ZOTOB Not Quite as Bad as Expected?

GuitarNeophyte writes "Although the worm hasn't been in the wild for very long, ZOTOB and its variants have already propagated on the internet. Many people have been giving reports that it poses risks of infection to almost all Windows Operating systems, but accorning to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "

Perhaps not as bad, but it still is a problem.

[marbike]

This worm, while not as bad as some we've dealt with in the past (slammer/sapphire, code red, msblaster) is still a pain. It is still likely to cause huge spikes in network traffic for infected networks. I've already seen an intstance where hundreds of machines seemed to be infected and only the mitigation in place at the edge routing devices was able to stem the flow of traffic outbound.

This type of traffic has the potential to knock over routers/firewalls. I've seen it before and I have seen it this time as well.

Re:Flaw was patched days before the outbreak.

[Trigun]

Patch caused errors in 3rd party software. Not enough lead time to do proper regression testing. News at 11, if they get their computers fixed.

Windows XP and Server 2003?

[mranime]

Both Symantec link and F-Secure link

States that only Windows 2000 machines were affected.

F-Secure Writes: "The exploit uses fixed offsets inside Windows 2000 version of umpnpmgr.dll. This means that only Windows 2000 systems (SP0-4) are affected."

Re:not large penetration

[dioscaido]

The code used in the Zotob worm to exploit the Microsoft PnP vulnerability addresses in MS05-039 relies on NULL sessions to exploit the target system. Default installations of Windows XP SP2 and Windows 2003 do not have NULL sessions enabled, and thus are not affected by the worm.

Re:really...

[Patoski]

It was just hyped big time by a few big media outlets. And really the patch was out, and you know Windows 2000 needs a firewall. I blame it more on crappy IT administration.

Actually Windows 2000 does have a firewall. It just doesn't have a purdy gui.
http://online.securityfocus.com/infocus/1559

Anyhow, how does a firewall help one when an infected machine gets in the building (like a laptop)? You cannot block port 445 (which zotob uses) since that is what is used in part for file and print sharing.

While we didn't get hit where I work I can sympathize with companies that did. When you're working in a large environment it can take some time to test patches to make sure they work as advertised (esp. on mission ciritcal servers). One week lead time is really intense.

Re:Did you see that ridiculous CNN coverage?

[mhollis]

The CNN coverage was probably due to CNN still using Windoze 2000, which we use here at NBC for all of our desktop computers.

Mind you, we also have high end workstations running Avid Newscutters and the DS that are based on XP but for desktop use, it's strictly 2000.

It is quite possible that news ops software, like Avid's iNews (a very necessary script-writing, show organizing and newswire access tool that almost every news organization uses) does not work or is not supported on XP. It may also be an issue that XP requires better hardware (highly likely) than 2000 and large, worldwide organizations like CNN, ABC, NBC, CBS, BBC and so on are highly dependent on that version of Microsoft's OS.

So, at least in their case, the hysteria at CNN may have been warranted.

Ofcourse it's not as bad...

[GillBates0]

It even removes your spyware for you, as several /. comments noted in the last Zotob story: http://securityresponse.symantec.com/avcenter/venc /data/w32.zotob.d.html It could be that problems (reboots, etc) that people experienced were caused by inadequate testing than purely malicious intent...but then it's a worm, so it is implicitly malicious.

Deletes the following registry values:
"MyWebSearch"
"WINDOWS SYSTEM"
"Zotob"
"MyWay"
"WeatherOnTray"
"Apropos"
"IBIS TB"
"TBPS"
"Toolbar"
"Hotbar"
"CMESys"
"NavExcel"
"ViewMgr"
"eZula"
"EbatesMoeMoneyMaker"
"Ebates"
"AutoUpdater"
"Gator"
"Trickler"
"QuickTime"
"GatorDownloader"
"eZmmod"
"Viewpoint"
"TkBellExe"
"180"
"WinTools"
"Real"
"QuickTime Task"
.
.
.

Re:unpatched machines?

[sriram_2001]

Sorry - not true. Windows Genuine Advantage has nothing to do with security patches. All users will get security patches, without going through any checks

Re:This may not be an accident

[DaHat]

The reason that viruses are not as damaging today as they were long ago is because virus writers have learned, propagation is the goal, not destruction.

