As of yesterday afternoon, users of computers running the Microsoft Windows 2000 operating system were feeling serious effects of network worms, thanks to a Plug-and-Play vulnerability known as MS05-039. Media outlets including CNN, ABC, the Associated Press and The New York Times have suffered computer shutdowns, and analysts said we haven’t seen the end of the drama yet.
Microsoft is downplaying the attack. Meanwhile, Finland-based F-Secure said big organizations that are getting hit have most likely introduced the infection to the internal network via infected laptops.
Computers running Windows 2000 with port 445/TCP open that did not have last week’s patches installed, or that have loaded the patches but haven’t rebooted, are vulnerable, according to security firms.
Bot War Heating Up?
Some security researchers and antivirus companies are calling it a battle between rival virus writers to see whose bots can do the most damage with a variety of worms.
F-Secure said there are now nine different worms or bots exploiting the week-old Plug-and-Play vulnerability. Most of the recent problems are caused by a worm the firm calls Zotob.D and two bots it calls IRCBot.es and IRCbot.et.
F-Secure is reporting 11 different samples of malware using the vulnerability, including three Zotob variants, one Rbot, one Sdbot, one CodBot, three IRCbots and two variants of Bozori. F-Secure said it seems there are two groups that are fighting — IRCbot and Bozori vs. Zotobs and other bots.
Ken Dunham, director of malicious code research at iDefense, a Reston, Va.-based threat intelligence firm, told TechNewsWorld his firm has seen at least 20 different bots emerge over the last three days to exploit the Plug-and-Play vulnerability.
“There’s some talk that there might be a worm war among bot authors. It’s too early to say for sure, but we do see a lot of bot activity,” Dunham said. “It’s almost like a race among different virus authors as to who can get to the vulnerability networks first.”
Analysts said each variant will have success in any vulnerable environment. They compare this incident to MS03-26 in 2003. That critical Windows flaw was found in Microsoft DirectX, a group of technologies designed to make Windows-based computers run certain graphics, video, 3D animation and audio applications.
History Repeats Itself
“Similar to MS03-26, I expect this exploitation to hang around and become widely integrated in lots of code,” Dunham said. “Hundreds if not thousands of new bots and Trojan families will emerge from this code. We’ll continue to see it until all computers are completely patched or until the Windows 2000 operating system is retired.”
Microsoft is trying to close the book on the incident. The software giant issued a statement yesterday indicating that it rates the issue as a “low threat” for customers.
“Zotob has thus far had a low rate of infection. Zotob only targets Windows 2000. Customers running other versions such as Windows XP, or customers who have applied the MS05-039 update to Windows 2000 are not impacted by this attack,” the statement read.