Slashdot Mirror


ZOTOB Not Quite as Bad as Expected?

GuitarNeophyte writes "Although the worm hasn't been in the wild for very long, ZOTOB and its variants have already propagated on the internet. Many people have been giving reports that it poses risks of infection to almost all Windows Operating systems, but according to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.'"

3 of 407 comments

  1. Patch available? by Kelson · Score: 5, Insightful

    When was the last time a big Windows-based worm went around that didn't already have a patch available? Some of the biggest (say, Blaster) had been patched months before!

    What's happened is that the bad guys have gotten faster at exploiting the vulnerabilities once they're disclosed. Meanwhile, the vendors have been trying to convince everyone to update as quickly as possible. That's why it's hard to argue against automatic updates (or at least semi-automatic, as in timing it so that an admin is on hand to fix any problems that pop up).

    The story here is that a worm zoomed across the net less than a week after the hole it uses was patched. It's not the extent (which the media overstated) but the speed.

  2. Re:Surprisingly slow spread by Forseti · Score: 5, Insightful

    > Why didn't zotob spread faster?
    I'll tell you why: NAT and RFC1918.

    The worm (reportedly) only tries to spread to addresses with the same first 2 octets as the current machine. Even if it hit a machine through a static NATed public IP, once infected, it would detect only the private address of that host, and spread only within the company. It was poorly written to be able to spread quickly. It almost needs to be moved to another network manually! Witty went random, that's much smarter.

    In fact, we're generally lucky that most virus writers are inept. Otherwise, we would have seen some MUCH WORSE infections already.

    --
    Delay is preferable to error. (Thomas Jefferson)
  3. Re:not minimal by blincoln · Score: 4, Insightful

    Security updates are still downloaded to pirated copies.

    Actually, they're not, although my understanding was that MS claimed they were.

    One of my neighbours asked for help with her PC a few days ago. One of the problems turned out to be that she was running the original version of XP. I tried to service pack it, and it said the license key used was invalid, and therefore the service pack wouldn't apply.

    Unless you have at least SP1, you can't get security updates anymore.

    I'm sure there are tons of people in a similar situation.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
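
Added example, not part of the thread or of any poster's code: a defender's check built on the behaviour comment 2 reports (targets share the infected host's first two octets). It computes the /16 such a host would sweep and whether that range is RFC1918, then flags sources in flow records that touch many distinct addresses in their own /16. The flow format, thresholds and sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed (src, dst) flow records, not real traffic: one host sweeping
# its own /16, one host with ordinary mixed destinations.
SAMPLE_FLOWS = (
    [("10.20.5.9", f"10.20.{i // 8}.{i + 1}") for i in range(30)]
    + [("10.20.7.7", d) for d in ("10.20.0.5", "198.51.100.7", "10.99.1.1")]
)

def scan_scope(local_addr):
    """Return (the /16 sharing local_addr's first two octets, is it RFC1918?)."""
    net = ipaddress.ip_network(f"{local_addr}/16", strict=False)
    return net, any(net.subnet_of(p) for p in RFC1918)

def same_16(a, b):
    """True when both IPv4 addresses share their first two octets."""
    return ipaddress.ip_address(a).packed[:2] == ipaddress.ip_address(b).packed[:2]

def flag_local_sweepers(flows, min_targets=20, min_local_ratio=0.9):
    """Flag sources contacting many distinct hosts, almost all in their own /16.

    Thresholds are illustrative assumptions; tune them against baseline traffic.
    """
    targets = defaultdict(set)
    for src, dst in flows:
        targets[src].add(dst)
    flagged = {}
    for src, dsts in targets.items():
        local = {d for d in dsts if same_16(src, d)}
        if len(local) >= min_targets and len(local) / len(dsts) >= min_local_ratio:
            flagged[src] = len(local)
    return flagged

if __name__ == "__main__":
    for addr in ("192.168.1.50", "198.51.100.7"):
        net, private = scan_scope(addr)
        print(f"{addr}: sweep range {net}, RFC1918={private}")
    print("flagged:", flag_local_sweepers(SAMPLE_FLOWS))
```

A host behind NAT sees only its private address, so its sweep range is an RFC1918 /16 that never leaves the site, which is also why the sweep shows up in internal flow data rather than at the perimeter.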