Slashdot Mirror


ZOTOB Not Quite as Bad as Expected?

GuitarNeophyte writes "Although the worm hasn't been in the wild for very long, ZOTOB and its variants have already propagated on the internet. Many people have been giving reports that it poses risks of infection to almost all Windows Operating systems, but according to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.'"

25 of 407 comments

  1. Aren't all media reports of internet viruses by Trigun · · Score: 5, Interesting

    overblown? I think it all started at the Michelangelo virus, where the media was telling everyone to turn their computer off on Mikey's birthday? It's gotten worse since then.

    1. Re:Aren't all media reports of internet viruses by plarsen · · Score: 2, Interesting

      I find it good that media is reporting virus incidents as top news, since then common, non-computer-interested people will read it and get some idea that their systems at home need protection. Too many have no clue about AV and firewalls and assume a system should run safe connected to the internet as long as they don't download files from suspicious websites.

    2. Re:Aren't all media reports of internet viruses by peculiarmethod · · Score: 5, Interesting

      Nothing compared to the Turkey Virus.. did a report on it in the early 90s. In the eighties it showed a pretty picture of a turkey while focusing most of the cathode rays at a central point, causing the tube to burn out, and in several instances, catch fire. There was even a deadly house fire attributed to it. Deadly computer virus in the 80s.. beat that.

      --
      ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
    3. Re:Aren't all media reports of internet viruses by nmb3000 · · Score: 2, Interesting

      Call me a n00b, but this sounds like crap. I don't think software had such specific control over something like a monitor, even in the 80's. Even if it did have more control than today, isn't the CRT physically designed to spread the electron beams evenly so as to display a picture? What possible reason would there be to allow manual focusing of the beams?

      I'm trying to find information about this but not having much success. Any links to validate this "Turkey Virus"?

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    4. Re:Aren't all media reports of internet viruses by hoxford · · Score: 2, Interesting

      It's true that you can't really "focus" the electron beam on the monitor from the video card. And even if you could the worst that would happen is to create a small spot of burn in on the phosphor. However, as other posters have pointed out it is possible to do damage to an older monitor by running the video timing out of spec. I personally experienced this when setting up my very first X Server configuration on my very first Linux installation back in 93. It didn't cause a fire but it did blow one of the power transistors in the monitor (after making a helluva squealing noise). Depending on how the monitor was designed it's plausible that running the monitor sufficiently out of spec could cause it to catch on fire.

  2. Warzone by databyss · · Score: 2, Interesting

    From all that I've read on the news lately, it looks like the various variants are battling each other... so they may be keeping their own numbers down.

    --
    Hmmm witty sig or funny sig? Maybe elitist techy sig!
  3. August: Season of the crashes by Destoo · · Score: 5, Interesting

    I would like to name August the official Worm month.

    August 2003: Sobig
    August 2004: Sasser
    August 2005: Zotob

    What's next?

    --
    Games and technology news in French. TC
  4. Actually... by TimTheFoolMan · · Score: 4, Interesting

    It's been pretty hairy here, inside the walls of a Fortune 500 company. Probably because we have so many variations of Windows in our lab, it was all over the place. People who had kept up to date and patched weren't hit bad (I'm on XP SP1), but we were creating ad-hoc teams all afternoon yesterday trying to get things clean.

    In some ways, this was a bigger deal than Sobig.

    Tim

    1. Re:Actually... by grasshoppa · · Score: 2, Interesting

      This was my thought.

      Whoever was asleep at the wheel should be fired. Of course they won't be, because they'll blame it on software breaking or MS or aliens for all I know. But the hard truth of the matter is, they should be.

      Yes, I understand what's required before patches go live. I understand you have a lot of software you need to test before you can approve a patch. I also know how long that takes and how long it takes to make things work. A week, at most, is all you should ever be behind in patches.

      Now granted, there are staff shortages and the like. However, there just simply aren't that many software packages. And if you truly are a Fortune 500 company, you should be leaning on any software vendor heavily to make them work to keep their software working.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
  5. Affects more than just windows machines by thedogcow · · Score: 3, Interesting

    Zotob is affecting more than Windows machines. Case in point, the network is really slow (via the Windows garbage) which is making Slashdot load slow for me and I am running Solaris. Grr.

    --
    Yes! I listen to NYC Speedcore and do math at 3AM. I suggest you try it too.
  6. Surprisingly slow spread by G4from128k · · Score: 5, Interesting

    The Witty worm spread much faster despite the very small base of susceptible hosts (only about 12,000 total that had some old version of some firewall software). Witty had a doubling time of only a couple minutes and nearly saturated (infected all susceptible hosts) in less than one hour.

    A modern worm should be able to spread extremely quickly -- sending out hundreds of infectious packets per second if the payload is small (Witty's was only 637 bytes). If only 1 in 10,000 machines is susceptible, then a worm spewing 100 randomly addressed packets per second should double the number of infected machines every 100 seconds. I'd wager that the number of zotob-susceptible machines was much greater than only 1 in 10,000, so zotob should have spread faster. If anyone ever creates a worm that can infect even 1% of IP addys, it would double every second and saturate the net within the first minute or so.

    Why didn't zotob spread faster?

    --
    Two wrongs don't make a right, but three lefts do.
  7. This may not be an accident by Animats · · Score: 2, Interesting

    Makes you wonder if Microsoft had a role in encouraging its release, doesn't it?

    It's striking how nice the virus writers are to the antivirus companies. Most viruses do just enough damage to require ongoing spending for antivirus tools and upgrades, but not enough to make users switch to, say, Linux. There are exceptions, like the virus that encrypts data on the hard drive and demands payment in E-gold, but those are very rare. Few viruses erase data. Few do things that would make removal impossible without physically opening the computer, like modifying the BIOS so it can only boot from the hard drive. The mainstream viruses seem to be carefully tuned to optimize the revenue stream of antivirus and upgrade vendors.

    Somewhere there's a reason for this.

    1. Re:This may not be an accident by NatasRevol · · Score: 2, Interesting

      But it would be truly easy to combine a fast propagation worm with a time delay and a format C: command. Infect, propagate, wait 30 min, format. It's all out there already, but it seems that no one has (or wants to?) put them all together...yet.

      That should make a lot of people tremble but, for some reason, people keep using an OS that allows this.

      --
      There are two types of people in the world: Those who crave closure
  8. This outbreak hit media outlets by ewg · · Score: 2, Interesting

    This malware outbreak received disproportionate media coverage, because it hit media outlets first and hardest.

    --
    org.slashdot.post.SignatureNotFoundException: ewg
  9. Not minimal here by Stanistani · · Score: 2, Interesting

    San Diego County Government had 12,000 workstations crash.
    People couldn't do ANYTHING connected to the county.
    They had 3,000 systems up today.
    Wonder if I can apply for the sysadmin job?

  10. unpatched machines? by shimmin · · Score: 1, Interesting

    Microsoft's decision to no longer patch pirated installations has a few unintended consequences. There is now a base of unpatched machines that any new worm will likely be able to exploit. If a greater fraction of machines are unpatched, a greater fraction of infection attempts will succeed, and the worm will spread faster. A faster-spreading infection means more legitimate Windows users will be infected before they patch (although the auto-updating feature of Service Patch 2 will help with this).

    And of course, that population of never-patched machines affects everyone who uses the internet, regardless of their operating system.
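
The growth arithmetic in the "Surprisingly slow spread" post, and the "unpatched machines?" post's point that a larger unpatched fraction speeds the spread, both follow from the standard logistic model of a random-scanning worm; the exact exponential doubling time is ln(2)/(s·f), a little shorter than the post's rule-of-thumb 1/(s·f). This is an added example, not code from the thread; the scan rate, susceptible fraction and the 99% saturation target are assumptions taken from the post's own numbers, and the model is useful on the defending side for estimating how much a change in patch coverage slows an outbreak.

```python
"""Logistic (SI) model of a random-scanning worm (added example, not from the thread).

An infected host sends s probes per second to uniformly random IPv4 addresses,
a fraction f of which are susceptible, so the infected population I(t) obeys

    dI/dt = r * I * (1 - I/N),   r = s * f,   N = f * 2**32

While I << N the growth is exponential with doubling time ln(2)/r, and doubling
f (twice as many unpatched hosts) halves that doubling time.
"""
import math

IPV4_SPACE = 2 ** 32


def doubling_time(scan_rate: float, susceptible_fraction: float) -> float:
    """Seconds for the infected count to double during the early exponential phase."""
    return math.log(2) / (scan_rate * susceptible_fraction)


def time_to_fraction(scan_rate, susceptible_fraction, target=0.99, initial=1):
    """Closed-form logistic solution: seconds until target*N hosts are infected."""
    n = susceptible_fraction * IPV4_SPACE
    r = scan_rate * susceptible_fraction
    # I(t) = N / (1 + (N/I0 - 1) * exp(-r t)); solved for I(t) = target * N
    return math.log((n / initial - 1) * target / (1 - target)) / r


def simulate(scan_rate, susceptible_fraction, target=0.99, initial=1):
    """Forward-Euler integration of the same model, as an independent check.

    Returns (seconds until target*N infected, list of (t, infected) samples).
    """
    n = susceptible_fraction * IPV4_SPACE
    r = scan_rate * susceptible_fraction
    dt = 0.01 / r                      # keep per-step growth near 1%
    t, infected = 0.0, float(initial)
    trace = [(t, infected)]
    while infected < target * n:
        # each infected host's susceptible hits are still uninfected with prob. (1 - I/N)
        infected += r * infected * (1 - infected / n) * dt
        t += dt
        trace.append((t, infected))
    return t, trace


if __name__ == "__main__":
    # The two scenarios from the post: 1 in 10,000 and 1 in 100 susceptible, 100 probes/s
    for s, f in [(100, 1 / 10_000), (100, 1 / 100)]:
        print(f"s={s}/s f={f}: doubling {doubling_time(s, f):.1f}s, "
              f"99% infected after {time_to_fraction(s, f):.0f}s "
              f"(simulated {simulate(s, f)[0]:.0f}s)")
```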

  11. Dr. It hurts when I do this by wardk · · Score: 2, Interesting

    Hard to feel sorry for the people still running Windows. How many times does the car have to break down on the freeway before you trade the SOB in for something reliable?

    What is it called when you continue the same behavior and expect different results?

    1. Re:Dr. It hurts when I do this by Anonymous Coward · · Score: 1, Interesting

      How often has your car broken down and you figured out you really needed a boat?

      Probably not too often.
      Windows programs mainly run on Windows systems (ignoring Wine, which only works with some programs).

      OS2, Linux, Unix, Mac, ReactOS for the most part can't run Windows programs. There isn't always a 1:1 replacement for some programs.

      Sure, we could get people to dump Windows, but then we would have to provide MSAccess*, a bunch of current games, in-house custom code (in ASP, or VBasic or VC++ etc...)

      *Yes, I know there are a number of good databases out there to replace MSAccess, still haven't found a good GUI to replace it though.

      Just because the car keeps breaking doesn't mean that there is a better car to buy. (Linux can't drive on MSRoads any better than Windows can drive on GNU/Water)

  12. Re:Irony by Nuttles1 · · Score: 1, Interesting

    If you ask me, I find it amazing that businesses still rely on Microsoft.

    I know most /'ers hate all things Microsoft, but Windows 2000 is a pretty solid OS. I used it for years and I really don't notice a huge difference in my XP machine now. As far as businesses are concerned, from my experience on the job, managers tend to resist change. Sort of like the Supreme Court slows the rate of change that the executive or legislative branches can make. Managers have their place in much the same way. If they haven't changed, then the people whose job it is to inform them aren't doing their jobs...I.T. PEOPLE. Either that or they haven't a good enough argument to change.

  13. Depends a lot on your point of view by Thumper_SVX · · Score: 5, Interesting

    Myself I ended up at work 20 hours on Monday this week patching servers. Given that we have about 500 servers in our environment with one person doing the patching this wasn't so bad.

    We ended up with a lot of problems because of this worm... less because it actually caused problems with the machines but more because we could see machines constantly trying to infect one another. It wasn't pretty. Our workstations were most at risk, being the largest installed base but also running Windows 2000 SP3 (not SP4 unfortunately). No patch has been generally released for SP3 WS's, but a custom patch IS available from Microsoft if you request it. Due to other factors in play, we have elected to upgrade to SP4 and install the appropriate hotfixes. This is not going to be pretty over about 10,000 workstations.

    See, what some people miss when they say that any infection may be due to bad administration is simply that we're dealing with huge numbers of machines, both servers and workstations, that are potentially vulnerable. Due to application compatibility and tested standardized platforms we often don't even get the option to keep stuff up to date. The only reason we even have Windows 2003 servers in place today is because we forced the issue with our Corporate guys when we implemented Active Directory; we informed them that we had a need for functionality not provided by Windows 2000 AD (which was true). There is a project currently under way to test Windows XP for rollout, but honestly chances are that Vista will be shipping by the time we even reach the 50% rollout mark.

    So, why the rant? Well, it must be understood that jumping on the latest patches is not always an option in the corporate environment. Also, jumping on the operating system bandwagon is rarely an option because there's a lot of regression testing that has to be done. Hell, there are some instances where we're having to push the application vendors to support Windows 2003 Servers in our Citrix environment because they've never tested it. Welcome to the realities of Corporate IT.

    Are there solutions? Sure! However, none of them are acceptable to most corporations. Linux is not an option, neither is OSX. In both cases we come back to the legacy support issue. Citrix to share the applications? Great... but you're only redirecting the problem to the server farms, not eliminating it. Real world Corporate IT is not as black and white as people would like it to be, myself included.

    This virus gained traction because most corporations work this way. It wasn't helped by the fact that McAfee and Symantec both waited two days after the virus was discovered to release a signature update that recognized it.

    One positive thing though; this virus is forcing the management to finally listen to my department's complaints that we need to be more proactive about patch management, and this time stuff might get done. We've got a long way to go, but this should be the start of something better.

    1. Re:Depends a lot on your point of view by HyTronix · · Score: 2, Interesting

      I agree with your assessment of the tribulations of large network administration.

      You might have 500 servers and thousands of workstations to manage, but how many gateways to public networks do you have? Substantially fewer, I'd wager. Would not proper firewalling have prevented this worm from entering the network in the first place? What about DHCP configuration that moves mobile/unknown hosts to an untrusted network, perhaps with carefully filtered VPN-only access?

      Simple-to-manage steps can certainly be taken to reduce incidents like this, and provide excellent protection, even on unpatched networks.

    2. Re:Depends a lot on your point of view by Thumper_SVX · · Score: 3, Interesting

      Oh no, the actual patching method was pretty simple, automated and realistically only ate up a total of about 4 or 5 of those hours. The problems came when it came to controlled reboots, reboot schedules, application and server interdependencies and so forth. Also, the politics of dealing with servers in remote locations and having to call on-call staff in the middle of the night to power-cycle a box because McAfee hung the server on shutdown. That's what causes time... and is common across platforms.

    3. Re:Depends a lot on your point of view by Thumper_SVX · · Score: 2, Interesting

      Which then brings up the problem of application compatibility. As I mentioned in one of my other posts (though not specifically), many of our "custom" or at least "not-off-the-shelf" applications are only certified for Windows 2000 SP3, and have either never been tested or never certified on anything newer. This leads to the problem of the vendor leading the customer down a dark and dangerous path, but unfortunately corporate politics plays too much into this.

      We aren't allowed to run un-certified applications due to business requirements (we're governed by worldwide and federal regulations which are sometimes contradictory), and thus to upgrade the operating system would be to essentially "un-certify" these applications. It isn't really as cut and dried as even I like.

      Personally, I run XP SP2 on my laptop (with permission). The only reason I get away with that is because I'm in IT and therefore don't have to run the business applications that are not certified for this platform. If I do... well, that's what VMs are for.

  14. Re:not minimal by Dr.+Evil · · Score: 3, Interesting

    Of course all your WinXP machines are screwed if you're using a Win2k domain controller... or whatever it is called now.

    The worm has been a serious pain, but yeah, not catastrophic where I sit.

  15. Spooky by Anonymous Coward · · Score: 1, Interesting

    I work at a small Canadian bank. The whole company uses w2k desktops. On Tuesday and Wednesday I spent my entire shifts playing poker while around us computers continuously rebooted. Without net access all kinds of rumours developed about how the worm was affecting the rest of the world. Our only communication with management was occasional typewritten faxes.