Slashdot Mirror
Zotob Worm Hits CNN and Goes Global
securitas writes "The Zotob MS05-039 worm mentioned on Slashdot last Sunday may be the most recent virus that has gone global, hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others. The virus is spreading around the world rapidly as compromised systems become bots and propagate the worm, with reported outbreaks in Germany and China. InformationWeek has a decent article titled Zotob Proves Patching "Window" Non-Existent. Microsoft calls it a "low impact" threat and tells you What you should know about Zotob. Symantec has W32.Zotob.D removal instructions. Trend Micro thinks that this is a new, different worm altogether and says it is one of the fastest-spreading infections in history."
A feeling of having made the same mistake before: Deja Foobar
The Internet Storm Center's take on this is also interesting. As far as they can tell, the infection at the three news outlets is more-or-less isolated:
It doesn't effect Windows XP, so Microsoft will just go "You should of updated". Which will lead to more sales of XP by the masses beliving they need the latest OS to "be safe".
I like muppets.
All of a sudden, a worm makes mainstream news because it invaded CNN's network. I guess that is a sad indicator of what it takes to raise awareness.
C|N>K
As reported by Slashdot t'other day, they raised their threat level from Green to Yellow. They explain why they moved back to Green:
Carousel is a lie!
Dunno if the slashdotting did it, But MS's site now says it's a Moderate Severity risk.
Or code Bert...
hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others.
Hm, must be a Karl Rove plant.
Or else it's just another victory in the GWOT?
Fuck it
160 dead in Venezuela Crash, Gaza Pull out and Paul Abdul's Idol issues.
I doubt it - yet it's front page on CNN.COM...
EMail: 0110001101100010010000000110001101110010 0110000101111010011011100110000101110010 0010111001100011011011110110
... how many computers Apple will sell because of this?
Now that media is directly affected, they will start proclaiming that this worm is the worst ever, and has caused billions of dollars in losses for businesses.
.pdf file!
Media worm hype really sucks, is my point.
What I found amusing today were the two alert emails in my inbox. The first one was a warning about the new Acrobat flaw [which makes it a requirment to install a bad version of Acrobat, and then patch it *3* times to fix it!]. Then next email was one about this Zotob worm spreading through the PnP ethernet bug in Windows 2000 - but the information came via a
Saskboy's blog is good. 9 out of 10 dentists agree.
"Gives a remote attacker full control over the compromised computer to perform various actions, including:
..."
Downloading and executing files
Making queries to www.google.com
Making queries to google? Sounds like a very round-about way to search google. What is the purpose of this?
Never let your sense of morals prevent you from doing what's right. --Isaac Asimov
What virus?
The executable in this particular instance is "wintbp.exe". I thought at first it might be a randomly-named executable, but all 100+ systems I'm manually disinfecting at the moment have the same executable. It tries to connect to other systems via port 445, aka the "Magic Windoze Port"(tm).
Apparently all it's doing is rebooting systems, but I haven't done any kind of a postmortem so don't know. I haven't detected any other connection attempts either inside or outside.
Manual disinfection means disconnecting your NIC and then using regedit to delete this value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur
You must then reboot the machine to disable the executable which is:
C:\%systemroot%\System32\wintbp.exe.
Good luck. I'm glad my own systems are Linux....
I have something in common with Stephen Hawking...
I just got XM in my car. I'm an internet dude. What struck me as I was driving home around 6pm EST was how CNN was covering it, admitted they got infected, and it seemed to remind me of SQL Slammer / Code Red.
Anyway, they kept saying only windows 2000 was affected, but the patch was for pnp on 2000/xp/2003. In a later report CNN did mention it might affect XP too.
This makes me wonder how seriously people (BHPs, IT guys, FireWall guys, etc) take worms. Where I work we have many FWs, push patches very often, and accelerate our pace when things like this are out there. If CNN, ABC, etc, can all get infected does that reveal that they might not take all this PC security seriously enough when it comes to their own networks?
I know we have stepped it up in the past 3 or so years, Code Red, SQL Slammer, and Nimda were all wake-up-calls. Maybe THIS one will make a new set of users/admins/PHBs wake up... We can only hope right? It was front and center on CNN tonight.
-Jon
Silly Rabbit: tricks are for kids.
I work in an AOL call center and we run Windows 2000. We are taking almost no calls and almost all of our computers are down.
