It was not another Blaster, but the Zotob malware that hit the internet over the weekend marked both the return of the high-profile network worm and one of the shortest periods between the disclosure of a wormable vulnerability and the worm itself.
Zotob.A can remotely infect Windows 2000 machines that have not applied the patch associated with the MS05-039 vulnerability alert that Microsoft published last Tuesday. No user interaction is required.
According to virus experts, the number of infections indicates that the worm, and its B variant, has not spread as broadly as previous network worms such as Sasser and Blaster. There have been no reports so far of major outages.
“The reason we called out this one was to say ‘Don’t panic’,” Trend Micro Inc’s global director of education David Perry said. The potential for damage is limited by the number of vulnerable machines, he said.
It is estimated that 73% of Microsoft’s Windows customers are now running Windows XP, which is only vulnerable to Zotob under a fairly unusual configuration. Of the remainder, only unpatched Windows 2000 machines would be hit.
The worm hit the internet late Friday, about 24 hours after MS05-039 proof-of-concept exploit code became broadly available on security mailing lists and web sites, and only three days after Microsoft publicized the vulnerability.
That would make it the second-fastest turnaround between disclosure and worm ever, second only to Witty, which broke into PCs running personal firewalls from Internet Security Systems Inc on March 19, 2004, one day after the vulnerability was disclosed.
Perry said Trend’s free HouseCall virus scanning service found 50 infections by Zotob.A, but about 1,000 infections of Zotob.B. He estimated that number represented less than a tenth of a percent of the total number of infected machines.
Late Monday, F-Secure Corp reported it had also spotted another variant, Zotob.C, and that a new version of the well-known IRCBot backdoor program has been found spreading itself through the MS05-039 vulnerability.
Zotob comes in over TCP port 445, used by the vulnerable Plug and Play (PnP) component of Windows. Otherwise vulnerable computers would not be open to infection if their firewalls or ISPs filter port 445.
It drops a backdoor on machines it infects, as well as a loader that enables the worm to launch whenever the machine reboots. Prolific network worms in the past have tended to reside in memory, meaning a reboot is sufficient to clean the machine.
It also modifies the Windows hosts file to prevent users visiting domains such as symantec.com, mcafee.com and other antivirus sites, as well as popular e-commerce sites such as paypal.com, ebay.com and amazon.com.
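The hosts-file tampering described above can be checked for directly. The following is an added example, not code from the article or from any vendor: it parses hosts-file text and reports every entry that overrides one of the domains named here or a subdomain of one. The function names, the sample file and the loopback address in it are constructed for illustration; the article does not say which address the worm writes.

```python
# Added example: flag hosts-file entries that override watched domains.
import ipaddress

# Domains named in the article; extend with your own watch list.
WATCHED = ("symantec.com", "mcafee.com", "paypal.com", "ebay.com", "amazon.com")

def is_watched(host, watched=WATCHED):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)

def suspicious_entries(hosts_text, watched=WATCHED):
    """Return (line_no, address, hostname) for each entry overriding a watched domain."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line or address with no hostname
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not a valid hosts entry, skip it
        for name in names:  # one line may map several hostnames
            if is_watched(name, watched):
                findings.append((line_no, address, name.lower().rstrip(".")))
    return findings

# Constructed sample hosts file (hypothetical entries, for the example only).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com symantec.com   # constructed entry
127.0.0.1\tWWW.McAfee.COM
10.0.0.5        fileserver.corp.example
# 127.0.0.1     paypal.com   (commented out, ignored)
127.0.0.1       notebay.com
"""

if __name__ == "__main__":
    for line_no, address, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address}")
```

On a Windows machine the text to pass in is the content of `%SystemRoot%\System32\drivers\etc\hosts`; any hit on a machine where nobody added those entries deliberately is worth investigating.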
Trend’s Perry said that while Zotob appears to not be as prolific as the likes of Code Red or Blaster, it could act as a progenitor of other, more successful worms, much like the little-known BlueCode spawned the more destructive Nimda in 2001.
Zotob is the first prolific network worm to be detected since May 2004, when Sasser went on a rampage, hacking Windows boxes and gobbling bandwidth, causing disruptions in rail, air, post and banking services worldwide.
According to antivirus software vendors, the worm contains the plaintext: Botzor2005 Made By …. Greetz to good friend Coder. Based On HellBot3. MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
HellBot3, according to Sophos Plc, is a worm transmitted by email that contains a spyware Trojan. It seems likely that the backdoor components of HellBot3 were combined with the MS05-039 exploit code to create Zotob.