Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Zotob Worms Target Windows 2000 Hole



 By: Paul F. Roberts
2005-08-15
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Code attacks through Plug and Play hole that Microsoft addressed last week with a patch.

Less than a week after Microsoft patched a critical hole in a common Windows service, a new worm is circulating that exploits the hole in unpatched Windows 2000 systems and uses it to proliferate.

Two new variants of the worm, "Zotob.A," and "Zotob.B" appeared on Saturday and use code released on the Internet last week for attacking a hole Microsoft patched on Aug. 9 in the Windows Plug and Play service.

However, the new Zotob worm is not as virulent as close relatives such as Sasser and Blaster. The bigger threat may come from stealthier programs, known as "bots," which are using the newly disclosed Windows hole to gain access to unpatched systems, according to Mikko Hyppænen, manager of antivirus research at F-Secure Corp. of Helsinki, Finland.

F-Secure rated the Zotob worm variants a "level 2" threat, the companys second highest designation for viruses. However, Symantec Corp. and McAfee Inc. both rated the worm a "low" threat Monday.

The security hole affects the Windows Plug and Play (PnP) service, a common component that allows the operating system to detect new hardware on a Windows system. For example, when Windows users plug in a new keyboard or mouse, PnP detects it and allows Windows to load the software, or "drivers," that are needed to use the hardware on Windows.

Resource Library:
A buffer overflow in PnP could allow a remote attacker to take complete control of Windows 2000 systems, installing their own programs and viewing, changing or copying data from the computers hard drive.

Microsoft issued a fix for the PnP hole, MS05-039, which the company rated "critical" with the monthly patches for August on Tuesday.

Code to exploit the hole, attributed to a group named "houseofdabus," appeared on a well-known security Web site on Wednesday. By late Saturday, somebody had cobbled that exploit code to freely available worm replication code and created Zotob.A, said Hyppænen. "Theres not a lot of new code here," he said.

The houseofdabus exploit code used by the worm can only be used to remotely attack unpatched Windows 2000 systems. An attacker would need to be able to log in to a vulnerable system using a user or administrator account to remotely exploit Windows XP or Windows Server 2003 systems, which lessens the impact of the exploit, Hyppænen said.

The worm looks for systems that have communications port 445 open then sends the attack code to the computer using that port. Once the worm has compromised a system, it installs a shell program that downloads and installs the full worm code, named haha.exe, using FTP (File Transfer Protocol.)

The exploit code for Zotob was written by the same individual or group that crafted the exploit code used in the Sasser worm. As with that worm, the exploit causes infected machines to reboot unexpectedly, which could tip off victims, Hyppænen said.

AOL, Microsoft recycle spammer loot. Click here to read more.

F-Secure collected some Zotob samples from the Internet on Sunday, but the new worm is not spreading quickly. However, organizations with a lot of Windows 2000 systems could be vulnerable, especially if an infected Windows 2000 system connects to such a network behind the corporate firewall, Hyppænen said.

Bots and other low-profile attack programs may be a bigger threat to enterprises than the Zotob worm is. F-Secure researchers have already detected traffic from variants of a large family of remote control "bot" programs called "Sdbot" that indicate the PnP exploit has been added to the pre-packaged exploits those programs use to gain access to victim machines, he said.

On Sunday, iDefense Inc., a security research company, said that it had discovered a new tool to automate exploitation of the PnP vulnerability, which it named Copa.A. The tool, which uses Visual Basic script, allows malicious hackers to automate exploitation of vulnerable Windows systems, given a list of valid IP addresses and the PnP exploit code, according to an iDefense e-mail statement.

The PnP vulnerability was discovered by a researcher at Internet Security Systems Inc. and reported to Microsoft. It is just the latest evidence of security holes in the code Windows uses to load third-party hardware and peripheral devices.

In July, SPI Dynamics Inc. reported buffer overflow vulnerabilities to Microsoft that could enable an attacker to circumvent Windows security and gain administrative access to the machine.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Zotob Worms Target Windows 2000 Hole
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


