Network Computing is part of the Informa Tech Division of Informa PLC

Attacks Target Windows Vulnerability In Just Five Days

Just five days after Microsoft divulged a critical vulnerability in Windows 2000, several bot worms began attacking unpatched systems using exploit code released by the same group responsible for the code used to construct the Sasser worm.

Although some analysts said that the sophisticated nature of the bots could cause problems, most didn't expect this attack to reach the "meta-event" level of Sasser or 2003's MSBlast.

"We reverse engineered one of the bots yesterday, found the IRC channel used by the bot masters to communicate with their bots, and idled there for a while," said David Maynor, a researcher with X-Force, the research arm of Internet Security Systems and the group credited with the original discovery of the Plug and Play vulnerability. "The count of infections wasn't all that high. A new system was infected about every 30 seconds. Sasser, in comparison, infected about 10 PCs every second."

Two of the bot worms, dubbed Zotob.a and Zotob.b by most anti-virus firms, are the most prominent, and were widely publicized by security vendors starting Sunday, August 14.

Zotob is technically a bot, which in simplistic terms is a combination of a self-propagating worm and a Trojan horse. The former spreads the malicious code, while the latter typically installs a backdoor through which additional code can be loaded onto the compromised PC by the attacker. Such infected and controlled machines are often used to send spam, conduct denial-of-service (DoS) attacks (or extort money on the threat of a DoS attack), and host phishing Web sites.