Zotob network virus, variants, believed to have hit Disney today
By Scott Fulton
August 17, 2005 - 18:23 EST
San Mateo (CA) - A spokesperson for security provider Keynote Systems told Tom's Hardware Guide this afternoon that response times for two Web sites run by Disney - a prominent Keynote customer - dropped significantly this afternoon, presumably in the wake of a virus infection which both companies acknowledged yesterday. A wave of new network worms, led by the so-called Zotob strain, of which some companies are reporting at least seven variants discovered thus far, began infecting major systems last Saturday, according to Trend Micro, a security software producer. The Zotob strain is itself a variant of a class of worms that security providers call RBOTs. As Tom's Hardware Guide reported on Monday, Zotob infects computers running Windows 2000 by instigating traffic through port 445, a port originally reserved for Universal Plug and Play, specifically for network peripherals that communicate their configurations to network systems using the TCP/IP protocol. In Windows 2000, the buffers associated with such communications are unchecked, and on many corporate firewalls traffic on that port is not blocked.
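The propagation pattern described above (an infected Windows 2000 host pushing traffic to TCP port 445 across a network that does not filter it) shows up in a firewall or connection log as one source fanning out to many peers on that port. The detector below is an added example, not code from the article or from any vendor it mentions; it runs over a constructed, simplified connection log, and the log format, addresses, window and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a simplified firewall connection log (not real data):
# fields are timestamp, source, destination, destination port, firewall action.
# 10.1.2.50 behaves like a worm host fanning out to TCP/445 across the subnet;
# 10.1.2.77 is a user talking to one file server; 10.1.2.90 is slow background noise.
SAMPLE_LOG = """\
2005-08-17T14:40:01 10.1.2.50 10.1.2.10 445 allow
2005-08-17T14:40:02 10.1.2.50 10.1.2.11 445 allow
2005-08-17T14:40:02 10.1.2.50 10.1.2.12 445 deny
2005-08-17T14:40:03 10.1.2.50 10.1.2.13 445 allow
2005-08-17T14:40:05 10.1.2.50 10.1.2.14 445 deny
2005-08-17T14:40:08 10.1.2.50 10.1.2.15 445 allow
2005-08-17T14:40:04 10.1.2.77 10.1.2.5 445 allow
2005-08-17T14:41:10 10.1.2.77 10.1.2.5 445 allow
2005-08-17T14:41:12 10.1.2.77 10.1.2.5 80 allow
2005-08-17T14:30:00 10.1.2.90 10.1.2.20 445 allow
2005-08-17T14:35:00 10.1.2.90 10.1.2.21 445 allow
2005-08-17T14:45:00 10.1.2.90 10.1.2.22 445 allow
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_445_fanout(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src: set of distinct dsts} for sources that reach >= threshold
    distinct hosts on TCP/445 within any window-long interval.
    Denied attempts count too: a blocked probe is still evidence of scanning."""
    attempts = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport == 445:
            attempts[src].append((ts, dst))
    suspects = {}
    for src, events in attempts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct destinations reached in [t0, t0 + window]
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                suspects[src] = targets
                break
    return suspects
```

A user reaching one file server repeatedly never trips the rule, because it counts distinct destinations, not connection volume.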
According to Keynote Systems, at approximately 2:45 pm Eastern time Wednesday afternoon, Web servers at ABC (including ABC News) and ESPN, two Disney properties, experienced greatly reduced availability: down to less than 5 percent of capacity, with load times exceeding 20 seconds per page versus the normal 4 seconds. In the accompanying graph, ABC sites are represented with a yellow line, ESPN with a blue-green line. Keynote had reported earlier that CNN also experienced a drop, but later retracted that statement due to inconclusive data.
Keynote Systems posted a page late this afternoon with live data from its 40 prime business customers, showing relative levels of network service. The page does not give indicators as to the potential cause of service quality reductions.
The vulnerability which the Zotob network worm exploits was first announced on August 9, in warnings simultaneously published by Microsoft and by Internet Security Systems, the company Microsoft credited with discovering the vulnerability. Microsoft immediately issued a patch in accordance with the warning. However, as a Trend Micro report released this afternoon points out, the first reports of virus infection were received only four days later - a new record.
David Perry, global director of education for Trend Micro, believes Zotob may signal the beginning of a new class of viruses: one which gives off the savvy of the boot-sector viruses of the 1980s, complete with their cute and semi-threatening messages, but not requiring the same level of intellect. This wave, believes Perry, is triggered by Microsoft's own security memos: "All of the network viruses, from Code Red on out, follow on after Microsoft's patch announcements, without fail," Perry told Tom's Hardware Guide. "The reason for that is simple: The people who are writing the viruses only find out about the vulnerabilities that they're exploiting, from the Microsoft technical bulletins. That's their source of information. Every time there's been one that has been exploitable, it's ended up being exploited. It's like 100 percent turnover."
Malware writers, stated Perry, are being affected now by what he calls the "zero-day effect": "A 'zero-day' would be any time you have a virus or an exploit that is released before there is a patch available, but approaching zero-day is as good as zero-day, for most intents and purposes." The race is on among malware writers to do as much damage and gain as much notoriety as possible, from the time Microsoft announces a vulnerability to the time it's effectively patched.
In an e-mail late today, Counterpane chief technology officer Bruce Schneier agreed, stating, "The 'window of exposure' between vulnerability announcement and patching is a prime target."
The last customers to patch their operating systems, believes Perry, are large networks, for several reasons. Among them, they spend the most time testing the waters when planning their network operating system migrations. Also, they may have the most to lose, especially in the case of major news organizations - including The New York Times, ABC News, and CNN, which reported infections this week - who are still bound to Windows 2000 because their asset management systems may not have been upgraded to take advantage of Windows Server 2003's new authentication system. In newer Windows operating systems, processes such as the one that takes over port 445 in Zotob cannot gain access to that port because they cannot properly authenticate themselves. In many applications written for Windows 2000, process authentication was bypassed, and some of those applications have yet to be rewritten to this day.
"Contrary to conventional wisdom," stated Perry, "large system, enterprise-level networks are, generally speaking, a little more cautious about when they run the upgrades to new operating systems, so it was the large companies that were more susceptible to this worm than the individual home users."
Perry disputed reports from security software vendor F-Secure that multiple variants of the virus, including one which actually removes earlier variants, are an indication of any kind of "malware gang war." Referring to the malware writers, Perry said, "We don't know what their motivation might be. It could be because of the double-sunspot cycles. I'm not able to reach into that guy's brain and come up with a cogent reason why they do things. A lot of people try to, [but] there's a long jump between speculation and reality."