Compare computer viruses to real world viruses and you'll see.

Ebola, smallpox take your pick from the fast acting, horrific and deadly viruses, very contagious and extremely deadly. With such a rap, why they it killed off everyone on earth yet. The answer why they haven't is simple, they kill their hosts before they have much of a chance to spread.

That is why HIV is such an evil bug, it takes it's time before killing its host, as well as taking plenty of time before an infection is apparent.

Computer viruses are the same, one that destroys a PC or locks down files isn't going to get very far, while one whose sole job is reproduction will spread far and wide and cause havoc only because of it's level of penetration and infection.

Re:not minimal

[b0r1s]

For the record:

The reason the risk to XP and 2k3 are minimal is that they require authentication for the particular vulnerability to be exploited, where Win2k can be exploited using a NULL session.

Setting RestrictAnonymous=2 in the registry will disable null sessions and prevent infection on Win2k systems.

Re:really...

[jwgoerlich]

I blame it more on crappy IT administration.

And how! Almost all of my clients' machines are immune to this (though we patched anyways). Why? Because we disable anonymous connections (RestrictAnonymous registry key), which has been a recommended practice for YEARS.

See the tech advisory: "Windows 2000 systems are primarily at risk from this vulnerability. Windows 2000 customers who have installed the MS05-039 security update are not affected by this vulnerability. If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000 systems would not be vulnerable remotely from anonymous users."

http://support.microsoft.com/kb/q246261/

http://www.microsoft.com/technet/security/advisory /899588.mspx

The same thing happened with Slammer. The MSSQL servers we setup were immune out of the gate because they were setup properly from the get-go.

Re:Patch available?

[man_of_mr_e]

I'll install the next service patch as soon as Microsoft let's me decide which browser to do it with. Where's the network install (aka downloadable) patch?

Right here:

http://www.microsoft.com/downloads/details.aspx?fa milyid=E39A3D96-1C37-47D2-82EF-0AC89905C88F&displa ylang=en

Re:Aren't all media reports of internet viruses

[peculiarmethod]

hsync and vsync value hack in the early days of heculese and cga cards, initiated with ASM code. and all those moderators who modded overrated need to learn more about hardware.

"Turkey Virus"

[alexhs]

> Any links to validate this "Turkey Virus"?

I've found that...

> isn't the CRT physically designed to spread the electron beams evenly as to display a picture?

No, it isn't a TV set. The VGA cable is really controlling the electron beam. Well, it was... now there is some embedded electronic to do some adjustments and avoid to damage the tube (for example, using too high refresh rates).

Try xvidtune under X,
check the modeline doc in linux/Documentation/fb,
read that link.

(Now assuming you've read the last link and understand porch times)
Your VGA cable basically sends five signals : red green and blue controlling the energy of the three beams, and two sync signals controlling "next line" and "next screen". Usually porch times are constant, so you're drawing in a rectangle somewhere.
Changing horizontal porch times will move the image to the left or right, or modify the image width.
Changing vertical porch times will move the image to the top or bottom, or modify the image height.
Constantly changing porch times result in waving effects (as reported in the first link).

Re:Depends a lot on your point of view

[bitslinger_42]

Software firewalls can work. A company I work with has over 10k laptops in use, and nearly all of them run a standard firewall package. It has centralized logging, so we can tell when someone disables it and/or uninstalls it. Those users are warned once and then walked out the door if it happens again, even managers. Patch management is handled automatically, so when a user logs on, the patch is pushed to them. If the firewalls are configured intelligently (i.e. absolutely NO MS networking allowed when in an untrusted network), patches are maintained, and antivirus software is in place, the virus problem gets much more managable. Add to that an IDS that has provisions to automatically identify propegating worms inside the company, interfaces with the trouble-ticketing system, and a process through which access control lists are applied to the appropriate routers within 15 minutes, and you have a method for dealing with viruses quickly and without a bunch of manpower. These days, a bad virus outbreak for me is 2-3 computers, and we've got well over 40k end users.

Re:not minimal

[Keeper]

If you want to download and apply updates manually, go here: http://www.microsoft.com/technet/security/current. aspx