Zotob Proves Patching 'Window' Non-existent
"The last week showed once more that there is no more patch window," wrote Johannes Ullrich, chief research officer at the SANS Internet Storm Center, in the group's daily alert. "Defense in depth is your only chance to survive the early release of malware."
Exploits were circulating within three days of Microsoft disclosing the Plug and Play vulnerability and offering up a patch, and within five days, several bot worms -- notably Zotob.a and Zotob.b -- were attacking systems.
"Microsoft must be fuming that virus writers are exploiting security holes in their software so quickly," said Graham Cluley, senior technology consultant for security vendor Sophos, in a statement. "It's not only embarrassing for the software giant, but a real headache for businesses who need to move quickly to roll out security patches."
The reason for the fast hacker turn-around, said Ullrich, is that attackers are sharing more and more information. "Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground," Ullrich said. "The only way we can keep up with this development is by sharing information as efficiently.
"We need to outshare the attackers."
Even before the bots appeared, vulnerability investigators were tracking a high level of hacker chatter about the Plug and Play bug. Ken Dunham, senior engineer with VeriSign iDefense, said that this weekend his group eavesdropped on conversations about a Visual Basic script tool that would let attackers scan for vulnerable PCs. "There is a very high volume of hacker talk surrounding MS05-039 scanning and exploitation," Dunham said early Sunday morning, before the Zotob bot attacks were detected. "It is highly likely that malicious code will soon emerge exploiting this vulnerability."
It did.
In other developments, anti-virus vendors have identified additional bots that are using the Windows 2000 exploit to nail systems, including a third variation of the Zotob family and a new member of the Tilebot line.
Zotob.c, for instance, is similar to its Zotob.a and Zotob.b brethren, but rather than attack as a network worm that requires no user interaction, it's a mass-mailed piece of malware posing as an image file attached to an e-mail message. Zotob.c uses such subject headings as "Warning!" or "Important" to get the nave to view the message and open the file attachment.
"Because Zotob.c can also spread via e-mail it has the potential to affect more people than the previous incarnations," said Cluley. "The good news is that at the moment it does not appear to be spreading widely."
That seems to be the consensus among security vendors for the moment. The Internet Storm Center, for example, rolled back its infocon "state of the Internet" warning from yellow -- "currently tracking a significant new threat" -- to green ("everything is normal") on Tuesday. Symantec did much the same, dropping its ThreatCon from level 2 to level 1.
"The ThreatCon was maintained at level 2 as result of attackers publishing exploits…and leveraging them in the wild," Symantec explained in its daily bulletin to DeepSight Threat Management customers. "As vendor-supplied patches and mitigating strategies have been available for 6 days, the risk associated with these issues is reduced, and as such the ThreatCon is being returned to level 1."
On Monday Microsoft again updated the Plug and Play security advisory it originally published Thursday, August 11, to account for the variations on Zotob, as well as to clarify that even if administrators had enabled anonymous connections for Windows XP SP1 PCs, the current bots can't exploit the Plug and Play vulnerability anonymously on those systems.
Microsoft has also created a new Web site dedicated to the Zotob attacks, dubbed " What You Should Know About Zotob." The site includes instructions on manually sniffing out the Zotob.a and/or Zotob.b, then links to a lengthy set of steps for cleansing an infected system.
Although Microsoft has yet to update its free-of-charge Windows Malicious Software Removal Tool to account for the Zotobs, Symantec offers a free detection/deletion tool that takes care of the Zotob.a and Zotob.b variants. It can be downloaded from the vendor's Web site.