x}ks8q8cHS-ڱ-ě[HH"$e[wro7%dIR%<@h4I"nZ΄\ܦdÀ>CO$wB}NUQR #7,(bP<HwO7n[Y0Ra᳙,Q :':BPL5MΚMH}ٚ7'x2)X $8OմI.l,P8$x$ZB;$?*B4mG$*oqT|:XS=*2rНęO,}!*Ka>$e%S5ExLԤ#|xB'gxGdYW+ (ƻfՉziZgC2]pj:N`QFdn m`㥨H aP`\ 9t} ^ G&lw&"QcOZ$ӡ%q˝̢JKAtf>D>8zv v}jJ73g }KH;R@}k {>5I i1E 94cT4iu8DrH n> ՈyaOl+qtRe[7g0ml_k| tns<$s~3 CoZe؄j% =y7`JaCJ&5\_-׉E>7 ؗCY͢aE3l˸+:4 HS+VWR\m(ƑP|}l˙?Z^pg?//iҸ_uϯ $QwÑ;wV҃u5`*.'7~l@z;Q\`'H |'[oDV)UjT:(¤Ԙ:b= u+P%oPK(iv$1{P$hIcF/XTUi w;ǃSҹtnotNΏo3$oIJ5ZMӀH Zzf#=[ ֋۳ۗKiOz7{#)|r>5MP\ܱ¬8ڪV7`K6O|g6~l M u ôW+ I-idC!Ժp|=!IoK'|:8%8\^CJ ݖUL_*DȏKj,o0Hˤd&q, ߱n\S@`hoN\ hYKS7B u%Ϲu,5Hr Y@a)#8?S݇E pJq䨉k.XSl \OFo4| ~ަ,|y"b4rݢQs>M+&o#> yfRB(PHQ&&TRe6\aU<<~uwܬu"jԴ޹/~<Ҳ[wI|霒uO~K/364>hX.B2iK1.pK۫ZHT'Td~TJCU~X8ʕ85n!SGñA &s;,< P D>O;59'>D#ʠ:괉\ZVS4@!&maAi1[ mE9H_,}TaCkFYGIO t"&qsк&`1fàJ{t$4/f{@`^@48`88ʬE!1y@!X{fsĵ{ݲeǀԜG:0$w2Z}#%>] cRRR$S_MPԤv9DBB !B60 HV(FDBjւ+NDk@G҅;qjX)rFZ ׸~)Rٚ),'Lf X*?ȉ#"09X 4j h%ּ fiZZOG4mMǖaf#As6I`EuBrPC;.t+APC1!a]<V3,+X5{8qy`Y@{tӲyJ3ˁ 2$6WB>,˄F|\6`=϶Y$uXu[u`|d:.h>xB,naDhI/3_hy9e~>Ꭴm[_4@>V*z[.z8؍8r!O5kb$ӠCO 6 uPO ŕ4BЊOWmklTn-V,j?Ս݋0z9Tەi]jk-R:?!Ge[ol0Ԣ騬`|M(" !ڬsiʹ,C/P|]bH'^%ôkQHpSo{:!Kư^\탢K*+jS#VhVKְYMc; T 24 0p"wabBV1`Nz6xI?vl->u /(*'|x=JeכAS SO4,vFff9X[ 7@' ˖X c*9t̳tgys8X:žtՖүx泛Npu Q2fñeH׽iA̫u-АjE)jEl ؑq,YriT*wڶ>QȺ +JЦVȥC@ @Mqά3pPS@ bN,(t=(U+_z]9]F>n1 $DTe6f,T_\P-xJD5h\Rj&24ZȻ@Syv{2$u`m>(gpFl`^\|G BK Kg"^cEk ÖYCÖWیІ;иXTR=OuP-ODBScO}<6?fCU^oVSxw"ZTlOcCjvTVkovT9̓)3G ).b_ћz?3chͶ9{[J?CPt*rɵ`s||}j6N8edCe>fLFrdx\fl(JE=4g!ݥrI4S˰6O*GS%+nr4 q\3@$7zǰ&k}YTZ^Rk{=m򂠱7⬸cD H!S#2!Z Gk0hLw*n1_$PS*m𳛳CĮP_*3=@7_)5S UӓU=4. /+bI뛗љGozmvf3"-_do퀁ؘY#"@:e۴q:i&G2165"j` |=rU*,TΩ"2fDeϺVߦ} |OܽtF OCuEN:Ɠcݸ{?,WE:&}{`ouɛ(.xg@5sgDcK:jC-'E&'tEk4FUk5W}zGdCzez%~ ~{qw;I L#e{ZT*JZճ(*I$ {2t9t=d}kO?tyOUUAS^F;:9&_@ڨO( ] 8ỸĤX'CU"O[1dy lSrV/BЃ`I##Ȋ@G?FV!