Zotob Worm Hits CNN and Goes Global

securitas writes "The Zotob MS05-039 worm mentioned on Slashdot last Sunday may be the most recent virus that has gone global, hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others. The virus is spreading around the world rapidly as compromised systems become bots and propagate the worm, with reported outbreaks in Germany and China. InformationWeek has a decent article titled Zotob Proves Patching "Window" Non-Existent. Microsoft calls it a "low impact" threat and tells you What you should know about Zotob. Symantec has W32.Zotob.D removal instructions. Trend Micro thinks that this is a new, different worm altogether and says it is one of the fastest-spreading infections in history."

SANS/ISC's take on the CNN infection

[Kelson]

The Internet Storm Center's take on this is also interesting. As far as they can tell, the infection at the three news outlets is more-or-less isolated:

Speculating: The fact that CNN, ABC and the NYTimes got it may be as simple as reporters from these organizations visiting the same event and connecting to an infected network. While a firewall may have protected their office network up to now, these infected laptops where able to take out the network from the inside once they connected back to it.

A sober second opinion...

[Saint+Aardvark]

... from the ever-excellent Inhttp://isc.sans.orgternetstorm/ Center:

Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point. Zotob keeps mutating and finding new victims. As seen with prior TCP worms, it is reaching its peak around 3 days after the outbreak.

As reported by Slashdot t'other day, they raised their threat level from Green to Yellow. They explain why they moved back to Green:

We moved to 'Yellow' on Friday, after we did see a number of exploits released for last weeks Microsoft Windows vulnerabilities, in particular MS05-039 (PnP) which is exploitable remotely.

As expected, we did see various bots, in particular 'Zotob' take advantage of this vulnerability. At this point, the situation is however static. New bot variations keep getting developed, but they do not add any fundamental new variation of the exploit. We expect that most exploitable systems have been compromised at this point.

[....] Yes, the Internet is still "broken", but it was never working all that well to begin with. The Infocon is intended to measure change. We can't stay on yellow for ever.

Symantec link is wrong

[Penguinshit]

The executable in this particular instance is "wintbp.exe". I thought at first it might be a randomly-named executable, but all 100+ systems I'm manually disinfecting at the moment have the same executable. It tries to connect to other systems via port 445, aka the "Magic Windoze Port"(tm).

Apparently all it's doing is rebooting systems, but I haven't done any kind of a postmortem so don't know. I haven't detected any other connection attempts either inside or outside.

Manual disinfection means disconnecting your NIC and then using regedit to delete this value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr ent Version\Run\wintbp.exe

You must then reboot the machine to disable the executable which is:

C:\%systemroot%\System32\wintbp.exe.

Good luck. I'm glad my own systems are Linux....

Re:Symantec link is wrong

[nvrrobx]

Check out http://securityresponse.symantec.com/avcenter/venc /data/w32.zotob.d.html to see exactly what this is attempting to do.

XM, internet time, and worm threats

[joejoejoejoe]

I just got XM in my car. I'm an internet dude. What struck me as I was driving home around 6pm EST was how CNN was covering it, admitted they got infected, and it seemed to remind me of SQL Slammer / Code Red.

Anyway, they kept saying only windows 2000 was affected, but the patch was for pnp on 2000/xp/2003. In a later report CNN did mention it might affect XP too.

This makes me wonder how seriously people (BHPs, IT guys, FireWall guys, etc) take worms. Where I work we have many FWs, push patches very often, and accelerate our pace when things like this are out there. If CNN, ABC, etc, can all get infected does that reveal that they might not take all this PC security seriously enough when it comes to their own networks?

I know we have stepped it up in the past 3 or so years, Code Red, SQL Slammer, and Nimda were all wake-up-calls. Maybe THIS one will make a new set of users/admins/PHBs wake up... We can only hope right? It was front and center on CNN tonight.

-Jon

Re:Impact

[flowerHercules]

The Caterpillar plant I work at was down for over 16 hours, I doubt they would consider it low impact in light of the profit lost, as a result. Maybe they will switch to Linux.

Then again, they don't hire people based on their qualifications, multiplying any estimated repair time by ~10 and you come close to the actual down-time time in our facility.

Re:MS says..

[Guspaz]

What are you talking about? This virus does affect Windows XP. WinXP is a Windows 2000 based OS.

Microsoft has released patches for this that cover Windows XP as well as 2000 and 2003:

http://www.microsoft.com/technet/security/bulletin /MS05-039.mspx

It was all at Capitol Hill

[mtuller]

CNN is reporting that the worm hit at Capitol Hill. I wonder if Microsoft will get any sympathy from any Senator that has his/her computer distroyed by this.

We need to re-think patching.

[cperciva]

We need to re-think we way we apply security patches. The patches for this problem were available several days ago; why weren't they applied?

The answer is that Microsoft security patches have a reputation for causing things to break. Why this happens, I don't know -- Microsoft certainly has the resources necessary to test their patches before releasing them -- but for whatever reason, patches from Microsoft have developed that reputation. As a result, administrators of large networks have learned to not apply security patches immediately to all systems, but instead to test them on a few machines for some time first -- exactly the same way as other patches are handled.

The decreasing window between patch publication and widely distributed exploit code means that this approach simply doesn't work any more. Security patches must be applied to all affected systems immediately. Don't stop to test them; just apply the patches and reboot if necessary.

Of course, this means that vendors need to do a good job of testing security fixes before releasing them. I'm proud of the fact that in my time on the FreeBSD security team, we have never released a security patch which has caused new problems. While we don't officially recommend this, I know several people who have their systems automatically download and install FreeBSD security patches -- because they trust us to make sure that our security patches will never break anything.

After all... if you can't trust the security team of the operating system you're running, why are you running that operating system?

