFactor Network, Inc.