
By Ryan Naraine  |  Posted 2005-08-26

By midday, senior executives including Microsoft Chairman Bill Gates and CEO Steve Ballmer were notified. The "Executive e-mail" is a key part of the response process, and it includes the use of a very specific, high-priority subject line to make sure the mail is read by the senior executives.

The security advisory that was first issued to warn of the attack was updated to confirm an attack was under way. Toulouse himself placed a warning on the MSRC Blog. A stand-alone Zotob incident page was created while Microsoft's virus encyclopedia was updated to reflect the new threat.

"The stand-alone incident page is important," he said. "Once the word got out that an attack was under way, we need to have specific instructions to help people understand what was going on and how they could protect themselves. If someone got infected, they could find help to clean up."

Banner headlines were placed on the front page of The warning was duplicated on the company's security portal and on the Windows 2000 product page. E-mail blasts were sent with links to the incident page, patch download locations and other mitigation guidance.

Zotob was still a very low threat but, with businesses opening for work Monday, there was a likelihood that things would escalate.

"Although infection rates are low, it doesn't mean it's not a bad situation," Toulouse said. "We want to make sure, not only are we providing information to make sure customers aren't impacted, but to make sure they know how to get back to an operational state."

By Monday morning, the variants started squirming, refining the original Zotob code to get around anti-virus detections. The internal investigation team was back at work, analyzing the code, rushing to keep up with the virus writers.

By Monday evening, the virus encyclopedia was updated to add entries for Zotob.C and Zotob.C. "They [the virus writers] were changing the executables and changing the way they scanned for networks. As we find the new variants, we're updating the stand-alone incident page," Toulouse said.