The Caterpillar plant I work at was down for over 16 hours, I doubt they would consider it low impact in light of the profit lost, as a result. Maybe they will switch to Linux.
Then again, they don't hire people based on their qualifications, multiplying any estimated repair time by ~10 and you come close to the actual down-time time in our facility.
why a company like CNN and ABC with billions of dollars in revenue is still running unpatched windows 2000 computers.
did you forget to take your meds?
That's why I keep saying, "Linux is still not ready for the desktop."
I've come up with an awareness slogan to help us remedy the situation: "It's not the applications, it's the infections."
"Kittens give Morbo gas!"
Actually the current threat level of the worm is light fusia. However, experts are predicting it might go to dark fusia by tonight.
Microsoft is calling this threat "low-impact" or "moderate" is that they consider Windows 2000 to be a second-tier operating system at this point and that everyone (and I mean everyone and his dog or penguin) should be using XP. Good points made above for the "variant" aspect of this virus. I'm running XP on a customer's machine (that's my cop-out, anyway), and it's got botzor.exe in the registry.
So it has hit CNN, ABC, the New York Times. Obviously this worm is part of the Vast Right-Wing Conspiracy!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
CNN is reporting that the worm hit at Capitol Hill. I wonder if Microsoft will get any sympathy from any Senator that has his/her computer distroyed by this.
I'm wondering how much worse this has been made by the new policy of only allowing updates for legit copies of Windows. Can the millions with illegal copies get their fix, or will they just be sitting ducks for this and the next exploit to come along?
"No fair, you changed the outcome by measuring it!" - Professor Hubert J. Farnsworth
We need to re-think we way we apply security patches. The patches for this problem were available several days ago; why weren't they applied?
The answer is that Microsoft security patches have a reputation for causing things to break. Why this happens, I don't know -- Microsoft certainly has the resources necessary to test their patches before releasing them -- but for whatever reason, patches from Microsoft have developed that reputation. As a result, administrators of large networks have learned to not apply security patches immediately to all systems, but instead to test them on a few machines for some time first -- exactly the same way as other patches are handled.
The decreasing window between patch publication and widely distributed exploit code means that this approach simply doesn't work any more. Security patches must be applied to all affected systems immediately. Don't stop to test them; just apply the patches and reboot if necessary.
Of course, this means that vendors need to do a good job of testing security fixes before releasing them. I'm proud of the fact that in my time on the FreeBSD security team, we have never released a security patch which has caused new problems. While we don't officially recommend this, I know several people who have their systems automatically download and install FreeBSD security patches -- because they trust us to make sure that our security patches will never break anything.
After all... if you can't trust the security team of the operating system you're running, why are you running that operating system?
Tarsnap: Online backups for the truly paranoid
Except the "WhereTheHellsMyPictures" exploit that occurs whenever you plug in a digital camera, or the ever present "WhyCantBloodyLinuxSeeMyAccessPoint" when trying to use a wireless connection.
It's not totally bad... I mean at least it is trying to do the average joe some kind of favour:
n c/data/w32.zotob.d.html%5D
Kind of anyway:
[http://securityresponse.symantec.com/avcenter/ve
Searches for the following files and folders to delete the files and the contents of folders:
%SYSTEM%\pnpsrv.exe
%SYSTEM%\winpnp.exe
%SYSTEM%\csm.exe
%SYSTEM%\botzor.exe
%PROGRAMFILES%\MyWebSearch
%PROGRAMFILES%\MyWebSearch\*.exe
%PROGRAMFILES%\Hotbar
%PROGRAMFILES%\Hotbar\*.exe
%PROGRAMFILES%\MyWay
%PROGRAMFILES%\MyWay\*.exe
%PROGRAMFILES%\180Solutions
%PROGRAMFILES%\180Solutions\*.exe
%PROGRAMFILES%\Common Files\WinTools
%PROGRAMFILES%\Common Files\WinTools\*.exe
%PROGRAMFILES%\Toolbar
%PROGRAMFILES%\Toolbar\*.exe
%PROGRAMFILES%\CxtPls
%PROGRAMFILES%\NavExcel
%PROGRAMFILES%\AutoUpdate
%PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
%PROGRAMFILES%\EbatesMoeMoneyMaker
%PROGRAMFILES%\eZula
%PROGRAMFILES%\eZula\mmod.exe
%PROGRAMFILES%\Common Files\GMT
%PROGRAMFILES%\Common Files\GMT\GMT.exe
%PROGRAMFILES%\Common Files\CMEII
Previously (well, like early-mid 90s) when a site got hacked or a virus was running rampant, there was usually some sort of political message along with it, like a US Gov website getting hacked by a mexican / chinese hacker group that would deface the main index.html to say 'oh these people are doing some bad shit, now we're going to tell you what it is since they wont'
Notice you don't see that anymore? Like, ever? The new world of commonly noticed 'hackers' seems to be a world of mostly spyware / virus infections targeted at data mining and reselling the information gathered to advertisers. Now, with that in mind, from Symantec's description of what the worm does, look at the following:
Ever heard of a virus removing spyware for you? What reasons can we think of for a worm to do this? The one that comes to my mind seems far fetched, but assume that the spyware being removed by this virus was engineered by competitors to whoever made this virus. So maybe now we will see turf battles over drone zombified boxen? What other reasons can the
I never thought about the fact that if a trusted but infected 2k machine comes into the LAN it will infect XP machines.
