Calendar of Updates

> MS05-039: Zotob.A Worm -- In-the-wild, ensure you are current on MS updates
harrywaldron
post Aug 14 2005, 01:02 PM
Post #1


Microsoft MVP - Security
*****

Group: Admin - Forum
Posts: 630
Calendar Posts: 4
Joined: 20-April 04
From: Roanoke Virginia
Member No.: 609

MSMVP


The Mytob worm has been modified to include MS05-039 exploitation. F-Secure gives this a MEDIUM RISK rating (2 of 3 on the Radar scale).

KEY LINKS

MS05-039: Zotob.A Worm - F-Secure (MEDIUM RISK)

MS05-039: Zotob.A Worm - F-Secure WEBLOG

Zotob.A is a Mytob clone that spreads using a vulnerability in Windows Plug and Play service (MS05-039).

Spreading using Plug and Play service vulnerability

The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) through TCP/445. If the attack is successful, the worm instructs the remote computer to download and execute the worm from the attacker computer using FTP. The FTP server listens on port 33333 on all infected computers with the purpose of serving out the worm for other hosts that are being infected. The downloaded file is saved as 'haha.exe' on disk.
harrywaldron
post Aug 14 2005, 04:06 PM
Post #2


Microsoft MVP - Security
*****

Group: Admin - Forum
Posts: 630
Calendar Posts: 4
Joined: 20-April 04
From: Roanoke Virginia
Member No.: 609

MSMVP


Symantec Info
http://www.sarc.com/avcenter/venc/data/w32.zotob.a.html

Internet Storm Center
http://isc.sans.org/diary.php?date=2005-08-14

QUOTE
Important facts so far:
- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 cannot be exploited by this worm, as the worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected systems)
- The FTP server does not run on port 21. It appears to pick a random high port.
harrywaldron
post Aug 14 2005, 04:28 PM
Post #3


Microsoft MVP - Security
*****

Group: Admin - Forum
Posts: 630
Calendar Posts: 4
Joined: 20-April 04
From: Roanoke Virginia
Member No.: 609

MSMVP


McAfee Information
http://vil.nai.com/vil/content/v_135433.htm

Virus Information
Discovery Date: 08/14/2005
Origin: Unknown
Length: Varies
Type: Virus
SubType: Internet Worm
Minimum DAT: 4558 (08/15/2005)
Updated DAT: 4558 (08/15/2005)
Minimum Engine: 4.4.00
Description Added: 08/14/2005
Description Modified: 08/14/2005 9:19 AM (PT)

This self-executing worm spreads by exploiting Windows 2000 MS05-039 vulnerable systems in order to instruct those systems to download and execute the worm. On Demand Scans may detect this threat as New Malware.n with the 4451 DAT files or newer.

METHOD OF INFECTION -- This worm creates 16 threads to scan for infectable systems. The worm targets random class B IP addresses, sending SYN packets to TCP Port 445. When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script and launching FTP.EXE to download and execute the worm from the source system.
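The three write-ups above (F-Secure, ISC, McAfee) describe the same two network signals: a host sweeping TCP/445 across many addresses, and a freshly hit machine pulling the worm back over FTP. The script below is an added example for this thread, not code from the forum or from any of the vendors quoted; it assumes a constructed connection-log format (`<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>`) and sample traffic made up for the example. It flags the fan-out pattern and, separately, any connection to TCP/33333, the port F-Secure names for the worm's FTP server; since ISC reports the FTP port may be a random high port, the fan-out check is the one to rely on and the callback check is a bonus for correlation.

```python
"""Spot Zotob/MS05-039-style spreading in connection logs.

Added example for this thread; not code from the forum, F-Secure,
McAfee or ISC. The log format is constructed for the example:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>
Two signals are checked, both taken from the write-ups quoted above:
  * fan-out: one source opening TCP/445 to many distinct hosts in a short
    window (McAfee describes 16 scanner threads sweeping random class B
    ranges);
  * callback: a connection to TCP/33333, the port F-Secure reports the
    worm's FTP server listening on. ISC says it may be a random high
    port instead, so treat the fan-out check as the robust one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic: one benign SMB client, one sweeping host,
# and one freshly hit victim fetching the payload back from the sweeper.
SAMPLE_LOG = [
    "2005-08-14T13:00:00 10.1.2.9 10.1.2.50 445 tcp",    # normal SMB to a file server
    "2005-08-14T13:00:05 10.1.2.9 10.1.2.50 445 tcp",
    "2005-08-14T13:00:07 10.1.2.9 93.184.216.34 80 tcp",  # unrelated web traffic
] + [
    # 10.1.2.3 sweeps TCP/445 across 12 hosts in 22 seconds
    f"2005-08-14T13:01:{2 * i:02d} 10.1.2.3 172.16.{i}.5 445 tcp" for i in range(12)
] + [
    "2005-08-14T13:01:30 172.16.4.5 10.1.2.3 33333 tcp",  # victim pulls haha.exe via FTP
]

WORM_FTP_PORT = 33333  # per the F-Secure description quoted above


def parse_log(lines):
    """Turn raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "src": src,
                "dst": dst,
                "dport": int(dport),
                "proto": proto.lower(),
            })
        except ValueError:
            continue
    return events


def detect_scanners(events, min_hosts=10, window=timedelta(seconds=60)):
    """Return {src: peak number of distinct TCP/445 targets inside any
    `window`} for sources that reach at least `min_hosts` distinct hosts."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["proto"] == "tcp" and ev["dport"] == 445:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        left = 0
        for right in range(len(hits)):
            # slide the left edge so hits[left:right+1] spans at most `window`
            while hits[right][0] - hits[left][0] > window:
                left += 1
            distinct = {dst for _, dst in hits[left:right + 1]}
            if len(distinct) >= min_hosts:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def detect_ftp_callbacks(events, port=WORM_FTP_PORT):
    """Return (src, dst) pairs for connections to the worm's FTP port."""
    return [(ev["src"], ev["dst"]) for ev in events
            if ev["proto"] == "tcp" and ev["dport"] == port]


def report(lines):
    """Combine both signals; a scanner that is also the destination of a
    callback is reported as confirmed."""
    events = parse_log(lines)
    scanners = detect_scanners(events)
    callbacks = detect_ftp_callbacks(events)
    confirmed = sorted({dst for _, dst in callbacks if dst in scanners})
    return {"scanners": scanners, "callbacks": callbacks, "confirmed": confirmed}


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The threshold of 10 distinct hosts per minute is a starting point, not a tuned value: a domain controller or backup server legitimately talks to many hosts on 445, so run `detect_scanners` against a day of normal traffic first and raise `min_hosts` until those drop out, then alert on what remains.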
Haroldo
post Aug 15 2005, 06:15 PM
Post #4


Chief Suggestion Officer / Impresario
*********

Group: Admin - Board
Posts: 10751
Calendar Posts: 842
Joined: 11-October 03
Member No.: 2



QUOTE
NEW YORK -- A computer worm emerged to strike machines running flawed versions of Microsoft Corp.'s (MSFT) Windows just five days after the software giant disclosed a "critical" vulnerability in the operating system and urged customers to patch their systems.

The worm, dubbed "Zotob" by security software makers, appeared in two variants on Sunday. While neither variant is currently widespread, the speed at which malicious attackers launched a worm was notable. Moreover, attackers are likely to release improved attacks, if the past is a guide.

Zotob moves directly between computers through Internet Relay Chat servers, rather than using email to spread. Security-software company Symantec Corp. (SYMC) rated both variants low risk and said the worm's spread was hindered because it moves easily only among machines running Windows 2000.

"Regardless, users are urged to patch their systems to protect against this and future variants," said Oliver Friedrichs, senior manager at Symantec Security Response, in an emailed statement.

Microsoft began offering patches for the programming flaw that Zotob exploits on Tuesday. The error is in Windows' Plug and Play service, which handles the installation and configuration of external devices. A successful attack can provide complete control over affected computers, allowing attackers to install other malicious programs, steal confidential information and burrow further into corporate networks.

The Windows 2000, XP or Server 2003 operating systems are vulnerable to attack, but a default requirement for users of Windows XP and Server 2003 to authenticate themselves is limiting infections, Symantec said. The worm is able to use computers running Windows 95, 98, Me and NT4 to spread to other computers, but it cannot actually infect these machines.

The Plug and Play flaw was discovered by researchers at Internet Security Systems Inc. (ISSX). The company said on Tuesday when it announced its findings that the flaw was trivial to exploit and that its researchers were aware of three publicly available hacker programs designed to exploit the flaw.
Haroldo
post Aug 15 2005, 06:51 PM
Post #5


Chief Suggestion Officer / Impresario
*********

Group: Admin - Board
Posts: 10751
Calendar Posts: 842
Joined: 11-October 03
Member No.: 2



If one has an unpatched machine, generally speaking:
  • What are the odds that their machine will get infected?
  • How long before their machine gets infected, hours, days, weeks?
  • Will this worm keep circulating in cyberspace, or eventually will it go away?
ColdinCbus
post Aug 15 2005, 07:10 PM
Post #6


The IceMan Fix-ith
*********

Group: Admin - Site
Posts: 4680
Calendar Posts: 2304
Joined: 12-April 04
From: Ohio, USA
Member No.: 596



It is going to depend on if you are behind a firewall or router or if you are putting the machine raw on the net.

It could take minutes to days. It just depends on if there is another machine close by that has it or if your IP is in its scanning range.

It could be around for a long time. I still log 10 to 15 MS-SQL Worms against my IP every day.
YoKenny
post Aug 15 2005, 07:27 PM
Post #7


Contributor
*********

Group: Non-Member - Guests
Posts: 3811
Calendar Posts: 324
Joined: 26-November 03
From: Oshawa, Ont. Canada
Member No.: 57



QUOTE
A computer worm emerged to strike machines running flawed versions of Microsoft Corp.'s (MSFT) Windows

Isn't "flawed" a poor choice of words?

Wouldn't "vulnerable" be MUCH better?

Oh how the media love to sensationalize everything.
Haroldo
post Aug 15 2005, 07:48 PM
Post #8


Chief Suggestion Officer / Impresario
*********

Group: Admin - Board
Posts: 10751
Calendar Posts: 842
Joined: 11-October 03
Member No.: 2



"An imperfection, often concealed, that impairs soundness"
The machines are vulnerable because of the flaw.
Phantom Bronco
post Aug 15 2005, 09:51 PM
Post #9


Spyware Assassin
**

Group: Member - Contributor
Posts: 74
Calendar Posts: 24
Joined: 7-June 05
From: Rochester N.Y.
Member No.: 1499



QUOTE(Haroldo @ Aug 15 2005, 02:15 PM)
QUOTE
NEW YORK -- A computer worm emerged to strike machines running flawed versions of Microsoft Corp.'s (MSFT) Windows just five days after the software giant disclosed a "critical" vulnerability in the operating system and urged customers to patch their systems.

The worm, dubbed "Zotob" by security software makers, appeared in two variants on Sunday. While neither variant is currently widespread, the speed at which malicious attackers launched a worm was notable. Moreover, attackers are likely to release improved attacks, if the past is a guide.

Zotob moves directly between computers through Internet Relay Chat servers, rather than using email to spread. Security-software company Symantec Corp. (SYMC) rated both variants low risk and said the worm's spread was hindered because it moves easily only among machines running Windows 2000.

"Regardless, users are urged to patch their systems to protect against this and future variants," said Oliver Friedrichs, senior manager at Symantec Security Response, in an emailed statement.

Microsoft began offering patches for the programming flaw that Zotob exploits on Tuesday. The error is in Windows' Plug and Play service, which handles the installation and configuration of external devices. A successful attack can provide complete control over affected computers, allowing attackers to install other malicious programs, steal confidential information and burrow further into corporate networks.

The Windows 2000, XP or Server 2003 operating systems are vulnerable to attack, but a default requirement for users of Windows XP and Server 2003 to authenticate themselves is limiting infections, Symantec said. The worm is able to use computers running Windows 95, 98, Me and NT4 to spread to other computers, but it cannot actually infect these machines.

The Plug and Play flaw was discovered by researchers at Internet Security Systems Inc. (ISSX). The company said on Tuesday when it announced its findings that the flaw was trivial to exploit and that its researchers were aware of three publicly available hacker programs designed to exploit the flaw.

Is there a patch for 98se, or no because it's not supported by Microsoft?
hewee
post Aug 15 2005, 10:50 PM
Post #10


hewee
*********

Group: Member - MVC
Posts: 3740
Calendar Posts: 3
Joined: 12-May 04
From: Rio Linda, Ca., USA
Member No.: 660



Run the Shields Up test and see if you're blocking all the ports,
and block port 445 as Harry posted in the 2nd post.

https://www.grc.com/x/ne.dll?bh0bkyd2
Donna
post Sep 10 2005, 08:59 PM
Post #11


Solar
*********

Group: Admin - Site
Posts: 12021
Calendar Posts: 8743
Joined: 11-October 03
From: Macau
Member No.: 1

MSMVP


QUOTE
The hackers who unleashed Mytob and Zotob may be behind bars, but variants of their work continue to appear.

Security firm MessageLabs says it has detected a new variant of the Mytob worm and intercepted 72 copies since early Wednesday.

While similar to previous Mytob variants, the latest worm appears to have been compiled using more recent code than that used by its creator, the hacker known as Diabl0, according to MessageLabs.


http://www.internetnews.com/security/article.php/3531336