
Zotob worm - a reminder for network administrators to patch

Source: Tom's Hardware

Westlake Village (CA) - Antivirus companies today informed users of a new worm that is infecting computers around the world. While some reports indicate that Zotob is spreading like wildfire, similar to how Sasser spread in 2004, it now appears that the worm is fairly contained. The three variants Zotob.A, Zotob.B, and Zotob.C, however, are a clear reminder that network administrators should keep their systems patched.

The Zotob worm takes advantage of a PnP networking vulnerability that was recently patched in the latest round of updates to Microsoft Windows 2000. The worm enters through open port 445, which is reserved for Universal Plug and Play. After infection, the worm modifies the "hosts" file of a computer and opens up FTP and IRC connections through port 8080 and, if that port is not open, tries port 33333 instead.

Changes to the hosts file hinder the user from obtaining patches from well-known anti-virus vendors by mapping their domain names to the IP address 127.0.0.1. In addition to anti-virus vendors, the worm reroutes traffic going to commercial sites such as eBay, PayPal and Amazon. This could be a prelude to a phishing attack where usernames, passwords and credit card information are harvested and transferred to the Internet.
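Administrators can check a machine for this kind of tampering by scanning its hosts file for names pinned to the loopback address. The script below is an added example, not code from the article or from any vendor; the watchlist, the placeholder domain av-vendor.example and the sample hosts text are constructed for illustration, and the check also covers 0.0.0.0 entries, which the article does not mention.

```python
import ipaddress

# Names a default hosts file legitimately points at loopback.
BENIGN = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Watchlist (assumption): sites named in the article plus a placeholder AV vendor.
WATCHLIST = ("ebay.com", "paypal.com", "amazon.com", "av-vendor.example")

# Constructed sample hosts file, not captured from an infected machine.
SAMPLE_HOSTS = """\
# sample
127.0.0.1   localhost
::1         localhost
127.0.0.1   www.av-vendor.example update.av-vendor.example  # two names, one line
127.0.0.1   www.paypal.com
127.0.0.1   WWW.EBAY.COM.
10.0.0.5    intranet.corp.example
0.0.0.0     ads.tracker.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, names) per valid entry; comments and junk are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        yield line_no, ip, [n.lower().rstrip(".") for n in fields[1:]]

def find_sinkholed(text, watchlist=WATCHLIST):
    """Return (line_no, name, ip, watched) for names pinned to a non-routable address."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name in BENIGN:
                continue
            watched = any(name == w or name.endswith("." + w) for w in watchlist)
            findings.append((line_no, name, str(ip), watched))
    return findings

if __name__ == "__main__":
    for line_no, name, ip, watched in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} [{'HIGH' if watched else 'review'}]")
```

On Windows the file to scan is %SystemRoot%\System32\drivers\etc\hosts; read it and pass its contents to find_sinkholed. Entries that are not on the watchlist are still reported, since ad-blocking hosts files use the same mechanism and need a human look.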

While this may sound scary, Zotob has not been spreading like previous worms and the Internet’s major backbones seem to be functioning normally.

Dan Berkowitz of Keynote Systems, a firm that measures response times of web servers, says, "as of 11:45 am PST, according to our tools, all major backbones are functioning normally and average response times (of websites) have remained at less than three seconds."

While the impact of Zotob is likely to be limited, security experts reminded users and web administrators to diligently patch their computer systems not only with virus updates, but also security updates for servers and operating systems. David Nardoni, president of First Response Consulting Services, a company that performs incident response and forensic analysis, says that some of his clients have had problems with recent Microsoft patches and became leery of updating.

"About 70 percent of my clients are on Windows XP Service Pack 2, but the others are so behind the times and some are not even on XP. Some clients get 'patching paralysis' and try to lock things down while not patching at all," he said. According to Nardoni, 'patching paralysis' is a phenomenon where clients try to avoid patching and concentrate on other methods of preventing attacks. Administrators will install firewalls and anti-virus software in hopes of staving off an attack, but in the end these measures are useless if a virus or worm comes through an unpatched vulnerability.
