    Fast-Moving Worms Slam Media, Enterprise Networks

    By Paul F. Roberts - August 17, 2005

      A gang of new, fast-moving Internet worms spread quickly across the Internet on Tuesday and Wednesday, using a recently disclosed hole in Windows systems to infect computers belonging to leading companies, including the New York Times and Cornell University.

      At least 11 different kinds of malicious software have been identified that exploit a hole Microsoft patched on Aug. 9 in the Windows Plug and Play service, including five variants of an Internet worm called “Zotob” and new versions of malicious programs called IRCbot, Bozori, and SDbot, according to F-Secure, an antivirus software firm in Helsinki, Finland.

      The new malicious code, which includes worms and remote control programs called “bots,” is believed to be responsible for computer woes at CNN and ABC, according to published reports. The outbreaks call attention to the vulnerability of corporate networks, which are heavy users of Windows but cannot deploy software patches quickly enough to prevent infections, experts agree.

      The new malicious programs all rely on code to exploit a hole in the Windows Plug and Play (PnP) service, a common component that allows the operating system to detect new hardware on a Windows system.

      Microsoft issued a fix for the PnP hole, MS05-039, which the company rated “critical,” with the monthly patches for August on Tuesday, Aug. 9.

      The next day, code to exploit the hole in Windows 2000 systems appeared on a well-known security Web site. By late Saturday, somebody had cobbled that exploit code together with freely available worm replication code and created Zotob.A, said Mikko Hyppönen, manager of antivirus research at F-Secure.

      The picture darkened late Monday and on Tuesday, as more malicious programs joined the hunt for vulnerable Windows systems.

      In Redmond, Microsoft mobilized its emergency response team and has been issuing guidance to its customers that have been hit by the malicious programs. The company is also working with law enforcement to look into the source of the attacks, according to a company spokeswoman.

      An unknown number of Windows systems at the headquarters of the New York Times, in New York, were hit with a virus Tuesday afternoon, causing computers to reboot and disrupting work across the company, including in the newsroom, according to Catherine Mathis, a spokeswoman for the company.

      Around 3,000 people work in the company’s headquarters, and infections were sporadic throughout the building, Mathis said. However, production of the paper was not affected, and information technology staff at the Times removed the infections by patching affected computers late Tuesday, Mathis said.

      The Internet Storm Center has seen evidence of infections at a number of enterprises, universities and local governments, but fewer infections from home users who own the bulk of computers connected to the Internet, Ullrich said.

      Microsoft claims that only Windows 2000 systems are affected by the outbreak—a contention that other security experts dispute.

      Researchers at Computer Associates International Inc. have seen infections of Windows NT, Windows XP and other Windows versions from a program the company named TPBot.A, said Stefana Ribaudo, a product manager in CA’s threat management group.

      At Cornell University in Ithaca, N.Y., administrators got hit with variants of IRCbot on Monday. New versions of the ubiquitous remote control program, also known as SBot, have adopted the PnP exploit and are being used to attack machines running Windows 2000, Windows XP and other versions of the operating system, said Stephen Schuster, director of IT security at Cornell.

      New infections at Cornell have stopped, but the staff there is rushing to clean up infected systems before students begin returning at the end of this week, Schuster said.

      “We got hit hard, but we’re on top of it,” he said.

      The spike in infections may be due to a slight modification to the Zotob worm that appeared in the latest variant, Zotob.e, which allowed it to target a number of corporate networks that earlier versions overlooked, according to Johannes Ullrich, of the SANS Institute’s Internet Storm Center.

      The unusual number of news organizations hit may have been due to a Zotob variant, Zotob.C, that spread over e-mail and disguised the worm file as a picture attachment. One or more reporters used to receiving photos via e-mail may have been the source of the infection, which then spread to vulnerable machines on the corporate networks of those companies, and through stolen e-mail contacts to other news organizations, according to an e-mail from Alan Paller, director of research at SANS.

      The PnP vulnerability and exploit have created a land rush by malicious code writers, whose creations are now competing for vulnerable machines.

      F-Secure researchers have evidence that variants of IRCBot and Bozori are deleting variants of Zotob and other bots.

      Ullrich of the Internet Storm Center watched 10 different worms and bots fight each other to infect a “honey pot” decoy system that ISC uses to collect samples of malicious code.

      “There are so many different variants, it’s getting hard to categorize them and see what’s going on,” he said.

      The small window of time between the release of Microsoft’s patch on Aug. 9 and the first appearance of a worm to exploit one of the patched holes put IT administrators in a difficult position.

      “It’s tough with that short a turnaround, and with our distributed support structure on campus,” Schuster said.

      Microsoft is telling customers to apply the critical Microsoft patch that fixes the PnP vulnerability as soon as possible.

      Antivirus software companies also recommend patching vulnerable systems and say that customers should do frequent antivirus signature updates in the coming days to make sure they have up-to-date protection for the latest variants.
