Microsoft Issues Zotob Cleaning Tool

Microsoft rushes out a new version of its Windows Malicious Software Removal Tool as one response to a bot worm attack that began earlier this week.

August 18, 2005


Microsoft late Wednesday rushed out a new version of its Windows Malicious Software Removal Tool as one response to a bot worm attack that began earlier this week.

The updated tool -- which can be run from the Web or downloaded separately -- now detects and deletes 10 variations of the Zotob bot that's been probing for vulnerable Windows 2000 PCs since Sunday.

Normally, Microsoft updates the free tool the second Tuesday of each month, the same day it releases its monthly batch of security bulletins and patches. But it's also reserved the right to release it "as needed to respond to security events."

This is the first time that Microsoft has revised and re-released the tool outside of that monthly schedule.

"We are not aware at this time of a new attack, but are releasing this free tool to help any customers that may have been affected," said a Microsoft spokesperson.

At the same time, however, Microsoft continued to characterize the week-long attack as a "low rate of infection." In a statement, it credited this to users switching to newer, more secure operating systems.

"Microsoft attributes this lower impact to customers who have taken on more of a 'maintenance mindset' -- practicing good security behaviors and using newer and more secure versions of software," the Redmond, Wash.-based developer continued in the statement.

The Zotob bots, as well as others that take advantage of a critical vulnerability in Windows' Plug and Play technology, are only able to easily attack Windows 2000 PCs. Those running Windows XP SP1, XP SP2, and Windows 2003 Server, for example, are safe from the current generation of bots; only an attacker with valid log-on credentials (and in the case of XP SP2 and Windows 2003 Server, physical access to the machine as well) can exploit the vulnerability on those platforms.

Microsoft also continued to beat the drum about applying the patch it delivered August 9 for the bug, and added comments about the success of its automatic update technology in deflecting the attacks from most users.

"The more than 200 million customers who have followed the steps to enable Automatic Updates should already be protected against these emerging threats, as they should have received MS05-039 automatically," the company said.

Several anti-virus vendors beat Microsoft to the punch by delivering free detection and deletion tools before the Malicious Software Removal Tool was updated. Symantec, for example, first posted its Zotob cleaner -- it now removes Zotob.a through Zotob.g -- on Monday, August 15.

The number of bots exploiting the Plug and Play bug has stabilized for the moment at around a dozen (anti-virus vendors and security services have slightly different counts). By Thursday, however, it was a little clearer which bots were battling for control of vulnerable and/or compromised computers.

According to Helsinki-based F-Secure, it appears that two, not three, competing bot families are engaged in a tug-of-war. In a simple illustration, F-Secure outlined how both the IRCbot and Bozori bots are killing ongoing processes of Zotob, Rbot, and Sdbot that they find on already-infected PCs.

"There are two groups fighting: IRCBot and Bozori versus Zotobs and the other bots," said F-Secure on its labs' blog site.