ɍ: !Ie\\S*.?6CU\+Ԋ?EXᐫiI#xC`t>VX8'?lgH #npL+SoA!RD#+#I UZI gwPDR n Gzssb~f>Q+oR@/It6 \C.:Ղ_ ݘ3atׄe#4hQ{:8?$%cY{+ѕ^;y0N 0+޿W Ї_irD`SއS{~WY^9f!K R#bw}Wsz^^OOW^6J "[)U9 K}{%d}һzG{ՑҽN zעΓ!G*E!B='Mty)qfm2H<2~qaxk-Tq@چ Vһ9pbA%jNZ _/k=W'7,U88jkoM1w}mXL/ސPV# (ʑ=`` Ɉn)c/z4BL0B_XH!)W$fe+H;nڜ(6F_gE'k'\-g[M7s+dID_q+ kNz<\3[5ntHzLp l_tEcr!:,-D3?Gq"Tc(L-ӤNL)gT8ٖPxi'sgx!um0q%ӝr0BٺCO ̫mmg̐s$SѤX BgJȄa{e5a5R!MLCYOC/D$a;Bz{ giMO.m2ϼ+Kwn+G7; VH_8_`tOB HY)o9yb}@N^KKhUMV.< R̄0O" F®({h7RF&̱¹OH1¢;{WT@)3^EX 2k7v-̳,d]9@!loYM2CZ/ȄZԍ)A0x;GR0x&4.tEWy/("+,;Jn-Y2OКkð"#KIܷEb9I4ݙn98?r#Wi_ :7}ipbw`}%H@2`@OL4b5~ÿ|TfOf 95C/rBej*=lGt?Ko{ѧce4 tģVRkf{i2$BUU+j;AZDVeΜt՗^|3<:kd7YM(fd~Z:pCʤ%sccf}ݸw[1riÉfeoHP Q>]awP({<_a}[t]"ekF_SE+KT7IzmzSDmחF}޿ȿ LĴxBw2h덧w̷L֘&&xL :6yo :l0̰@ b@vV7v\8 8S1</ [euw+[ccc;ȯF%xo,6-l@|Prh,0yancZoIq8|+؊wf_ϒ4oNOւ1v̙[ʈ1gcϵ;VK1-[K/௱ !]sQg=n"7(S/4 F[[V}:lOo -~ Й.Ͷ.C^|4*jEib߶mr&k߸3 M V Yu=۵R9&RI{F}[L /t4/`<[&GL~Gg,r6hJjf+tg4q_1&?8xc(?ZQ|ɮޗ`Z)DeFe֥ɜFW˰:Rrl1viMxe+5ez?ů{ЙR_!oRqQ8w*ƶ*1wsH1н20h@OaɈ. ^{N˭|2Zd,3d΁3 EVZ`f:mQʵI=(B&c"62ja4pW'jENZ~MJs'Dg.4|p,^["Q*ǎX?ζRˡ~tδ8},3 N:X)GYjt\K-B4)nv<$=7 F%iS-W$~ᢘVJ]//iZrQlc6-&"ztY,{"C0[㱉7͓l@C@mC 9$^b6$WSI*iʍ&`O.->BٳPbO kĩ#tr}*?# j3N(#ԹMf1췜]jEBI!a2r\%&-vXY|$K|"qnú>)XP׉8r/R c##Kb,"C,hJ.vtk«.oҮHJ]Էv9=̞ =P ݑ#aK4/q JV7 g" 8VkmSj'JJCRKےEɢ;ҵza0m ]*R֓R52$9E[7k=Ub'jP%-A_ ]\jO7XZcZTnrh$J8PPK@.y V"< gTڝVyuz/f:tʐn $X\C@}IVϡؒE 뢫]G[e)N37DЙ'0_d@Ɲ IZCm(J2$ĀZC =..RzR"|쎃U>|`fɊq{64jd}R9 0h)8Yvc n?7I iX#؜~M#'3z^]m$>3Nf]o$"7y77775yJz&D6s";O=H]sIK;a Zn ;.ObITAAʠ3/on(pHV]a0(l['cDyAY[V_z(k-,,?@=]٩lBҘru S诽 '0#=qeR|#4pXD"HKs,w҄~!R|e UmKz5XҭH8A%6 B.aDPD&m3f@ZӷW~̼\$Dͦ䄢LRi09@w$wwmvXo C ٩͍u,fFR om[oF?6௶eqla} pj&|`Ymsm-6ә{OWhe!X -_ߩ}9t:y,DSXubCP4tF87g3ƚy<"mg&#J x > 5>Kj νko:g^_VBMii='y0>Rw2 [x.j=-Dw߁\<@EM!vyW+řn.;&ߣ4{*e ][Ef@9 ek7j_A'-g5ǬhgP.?