Zotob Worms Target Windows 2000 Hole

Code attacks through Plug and Play hole that Microsoft addressed last week with a patch.

Less than a week after Microsoft patched a critical hole in a common Windows service, a new worm is circulating that exploits the hole in unpatched Windows 2000 systems and uses it to proliferate.

Two new variants of the worm, "Zotob.A," and "Zotob.B" appeared on Saturday and use code released on the Internet last week for attacking a hole Microsoft patched on Aug. 9 in the Windows Plug and Play service.

However, the new Zotob worm is not as virulent as close relatives such as Sasser and Blaster. The bigger threat may come from stealthier programs, known as "bots," which are using the newly disclosed Windows hole to gain access to unpatched systems, according to Mikko Hyppænen, manager of antivirus research at F-Secure Corp. of Helsinki, Finland.

F-Secure rated the Zotob worm variants a "level 2" threat, the companys second highest designation for viruses. However, Symantec Corp. and McAfee Inc. both rated the worm a "low" threat Monday.

The security hole affects the Windows Plug and Play (PnP) service, a common component that allows the operating system to detect new hardware on a Windows system. For example, when Windows users plug in a new keyboard or mouse, PnP detects it and allows Windows to load the software, or "drivers," that are needed to use the hardware on Windows.

A buffer overflow in PnP could allow a remote attacker to take complete control of Windows 2000 systems, installing their own programs and viewing, changing or copying data from the computers hard drive.

Microsoft issued a fix for the PnP hole, MS05-039, which the company rated "critical" with the monthly patches for August on Tuesday.

Code to exploit the hole, attributed to a group named "houseofdabus," appeared on a well-known security Web site on Wednesday. By late Saturday, somebody had cobbled that exploit code to freely available worm replication code and created Zotob.A, said Hyppænen. "Theres not a lot of new code here," he said.

The houseofdabus exploit code used by the worm can only be used to remotely attack unpatched Windows 2000 systems. An attacker would need to be able to log in to a vulnerable system using a user or administrator account to remotely exploit Windows XP or Windows Server 2003 systems, which lessens the impact of the exploit, Hyppænen said.

The worm looks for systems that have communications port 445 open then sends the attack code to the computer using that port. Once the worm has compromised a system, it installs a shell program that downloads and installs the full worm code, named haha.exe, using FTP (File Transfer Protocol.)

The exploit code for Zotob was written by the same individual or group that crafted the exploit code used in the Sasser worm. As with that worm, the exploit causes infected machines to reboot unexpectedly, which could tip off victims, Hyppænen said.

/zimages/4/28571.gifAOL, Microsoft recycle spammer loot. Click here to read more.

F-Secure collected some Zotob samples from the Internet on Sunday, but the new worm is not spreading quickly. However, organizations with a lot of Windows 2000 systems could be vulnerable, especially if an infected Windows 2000 system connects to such a network behind the corporate firewall, Hyppænen said.

Bots and other low-profile attack programs may be a bigger threat to enterprises than the Zotob worm is. F-Secure researchers have already detected traffic from variants of a large family of remote control "bot" programs called "Sdbot" that indicate the PnP exploit has been added to the pre-packaged exploits those programs use to gain access to victim machines, he said.

On Sunday, iDefense Inc., a security research company, said that it had discovered a new tool to automate exploitation of the PnP vulnerability, which it named Copa.A. The tool, which uses Visual Basic script, allows malicious hackers to automate exploitation of vulnerable Windows systems, given a list of valid IP addresses and the PnP exploit code, according to an iDefense e-mail statement.

The PnP vulnerability was discovered by a researcher at Internet Security Systems Inc. and reported to Microsoft. It is just the latest evidence of security holes in the code Windows uses to load third-party hardware and peripheral devices.

In July, SPI Dynamics Inc. reported buffer overflow vulnerabilities to Microsoft that could enable an attacker to circumvent Windows security and gain administrative access to the machine.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.