Attacks Target Windows Vulnerability In Just Five Days

Just five days after Microsoft divulged a critical vulnerability in Windows 2000, several bot worms began attacking unpatched systems.

August 15, 2005


Just five days after Microsoft divulged a critical vulnerability in Windows 2000, several bot worms began attacking unpatched systems using exploit code released by the same group responsible for the code used to construct the Sasser worm.

Although some analysts said that the sophisticated nature of the bots could cause problems, most didn't expect this attack to reach the "meta-event" level of Sasser or 2003's MSBlast.

"We reverse engineered one of the bots yesterday, found the IRC channel used by the bot masters to communicate with their bots, and idled there for a while," said David Maynor, a researcher with X-force, the research arm of Internet Security Systems and the group credited with the original discovery of the Plug and Play vulnerability. "The count of infections wasn't all that high. A new system was infected about every 30 seconds. Sasser, in comparison, infected about 10 PCs every second."

Two of the bot worms, dubbed Zotob.a and Zotob.b by most anti-virus firms, are the most prominent, and were widely publicized by security vendors starting Sunday, August 14.

Zotob is technically a bot, which in simplistic terms is a combination of a self-propagating worm and a Trojan horse. The former spreads the malicious code, while the latter typically installs a backdoor through which additional code can be loaded onto the compromised PC by the attacker. Such infected and controlled machines are often used to send spam, conduct denial-of-service (DoS) attacks (or extort money on the threat of a DoS attack), and host phishing Web sites.

Microsoft acknowledged the danger by quickly updating the security advisory it first posted Friday when news of out-in-the-wild exploit code against the Plug and Play vulnerability began circulating.

"Our initial investigation has revealed that the worm remotely attacks Windows 2000-based systems," said the updated advisory. "Other versions of Windows, including Windows XP Service Pack 2 and Windows Server 2003, are not remotely impacted by Zotob.a. However, there may be ways for these operating system versions to become infected through local user interaction or through other malware that may already be installed on the system," Microsoft warned.

Microsoft is referring to possible attacks on non-Windows 2000 machines that have NULL sessions enabled (Zotob relies on NULL sessions to exploit Windows 2000 PCs). Some server roles require NULL session functionality, the SANS Internet Storm Center (ISC) noted, including Exchange and SQL servers.

"If you have permitted NULL session access on your managed systems, you may be at risk of infection by one of the Zotob variants," warned ISC handler Joshua Wright in an online alert.

The Zotob worms are closely related to the Mytob family, one of the most prolific lines of malware ever. "Hackers took the Mytob worm code, which was derived from MyDoom, and replaced the e-mail function in Mytob with the exploit of the MS05-039 vulnerability," said Ken Dunham, senior engineer with VeriSign iDefense.

Dunham expects to see a slew of Zotobs and related bots appear soon as hackers mimic the constantly-changing variations of Mytob. "We'll see lots of bots emerge, and in short order," he said.

In part that will be because hackers know they have to act fast before users patch vulnerable Windows 2000 systems. That is already happening, said Dunham, who added that iDefense has analyzed as many as nine different pieces of exploit code, including the two Zotobs and four new variations of Rbot.

"If something more sinister is going to come along, it's going to have to come out in the near future," added Dunham. "The first 10 days or so are critical. After that most enterprises have patched or are actively patching. If this had come out three or four weeks after [the release of the vulnerability bulletin], it wouldn't be nearly as critical."

Dunham didn't see this attack morphing into a Sasser or MSBlast, even though the exploit code carried the name "houseofdabus," which was also tied to the exploit code released in 2004 prior to the appearance of Sasser. "I don't think we'll see this as a meta-event. A bot attack is totally different than a meta-worm like Sasser. Bot attacks are generally much lower profile. It's all a numbers game, but bots hammer away over a long period of time." Bot authors want control of machines, which means they want to work in as much secrecy as possible.

Even the publicity this first-round attack will get, said Dunham, will work against the hackers, since the news will cause some unpatched users to patch pronto.

Researchers at the Helsinki-based anti-virus vendor F-Secure agreed that it doesn't look like Zotob and its kin pose a major threat. "Zotob is not going to become another Sasser," wrote the company's prime researcher, Mikko Hypponen, on the firm's blog.

Still, Zotob can be virulent, said ISS' Maynor. Although the bot makes use of the Plug and Play vulnerability, it also includes code for exploiting other Windows bugs, including 2004's LSASS vulnerability, the one which Sasser exploited. That means some of the new bots can infect not only Windows 2000 PCs, but other unpatched Windows machines as well.

"The most likely scenario is that the bot would use the Plug and Play vulnerability to break through the outer defense at the network border," said Maynor. "Inside the perimeter, most companies have a lot of unpatched systems, which the bot could then attack using other exploits."

That means it's imperative users patch. Microsoft, for instance, continued to urge customers to apply the patch provided Tuesday, August 9, in the MS05-039 bulletin.

If that's not possible, Microsoft recommended that companies block ports 139 and 445 at the firewall.
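The two mitigations the article names, restricting NULL session access and blocking TCP 139 and 445 at the host firewall, as an added PowerShell audit-and-harden script; this is not code from the article or from Microsoft, and it assumes a modern Windows host with the NetSecurity module (these cmdlets did not exist on Windows 2000).

```powershell
# Added example: audit and harden a host against the two conditions the
# article names: NULL (anonymous) sessions and exposed SMB/NetBIOS ports.
# Assumes Windows 8 / Server 2012 or later with the NetSecurity module.
#Requires -RunAsAdministrator

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. NULL session restriction. RestrictAnonymous=0 permits anonymous
#    enumeration over SMB; 1 and 2 progressively restrict it. A missing
#    value behaves like 0.
$ra = (Get-ItemProperty -Path $lsa -Name RestrictAnonymous `
        -ErrorAction SilentlyContinue).RestrictAnonymous
if ($null -eq $ra) { $ra = 0 }
Write-Host "RestrictAnonymous = $ra"
if ($ra -lt 1) {
    Write-Warning "NULL sessions permitted; setting RestrictAnonymous to 1"
    Set-ItemProperty -Path $lsa -Name RestrictAnonymous -Value 1 -Type DWord
}
# Roles that genuinely need NULL sessions (the article mentions Exchange
# and SQL servers) should be tracked as explicit exceptions, not left at 0
# fleet-wide.

# 2. Block inbound TCP 139 and 445. In Windows Firewall, block rules win
#    over allow rules, so adding these is sufficient to close the ports.
foreach ($port in 139, 445) {
    $name = "Block inbound TCP $port (MS05-039 mitigation)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
        Write-Host "Added firewall rule: $name"
    }
}

# 3. Report any enabled allow rule that still opens 139 or 445, so the
#    remaining exposure is visible to whoever reviews the host.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object {
        $_.Protocol -eq 'TCP' -and
        ($_.LocalPort -contains '139' -or $_.LocalPort -contains '445')
    } |
    ForEach-Object {
        Write-Warning "Allow rule still covers port $($_.LocalPort): $($_.InstanceID)"
    }
```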
