Worms targeting Windows Plug and Play go global

By Shawna McAlearney and Bill Brenner, News Writers
17 Aug 2005 | SearchSecurity.com

Organizations around the world this morning are scrambling to combat multiple large-scale worm outbreaks targeting the Plug and Play flaw on Windows 2000. It began last night with reports of devastating infections at Capitol Hill, CNN, ABC and The New York Times, but security experts say that's only the beginning.

"We were hit hard here and I have heard reports of variable credibility that other orgs were hit as well," said a security manager at a Fortune 500 company who wished to remain anonymous. "From a management perspective it was utterly depressing because it was moving so fast we knew that we were still going to take a big hit."

"We discovered that the backdoor was using TCP port 8080 to a specific IP and set up a firewall rule to block that traffic, which also gave us a list of infected machines," the security manager added. "We saw some machines getting stuck into a 'boot loop,' they would start to boot up and then reboot continuously. We suspect that was the result of infection attempts."

He said it only added to the confusion that at least three new variants of the Zotob worm came out yesterday. Vendors reported other worms as well, but malware naming conventions continue to present problems for users trying to determine what they've been infected by. Among the worms: Zotob-A through Zotob-F, Zytob, IRCbot.worm, Tpbot-A, Dogbot-A, Esbot-A, SDbot-ACG, Rbot-AKM and Rbot-AKN; and Drugtob-B.

"Many enterprises, large and small, have internal infections of Windows 2000 systems by worms," said David Kennedy, senior risk analyst, Cybertrust Corp. "The problem is complicated by undisciplined naming by various antivirus vendors."

Stefana Ribaudo, director of Computer Associates' eTrust Security Management division, said Tpbot-A seemed to be the most prevalent so far.

"We had more than enough reports to go to a medium alert," she said. "The first reports started coming in from Australia. Then the reports rolled east with the sunrise."

Multiple variants of the Zotob worm. Zotob-C is different from the first two in that it also spreads by e-mail rather than only through networked computers. The other variants spread by scanning TCP port 445. When it spreads by e-mail, it uses a number of disguises; in one instance, Sophos said, it pretends to be a Web cam photograph. Because of the e-mail component, this variant could have a wider reach than the first two.

The Tilebot-F spyware worm. Sophos said this one can steal user account information from infected computers and launch distributed denial-of-service attacks against Web sites. Cluley said the lab has received reports from organizations hit by Tilebot, but it doesn't appear to be a mass outbreak at the moment. "Sometimes there's simply no logic to which viruses become successful and which don't," he said. "Sometimes it seems to just be a case of luck."

The W32/IRCbot.worm. McAfee warned of a high-risk worm that it said could be global by this morning. "That worm appeared seven days from the initial announcement of the Microsoft vulnerability, demonstrating the fastest time between the announcement of a vulnerability and the success of a mass propagating exploit -- even faster than Sasser, which took 14 days," McAfee said in a statement. McAfee said IRCbot.worm contacts a remote IRC server and waits for further instructions. If this worm is run on a system that hasn't been patched for the MS05-039 vulnerability, it will continually reboot. Infected systems will be listening on TCP port 8594.
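The network indicators reported above (scanning of TCP port 445 from infected hosts, outbound backdoor connections on TCP port 8080 to a single controller address, and a listener on TCP port 8594) are the kind of thing the anonymous security manager used to build a list of infected machines from firewall logs. The script below is an added example, not code from the article or from any vendor quoted in it: it triages constructed firewall log lines and a constructed per-host listening-port inventory against those three indicators. The log format, the internal addresses, the controller address 203.0.113.10 (a documentation-range placeholder standing in for the "specific IP" the manager mentioned) and the scan threshold are all assumptions of the example.

```python
"""Triage constructed firewall logs and a port inventory for the indicators
reported during the August 2005 Zotob/IRCbot outbreaks: TCP/445 scanning,
outbound beacons to one controller IP on TCP/8080, and a TCP/8594 listener.
Every log line, address and port set below is a constructed sample."""
import re
from collections import defaultdict

# Constructed: one perimeter-firewall line per connection attempt.
# The DENY lines on port 8080 reflect a blocking rule like the one the
# article describes; the log of blocked attempts is the infection list.
SAMPLE_FW_LOG = """\
2005-08-17T02:14:05 ALLOW TCP 10.1.4.22:3412 -> 10.1.9.8:445
2005-08-17T02:14:05 ALLOW TCP 10.1.4.22:3413 -> 10.1.9.9:445
2005-08-17T02:14:05 DENY  TCP 10.1.4.22:3414 -> 10.1.9.10:445
2005-08-17T02:14:06 DENY  TCP 10.1.4.22:3415 -> 10.1.9.11:445
2005-08-17T02:14:06 DENY  TCP 10.1.4.22:3416 -> 10.1.9.12:445
2005-08-17T02:14:07 DENY  TCP 10.1.4.22:3417 -> 203.0.113.10:8080
2005-08-17T02:15:01 ALLOW TCP 10.1.7.3:1054 -> 10.1.9.8:445
2005-08-17T02:15:30 DENY  TCP 10.1.7.3:1055 -> 203.0.113.10:8080
2005-08-17T02:16:00 ALLOW TCP 10.1.8.40:2201 -> 10.1.9.8:445
2005-08-17T02:16:10 ALLOW TCP 10.1.8.40:2202 -> 93.184.216.34:80
this line is malformed and must be skipped
"""

# Constructed: per-host listening TCP ports as an inventory tool might report.
SAMPLE_LISTENERS = {
    "10.1.4.22": {135, 139, 445, 8594},
    "10.1.7.3": {135, 139, 445},
    "10.1.8.40": {135, 139, 445, 3389},
}

# Constructed placeholder for the single controller address the article
# refers to; a real deployment would take this from the investigation.
C2_IP = "203.0.113.10"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_fw_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def find_smb_scanners(records, min_targets=4):
    """Sources that touched at least min_targets distinct hosts on TCP/445.
    Port 445 is normal SMB traffic, so a single connection means nothing;
    the threshold separates a scanner from a workstation using file shares."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == 445:
            targets[r["src"]].add(r["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


def find_backdoor_beacons(records, c2_ip, c2_port=8080):
    """Sources that tried to reach the controller address on the backdoor port,
    whether the firewall allowed or denied the attempt."""
    return sorted({r["src"] for r in records
                   if r["dst"] == c2_ip and r["dport"] == c2_port})


def find_suspicious_listeners(listeners, port=8594):
    """Hosts whose listening-port inventory includes the reported backdoor port."""
    return sorted(host for host, ports in listeners.items() if port in ports)


def triage(log_text=SAMPLE_FW_LOG, listeners=SAMPLE_LISTENERS, c2_ip=C2_IP):
    """Combine the three indicators; 'infected' is the union, which is the
    list an operator would hand to the desktop team for patching (MS05-039)."""
    records = parse_fw_log(log_text)
    result = {
        "scanners": find_smb_scanners(records),
        "beacons": find_backdoor_beacons(records, c2_ip),
        "listeners": find_suspicious_listeners(listeners),
    }
    result["infected"] = sorted(set(result["scanners"]) | set(result["beacons"])
                                | set(result["listeners"]))
    return result


if __name__ == "__main__":
    for key, hosts in triage().items():
        print(f"{key:10s} {', '.join(hosts) or '-'}")
```

The scan threshold is deliberately a parameter: on a real network the right value depends on how chatty legitimate SMB clients are, and the beacon check is the strongest of the three signals because benign hosts have no reason to contact the controller address at all.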

"We are not aware at this time of a new attack; our analysis has revealed that the reported worms are different variations of the existing attack called Zotob," a Microsoft spokesperson said in a statement. "All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation."

This article originally appeared on SearchSecurity.com.