Lima India November Uniform X-ray
It's obviously a low impact worm. It invaded the CNN network and Miles O'Brien is still on the air.
Well all i can tell you is SBC is down(thats right the phone company SBC)...company wide!(Cingular is not down at this moment)
~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
People tend to panic when all the PCs around them are crashing every few minutes instead of every few hours or days like normal (depending on patch level and usage pattern). The first assumption they tend to make is that the crashing computers were infected, but in this case that doesn't seem to be happening. A different worm on a different day, of course, might very well crash them after a successful infection, rather than before, so best not to get too cozy because of a small bit of luck.
It hasn't received much publicity, but if you're a network administrator battling this problem, you may have trouble patching your systems because they crash too quickly. You might want to disable NULL sessions on the Windows 2000 systems which haven't been patched yet. It appears that this will prevent an infection of an unpatched Windows 2000 system, allowing you more time to patch. (Patches being larger and the systems not staying up long enough to distribute a large package and whatnot.) I haven't yet been able to determine if the UPnP vulnerability could be exploited with NULL sessions disabled, but apparently the current crop of worms and bots all rely on it.
If you mod me down, I shall become more powerful than you could possibly imagine.
Or perhaps the story summary is just making up stuff. The links provided have no quote from TM saying such silliness.
Where I work, we have classes. And the instructor takes his notebook out and hooks into the network, pulls his powerpoint. During the class a window pops up... Oh, he says, its just a virus, it pops up from time to time, and procedes to reboot and keep going.
After class the computer goes back in the bag for a month, as he has a desktop in his office. The virus hibernates....
Our IT folks must love this..
Zotob might be what most people need to clean up their spyware.....
# Searches for the following files and folders to delete the files and the contents of folders:
* %SYSTEM%\pnpsrv.exe
* %SYSTEM%\winpnp.exe
* %SYSTEM%\csm.exe
* %SYSTEM%\botzor.exe
* %PROGRAMFILES%\MyWebSearch
* %PROGRAMFILES%\MyWebSearch\*.exe
* %PROGRAMFILES%\Hotbar
* %PROGRAMFILES%\Hotbar\*.exe
* %PROGRAMFILES%\MyWay
* %PROGRAMFILES%\MyWay\*.exe
* %PROGRAMFILES%\180Solutions
* %PROGRAMFILES%\180Solutions\*.exe
* %PROGRAMFILES%\Common Files\WinTools
* %PROGRAMFILES%\Common Files\WinTools\*.exe
* %PROGRAMFILES%\Toolbar
* %PROGRAMFILES%\Toolbar\*.exe
* %PROGRAMFILES%\CxtPls
* %PROGRAMFILES%\NavExcel
* %PROGRAMFILES%\AutoUpdate
* %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
* %PROGRAMFILES%\EbatesMoeMoneyMaker
* %PROGRAMFILES%\eZula
* %PROGRAMFILES%\eZula\mmod.exe
* %PROGRAMFILES%\Common Files\GMT
* %PROGRAMFILES%\Common Files\GMT\GMT.exe
* %PROGRAMFILES%\Common Files\CMEII
The Doormat
If you're not outraged, then you're not paying attention.
Today is Tuesday Aug 16, 2005 8:50 EST
c /data/w32.zotob.a.htmlc /data/w32.zotob.b.html
c /data/w32.zotob.d.html
c /data/w32.zotob.e.html
From securityresponse.symantec.com, the threat assessment included when patterns were released.