Re:Is your computer infected?

[daliman]

I thought you were joking about the Botzor.exe.

According to Microsoft, apparently not.

Re:MS says..

[cnettel]

It requires authentication, though. So, if you are not wide-open for file sharing through SMB or something, you will need to be infected by a machine that already has login credentials for some machine. So, it's remote privilege elevation on XP, but not form an anonymous user, making the threat much lower. Until that trsuted, unpatched 2000 machine enters the LAN.

Re:I have to ask

I recently did some contract work for one of the worlds largest investment banks - and they were still running NT4 as standard.

Some people are just too risk-averse to change their systems just because there is a later release.

Re:Is your computer infected?

[monkeydo]

That should be:

If ((OS == Windows 2000)&&(System.HasAllTheSecurityUpdates != True))
Then Could be.

Fastest spreading ever? Probably not.

[Gary+W.+Longsine]

There are other possible infection vectors, but that one is most likely. Corporations would never expose Windows systems directly on the internet, but they buy laptops by the truckload, allow users to take them anywhere, then bring them back into the office and hook them up as though they were not any different than your nice safely-protected behind the firewall chained to the desktop system -- as though they hadn't been handed over to organized crime for a few days, for example. It's really not rational, but it's almost universal practice.

ABC News on the worm
"CNN, breaking into regular programming, reported on air that personal computers running Windows 2000 at the cable news network were affected by a worm that caused them to restart repeatedly."

We have seen this at a government client this week. It appears that the worm authors didn't test on Windows 2000 SP3. Several variants cause the target system to reboot when they attempt to exploit the MS05-039 defect on systems older than Windows 2000 SP4, apparently without infecting the target. The issue could be more subtle than that, perhaps systems running a particular hotfix or something like that, but I haven't had a chance to dig deeper on this point.

People tend to panic when all the PCs around them are crashing every few minutes instead of every few hours or days like normal (depending on patch level and usage pattern). The first assumption they tend to make is that the crashing computers were infected, but in this case that doesn't seem to be happening. A different worm on a different day, of course, might very well crash them after a successful infection, rather than before, so best not to get too cozy because of a small bit of luck.

It hasn't received much publicity, but if you're a network administrator battling this problem, you may have trouble patching your systems because they crash too quickly. You might want to disable NULL sessions on the Windows 2000 systems which haven't been patched yet. It appears that this will prevent an infection of an unpatched Windows 2000 system, allowing you more time to patch. (Patches being larger and the systems not staying up long enough to distribute a large package and whatnot.) I haven't yet been able to determine if the UPnP vulnerability could be exploited with NULL sessions disabled, but apparently the current crop of worms and bots all rely on it.

Re:MS says..

[Tony+Hoyle]

Except if 'simple' (aka. broken) file sharing is enabled, as it is on XP Home, it'll let anyone in as guest. It's implemented at the NTLM auth level.. as I've found to my cost with SSPI based applications (the workaroud is to check the registry for the setting and warn the user they disabled their security...).

Re:Apple user says...

[Tony+Hoyle]

There was a security patch for OSX just today..

You think they do it for fun???? No.. it's to avoid OSX exploits.

Symantec slow on virus pattern updates?

[WarmNoodles]

Today is Tuesday Aug 16, 2005 8:50 EST
From securityresponse.symantec.com, the threat assessment included when patterns were released.

Zotob.A Aug 14 http://securityresponse.symantec.com/avcenter/venc /data/w32.zotob.a.html
Zotob.B Aug 14 http://securityresponse.symantec.com/avcenter/venc /data/w32.zotob.b.html

Visit this link --> Zotob.D Aug 17 http://securityresponse.symantec.com/avcenter/venc /data/w32.zotob.d.html
Note the
  Virus Definitions (Intelligent Updater) *
  August 17, 2005

Virus Definitions (LiveUpdate(TM)) **
  August 17, 2005

Zotob.E Aug 16 http://securityresponse.symantec.com/avcenter/venc /data/w32.zotob.e.html

Well Hmm... is Zotob D scheduled for release tomorrow.

Perhaps Symantec should invest in some of those Desk calendars to schedule the virus releases.

Seriously,
for the suxxors who rely on Symantec Live update, they will have to wait another day to get virus patters for viruses out TODAY.
While anyone with smarts enough to manually download the so called intelligent updater can have today's patterns.

Just why Symantec waits, I suppose is so Press consumer pain can and is generated about infections which only boost sales. Or presuming no ulterior motives, its because their download servers are weak and can't update same day scheduled over the whole day for their paying user base. I seem to remember AOL being sued ( and end users winning) for over selling service lines and having over loaded networks.

Don't know why this came out as Symantec bashing, just they way the note was written.
By the way after replacing NIS 2003 with 2005 with anti spam, my advertising is %1000 more of a pain in the ass and the Ad trash can is missing from the product.

Guess the ad's spam and missing ad trash can is why this came out as Symantec bashing, guess Symantec's bad karma's just making the rounds.

Re:RTFM

[Fortran+IV]

However, the MS05-39 vulnerability being exploited by Zotob exists in XP systems up to and including SP2, so it probably won't be long before a cousin of Zotob attacks XP.

Re:Is your computer infected?

[bryhhh]

Actually it is possible for XP (and Server 2003) systems to get hit by this if the following value has been set in the registry,

    HKLM\System\CurrentControlSet\Control\LSA\Restrict AnonymousSam = 0

There are some applications that will set this value at install time, so don't be confident you wont get hit because you are running Windows XP.

Re:Is your computer infected?

[bryhhh]

My source suggests legacy domain controllers, Microsoft Exchange servers, Microsoft SQL Servers, etc.

I've not verified this, but I don't have any reason to doubt it.