Zotob Worm Hits CNN and Goes Global
securitas writes "The Zotob MS05-039 worm mentioned on Slashdot last Sunday may be the most recent virus that has gone global, hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others. The virus is spreading around the world rapidly as compromised systems become bots and propagate the worm, with reported outbreaks in Germany and China. InformationWeek has a decent article titled Zotob Proves Patching "Window" Non-Existent. Microsoft calls it a "low impact" threat and tells you What you should know about Zotob. Symantec has W32.Zotob.D removal instructions. Trend Micro thinks that this is a new, different worm altogether and says it is one of the fastest-spreading infections in history."
Is your computer infected? (Score:5, Funny)
Re:Is your computer infected? (Score:4, Insightful)
If OS is Windows 95, No
If OS is Windows 98, No
If OS is Windows ME, No
If OS is Windows XP, No
If OS is up to date with security patches, no
Or just to make it easier
If ((OS != Windows 2000)&&(System.HasAllTheSecurityUpdates != True))
Then Could be.
Re:Is your computer infected? (Score:3, Informative)
If ((OS == Windows 2000)&&(System.HasAllTheSecurityUpdates != True))
Then Could be.
Re:Is your computer infected? (Score:4, Informative)
HKLM\System\CurrentControlSet\Control\LSA\Restric
There are some applications that will set this value at install time, so don't be confident you won't get hit because you are running Windows XP.
Re:Is your computer infected? (Score:3, Informative)
I've not verified this, but I don't have any reason to doubt it.
Re:Is your computer infected? (Score:4, Interesting)
Well, generally speaking it looks like that's not really a bad thing to do in this case. Check out the Symantec Security Response page (link in TFSummary), all it appears to do is remove spyware applications from the filesystem and their startup keys in the registry. Oh noes!!11!one!!
"gray-hat" worm?
Re:Is your computer infected? (Score:2, Informative)
According to Microsoft [microsoft.com], apparently not.
Re:Is your computer infected? (Score:5, Funny)
According to TFA's apparently not.
This just in: Windows 2000 is a variant of Windows. Pictures at 11.
SANS/ISC's take on the CNN infection (Score:5, Informative)
The Internet Storm Center's take [sans.org] on this is also interesting. As far as they can tell, the infection at the three news outlets is more-or-less isolated:
Re:SANS/ISC's take on the CNN infection (Score:4, Funny)
Fastest spreading ever? Probably not. (Score:5, Informative)
People tend to panic when all the PCs around them are crashing every few minutes instead of every few hours or days like normal (depending on patch level and usage pattern). The first assumption they tend to make is that the crashing computers were infected, but in this case that doesn't seem to be happening. A different worm on a different day, of course, might very well crash them after a successful infection, rather than before, so best not to get too cozy because of a small bit of luck.
It hasn't received much publicity, but if you're a network administrator battling this problem, you may have trouble patching your systems because they crash too quickly. You might want to disable NULL sessions [brown.edu] on the Windows 2000 systems which haven't been patched yet. It appears that this will prevent an infection of an unpatched Windows 2000 system, allowing you more time to patch. (Patches being larger and the systems not staying up long enough to distribute a large package and whatnot.) I haven't yet been able to determine if the UPnP vulnerability could be exploited with NULL sessions disabled, but apparently the current crop of worms and bots all rely on it.
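The "disable NULL sessions" stopgap above is done in the registry by hand in the post's linked instructions. The script below is an added example, not the poster's procedure or Microsoft's tooling: it audits the LSA `RestrictAnonymous` value across a host, records which pipes and shares the server service still exposes anonymously, and only changes the value when run with `-Apply`. The value name, its 0/1/2 semantics and the `LanmanServer\Parameters` lists are the documented Windows ones, not taken from the page; PowerShell on the target is an assumption (the post is about Windows 2000, where this would have been a regedit change).

```powershell
# Added example (not from the post): audit / set the LSA RestrictAnonymous value that
# governs anonymous ("null") sessions. Run with -Apply to change it, -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Documented meanings: 0 = rely on default permissions, 1 = no anonymous enumeration
    # of accounts and shares, 2 = no access without explicit anonymous permissions.
    # 2 is the "null sessions off" setting and the one most likely to break domain
    # browsing or trusts on old systems, so pilot it on a few machines before pushing it.
    [ValidateSet(0, 1, 2)]
    [int] $Desired = 2,
    [switch] $Apply
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# A missing value behaves like 0.
$lsa     = Get-ItemProperty -Path $lsaKey -ErrorAction Stop
$current = if ($null -ne $lsa.RestrictAnonymous) { [int] $lsa.RestrictAnonymous } else { 0 }

# Pipes and shares that remain reachable anonymously even when the value is raised;
# worth recording so that any later exception can be explained.
$srv = Get-ItemProperty -Path $srvKey -ErrorAction SilentlyContinue

$state = [pscustomobject]@{
    Host              = $env:COMPUTERNAME
    RestrictAnonymous = $current
    Compliant         = ($current -ge $Desired)
    NullSessionPipes  = @($srv.NullSessionPipes)  -join ';'
    NullSessionShares = @($srv.NullSessionShares) -join ';'
}
$state | Format-List

if ($Apply -and -not $state.Compliant) {
    if ($PSCmdlet.ShouldProcess("$lsaKey\RestrictAnonymous", "set to $Desired (was $current)")) {
        Set-ItemProperty -Path $lsaKey -Name RestrictAnonymous -Value $Desired -Type DWord
        Write-Warning 'Restart the computer for the change to take full effect.'
    }
}
```

Run it without switches from a management host (or via your software distribution tool) to get an inventory of where the value actually stands before the emergency change; the `Compliant` field is what you would feed back into the patch-tracking spreadsheet the poster's situation implies.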
Notebooks and viruses at my work (Score:5, Funny)
After class the computer goes back in the bag for a month, as he has a desktop in his office. The virus hibernates....
Our IT folks must love this..
Re:SANS/ISC's take on the CNN infection (Score:4, Funny)
MS says.. (Score:5, Insightful)
Re:MS says.. (Score:3, Insightful)
I don't run vulnerable versions of the Linux kernel either, do you?
Re:MS says.. (Score:5, Insightful)
Re:MS says.. (Score:4, Insightful)
Re:MS says.. (Score:3, Insightful)
I think the same can be said of many Windows 2000 users, who may not like a lot of the interface changes made to XP (and, yes, that goes beyond the Luna theme, which I realize is merely a default). Of course, as others noted
Win2k users, like banks, trusts, securities firms (Score:3, Insightful)
As much as they would like very much to have a stable OS (OS X, Linux, BSD. any stable OS, dag nabbit,) they have developed software on their own for their own purposes (Microsoft doesn't make everything, ya kno',) and their budgets don't allow for the kinds of redeployment costs associated with a new OS or even a new version of an old OS. (The roll out costs to Microsoft's clients dwarfs the cost of the OS. If only it wasn't a POS.)
I was working at a client's who were
Re:MS says.. (Score:2, Informative)
Microsoft has released patches for this that cover Windows XP as well as 2000 and 2003:
http://www.microsoft.com/technet/security/bulleti
Re:MS says.. (Score:5, Informative)
Re:MS says.. (Score:4, Informative)
Re:RTFM (Score:3, Informative)
Comment removed (Score:5, Funny)
Re:MS says.. (Score:3, Funny)
Re:MS says.. (Score:4, Funny)
Heil Webster!
Re:MS says.. (Score:3, Insightful)
If Zotob isn't infecting Windows XP, it's because of a failure of the authors to account for portability. Some later author could potentially fix this.
As always, it's recommended to patch your Operating System after a critical security patch. So, take the breather that you have if you're using Windows XP, to go out and patch the vulnerability out of your Windows XP box.
(opinions expressed are my own.)
All of a sudden (Score:5, Insightful)
Re:All of a sudden (Score:2)
They've usually reported on worms in the past.
What's different in this case is that they explicitly said it affects Microsoft systems. In the past, they would usually (but not always) say, "there's a new virus going around and every computer in the world is vulnerable." I would complain to them about not specifying the OS, comparing it to reporting on a new safety flaw in cars without naming the make and model.
Re:All of a sudden (Score:5, Funny)
Re:All of a sudden (Score:5, Insightful)
there was a 7.2 earthquake in Japan yesterday (Score:3, Insightful)
I'm not really surprised, just sad. Celebrities hold more interest in the US than most other news stories, and forget international news, unless it involves (some of the many) ongoing wars.
A sober second opinion... (Score:5, Informative)
As reported by Slashdot [slashdot.org] t'other day, they raised their threat level from Green to Yellow. They explain why they moved back to Green:
*Moderate* severity (Score:3, Interesting)
Or code Bert...
And Symantec says "Medium" (Score:2)
Instant karma's gonna get you (Score:5, Funny)
Hm, must be a Karl Rove plant.
Or else it's just another victory in the GWOT?
Typical liberals (Score:3, Funny)
NYT/CNN/ABC: "Yawn. We don't see any worms. Stop trying to scare us. It's acceptable to lose a few LANs so we don't have our right to pr0n infringed, or something."
Today: Worm hits.
NYT/CNN/ABC: "It's Karl Rove's fault!"
FOX: "Our networks are fine. Who's the dumbass now?"
Microsoft: "Good thing people too stupid to run Windows Update are also too stupid to run Linux."
Of course this is more important than... (Score:4, Insightful)
I doubt it - yet it's front page on CNN.COM...
I wonder... (Score:5, Interesting)
Re:I wonder... (Score:5, Funny)
Those wild and crazy mac rioters [wwbt.com]
Not enough! (Score:2)
Impact (Score:2)
"Low impact" in the sense of how low you would be if a meteorite impacted you crown-first.
Re:Impact (Score:3, Informative)
Then again, they don't hire people based on their qualifications; multiplying any estimated repair time by ~10 and you come close to the actual down-time in our facility.
Cue wild speculation (Score:3, Interesting)
Media worm hype really sucks, is my point.
What I found amusing today were the two alert emails in my inbox. The first one was a warning about the new Acrobat flaw [which makes it a requirement to install a bad version of Acrobat, and then patch it *3* times to fix it!]. The next email was one about this Zotob worm spreading through the PnP ethernet bug in Windows 2000 - but the information came via a
Payload (Score:5, Funny)
Downloading and executing files
Making queries to www.google.com
Making queries to google? Sounds like a very round-about way to search google. What is the purpose of this?
Re:Payload (Score:5, Funny)
Re:Payload (Score:2, Redundant)
Maybe they're from china or australia and it's the only way they can get uncensored searches.
Re:Payload (Score:3, Insightful)
Re:Payload (Score:3, Insightful)
It's only news because it hit CNN... (Score:2)
"CNN is heavily covering an outbreak of a worm in its own network. They are reporting that ABCNews and NYTimes are hit as well. All statements so far make this look like a Zotob variant, even though this variant appears to reboot the system. (Zotob.d ?).
Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point. Zotob keeps mutating and finding new victims. As seen with prior
FUD? (Score:2)
Microsoft says this virus has medium impact, not low as the submitter says. Is the submitter perhaps spreading some FUD of his own or did MS upgrade the threat?
Re:FUD? (Score:2)
Re:FUD? (Score:3, Funny)
From: W32.Zotob.D (Score:2)
Apple user says... (Score:3, Funny)
Re:Apple user says... (Score:2)
Re:Apple user says... (Score:3, Informative)
You think they do it for fun???? No.. it's to avoid OSX exploits.
Symantec link is wrong (Score:5, Informative)
The executable in this particular instance is "wintbp.exe". I thought at first it might be a randomly-named executable, but all 100+ systems I'm manually disinfecting at the moment have the same executable. It tries to connect to other systems via port 445, aka the "Magic Windoze Port"(tm).
Apparently all it's doing is rebooting systems, but I haven't done any kind of a postmortem so don't know. I haven't detected any other connection attempts either inside or outside.
Manual disinfection means disconnecting your NIC and then using regedit to delete this value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur
You must then reboot the machine to disable the executable which is:
C:\%systemroot%\System32\wintbp.exe.
Good luck. I'm glad my own systems are Linux....
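The manual disinfection steps above (pull the NIC, delete the autorun value in regedit, reboot, then the file is gone) are the kind of thing you end up doing a hundred times during an outbreak. The script below is an added example, not the poster's procedure and not a vendor removal tool: it reports whether the `wintbp.exe` artifact named in the post is present, referenced from an autorun key, or running, and with `-Remove` carries out the same three steps in the same order. Assumptions not on the page: the truncated registry key in the post is taken to be the standard `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (plus `RunOnce` and the HKCU equivalents), the file lives under `%SystemRoot%\System32`, and PowerShell 4 or later is available (`Get-FileHash`). Unplugging the network is still a manual step.

```powershell
# Added example (not the poster's own procedure): triage and optionally clean up the
# wintbp.exe artifact. Default is report-only; -Remove acts, -WhatIf previews the actions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $Artifact = 'wintbp.exe',   # file name reported in the post
    [switch] $Remove
)

# Autorun locations checked; the post's key is truncated, so Run/RunOnce are assumed.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Autorun values whose data mentions the artifact.
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }             # PowerShell's own metadata
        if ("$($p.Value)" -like "*$Artifact*") {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Data = $p.Value }
        }
    }
}

# 2. The executable itself (%SystemRoot% already includes the drive letter).
$path = Join-Path $env:SystemRoot "System32\$Artifact"
$file = if (Test-Path $path) { Get-Item $path } else { $null }

# 3. A running instance, looked up by image name without extension.
$procName = [System.IO.Path]::GetFileNameWithoutExtension($Artifact)
$procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)

# Report first, whatever mode we are in, so the IR record exists before anything is deleted.
[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    FilePresent = [bool] $file
    FileSize    = if ($file) { $file.Length } else { $null }
    FileSha256  = if ($file) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { $null }
    Running     = $procs.Count
    Autoruns    = $autoruns
} | Format-List

if (-not $Remove) { return }

# Same order as the manual procedure: stop it, drop the autorun value, then the file.
foreach ($p in $procs) {
    if ($PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) { Stop-Process -Id $p.Id -Force }
}
foreach ($a in $autoruns) {
    if ($PSCmdlet.ShouldProcess("$($a.Key)\$($a.Name)", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $a.Key -Name $a.Name
    }
}
if ($file -and $PSCmdlet.ShouldProcess($path, 'Remove-Item')) {
    try   { Remove-Item -Path $path -Force -ErrorAction Stop }
    catch { Write-Warning "Could not delete $path ($_); reboot with the NIC unplugged and rerun." }
}
```

The hash and size are captured before removal so that machines cleaned by hand can later be matched against whatever the AV vendor publishes; the warning path covers the case the poster hit, where the image is still locked and only the reboot finishes the job.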
Re:Symantec link is wrong (Score:5, Informative)
Re:Symantec link is wrong (Score:2)
Thanks for the clarification. I'm hit with the RBOT. Unfortunately, my company is partnered with Symantec so there's nothing at all I can do to change the antivirus our Windoze users run.
XM, internet time, and worm threats (Score:2, Informative)
Anyway, they kept saying only windows 2000 was affected, but the patch was for pnp on 2000/xp/2003. In a later report CNN did mention it might affect XP too.
This makes me wonder how seriously people (BHPs, IT guys, FireWall guys, etc) take worms. Where I work we have many FWs, push patches very of
AOL Call Centers (Score:2, Interesting)
Re:AOL Call Centers (Score:5, Funny)
I'm glad you found one of the few that is working so you could post to Slashdot.
I have to ask (Score:5, Insightful)
Re:I have to ask (Score:2)
> dollars in revenue is still running unpatched
> windows 2000 computers.
To that, I have to ask: What reason is there to run Windows XP, when you have perfectly valid licensed copies of Windows 2000?
I've not yet seen any valid need for running Windows XP, nor spending the money and time to "upgrade". What's the motivation to switch?
Ryan Fenton
Re:I have to ask (Score:2)
A better question to ask would be: Why do companies like CNN and ABC spend billions on Microsoft software when that use repeatedly results in global network-crushing superworms?
Windows directory worm (Score:2)
On the bright side, Linux and OSX operating system market shares would skyrocket.
I think the reason..... (Score:4, Interesting)
Re:I think the reason..... (Score:2)
Despite the fact that Microsoft has released a patch for Windows 2000 to plug the hole that the worms are exploiting.
It's the companies fault for not having patched. Microsoft released them as critical updates, and that they needed to be installed.
Also, Microsoft has Windows Server 2003, which is generally going to be a much better upgrade choice from 2000, than XP.
(Opinions expressed are my own.)
CNN, ABC, the New York Times (Score:5, Funny)
It was all at Capitol Hill (Score:2, Informative)
MS Windows Update Validation? (Score:3, Interesting)
Re:MS Windows Update Validation? (Score:2)
Re:MS Windows Update Validation? (Score:2)
Re:MS Windows Update Validation? (Score:3, Insightful)
Of course, don't forget the words in bold. I've had to validate my Windows XP box twice without changing any hardware. Fortunately my Linux boxes don't need any stinking validation to update via yum.
We need to re-think patching. (Score:4, Informative)
The answer is that Microsoft security patches have a reputation for causing things to break. Why this happens, I don't know -- Microsoft certainly has the resources necessary to test their patches before releasing them -- but for whatever reason, patches from Microsoft have developed that reputation. As a result, administrators of large networks have learned to not apply security patches immediately to all systems, but instead to test them on a few machines for some time first -- exactly the same way as other patches are handled.
The decreasing window between patch publication and widely distributed exploit code means that this approach simply doesn't work any more. Security patches must be applied to all affected systems immediately. Don't stop to test them; just apply the patches and reboot if necessary.
Of course, this means that vendors need to do a good job of testing security fixes before releasing them. I'm proud of the fact that in my time on the FreeBSD security team, we have never released a security patch which has caused new problems. While we don't officially recommend this, I know several people who have their systems automatically download and install FreeBSD security patches -- because they trust us to make sure that our security patches will never break anything.
After all... if you can't trust the security team of the operating system you're running, why are you running that operating system?
Re:We need to re-think patching. (Score:3, Insightful)
While you and I might agree that MS should stop developing Microsoft Office (which depends on undefined behavior, i.e. undocumented system calls) there are people dependent on Word and Excel for their daily work who would disagree.
Odd (Score:2)
When I try to read the informationweek article, my browser locks up and gives an SSL error (Error code: -12281). I'm running the latest FF and Slackware 10.
Anybody else having any problems with the article
From CNN's email updates: (Score:2)
States.
And that's IT. Ironically, I'm posting this from a Win2k machine. Sorry, all.
left out again (Score:2)
when are non-windows users going to get in on the fun?
or is the fun actually in watching the knuckleheads fix their boxes, share their stories, re-infect each other, etc?
What you should remember (Score:2)
In this case Microsoft have really done everything any vendor can ever do in this kind of situation. They got the patch out there be
It's not really that bad.. (Score:2, Interesting)
Kind of anyway:
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html [symantec.com]
Searches for the following files and folders to delete the files and the contents of folders:
%SYSTEM%\pnpsrv.exe
%SYSTEM%\winpnp.exe
%SYSTEM%\csm.exe
%SYSTEM%\botzor.exe
%PROGRAMFILES%\MyWebSearch
%PROGRAMFILES%\MyWebSearch\*.exe
%PROGRAMFILES%\Hotbar
%PROGRAMFILES%\Hotbar\*.exe
%PROGRAMFILES%\MyWay
%PROGRAMFILES%\MyWay\*.exe
%PROGRA
Is it just me... (Score:5, Interesting)
Previously (well, like early-mid 90s) when a site got hacked or a virus was running rampant, there was usually some sort of political message along with it, like a US Gov website getting hacked by a Mexican / Chinese hacker group that would deface the main index.html to say 'oh these people are doing some bad shit, now we're going to tell you what it is since they won't'
Notice you don't see that anymore? Like, ever? The new world of commonly noticed 'hackers' seems to be a world of mostly spyware / virus infections targeted at data mining and reselling the information gathered to advertisers. Now, with that in mind, from Symantec's description of what the worm does, look at the following:
Ever heard of a virus removing spyware for you? What reasons can we think of for a worm to do this? The one that comes to my mind seems far fetched, but assume that the spyware being removed by this virus was engineered by competitors to whoever made this virus. So maybe now we will see turf battles over drone zombified boxen? What other reasons can the
It ain't a white-hat worm, I'm pretty sure (Score:3, Interesting)
But having just spent an all-nighter in the office cleaning up the B variant, this new D doesn't do nearly enough to actually fix the damage.
What really pisses me off about Windows, is that this worm somehow has enough permissions to delete other worms in %SYSTEM%, but I, as an Administrator, don't.
Microsoft: please, for the love of god, imple
Re:It ain't a white-hat worm, I'm pretty sure (Score:3, Interesting)
SBC (Score:4, Interesting)
One of the SLOWEST spreading infections in history (Score:3)
Or perhaps the story summary is just making up stuff. The links provided have no quote from TM saying such silliness.
HAH! Looks like it cleans out spyware! (Score:5, Interesting)
# Searches for the following files and folders to delete the files and the contents of folders:
* %SYSTEM%\pnpsrv.exe
* %SYSTEM%\winpnp.exe
* %SYSTEM%\csm.exe
* %SYSTEM%\botzor.exe
* %PROGRAMFILES%\MyWebSearch
* %PROGRAMFILES%\MyWebSearch\*.exe
* %PROGRAMFILES%\Hotbar
* %PROGRAMFILES%\Hotbar\*.exe
* %PROGRAMFILES%\MyWay
* %PROGRAMFILES%\MyWay\*.exe
* %PROGRAMFILES%\180Solutions
* %PROGRAMFILES%\180Solutions\*.exe
* %PROGRAMFILES%\Common Files\WinTools
* %PROGRAMFILES%\Common Files\WinTools\*.exe
* %PROGRAMFILES%\Toolbar
* %PROGRAMFILES%\Toolbar\*.exe
* %PROGRAMFILES%\CxtPls
* %PROGRAMFILES%\NavExcel
* %PROGRAMFILES%\AutoUpdate
* %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
* %PROGRAMFILES%\EbatesMoeMoneyMaker
* %PROGRAMFILES%\eZula
* %PROGRAMFILES%\eZula\mmod.exe
* %PROGRAMFILES%\Common Files\GMT
* %PROGRAMFILES%\Common Files\GMT\GMT.exe
* %PROGRAMFILES%\Common Files\CMEII
Re:HAH! Looks like it cleans out spyware! (Score:3, Insightful)
That was my first thought too. Although it probably will end up to BE spyware that's just eliminating the competition.
the real news story is (Score:5, Insightful)
Honestly Zotob is a joke. I work IT for a major university that's 95% win 2k and xp, and so far we've had 0 zotob infections. I wouldn't be surprised if we eventually got 1 or 2 here and there with old boxes that aren't tied into the domain, but the vast majority of the workstations auto update themselves and hence this is a non issue for any properly run network.
Anti-annoyanceware virus? (Score:3, Interesting)
Too bad it also opens an FTP, IRC connection, and many others, but I do wonder if it's a variant on code originally intended to clean rather than infest?
I also quite like how MS directs you to complain to the Internet Fraud Complaint Center Web site [ifccfbi.gov], I'm sure they really appreciate all the extra phonecalls about infected operating systems...
LATE BREAKING NEWS on CNN Right Now (Score:5, Funny)
MS authored? (Score:4, Insightful)
Clearly, MS is implying the solution is to upgrade to XP. From their site: If you are using any supported version of Windows other than Windows 2000, you are not at risk from Zotob and its variants.
How convenient! Really, why do I think the first answer to Bill's brainstorming marketing session on "How do we get people to move off 2000?" was some smart-ass saying "Well, we could always write a virus or worm for it."
After all, any notion of "irreparable harm" from security threats has vanished in the onslaught on the Windows hegemony. One little, "not so bad" worm wouldn't really hurt the Windows reputation any more than it already has been, and it sure would be a nice kick-in-the-pants for those businesses sitting on the 2000 fence.
Just saying^H^H^H^H^H^Hpostulating.
Comment removed (Score:3, Insightful)
FUD alert.... (Score:3, Interesting)
Seeing as Microsoft stopped supporting Windows 2000, wouldn't this seem like a nice coincidental way of "encouraging" users to upgrade to Windows XP??
Of course, one could always go to a pirated version of XP... Why pay for a simple security upgrade, after all?
Removes spyware? (Score:3, Interesting)
Re:Removes spyware? (Score:5, Insightful)
All these worms are written by spammers who want to turn the machines into zombied SMTP servers. They want to disable other exploitive processes.
If all major ISPs filtered port 25 traffic (like AOL does) from anyplace other than their in-house SMTP gateways, you'd see worm activity drop to almost nothing. It's all about spamming. And the feds don't seem to care. Sooner or later, the major broadband providers will act responsibly and stop their clients from becoming spam zombies, then there won't be much of a need for these worms to be released. That's what they're all about: spamming.
Really good advice (Score:5, Funny)
Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site.
Ummm...
"Hello, FBI? Yeah, hi. This is Pat. Listen, I've noticed my computer has been running a little slow lately. Yeah, more so than usual... Well, I heard about this new worm virus on the news... Yeah, I know I should run a virus scanner... Yes, I'm aware that the FBI does not troubleshoot and provide support for PCs... No, I don't expect you to launch a huge investigation because I suspect I *might* have been infected... Of course I'm aware that even if I was infected, there's really nothing the FBI can do about my particular case. . . . What do you mean 'Why am I calling you'?? Microsoft said I should!!"
Re:I feel left out (Score:2, Funny)
I've come up with an awareness slogan to help us remedy the situation: "It's not the applications, it's the infections."
Re:Zotob proves patching of "Windows" nonexistent (Score:2, Funny)