Zotob.A Aug 14 http://securityresponse.symantec.com/avcenter/ven
Zotob.B Aug 14 http://securityresponse.symantec.com/avcenter/ven
Visit this link --> Zotob.D Aug 17 http://securityresponse.symantec.com/avcenter/ven
Note the
Virus Definitions (Intelligent Updater) *
August 17, 2005
Virus Definitions (LiveUpdate(TM)) **
August 17, 2005
Zotob.E Aug 16 http://securityresponse.symantec.com/avcenter/ven
Well Hmm... is Zotob D scheduled for release tomorrow.
Perhaps Symantec should invest in some of those Desk calendars to schedule the virus releases.
Seriously,
for the suxxors who rely on Symantec Live update, they will have to wait another day to get virus patters for viruses out TODAY.
While anyone with smarts enough to manually download the so called intelligent updater can have today's patterns.
Just why Symantec waits, I suppose is so Press consumer pain can and is generated about infections which only boost sales. Or presuming no ulterior motives, its because their download servers are weak and can't update same day scheduled over the whole day for their paying user base. I seem to remember AOL being sued ( and end users winning) for over selling service lines and having over loaded networks.
Don't know why this came out as Symantec bashing, just they way the note was written.
By the way after replacing NIS 2003 with 2005 with anti spam, my advertising is %1000 more of a pain in the ass and the Ad trash can is missing from the product.
Guess the ad's spam and missing ad trash can is why this came out as Symantec bashing, guess Symantec's bad karma's just making the rounds.
However, the MS05-39 vulnerability being exploited by Zotob exists in XP systems up to and including SP2, so it probably won't be long before a cousin of Zotob attacks XP.
I figure by 2030 or so my 6-digit UID will be something to brag about.
Major media corp IT depts badly behind in patching their systems, news at 11!
Honestly Zotob is a joke. I work IT for a major university thats 95% win 2k and xp, and so far we've had 0 zotob infections. I wouldnt be surprised if we eventually got 1 or 2 here and there with old boxes that arent tied into the domain, but the vast majority of the workstations auto update themselves and hence this is a non issue for any properly run network.
Lawyers, MBA's, RIAA? A jedi fears not these things!
From symantec, it almost sounds like the worm is trying to decrudify your system. It attempts to kill the realplayer, quicktime, gator, and many spyware/malware/adware toolbars. It alsocleans them out of the registry, and deletes their files.
Too bad it also opens an FTP, IRC connection, and many others, but I do wonder if it's a variant on code originally intended to clean rather than infest?
I also quite like how MS directs you to complain to the Internet Fraud Complaint Center Web site, I'm sure they really appreciate all the extra phonecalls about infected operating systems...
and for hours, only the international edition of CNN carried it on the front page. The US edition didn't. Actually, BBC wasn't much better, with just a small link on the side at the top of its news page.
I'm not really surprised, just sad. Celebrities hold more interest in the US than most other news stories, and forget international news, unless it involves (some of the many) ongoing wars.
"CNN's network admins suck."
So, MS, who desperately wants the 50% or so of entrenched businesses still on 2000 to upgrade, claims this worm is "low impact" hmm?
Clearly, MS is implying the solution is to upgrade to XP. From their site: If you are using any supported version of Windows other than Windows 2000, you are not at risk from Zotob and its variants.
How convenient! Really, why do I think the first answer to Bill's brainstorming marketing session on "How do we get people to move off 2000?" was some smart-ass saying "Well, we could always write a virus or worm for it."
After all, any notion of "irreperable harm" from security threats has vanished in the onslaught on the Windows hegemony. One little, "not so bad" worm wouldn't really hurt the Windows reputation any more than it already has been, and it sure would be a nice kick-in-the-pants for those businesses sitting on the 2000 fence.
Just saying^H^H^H^H^H^Hpostulating.
Basically, the subject says it all.
Now that Microsoft is checking PCs for valid installation keys before you can get security updates, it won't be long before pirated installs of XP become a host for all sorts of nasty shit. And because it's pirated, they will not be able to prevent further revisions of this virus from infecting their PC and thus spreading it around perpetually.
Fuck, there goes my low ping rate for multi-player gaming due to the increase in traffic...so I would imagine.
Life is not for the lazy.
DISCLAIMER:This comment may be FUD...
