Zotob worm bites big media outlets



According to several reports, a number of big media outlets are seeing what is reported to be the Zotob worm, which exploits a Microsoft Windows vulnerability (MS05-039) disclosed last week. There seems to be no better way for something to make the news than for it to affect the companies that bring us the news. CNN, for one, is reporting that the worm has affected its networks, as well as those of ABC News and the New York Times. Caterpillar is also mentioned.


The Zotob worm primarily affects unpatched Windows 2000 systems; some Windows XP systems are vulnerable as well. A patch, of course, is available from Microsoft. The vulnerability is in the Plug and Play service, which was designed to ease installation of hardware: devices that were Plug and Play compatible would be detected automatically. (Why Microsoft designed this service to listen for remote network requests I have no idea.) The practical consequence is that Windows 2000 hosts with TCP port 445 reachable from other machines are the ones to patch or isolate first.

CNN is also reporting that some are blaming a different worm, by the name of worm-rbot.cbq (update 9:30PM EDT: it looks like this is a name from Trend Micro; they seem to be describing the same bug I’ve detailed below). CNN’s source suggests that this is a variant or derivation of the Zotob worm. Others are speculating that what CNN is seeing may be named Zotob.D, because the rebooting behavior is one that hadn’t been seen in earlier incarnations of the worm. (Now incidents.org is reporting that this is actually Zotob.E, according to a release from Symantec in just the last few minutes. They are further reporting that it is affecting Capitol Hill as well.)

An earlier update at Incidents.org suggested that although the worm has gotten broader media coverage (because the media themselves were affected), they saw no evidence of a massive new outbreak, and that the outbreak has already peaked. They were reporting on the third day since its entry into the wild, which has been typical for this kind of worm.

Further, Symantec has a writeup on Zotob.E including step-by-step removal instructions. The worm creates a mutex named wintbp.exe (so that only one copy loads into memory at a time). It also drops a file called wintbp.exe into the Windows directory of the affected machine (Windows, WinNT, etc.).

It adds the value
“Wintbp” = “wintbp.exe”
to the registry subkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts (strictly, entries under this Run key execute at each user logon).
It attempts to detect its network connection (this may fail if the machine is on a non-routable address).

It opens a back door on port 8080 and connects out to a machine at IP address 72.20.27.115.

It opens multiple ports.

It sends packets to IP addresses at random (presumably scanning for hosts it can infect).

It attempts to spread using port 445.

On each newly compromised computer it creates a file at %Temp%\[NUMBER].bat, which uses TFTP to download the worm from the attacking machine; the downloaded copy is saved as %Windir%\a[NUMBER].exe. The worm then logs the IP address of the newly infected machine to the IRC channel it communicates with.
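As an added example (not code from the original post, nor from Symantec's writeup), here is a small Python detector that turns the behaviours listed above into checks over firewall or flow log lines: any connection to the 72.20.27.115:8080 back door, one source fanning out to many distinct hosts on port 445, and a TFTP (UDP/69) transfer from a host back to the machine that just connected to it on 445, which is what the dropped .bat file does when it fetches a[NUMBER].exe. The log format, every address other than 72.20.27.115, and the fan-out threshold are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Indicators taken from the Symantec Zotob.E description quoted above.
C2_HOST = "72.20.27.115"
C2_PORT = 8080          # back door / IRC connection
SPREAD_PORT = 445       # the MS05-039 Plug and Play exploit travels over SMB
TFTP_PORT = 69          # the dropped .bat pulls a[NUMBER].exe over TFTP

# Tuning knobs (assumed values; adjust to the network being monitored).
SCAN_THRESHOLD = 5      # distinct 445 targets from one source ...
SCAN_WINDOW_S = 60      # ... within this many seconds counts as scanning

# Constructed flow log, assumed format: "<ISO timestamp> <proto> <src>:<sport> <dst>:<dport>".
# 10.1.1.20 is an infected host scanning; 10.1.1.21 is its victim; 10.1.1.50 is benign.
SAMPLE_LOG = """\
2005-08-16T21:00:01 tcp 10.1.1.20:1043 10.1.1.21:445
2005-08-16T21:00:02 tcp 10.1.1.20:1044 10.1.1.22:445
2005-08-16T21:00:02 tcp 10.1.1.20:1045 203.0.113.9:445
2005-08-16T21:00:03 tcp 10.1.1.20:1046 198.51.100.4:445
2005-08-16T21:00:03 tcp 10.1.1.20:1047 192.0.2.77:445
2005-08-16T21:00:04 tcp 10.1.1.20:1048 10.1.1.30:445
2005-08-16T21:00:06 udp 10.1.1.21:1025 10.1.1.20:69
2005-08-16T21:00:09 tcp 10.1.1.21:1026 72.20.27.115:8080
2005-08-16T21:05:00 tcp 10.1.1.50:2000 10.1.1.5:445
2005-08-16T21:05:30 tcp 10.1.1.50:2001 10.1.1.5:445
"""


def parse_line(line):
    """Split one flow record into its fields."""
    ts, proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport)}


def detect(log_text):
    """Return (alert_name, host) tuples for the Zotob-like behaviours found in the log."""
    flows = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []

    # 1. Hard indicator: any TCP connection to the back door host on 8080.
    for f in flows:
        if f["proto"] == "tcp" and f["dip"] == C2_HOST and f["dport"] == C2_PORT:
            alerts.append(("c2_contact", f["sip"]))

    # 2. Propagation: one source touching many distinct hosts on 445 in a short window.
    #    Random-target scanning shows up as fan-out, not as any particular address.
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == SPREAD_PORT:
            by_src[f["sip"]].append(f)
    for sip, smb in by_src.items():
        smb.sort(key=lambda f: f["ts"])
        start = 0
        for end in range(len(smb)):
            # slide the window start forward until it fits inside SCAN_WINDOW_S
            while (smb[end]["ts"] - smb[start]["ts"]).total_seconds() > SCAN_WINDOW_S:
                start += 1
            if len({f["dip"] for f in smb[start:end + 1]}) >= SCAN_THRESHOLD:
                alerts.append(("smb_scan", sip))
                break

    # 3. Payload fetch: a host that was connected to on 445 opens TFTP back to the
    #    connecting machine, i.e. the victim pulling the worm from the attacker.
    attacked = {(f["dip"], f["sip"]) for f in flows
                if f["proto"] == "tcp" and f["dport"] == SPREAD_PORT}
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == TFTP_PORT and (f["sip"], f["did" if False else "dip"]) in attacked:
            alerts.append(("tftp_fetch_after_smb", f["sip"]))

    return alerts


if __name__ == "__main__":
    for name, host in detect(SAMPLE_LOG):
        print(f"{name}: {host}")
```

Run against the constructed log it reports c2_contact and tftp_fetch_after_smb for 10.1.1.21 and smb_scan for 10.1.1.20, while 10.1.1.50's two connections to a single file server stay quiet. The third check is the most useful one in practice: a fresh victim's TFTP request back to the host that just hit it on 445 is a strong sign of an exploit-then-download worm even when the C2 address changes between variants.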

It’s worth noting that Zotob.E is the first in this family to be rated a 3 on Symantec’s threat rating scale (which goes to 5); the others have been rated 2.

Microsoft has a page up on dealing with Zotob.A (What you need to know about Zotob.A), which it rates as a minimal threat.

Information Week is reporting on the decreasing “patch window” between vulnerability disclosure and exploitation; in this case MS05-039 was disclosed last week and the worm followed within days.

It should be noted that Symantec has posted a removal tool for Zotob.A and Zotob.B; I expect it will be updated to deal with the rest of the family soon. Microsoft has not yet updated its Malicious Software Removal Tool to deal with Zotob. (Didn’t they buy an antivirus company in the last year?)

Over at Security Fix, Brian Krebs is once again giving an overview of what’s going on. He also offers a theory on how the media companies found themselves in such a fix (not patching their systems?): that they were reporting from a hostile network, and the infected laptops were then brought back inside the firewalls and blasted the internal networks. Just a theory, but certainly plausible, and since the worm spreads over port 445, which firewalls typically block at the perimeter but not between internal hosts, one infected laptop on the LAN is enough. It goes to show that perimeter (firewall) security is not the whole solution but one piece of the puzzle. Laptops that migrate in and out of various networks need to be scrutinized for patches at a much greater level than the desktops that stay inside.

What troubles me most about this is that CNN reported that Capitol Hill was affected; you would hope that this serves as a wake-up call for securing those systems. I wonder how much data may have been compromised on those machines?
