Zotob Worm Could Squirm on Windows XP

 
 
By Ryan Naraine  |  Posted 2005-08-24
 
 
 

Microsoft late Tuesday warned that the Zotob worm could start squirming through certain configurations of Windows XP SP1 (Service Pack 1).

The worm, which squirms through a flaw in the Windows PnP (Plug and Play) service, has wreaked havoc on unpatched Windows 2000 machines, but new information suggests some Windows XP users could also be at risk.

Late Tuesday, Microsoft Corp. issued a new advisory that confirmed the expanded threat and recommended that users implement workarounds to thwart a new worm outbreak.

Users of Windows XP SP2 are not vulnerable to remote attacks.

Microsoft also noted that the risk of infection on Windows XP SP1 systems remains low because the exploit will not affect default configurations of the operating system.

According to the advisory, a feature known as Simple File Sharing and ForceGuest must first be enabled to expose users to a potential Zotob exploit.

The new attack vector, which was discovered by Symantec Corp.s DeepSight Threat Analyst Team, manifests itself when the "Guest" account is both enabled and removed from the "Deny access to this computer from the network" entry in the "User Rights Assignment" Security Policy.

Read more here about the first wave of Zotob worm exploits.

"While performing further investigations into this vulnerability, weve been able to carry out anonymous remote exploitation against certain non-default configurations of Windows XP SP1. This can happen when Simple File and Print Sharing has been enabled, for example by sharing a folder or a printer with the local network," the DeepSight team warned in a note posted online.

"It is important to note that Simple File and Print Sharing is only available on Windows XP machines that are not part of a Windows Active Directory Domain. However, configuring a Windows XP SP1 host to share network resources prior to joining an Active Directory Domain will leave it in the vulnerable state even after the Domain is joined," the company warned.

Microsoft noted that there is no change to the MS05-039 bulletin that provides patches for the flaw, making it clear that the patches provide full protection to all affected versions of Windows.

Read more here about Microsofts updated worm removal tool.

The company also downplayed the severity of the new attack vector, noting that on Windows XP SP2, the impact is limited to privilege escalation and only exploitable if a user has the ability to log on locally to the system.

"Simple File Sharing is not available on Windows XP systems that are joined to a domain. Domain-joined systems use standard file sharing, which does not enable the Guest account or give it permissions to access the system through the network. Windows XP Service Pack 2 is not vulnerable remotely in domain-joined systems or in workgroup-joined systems," Microsoft said.

Workarounds:

Microsoft is recommending that Windows XP Pro customers that cannot disable the Guest account should change the default password on the Guest account.

This will require all systems on your network to provide this password to connect to each other.

"Configuring a password on the Guest account will help prevent these systems from becoming remotely vulnerable to issues that attempt to authenticate using the Guest account credentials," the company said.

Windows users should also consider blocking TCP ports 139 and 445 at the firewall.

"These ports are used to initiate a connection with the affected protocol. Blocking them at the firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability."

Microsoft has also shipped an update to its malware removal tool to detect and delete the Zotob worm family.

The update provides protection for 10 mutants to help with the cleanup process.

According to Finnish anti-virus vendor F-Secure Corp., at least three Zotob mutants and several IRC (Internet Relay Chat) bots have been squirming through unpatched Windows machines.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

Rocket Fuel