Seeing as Microsoft stopped supporting Windows 2000, wouldn't this seem like a nice co-incidental way of "encouraging" users to upgrade to Windows XP??
Of course, one could always go to a pirated version of XP... Why pay for a simple security upgrade, after all?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Has anyone else noticed that according to the Symantec security response page, this virus removes several common spyware files? kills process, removes registry entry, and deletes. I suppose it does this so that it will have the machine's internet connection mostly to itself, but I find that fascinating.
Emory: Uh..we're still..beta testing that.
Oglethorpe: What you're testing is me and my patience!
anyone notice it is deleting these files;c /data/w32.zotob.d.html
now if it just woulnt reboot the computer.
%PROGRAMFILES%\MyWebSearch
%PROGRAMFILES%\MyWebSearch\*.exe
%PROGRAMFILES%\Hotbar
%PROGRAMFILES%\Hotbar\*.exe
%PROGRAMFILES%\MyWay
%PROGRAMFILES%\MyWay\*.exe
%PROGRAMFILES%\180Solutions
%PROGRAMFILES%\180Solutions\*.exe
%PROGRAMFILES%\EbatesMoeMoneyMaker
as per http://securityresponse.symantec.com/avcenter/ven
and the like are all in a hard place.
As much as they would like very much to have a stable OS (OS X, Linux, BSD. any stable OS, dag nabbit,) they have developped software on their own for their own purposes (Microsoft doesn't make everything, ya kno',) and their budgets don't allow for the kinds of redeployment costs associated with a new OS or even a new version of an old OS. (The roll out costs to Microsoft's clients dwarfs the cost of the OS. If only it wasn't a POS.)
I was working at a client's who were heart-broken when WinNT got end-of-lifes. They had to gear up for deployment of 20 or 30 THOUSAND systems to Win2K...
And poor ol' Microsoft can't upgrade the APIs like they need to because of clients like mine. (Which is why also Linux is having a hard time getting in. It has to WORK from the 'get go.')
Fuck the GUI, its the API that are the hold up.
And as long as Windows can't change the APIs they don't have the lattitude to change the OS so stupid shit like this worm can't happen.
If Linux can deliver APIs that are the same as Windows, its got it made. Until then, its out in the cold.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Microsoft, a few days ago: "Worms are coming. Here's the patch. Secure your systems."
NYT/CNN/ABC: "Yawn. We don't see any worms. Stop trying to scare us. It's acceptable to lose a few LANs so we don't have our right to pr0n infringed, or something."
Today: Worm hits.
NYT/CNN/ABC: "It's Karl Rove's fault!"
FOX: "Our networks are fine. Who's the dumbass now?"
Microsoft: "Good thing people too stupid to run Windows Update are also too stupid to run Linux."
My first thought was that this was another foolhardy attempt at a white-hat worm, where the intention is to help clean a victim's machine, maybe of a lot of malware...
But having just spent an all-nighter in the office cleaning up the B variant, this new D doesn't do nearly enough to actually fix the damage.
What really pisses me off about Windows, is that this worm somehow has enough permissions to delete other worms in %SYSTEM%, but I, as an Administrator, don't.
Microsoft: please, for the love of god, implement KILL -9. Without a reboot. Thanks.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
From Microsoft's info page:
Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site.
Ummm...
"Hello, FBI? Yeah, hi. This is Pat. Listen, I've noticed my computer has been running a little slow lately. Yeah, more so then usual... Well, I heard about this new worm virus on the news... Yeah, I know I should run a virus scanner... Yes, I'm aware that the FBI does not troubleshoot and provide support for PCs... No, I don't expect you to launch a huge investigation because I suspect I *might* have been infected... Of course I'm aware that even if I was infected, there's really nothing the FBI can do about my particular case. . . . What do you mean 'Why am I calling you'?? Microsoft said I should!!"
The Internet is generally stupid
I guess I've been out of the industry so long that I foget that Windows admins take hourly or daily crashes for granted.
Sorry, but the companies where that happens should really hire competent people instead of letting the secretary manage their IT infratructure. We use winxp, but crashes are extremely rare (say... 1 per year or so). Severely restricting users' privileges to mess with the system helps a lot of course...
If you use decent hardware, and install the OS + software correctly, windows XP can be rock stable too, just like linux (although the latter one tends to be a bit more forgiving in certain circumstances).
(OK, now mod me down with this if you're a linux zealot)