ZOTOB Not Quite as Bad as Expected?
GuitarNeophyte writes "Although the worm hasn't been in the wild for very long, ZOTOB and its variants have already propagated on the internet. Many people have been giving reports that it poses risks of infection to almost all Windows operating systems, but according to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 is minimal.' "
When was the last time a big Windows-based worm went around that didn't already have a patch available? Some of the biggest (say, Blaster) had been patched months before!
What's happened is that the bad guys have gotten faster at exploiting the vulnerabilities once they're disclosed. Meanwhile, the vendors have been trying to convince everyone to update as quickly as possible. That's why it's hard to argue against automatic updates (or at least semi-automatic, as in timing it so that an admin is on hand to fix any problems that pop up).
The story here is that a worm zoomed across the net less than a week after the hole it uses was patched. It's not the extent (which the media overstated) but the speed.
> Why didn't zotob spread faster?
I'll tell you why: NAT and RFC1918.
The worm (reportedly) only tries to spread to addresses with the same first two octets as the current machine. Even if it hit a machine through a static NATed public IP, once infected, it would detect only the private address of that host, and spread only within the company. It was too poorly written to be able to spread quickly. It almost needs to be moved to another network manually! Witty went random; that's much smarter.
In fact, we're generally lucky that most virus writers are inept. Otherwise, we would have seen some MUCH WORSE infections already.
Delay is preferable to error. (Thomas Jefferson)
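The argument above (a scanner that keeps the infected host's first two octets stays trapped behind NAT, whereas a uniformly random scanner does not) is easy to check numerically. The script below is an added example, not part of the thread or of the worm itself; it models the "same first two octets" target selection as described in the post, and the RFC 1918 ranges are the standard ones. The addresses used are constructed sample hosts.

```python
import ipaddress
import random

# The three RFC 1918 private ranges. Packets to these never cross the public internet,
# so a scanner whose targets all fall inside them cannot leave the site.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def slash16_targets(local_ip, count, seed=0):
    """Model of the reported Zotob behaviour: keep the first two octets of the
    infected host's own address and randomise the last two.
    (Assumption: this is built from the description in the thread, not from the worm's code.)"""
    rng = random.Random(seed)
    a, b, _, _ = (int(x) for x in local_ip.split("."))
    return [f"{a}.{b}.{rng.randrange(256)}.{rng.randrange(1, 255)}" for _ in range(count)]


def random_targets(count, seed=0):
    """Witty-style scanning for contrast: uniformly random 32-bit addresses."""
    rng = random.Random(seed)
    return [str(ipaddress.ip_address(rng.getrandbits(32))) for _ in range(count)]


def private_fraction(targets):
    """Share of targets that sit in RFC 1918 space."""
    return sum(is_private(t) for t in targets) / len(targets)


def escapes_nat(local_ip, count=1000):
    """True if the /16-locked scanner on this host ever picks an address outside RFC 1918
    space. A NATed host only sees its private address, so for it this is always False."""
    return any(not is_private(t) for t in slash16_targets(local_ip, count))


if __name__ == "__main__":
    # Constructed sample hosts: two behind NAT, one with a public address.
    for host in ("10.1.2.3", "192.168.0.10", "203.0.113.5"):
        targets = slash16_targets(host, 1000)
        print(f"{host}: {private_fraction(targets):.0%} of targets private, escapes NAT: {escapes_nat(host)}")
    print(f"random scanner: {private_fraction(random_targets(100000)):.2%} of targets private")
```

Run from a 10.x or 192.168.x host the model never generates a single public target, so the infection is confined to the site until someone carries a laptop elsewhere; from a public address every target is public. A uniformly random scanner wastes well under 1% of its probes on private space, which is why Witty's choice spreads so much faster.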
How odd that this worm should attack W2K so severely, and W2K3/WXP not so severely, just as Microsoft is dropping sales of W2K, and urging W2K users to upgrade, including draconian herding techniques like discontinuing W2K automatic update support.
Now, even if MS hasn't created this worm, or released it into the wild, or deprioritized fixing bugs in W2K for it to exploit, or overhyped its danger to create "relief" that its favored W2K3/WXP products aren't at as much risk... don't you think the people over at the "W2K extinction department" in Redmond are very happy about this bad news? That's an incentive to neglect security. Like the sheepdog carpooling with the wolf.
--
make install -not war
Take a big company with several thousand Win 2000 machines.
Take an idiot user with a laptop and Win 2000.
Idiot user gets infected off their home internet connection, takes laptop into work, connects it to the network and infects every other machine within minutes.
Because it's part of their job, that's why.
B O R I N G
This is part of the first wave of "it's not so bad and it is the victim's fault anyway" press releases which will be followed shortly with the 'any operating system is vulnerable to viruses' wave of press releases, followed by the 'Windows Vista is much more secure and everybody should upgrade' press releases. The only amazing part is that Windows users never seem to catch on. Somebody who bought three Ford Pintos and somehow managed to survive when they all burst into flames would probably think long and hard before buying a fourth one. Windows users? Not a chance.
The problem we have is not someone "asleep at the wheel." It's an issue of "this is my PC, and you are NOT going to push service packs and updates down to me whenever you like. I'll apply them when I'm good and ready."
Our IT Admin's response was patient, up to a point. Then she started shutting off their VLANs, and people got serious about it.
Yeah, I know. The idea of programmers and computer geeks thinking they're smarter than the IT Admin is hard to believe. Right?
Tim
> You cannot block port 445 (which zotob uses) since that is what is used in part for file and print sharing.
Whyever not? Or are you claiming that file and printer sharing (as opposed to using one of the stronger client-server protocols for these things) is a good idea?
"Little does he know, but there is no 'I' in 'Idiot'!"
> You cannot block port 445 (which zotob uses) since that is what is used in part for file and print sharing.
> Whyever not? Or are you claiming that file and printer sharing (as opposed to using one of the stronger client-server protocols for these things) is a good idea?
Because you'll break Active Directory.
G. Washington on Government "it is force. Like fire, it is a dangerous servant and a fearful master."
Hate to tell you this, bub, but you and your 150 machines are small-time, so you shouldn't go making broad pronouncements about who's competent or incompetent, based on your limited experience-- you're just a babe in the woods.
Any competent administrator of large entities of the sort that are getting hit with these worms knows to never roll out any Microsoft patches without first testing them thoroughly on non-production hardware to see if they break anything important.
Too many companies have gotten burned in the past by patches that caused worse problems than the worm infections they were supposed to prevent. Blindly rolling out a patch to production machines just because Microsoft says it's okay is pure folly.
Security updates are still downloaded to pirated copies.
Actually, they're not, although my understanding was that MS claimed they were.
One of my neighbours asked for help with her PC a few days ago. One of the problems turned out to be that she was running the original version of XP. I tried to service pack it, and it said the license key used was invalid, and therefore the service pack wouldn't apply.
Unless you have at least SP1, you can't get security updates anymore.
I'm sure there are tons of people in a similar situation.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman