By Gregg Keizer
Aug. 16, 2005
Although the initial attack on Windows 2000 PCs by bot worms
exploiting a week-old vulnerability hasn't grabbed much traction, the
way hackers jumped on the bug is proof that the patching "window" is
virtually non-existent, said security experts Tuesday.
"The last week showed once more that there is no more patch window,"
wrote Johannes Ullrich, chief research officer at the SANS Internet
Storm Center, in the group's daily alert. "Defense in depth is your
only chance to survive the early release of malware."
Exploits were circulating within three days of Microsoft disclosing
the Plug and Play vulnerability and offering up a patch, and within
five days, several bot worms -- notably Zotob.a and Zotob.b -- were
"Microsoft must be fuming that virus writers are exploiting security
holes in their software so quickly," said Graham Cluley, senior
technology consultant for security vendor Sophos, in a statement.
"It's not only embarrassing for the software giant, but a real
headache for businesses who need to move quickly to roll out security
The reason for the fast hacker turn-around, said Ullrich, is that
attackers are sharing more and more information. "Malware can only
develop as fast as it is developing in this case because of extensive
code sharing in the underground," Ullrich said. "The only way we can
keep up with this development is by sharing information as
"We need to outshare the attackers."
Even before the bots appeared, vulnerability investigators were
tracking a high level of hacker chatter about the Plug and Play bug.
Ken Dunham, senior engineer with VeriSign iDefense, said that this
weekend his group eavesdropped on conversations about a Visual Basic
script tool that would let attackers scan for vulnerable PCs. "There
is a very high volume of hacker talk surrounding MS05-039 scanning and
exploitation," Dunham said early Sunday morning, before the Zotob bot
attacks were detected. "It is highly likely that malicious code will
soon emerge exploiting this vulnerability."
In other developments, anti-virus vendors have identified additional
bots that are using the Windows 2000 exploit to nail systems,
including a third variation of the Zotob family and a new member of
the Tilebot line.
Zotob.c, for instance, is similar to its Zotob.a and Zotob.b brethren,
but rather than attack as a network worm that requires no user
interaction, it's a mass-mailed piece of malware posing as an image
file attached to an e-mail message. Zotob.c uses such subject headings
as "Warning!" or "Important" to get the na=EFve to view the message and
open the file attachment.
"Because Zotob.c can also spread via e-mail it has the potential to
affect more people than the previous incarnations," said Cluley. "The
good news is that at the moment it does not appear to be spreading
That seems to be the consensus among security vendors for the moment.
The Internet Storm Center, for example, rolled back its infocon "state
of the Internet" warning from yellow -- "currently tracking a
significant new threat" -- to green ("everything is normal") on
Tuesday. Symantec did much the same, dropping its ThreatCon from level
2 to level 1.
"The ThreatCon was maintained at level 2 as result of attackers
publishing exploits=85and leveraging them in the wild," Symantec
explained in its daily bulletin to DeepSight Threat Management
customers. "As vendor-supplied patches and mitigating strategies have
been available for 6 days, the risk associated with these issues is
reduced, and as such the ThreatCon is being returned to level 1."
On Monday Microsoft again updated the Plug and Play security advisory
it originally published Thursday, August 11, to account for the
variations on Zotob, as well as to clarify that even if administrators
had enabled anonymous connections for Windows XP SP1 PCs, the current
bots can't exploit the Plug and Play vulnerability anonymously on
Microsoft has also created a new Web site dedicated to the Zotob
attacks, dubbed " What You Should Know About Zotob." The site includes
instructions on manually sniffing out the Zotob.a and/or Zotob.b, then
links to a lengthy set of steps for cleansing an infected system.
Although Microsoft has yet to update its free-of-charge Windows
Malicious Software Removal Tool to account for the Zotobs, Symantec
offers a free detection/deletion tool that takes care of the Zotob.a
and Zotob.b variants. It can be downloaded from the vendor's Web site.
Sept 16-18th, 2005
San Diego, California