Personal Tech Pipeline | Virus Writers Exploit Holes Faster Than Microsoft Can Plug Them

August 16, 2005

Virus Writers Exploit Holes Faster Than Microsoft Can Plug Them

Courtesy of TechWeb News

Although the initial attack on Windows 2000 PCs by bot worms exploiting a week-old vulnerability hasn't grabbed much traction, the way hackers jumped on the bug is proof that the patching "window" is virtually non-existent, said security experts Tuesday.

"The last week showed once more that there is no more patch window," wrote Johannes Ullrich, chief research officer at the SANS Internet Storm Center, in the group's daily alert. "Defense in depth is your only chance to survive the early release of malware."

Exploits were circulating within three days of Microsoft disclosing the Plug and Play vulnerability and offering up a patch, and within five days, several bot worms -- notably Zotob.a and Zotob.b -- were attacking systems.

"Microsoft must be fuming that virus writers are exploiting security holes in their software so quickly," said Graham Cluley, senior technology consultant for security vendor Sophos, in a statement. "It's not only embarrassing for the software giant, but a real headache for businesses who need to move quickly to roll out security patches."

The reason for the fast hacker turn-around, said Ullrich, is that attackers are sharing more and more information. "Malware can only develop as fast as it is developing in this case because of extensive code sharing in the underground," Ullrich said. "The only way we can keep up with this development is by sharing information as efficiently.

"We need to outshare the attackers."

Even before the bots appeared, vulnerability investigators were tracking a high level of hacker chatter about the Plug and Play bug. Ken Dunham, senior engineer with VeriSign iDefense, said that this weekend his group eavesdropped on conversations about a Visual Basic script tool that would let attackers scan for vulnerable PCs. "There is a very high volume of hacker talk surrounding MS05-039 scanning and exploitation," Dunham said early Sunday morning, before the Zotob bot attacks were detected. "It is highly likely that malicious code will soon emerge exploiting this vulnerability."

It did.

In other developments, anti-virus vendors have identified additional bots that are using the Windows 2000 exploit to nail systems, including a third variation of the Zotob family and a new member of the Tilebot line.

Zotob.c, for instance, is similar to its Zotob.a and Zotob.b brethren, but rather than attack as a network worm that requires no user interaction, it's a mass-mailed piece of malware posing as an image file attached to an e-mail message. Zotob.c uses such subject headings as "Warning!" or "Important" to get the naïve to view the message and open the file attachment.

"Because Zotob.c can also spread via e-mail it has the potential to affect more people than the previous incarnations," said Cluley. "The good news is that at the moment it does not appear to be spreading widely."
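The mass-mailed variant described above relies on an attachment that looks like a picture but is really a Windows program. The Python triage check below is an added example, not code from the article or from any vendor it names; it assumes that "posing as an image file" means the attachment is declared as an image but begins with a Windows PE ("MZ") header, and it runs on constructed sample messages rather than real malware.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines the article attributes to Zotob.c; a lure indicator, not a sole trigger.
LURE_SUBJECTS = {"warning!", "important"}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")

def is_pe_executable(data: bytes) -> bool:
    """A Windows PE file starts with the 'MZ' DOS header, whatever its name claims."""
    return data[:2] == b"MZ"

def claims_to_be_image(part) -> bool:
    """True if the attachment's declared MIME type or filename says 'image'."""
    filename = (part.get_filename() or "").lower()
    return part.get_content_maintype() == "image" or filename.endswith(IMAGE_EXTENSIONS)

def triage_message(raw: bytes) -> dict:
    """Inspect one raw RFC 822 message and report lure subject and disguised executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    findings = {"lure_subject": subject in LURE_SUBJECTS, "disguised_executables": []}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if claims_to_be_image(part) and is_pe_executable(payload):
            findings["disguised_executables"].append(part.get_filename())
    # A lure subject alone is too weak to act on; the type/content mismatch is the signal.
    findings["suspicious"] = bool(findings["disguised_executables"])
    return findings

def build_sample(subject: str, filename: str, content: bytes) -> bytes:
    """Constructed test message (assumption: synthetic bytes stand in for the attachment)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See attached picture.")
    msg.add_attachment(content, maintype="image", subtype="jpeg", filename=filename)
    return msg.as_bytes()

# Constructed inputs: a fake "image" carrying a PE header, and a genuine JPEG header.
SAMPLE_BAD = build_sample("Warning!", "photo.jpg", b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 16)
SAMPLE_OK = build_sample("Important", "photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)

if __name__ == "__main__":
    print(triage_message(SAMPLE_BAD))  # suspicious: True, disguised_executables: ['photo.jpg']
    print(triage_message(SAMPLE_OK))   # suspicious: False, lure_subject: True
```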

That seems to be the consensus among security vendors for the moment. The Internet Storm Center, for example, rolled back its infocon "state of the Internet" warning from yellow -- "currently tracking a significant new threat" -- to green ("everything is normal") on Tuesday. Symantec did much the same, dropping its ThreatCon from level 2 to level 1.

"The ThreatCon was maintained at level 2 as a result of attackers publishing exploits…and leveraging them in the wild," Symantec explained in its daily bulletin to DeepSight Threat Management customers. "As vendor-supplied patches and mitigating strategies have been available for 6 days, the risk associated with these issues is reduced, and as such the ThreatCon is being returned to level 1."

On Monday Microsoft again updated the Plug and Play security advisory it originally published Thursday, August 11, to account for the Zotob variants and to clarify that even if administrators had enabled anonymous connections on Windows XP SP1 PCs, the current bots cannot exploit the Plug and Play vulnerability anonymously on those systems.

Microsoft has also created a new Web site dedicated to the Zotob attacks, dubbed "What You Should Know About Zotob." The site includes instructions for manually detecting Zotob.a and/or Zotob.b, then links to a lengthy set of steps for cleaning an infected system.

Although Microsoft has yet to update its free-of-charge Windows Malicious Software Removal Tool to account for the Zotobs, Symantec offers a free detection/deletion tool that takes care of the Zotob.a and Zotob.b variants. It can be downloaded from the vendor's Web site.
