Zotob Proves Patching "Window" Non-Existent Aug. 16, 2005
http://informationweek.com/story/showArticle.jhtml?articleID=168602115
The speed with which the latest effort to exploit a week-old vulnerability
in Windows was launched has security experts alarmed. They are urging users
to move as quickly as possible to defend against hackers, once patches are
announced.
By Gregg Keizer
TechWeb News
Although the initial attack on Windows 2000 PCs by bot worms exploiting a
week-old vulnerability hasn't grabbed much traction, the way hackers jumped
on the bug is proof that the patching "window" is virtually non-existent,
said security experts Tuesday.
"The last week showed once more that there is no more patch window," wrote
Johannes Ullrich, chief research officer at the SANS Internet Storm Center,
in the group's daily alert. "Defense in depth is your only chance to survive
the early release of malware."
Exploits were circulating within three days of Microsoft disclosing the Plug
and Play vulnerability and offering up a patch, and within five days,
several bot worms -- notably Zotob.a and Zotob.b -- were attacking systems.
"Microsoft must be fuming that virus writers are exploiting security holes
in their software so quickly," said Graham Cluley, senior technology
consultant for security vendor Sophos, in a statement. "It's not only
embarrassing for the software giant, but a real headache for businesses who
need to move quickly to roll out security patches."
The reason for the fast hacker turn-around, said Ullrich, is that attackers
are sharing more and more information. "Malware can only develop as fast as
it is developing in this case because of extensive code sharing in the
underground," Ullrich said. "The only way we can keep up with this
development is by sharing information as efficiently.
"We need to outshare the attackers."
Even before the bots appeared, vulnerability investigators were tracking a
high level of hacker chatter about the Plug and Play bug. Ken Dunham, senior
engineer with VeriSign iDefense, said that this weekend his group
eavesdropped on conversations about a Visual Basic script tool that would
let attackers scan for vulnerable PCs. "There is a very high volume of
hacker talk surrounding MS05-039 scanning and exploitation," Dunham said
early Sunday morning, before the Zotob bot attacks were detected. "It is
highly likely that malicious code will soon emerge exploiting this
vulnerability."
It did.
In other developments, anti-virus vendors have identified additional bots
that are using the Windows 2000 exploit to nail systems, including a third
variation of the Zotob family and a new member of the Tilebot line.
Zotob.c, for instance, is similar to its Zotob.a and Zotob.b brethren, but
rather than attack as a network worm that requires no user interaction, it's
a mass-mailed piece of malware posing as an image file attached to an e-mail
message. Zotob.c uses such subject headings as "Warning!" or "Important" to
get the naïve to view the message and open the file attachment.
"Because Zotob.c can also spread via e-mail it has the potential to affect
more people than the previous incarnations," said Cluley. "The good news is
that at the moment it does not appear to be spreading widely."
That seems to be the consensus among security vendors for the moment. The
Internet Storm Center, for example, rolled back its infocon "state of the
Internet" warning from yellow -- "currently tracking a significant new
threat" -- to green ("everything is normal") on Tuesday. Symantec did much
the same, dropping its ThreatCon from level 2 to level 1.
"The ThreatCon was maintained at level 2 as a result of attackers publishing
exploits and leveraging them in the wild," Symantec explained in its daily
bulletin to DeepSight Threat Management customers. "As vendor-supplied
patches and mitigating strategies have been available for 6 days, the risk
associated with these issues is reduced, and as such the ThreatCon is being
returned to level 1."
On Monday Microsoft again updated the Plug and Play security advisory it
originally published Thursday, August 11, to account for the variations on
Zotob, as well as to clarify that even if administrators had enabled
anonymous connections for Windows XP SP1 PCs, the current bots can't exploit
the Plug and Play vulnerability anonymously on those systems.
Microsoft has also created a new Web site dedicated to the Zotob attacks,
dubbed "What You Should Know About Zotob." The site includes instructions
for manually detecting Zotob.a and/or Zotob.b on a system, followed by links
to a lengthy set of steps for cleaning an infected system.
Although Microsoft has yet to update its free-of-charge Windows Malicious
Software Removal Tool to account for the Zotobs, Symantec offers a free
detection/deletion tool that takes care of the Zotob.a and Zotob.b variants.
It can be downloaded from the vendor's Web site.
You are a subscribed member of the infowarrior list. Visit
www.infowarrior.org for list information or to unsubscribe. This message
may be redistributed freely in its entirety. Any and all copyrights
appearing in list messages are maintained by their respective owners.