Worms Exploit Plug and Play Vulnerabilities

 
 
By Paul F. Roberts  |  Posted 2005-08-21 Email Print this article Print
 
 
 
 
 
 
 

New Analysis: The Zotob outbreak has put a spotlight on ongoing security woes and is forcing IT departments to find better, quicker ways to distribute patches.

In 2003, the blaster worm infected as many as 10 million computers just three weeks after Microsoft Corp. issued a patch for the hole the worm exploited. Today, IT administrators would love to have even a week to patch their systems before a worm appears to exploit a new flaw.

A mob of malicious programs knocked down networks across the country last week, using a powerful, remote exploit of the Windows Plug and Play service that appeared just a day after Microsoft issued a patch for the hole Aug. 9.
The fast-closing window to patch vulnerable systems is putting pressure on IT departments everywhere to find better ways to distribute patches. But some experts warn that worm and bot outbreaks distract attention from a deeper and darker problem: undiscovered or undisclosed vulnerabilities in software running on critical systems.

By late last week, there were 19 worms that exploit the Plug and Play flaw, including new worm families such as Zotob and Dogbot and variants of Rbot, officials for security vendor Sophos plc. said.
Read more here about Zotob and PnP worms slamming 13 DaimlerChrysler plants. The flood of malicious programs, coming so soon after the Microsoft patch, made it hard for IT staff members at many companies to patch vulnerable systems in time.

The worms knocked 13 of DaimlerChrysler AGs U.S. manufacturing plants offline for as long as 50 minutes on Tuesday, idling as many as 50,000 workers, said spokesperson Dave Elshoff in Detroit.

Customer support workers at SBC Communications Inc. also were idled as variants of the recent Zotob and Rbot worms raced through the companys computer network last week, causing Windows 2000 systems to reboot and hampering the ability of staff to assist customers, said spokesperson Wes Warnick in San Antonio. SBC was still evaluating the Microsoft patch when the worms hit, Warnick said.

"A large enterprise like SBC has to do testing to make sure that those patches are compatible with existing systems," he said.

Zotob proves that patch management isnt enough. Click here to read more. Microsoft and others recommend a "defense in depth" approach for customers that includes a desktop firewall, anti-virus software, intrusion detection technology and patch management tools, said Stephen Toulouse, security program manager at Microsofts Security Response Center, in Redmond, Wash.

A combination of those technologies kept Windows 2000 systems at Principal Financial Group from being hit with Zotob or its cousins, said Corey Null, who works in the information services group at Principal, in Des Moines, Iowa. The company usually requires a lot of time to test patches, but the company makes an exception for high-risk threats such as the Plug and Play flaw, Null said.

But some experts warn that worm and malicious-code outbreaks can be somewhat of a smoke screen.

"Whatever Microsoft reports is only the tip of the iceberg," said Nand Mulchandani, vice president of business development and founder of Determina Inc., a security vendor based in Redwood City, Calif. "In most of the [hacking] underground, if somebody finds a vulnerability, theyll use it, not write a worm for it."

Window of vulnerability
  • Aug. 9 Microsoft releases patch for vulnerability in Windows Plug and Play service
  • Aug. 10 Security experts warn of potential for a worm
  • Aug. 11 Exploit code appears
  • Aug. 14 Zotob, a worm and backdoor Trojan, appears
  • Aug. 15 Reports surface of companies and universities hit with the worm; new bots and worms using the Plug and Play hole, such as IRCbot, SDbot and Dogbot
  • Aug. 16 Reports of widespread disruptions caused by the Plug and Play worms at CNN, ABC, The New York Times, SBC and others Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
  •  
     
     
     
     
     
     
     
     
     
     

    Submit a Comment

    Loading Comments...

     
    Manage your Newsletters: Login   Register My Newsletters























     
     
     
     
     
     
     
     
     
     
     
    Rocket Fuel