August 2005 - Posts
The good news about the Zotob outbreak is that we're unlikely to see future versions after two men - one in Morocco and one in Turkey - were arrested Thursday.
From The Washington Post's article:
The FBI and Microsoft Corp. collaborated with law enforcement officials in Turkey and Morocco to secure the arrest on Thursday of two men thought to be responsible for creating computer worms that infected hundreds of thousands of computers worldwide this year.
Police in Morocco arrested Farid Essebar, 18, a Moroccan national born in Russia who used the online moniker "Diabl0." Authorities in Turkey arrested 21-year-old Atilla Ekici, known by the online alias "Coder."
Essebar and Ekici are suspected of releasing the "Zotob" and "Mytob" computer worms that were designed to take advantage of flaws in Microsoft's widely used Windows operating system. Both of the suspects' nicknames can be found in the original computer programming code for Zotob, according to the FBI and Microsoft.
In addition to Mytob and Zotob, vnunet.com reports that the pair are responsible for the Rbot worm family, too.
Here's to hoping for a fair trial and harsh punishment. The computer laws of Turkey and Morocco may both be put to the test by this case.
Here is a collection of recent articles on the Zotob worm, which at this point is no longer spreading very quickly:
Some XP machines vulnerable to Zotob worm (TechWorld) - A full news article about the (rare) registry modifications that can result in Windows XP being vulnerable to the Zotob worm. Not a new threat.
Zotob epidemic past its peak (SmoothWall.net) - A good summary of events, with links.
From Melissa to Zotob: 10 Years of Windows Worms (eWeek) - Although “From Melissa to Sasser: 6 Years of Windows Worms” would actually be a more exact title for this article, this is a decent, albeit compacted, summary of significant computer worms of the modern Internet age.
We can now officially say that the Zotob worm outbreak is, for all intents and purposes, over.
F-Secure looks at new threats we're dealing with at their Weblog, in an article entitled “More pnp related malware.”
Good news on the Zotob front.
McAfee has lowered the risk to Medium.
Correspondingly, it is now considered a moderate outbreak.
If you've been following the news about Zotob, IRCBot, Bozori, and the other families of worms attacking the recent Plug-and-Play vulnerability (MS05-039), you know that another worm war has begun between the latter two worm families and Zotob, which so far is not “fighting back” with a new variant that deletes the others. F-Secure's highly recommended weblog provides this “high-tech illustration” of who's killing whom:

Also a good read is vnunet.com's article, W32/IRCBot worm beats Sasser record, which talks a bit about how quickly this worm appeared after its associated vulnerability was released relative to the more widely successful (especially among home users) Sasser worm.
I received an email about this worm's ability to affect Windows XP machines, and the answer to that appears to be that Windows XP machines are not natively able to be infected, but with registry modifications (that are rare but occasionally found) it can be, although I have not been able to specifically verify this.
Early news reports indicate that the group most affected (or at least most publicly affected) by the IRCBot is the media. Brian Krebs at The Washington Post reports:
ABC News had an extensive outage today due to infections from Zotob or one of its variants [most probably IRCBot, which is also known as Zotob.E], which knocked out computers in the network's newsrooms on the East and West coasts today, said ABC News Vice President Jeffrey Schneider. The outage lasted two hours, he said.
“This was the first time I've ever seen writers at World News Tonight banging away on electric typewriters,” Schneider said.
Also affected by the worm is international news outfit CNN:
CNN's Wolf Blitzer is reporting that a computer worm has taken out many of their computer systems in Atlanta, New York and in other bureaus around the country, showing pictures of a computer constantly rebooting after being infected by the worm. CNN spokeswoman Edie Emery said the outage affected computers across the country, but that at no time did the outage affect the company's ability to report the news. A staffer I spoke with earlier from CNN's Washington bureau said many reporters in the company's New York and Atlanta bureaus relied on other bureaus to file their stories for them.
CNN International makes a quick mention of Washington, D.C. being affected, but information is sparse.
The Post's headline, A Media Worm?, is perhaps more telling than it means to be: so far, little information is available about how quickly the worms are spreading, and two worms - Zotob.E and Esbot, which Symantec gives a medium risk rating - are spreading simultaneously. There is some possibility that this media coverage is less related to the rate of infection and more to the rate of media infection. Certainly, reports that this worm affects Windows 2000 more than Windows XP suggest that businesses are being affected even more than home users.
More information about the Zotob.E outbreak - as well as the Esbot incident - will follow throughout the evening.
A new worm utilizing the MS05-039 vulnerability has become a major outbreak. More coverage upcoming.
Details
IRCBot is a fast-spreading worm affecting systems not patched for the MS05-039 vulnerability. Infected machines will reboot frequently, as well as connect to an IRC server and await further instructions.
Protection
Detection of this worm, as it is an outbreak, should be released very soon, if it is not already out.
The Gist
IRCBot is an urgent outbreak and all systems should be patched that have not already been.
Links
McAfee - Write-up.
A new version of the extensive and successful MyDoom worm family has appeared. Fortunately, like many recent variants, this version has got off to a slow start and is unlikely to become a major threat.
Details
MyDoom.CF was discovered Tuesday, June 28th, 2005. It is a standard MyDoom family member, faking the email address it is sent from. Messages MyDoom.CF uses typically make a relatively unsuccessful attempt at seeming either personal (“Is it your name listed here? It seems this is the Pentagon listing“) or official (“Your file hasn't passed our security check and thus was returned“) and are typically caught by spam filters, if they are present. MyDoom.CF is not a very damaging virus, and exists only to spread. Attachments associated with MyDoom.CF are 32,256 bytes in size, although if in the .zip format, they can vary.
Protection
Detection for this worm may be covered generically under some current DAT files, as it is an unremarkable variant of a well-known worm family. Updates will likely start appearing within the next 24 hours. As this is a low-risk threat, emergency detection releases are unlikely. MS05-039 can be downloaded at windowsupdate.microsoft.com.
The Gist
MyDoom.CF, although it may spread some, is an unremarkable MyDoom variant and does not pose a significant risk at this time.
Links
F-Secure - Write-up.
I have returned from my vacation, which bled into yet another vacation to beautiful Toronto, a rich and diverse city. I was simply astounded by the number of languages that I couldn't even recognize!
I hope everyone is having a good summer and tolerating the heat.