Zotob demonstrates viruses can exploit vulnerabilities days after discovery
Tokyo (Japan) - A report released this afternoon by security provider Trend Micro, in the wake of reports of Windows 2000 systems infected with the new Zotob strain of viruses, indicates that malware writers are taking less time than ever to exploit a Windows vulnerability after its discovery and initial report.
The vulnerability which the Zotob network worm exploits was first announced on 9 August, in warnings simultaneously published by Microsoft and by Internet Security Systems, the company Microsoft credited with discovering the vulnerability. Microsoft immediately issued a patch alongside the warning. However, as a Trend Micro report released this afternoon points out, the first reports of virus infection were received only four days later - a new record.
David Perry, global director of education for Trend Micro, believes Zotob may signal the beginning of a new class of viruses: one which gives off the savvy of the boot-sector viruses of the 1980s, complete with their cute and semi-threatening messages, but not requiring the same level of intellect. This wave, believes Perry, is triggered by Microsoft's own security memos: "All of the network viruses, from Code Red on out, follow on after Microsoft's patch announcements, without fail," Perry told Tom's Hardware Guide. "The reason for that is simple: The people who are writing the viruses only find out about the vulnerabilities that they're exploiting, from the Microsoft technical bulletins. That's their source of information. Every time there's been one that has been exploitable, it's ended up being exploited. It's like a 100 percent turnover."
In an e-mail to Tom's Hardware Guide late today, Counterpane chief technology officer Bruce Schneier agreed, saying, "The 'window of exposure' between vulnerability announcement and patching is a prime target."
Malware writers, stated Perry, are being affected now by what he calls the "zero-day effect": "A 'zero-day' would be any time you have a virus or an exploit that is released before there is a patch available, but approaching zero-day is as good as zero-day, for most intents and purposes." The race is on among malware writers to do as much damage and gain as much notoriety as possible, from the time Microsoft announces a vulnerability to the time it's effectively patched.
The Zotob strain is itself a variant of a class of worms that security providers call RBOTs. As Tom's Hardware Guide reported on Monday, Zotob infects computers running Windows 2000 by instigating traffic through port 445 - a port originally reserved for Universal Plug and Play, specifically for network peripherals that communicate their configurations to network systems using TCP/IP protocol. In Windows 2000, the buffers associated with such communications are unchecked; and on many corporate firewalls, traffic along that port is not blocked.
For your own system to have become vulnerable to infection, Perry stated, "you had to do a couple of things: You had to be running Windows 2000, you had to have not applied the patch, you had to have a firewall that was open to port 445 - there were a number of hurdles to get through before this virus could infect you."
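The propagation behaviour described above (a network worm sweeping hosts on port 445 through firewalls that do not block it) is something a defender can look for in perimeter logs. The following is an added example, not code from the article, Trend Micro, or Microsoft; the log format and the sample lines are constructed for illustration, and the threshold of five distinct targets is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the article): one inbound
# connection attempt per line, "timestamp src dst dport action".
SAMPLE_LOG = """\
2005-08-16T14:40:01 10.1.1.20 10.1.2.5 445 ALLOW
2005-08-16T14:40:01 10.1.1.20 10.1.2.6 445 ALLOW
2005-08-16T14:40:02 10.1.1.20 10.1.2.7 445 ALLOW
2005-08-16T14:40:02 10.1.1.20 10.1.2.8 445 DENY
2005-08-16T14:40:03 10.1.1.20 10.1.2.9 445 ALLOW
2005-08-16T14:40:03 10.1.1.20 10.1.2.10 445 ALLOW
2005-08-16T14:40:05 10.1.1.31 10.1.2.50 445 ALLOW
2005-08-16T14:40:05 10.1.1.31 10.1.2.50 445 ALLOW
2005-08-16T14:40:07 10.1.1.44 10.1.2.5 80 ALLOW
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(ALLOW|DENY)$")


def parse_log(text):
    """Yield (src, dst, dport, action) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, src, dst, dport, action = m.groups()
            yield src, dst, int(dport), action


def find_port445_scanners(text, min_targets=5):
    """Return {src: distinct_target_count} for sources that contacted at
    least `min_targets` distinct hosts on port 445, whatever the verdict.
    Distinct destinations, not raw connection count, is the signal: a
    legitimate client talks to one file server repeatedly, a worm sweeps
    a whole address range looking for anything it can infect."""
    targets = defaultdict(set)
    for src, dst, dport, _action in parse_log(text):
        if dport == 445:
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


def unblocked_445_sources(text):
    """Sources whose port-445 traffic the firewall ALLOWed at least once,
    i.e. evidence that the "open to port 445" hurdle is not in place."""
    return sorted({s for s, _d, p, a in parse_log(text)
                   if p == 445 and a == "ALLOW"})
```

Running `find_port445_scanners(SAMPLE_LOG)` flags only 10.1.1.20, which touched six distinct hosts; 10.1.1.31's two connections to a single host are ordinary file-sharing traffic.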
The first companies to report slowdowns to their internal systems on Monday were major news organizations, including The New York Times, ABC News, and CNN. Is it possible that those organizations were specifically targeted? Perry believes most likely not. "Being a network worm, there's no social engineering involved," he told us. "You're not mailing it to a bunch of e-mail addresses. [Zotob] looks for any place inside the Internet that it can infect, and infect it." The most likely scenario, he said, is that media organizations fit the profile of a susceptible organization.
Size alone may be one reason. The last customers to patch their operating systems, believes Perry, are large networks. Among the reasons: enterprise network administrators spend the most time testing the waters when planning their network operating system migrations. Also, enterprise networks may have the most to lose, especially in the case of major news organizations who are still bound to Windows 2000 because their asset management systems may not have been upgraded to take advantage of Windows Server 2003's new authentication system. In newer Windows operating systems, processes such as the one that takes over port 445 in Zotob cannot gain access to that port, because they cannot properly authenticate themselves. In many applications written for Windows 2000, process authentication was bypassed, and some of those applications, to this day, have yet to be rewritten.
"Contrary to conventional wisdom," stated Perry, "large system, enterprise-level networks are, generally speaking, a little more cautious about when they run the upgrades to new operating systems, so it was the large companies that were more susceptible to this worm than the individual home users."
Perry disputes reports from security software vendor F-Secure that multiple variants of the virus, including one which actually removes earlier variants, are an indication of any kind of "malware gang war." Earlier reports speculated that, since newer strains of Zotob actually seek out and destroy older strains of Zotob, writers of variants are working in opposition to Zotob's original writer(s). "In my opinion," said Perry, "there's absolutely no proof of this ["gang war"]. In the past, whenever we've had a virus or a bot or a worm, there's been belligerent language back and forth, included in the virus; and in this case, there is not... We've spent an awful lot of time speculating, trying to read these kids' minds over the years. We don't know what their motivation might be. It could be because of the double-sunspot cycles. I'm not able to reach into that guy's brain and come up with a cogent reason why they do things. A lot of people try to. There's a long jump between speculation and reality."
According to security provider Keynote Systems, at approximately 2:45 pm Eastern time Tuesday afternoon, Web servers at ABC (including ABC News) and ESPN - two Disney properties, as well as Keynote customers - experienced greatly reduced availability: down to less than 5 percent of capacity, with load times exceeding 20 seconds per page versus the normal 4 seconds. In the accompanying graph, ABC sites are represented with a yellow line, ESPN with a blue-green line.