Fast-Moving Worms Slam Media, Enterprise Networks

Security firms detect at least 11 variants of worm targeted at Windows 2000 Plug and Play vulnerability.

A gang of new, fast-moving Internet worms spread quickly across the Internet on Tuesday and Wednesday, using a recently disclosed hole in Windows systems to infect computers at leading organizations, including the New York Times and Cornell University.

At least 11 different kinds of malicious software have been identified that exploit a hole Microsoft patched on Aug. 9 in the Windows Plug and Play service, including five variants of an Internet worm called "Zotob" and new versions of malicious programs called IRCbot, Bozori, and SDbot, according to F-Secure, an antivirus software firm in Helsinki, Finland.

The new malicious code, which includes worms and remote control programs called "bots," is believed to be responsible for computer woes at CNN and ABC, according to published reports. The outbreaks call attention to the vulnerability of corporate networks, which are heavy users of Windows but cannot deploy software patches quickly enough to prevent infections, experts agree.

The new malicious programs all rely on code to exploit a hole in the Windows Plug and Play (PnP) service, a common component that allows the operating system to detect new hardware on a Windows system.

Microsoft issued a fix for the PnP hole, designated MS05-039 and rated "critical" by the company, as part of its monthly patches for August on Tuesday, Aug. 9.

The next day, code to exploit the hole on Windows 2000 systems appeared on a well-known security Web site. By late Saturday, somebody had bolted that exploit code onto freely available worm replication code and created Zotob.A, said Mikko Hyppönen, manager of antivirus research at F-Secure.

The picture darkened late Monday and on Tuesday, as more malicious programs joined the hunt for vulnerable Windows systems.

In Redmond, Microsoft mobilized its emergency response team and has been issuing guidance to its customers that have been hit by the malicious programs. The company is also working with law enforcement to look into the source of the attacks, according to a company spokeswoman.

An unknown number of Windows systems at the headquarters of the New York Times, in New York, were hit with a virus Tuesday afternoon, causing computers to reboot and disrupting work across the company, including in the newsroom, according to Catherine Mathis, a spokeswoman for the company.

Around 3,000 people work in the company's headquarters, and infections were sporadic throughout the building, Mathis said. However, production of the paper was not affected, and information technology staff at the Times removed the infections by patching affected computers late Tuesday, Mathis said.

The Internet Storm Center has seen evidence of infections at a number of enterprises, universities and local governments, but fewer infections among home users, who own the bulk of the computers connected to the Internet, said Johannes Ullrich of the SANS Institute's Internet Storm Center.

Microsoft claims that only Windows 2000 systems are affected by the outbreak—a contention that other security experts dispute.

Researchers at Computer Associates International Inc. have seen infections of Windows NT, Windows XP and other Windows versions by a program the company named TPBot.A, said Stefana Ribaudo, a product manager in CA's threat management group.

At Cornell University in Ithaca, N.Y., administrators were hit with variants of IRCbot on Monday. New versions of the ubiquitous remote control program, also known as SDbot, have adopted the PnP exploit and are being used to attack machines running Windows 2000, Windows XP and other versions of the operating system, said Stephen Schuster, director of IT security at Cornell.

New infections at Cornell have stopped, but the staff there is rushing to clean up infected systems before students begin returning at the end of this week, Schuster said.

"We got hit hard, but we're on top of it," he said.

The spike in infections may be due to a slight modification in the latest Zotob variant, Zotob.E, which allowed it to target a number of corporate networks that earlier versions overlooked, according to Johannes Ullrich of the SANS Institute's Internet Storm Center.

The unusual number of news organizations hit may have been due to a Zotob variant, Zotob.C, that spread over e-mail and disguised the worm file as a picture attachment. One or more reporters used to receiving photos via e-mail may have been the source of the infection, which then spread to vulnerable machines on the corporate networks of those companies, and through stolen e-mail contacts to other news organizations, according to an e-mail from Alan Paller, director of research at SANS.

The PnP vulnerability and its public exploit have created a land rush among malicious code writers, whose creations are now competing for vulnerable machines.


F-Secure researchers have evidence that variants of IRCBot and Bozori are deleting variants of Zotob and other bots.

Ullrich of the Internet Storm Center watched 10 different worms and bots fight each other to infect a "honey pot" decoy system that ISC uses to collect samples of malicious code.

"There are so many different variants, it's getting hard to categorize them and see what's going on," he said.

The small window of time between the release of Microsoft's patch on Aug. 9 and the first appearance of a worm exploiting one of the patched holes put IT administrators in a difficult position.

"It's tough with that short a turnaround, and with our distributed support structure on campus," Schuster said.

Microsoft is telling customers to apply the critical Microsoft patch that fixes the PnP vulnerability as soon as possible.

Antivirus software companies also recommend patching vulnerable systems and say that customers should do frequent antivirus signature updates in the coming days to make sure they have up-to-date protection for the latest variants.