=XNqγtqE(u4dZv(Bz7Q3@a]IYf~y',6EoCf`iOiNto}3d?}?A~f뇺}=ME8/XdR( $BPRlAUU&[Q{Vꮞ_ÌVS\>fFk5mǖAS׈1<⵽ eA.9Q*Z@(iYr'o&gG>Ϧo/?QHՕGoh}mxJ rG-9c:&zW J ')MБ ܟޔj@*oIlgO^8zm@ "6 ?KirK/~m#k%N H3v\hvn+ nU1p4*pejT KD6L 2@k85Aߟo}9M1- ‚5"t B[ccߝ6#Tw9ZOwC!ۻ"ǝ-^d¶-j=uN??u:7ݫAufzv>49ۼ6/ i/H]/;LOSʙhSg¥,%E:w"fyQ̑:jS#uR@BJs@AC|\tNw)"Je@9@/9B979 A~/')}9pp?gasy:nZӜ|_7h^C9_h6_ڵ.s3K{Ke~.a9̡KDG9_BeN>U^\U@rOK/G\}\5ԿΩsC?}?g}?gA ؜C}}y09[ȿ͡[h6[KuA~;׸qzy;29ɯZ9Rȫ_~ˇ-YN~sYUzvCU^Z*3*௟Uߧdlڽ>靦BR; +]q-3-{☴[˚rsWe|:,Y& )htWYdSrlb{De?~VRR枌u]CZLz.!{]We[M')>|k(s3gio{dZ+m"̃Qò/s=h60+.ǐ2ۿ?K2yi8? g m`JW#ah0.: 7X.[ZӇ7|';TumaPkqdm8oCdx$ݕٟzÀ;}W}(<-u&n\ef(/@FA@1 FFsU?a69p|b=ssվ^wX35K쓭/¦>ga3f^*B8DCw_aɡ1zI=v?Jk>jWJ==vu'а-!i7IղVJZ8~O+aq@s1|1̈ɪ"+uW9 8]V*J0X^&(d@#غ̏|'C7"i\ x+M!'\HHtb؎UYmRph 0lyN؛Nx@ ?oq;Xrj-$2>gˉ]<| ŝC+7fLA݆j/)c+FUݷp\';]gP&M;,T~f.gmcb:rߣ^W'C B~22VHg'^bԽtPL$pgB-k˻!>BPe!#˦':h~ snw\AaƘS{DMIC&qCWD`|,"g9IRhe.Y?0<cCPСt)': &I pge_Lw}n3-&7Ɲg1{/ p}3 #SubL!I ЎI[D|n+r-{vs&oF"g}#oavf͘%]R/# x^;Hm@,q?g>ibr]6M b ه%?^03dq{ ϮlNԄQmrH*_l x$,)Rvא$q.Nip@y0r]5srCė%BaL:LĞ =gߞRsY D֣cq:4%XbFlwN[Q%^ lM]5n]{.ۃ[ rȟ0`wv U ^{3D3$(z<@SW++*55qn:F߭Uh#MXB㙸z򼮉D Y8[^V"?ԫz)LJ)@b݊ΥrvM }c*u ^ba?0z!$K0VT^6pa#, |w,Gwfgs% #]ϠbO_w?vԷeŎ&M5-®c)HpiEȤIG, ;"%3mPmq,%O\ %{6`DRw}F0I'.}Nu;J'"O j7;1Te]ZaiѶY ZQ/~l(#k 'L,>>d[P0Ry4 *>`HA1<;Z~q*F2N_v{[/ৢ``WEY@G6AF|LoA(7(Na2)1D'`E_2~%L=-\/ <O]E Ta1e76K-Pϰl\3Ca : ";FU$]Vs/uOׂ}QdzFa|d[t-kGz§!ЮT)v#ʕ.Sbܞ?CƗa҇fF/_X ($LM 8u PѺN" a|"AЧn-/$9@ R2=֏*ufel6r) XGڦFmQ`WAib=y꾉=ve+{B760* <mo+@>{~w)Ǹ 02czwY?קg[K Ӷcd&'XI@ IKl"/Mn4Mb5"[ݑ'^IYdž gRv؃5E,@a+5ZBOsP+0RO |-\`s{X\e,8LDxZ]H,`!F,ӊ`v"VTHKLΡnbqQ!eVF7"5P!yXD]n-n_B@: 5εCg>+ } ݗ{ >ŗ$NSX`0X :+7K+B Sqk>]tV+Z_̅w5ڗ݋Oܥ|;hyt(ډ3Jebqx'ɾtߟd.z7 X7uO~ypu*EmEMBݜv T>V}zڽz.u+ߴkF5<#Dg˳̦UZ$4)zҢpL岞4rջ{7r^–mJHU&s.cKM՗