For the last few days, no doubt, you've been hearing about one or more computer worms wreaking havoc on major companies worldwide. It appears that this wasn't a coordinated attack, which would have been brilliant, but rather an Internet turf war waged by two or three rival virus writers staking out territory--with corporate systems falling victim as collateral damage. Although these worms targeted a specific flaw in the way Windows 2000 handles Plug and Play (the ability to add hardware to a system and have Windows recognize it) and should not have amounted to much, collectively, they do provide a few lessons for how companies handle their antivirus defenses.
Media as targets?
Late Saturday, August 14, 2005, the first traces of Zotob appeared. Zotob was a straightforward modification of the Mytob family of worms, adapted to exploit the Windows 2000 Plug and Play flaw described in MS05-039; it was an off-the-shelf worm. No skilled programming involved. Any script kiddie (that is, any unskilled programmer) could have morphed Mytob. Apparently, there's no shortage of script kiddies.
Within a few hours of Zotob.a, there was another variant, Zotob.b, and by Monday, a third, Zotob.c. Also by Monday, it appeared that the three worms were severely limited in reach. All of the variants required Windows 2000 systems, which are in limited supply these days, and the systems had to be unpatched and without firewall protection. Such rare circumstances made Zotob infections scarce--this despite the fact that Zotob.c added e-mail as an attack method.
Then late in the afternoon on Tuesday, August 16, 2005, I happened to be on the phone with a CNN producer in New York who told me that his company had just been hit. This was the first I'd heard of it. In fact, for the next few hours, I struggled to find the name of the worm responsible for the attacks that had suddenly hit CNN, the New York Times, the Financial Times, and ABC News; my antivirus sources were contradicting themselves about whether this was a new version of Zotob or something else. All afternoon, BugTraq had been humming with posts about a new virus or worm--something that was not Zotob--so I wanted to believe that what hit these companies was not, in fact, Zotob. Then my colleague, Joris Evers at News.com, sent me e-mail from Microsoft.
Microsoft identified the attacks as something they called Rbot.ceq. Rbot was a known, relatively minor worm; the CEQ part meant this was the latest variation of that worm. The note from Microsoft ominously warned that any organization hit with this new worm should contact the FBI immediately. Still, I wasn't sure that Rbot was capable of remote access, downloading code from IRC servers, stealing personal information, and causing denial-of-service attacks on random sites. Unless we were witnessing a constantly morphing Rbot worm, something else was afoot. Turns out, I was right.
It's a bot war!
Early on Wednesday, August 17, 2005, Mikko Hypponen, Chief Research Officer at F-Secure, announced that he'd identified up to 11 different worms exploiting MS05-039, including variations of Zotob, Rbot, IRCbot, and Botzori. Moreover, Hypponen detailed how some of the new worms were designed to remove traces of competing worms. Aha! The Internet was witnessing a bot war, where virus writers were trying to control as many infected computers as they could. Remotely controlled computers, or botnets, can later be used to launch denial-of-service attacks on specific Web sites, serve spam, or act as a foundation for launching another, even larger worm attack.
But we'd seen all this before. Early in 2004, MyDoom, Bagle, and Netsky were all intertwined in an intricate dance: first spreading themselves, then removing traces of the others. In the case of Netsky, its author, Sven Jaschan, was convicted of creating a computer worm and sentenced to probation (this, after accepting a job at a computer security company). The authors of MyDoom and Bagle have not been caught, despite a quarter-million dollar reward offered by Microsoft. I suspect, however, that the culprits behind the latest wave of attacks are new players.
New paradigm needed
Since the Plug-and-Play worms infect only Windows 2000 machines that are unpatched and unprotected by desktop firewalls, where did these worms find their victims? Within corporate firewalls. First, despite pressure from Microsoft, companies have been reluctant, for a variety of reasons, to upgrade from Windows 2000 to Windows XP. Second, burned by past Microsoft patches gone bad, companies are hesitant to roll out the latest Microsoft patches without first testing them. And finally, most companies do not bother protecting individual desktops inside their corporate firewall, nor do they have aggressive policies in place regarding corporate laptops operating outside their perimeter. That needs to change.
Here was one easily exploitable vulnerability, with several groups of rival virus writers quibbling over how best to exploit it. All it took was one laptop brought in from outside the firewall, and suddenly all the desktops within a given organization or corporation were infected, which is what happened--back in 2003 with MSBlast. Apparently, we haven't learned our lesson yet.
Not all of the updates from Microsoft are considered critical, and even those that are don't always have exploits freely available on the Internet. The Plug-and-Play vulnerability did have exploits available, and in the days preceding Zotob, Microsoft and other computer security agencies warned that a worm attack was possible sooner rather than later. Maybe next time, we'll be better prepared.
Were you affected by the MS05-039 group of worms last week? Share your experience in the TalkBack section below.