Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Worms Security The Internet

ZOTOB Not Quite as Bad as Expected? 407

Posted by CmdrTaco from the only-wrecks-a-zillion-computers dept.
GuitarNeophyte writes "Although the worm hasn't been in the wild for very long, ZOTOB and its variants have already propagated on the internet. Many people have been giving reports that it poses risks of infection to almost all Windows Operating systems, but accorning to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "
This discussion has been archived. No new comments can be posted.

ZOTOB Not Quite as Bad as Expected? More

ZOTOB Not Quite as Bad as Expected?

Comments Filter:

  • not minimal (Score:5, Funny)

    by plarsen ( 579155 ) on Thursday August 18, 2005 @12:08PM (#13348208)
    It is not a minimal risk for a Windows XP system to get infected. Not after Microsoft have changed their Windows Update program. I have alot of friends struggling with properly secureing their pirated version of XP.
  • Is that like h4cking teh gibson?

  • Aren't all media reports of internet viruses (Score:5, Interesting)

    by Trigun ( 685027 ) <<xc.hta.eripmelive> <ta> <live>> on Thursday August 18, 2005 @12:08PM (#13348213)
    overblown? I think it all started at the Michaelangelo virus, where the media was telling everyone to turn their computer off on Mikey's birthday? It's gotten worse since then.
    • I find it good that media is reporting virus-incidents as topnews, since then common non-computer interested people will read it, and get some ideas that their systems at home needs protection. To many have no clue about AV and Firewalls and asume a system should run safe connected to the internet aslong as they don't download files from suspicious websites.

    • WAZZUP (Score:4, Funny)

      by mary_will_grow ( 466638 ) on Thursday August 18, 2005 @02:12PM (#13349436)
      anyone remember the Wazzup virus? It attacked MS Word and would randomly place the word "wazzup" in your document when you saved it or printed it. God it was beautiful. So many book reports with "wazzups" circled in red ink....

      People wazzup arent creative like that anymore.

  • I have yet to experience Zotob... (Score:3, Funny)

    by Anonymous Coward on Thursday August 18, 2005 @12:09PM (#13348218)
    Anybody got a torrent?

  • propigated (Score:3, Funny)

    by Anonymous Coward on Thursday August 18, 2005 @12:09PM (#13348220)
    Our language is a wonderful thing. Please stop using it.

  • Warzone (Score:2, Interesting)

    by databyss ( 586137 )
    From all that I've read on the news lately, it looks like the various variants are battle each other... so they may be keeping their own numbers down.

    • Re:Warzone (Score:3, Funny)

      by Avohir ( 889832 )
      yep. Some of them will target each other. if you open them up, they write insults to each other in their binaries too (half the time it's in russian though so translations come out pretty comical)

    • Re:Warzone (Score:2, Funny)

      by hattig ( 47930 )
      One day virii will sign up for Everquest or WoW accounts automatically, and fight each other there. One day you will be marvelling at your +10 Sword Of Damocles and a horde of frickin' Win32 virii will come along and kill you for it.

      Worse, though, is that normal people will notice the EQ or WoW icon on their desktop, and also get trapped in the game.

  • really... (Score:3, Informative)

    by Megor1 ( 621918 ) on Thursday August 18, 2005 @12:10PM (#13348228) Homepage
    It was just hyped big time by a few big media outlets. And really the patch was out, and you know Windows 2000 needs a firewall. I blame it more on crappy IT administration.

    • Patch available? (Score:5, Insightful)

      by Kelson ( 129150 ) * on Thursday August 18, 2005 @12:20PM (#13348330) Homepage Journal
      When was the last time a big Windows-based worm went around that didn't already have a patch available? Some of the biggest (say, Blaster) had been patched months before!

      What's happened is that the bad guys have gotten faster at exploiting the vulnerabilities once they're disclosed. Meanwhile, the vendors have been trying to convince everyone to update as quickly as possible. That's why it's hard to argue against automatic updates (or at least semi-automatic, as in timing it so that an admin is on hand to fix any problems that pop up).

      The story here is that a worm zoomed across the next less than a week after the hole it uses was patched. It's not the extent (which the media overstated) but the speed.

    • Re:really... (Score:5, Informative)

      by Patoski ( 121455 ) on Thursday August 18, 2005 @12:32PM (#13348421) Homepage Journal
      It was just hyped big time by a few big media outlets. And really the patch was out, and you know Windows 2000 needs a firewall. I blame it more on crappy IT administration.

      Actually Windows 2000 does have a firewall. It just doesn't have a purdy gui.
      http://online.securityfocus.com/infocus/1559 [securityfocus.com]

      Anyhow, how does a firewall help one when an infected machine gets in the building (like a laptop)? You cannot block port 445 (which zotob uses) since that is what is used in part for file and print sharing.

      While we didn't get hit where I work I can sympathize with companies that did. When you're working in a large environment it can take some time to test patches to make sure they work as advertised (esp. on mission ciritcal servers). One week lead time is really intense.

      • Re:really... (Score:3, Insightful)

        by dkf ( 304284 )
        You cannot block port 445 (which zotob uses) since that is what is used in part for file and print sharing.

        Whyever not? Or are you claiming that file and printer sharing (as opposed to using one of the stronger client-server protocols for these things) is a good idea?
    • I blame it on crappy programming in the first place, why place the blame on overloaded Sys/Net Admins?

    • Re:really... (Score:4, Informative)

      by jwgoerlich ( 661687 ) on Thursday August 18, 2005 @01:10PM (#13348784) Homepage Journal

      I blame it more on crappy IT administration.

      And how! Almost all of my clients' machines are immune to this (though we patched anyways). Why? Because we disable anonymous connections (RestrictAnonymous registry key), which has been a recommended practice for YEARS.

      See the tech advisory: "Windows 2000 systems are primarily at risk from this vulnerability. Windows 2000 customers who have installed the MS05-039 security update are not affected by this vulnerability. If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000 systems would not be vulnerable remotely from anonymous users."

      http://support.microsoft.com/kb/q246261/ [microsoft.com]

      http://www.microsoft.com/technet/security/advisory /899588.mspx [microsoft.com]

      The same thing happened with Slammer. The MSSQL servers we setup were immune out of the gate because they were setup properly from the get-go.

  • not large penetration (Score:3, Funny)

    by jaypaulw ( 889877 ) on Thursday August 18, 2005 @12:10PM (#13348235)
    'The worm only spreads to systems running on Windows 2000, XP and Server 2003'

    this seemed funny to me. as if somehow not a significant portion of computers run those OSes

  • August: Season of the crashes (Score:5, Interesting)

    by Destoo ( 530123 ) <destoo@gmailLAPLACE.com minus math_god> on Thursday August 18, 2005 @12:11PM (#13348237) Homepage Journal
    I would like to name August the official Worm month.

    August 2003: Sobig
    August 2004: Sasser
    August 2005: Zotob

    What's next?
  • On the whole, this is probably the best thing that has happened to Microsoft lately - it'll encourage clueless managers to order that their company's systems be upgraded, with a release of Vista around the corner. It's amazing just how many businesses still rely upon W2k.
    • Queue up all the conspiracy theories about MS releasing the original sample exploit code in order to get people to migrate away from Server2000 and 2000pro. The -reason- companies still rely on win2k is because it a) works very nicely, b) can use most of the drivers released for XP, and c) is a lot lighter on system resources. Of course, finding out that major media outlets still don't have SP4 or a good antivirus solution makes me want to send out a few resumes...
      • Does SP4 give some degree of protection?

        Given that you have to do such a big song and dance just to get the patches (yeah, yeah, it is at work at for a legal copy), what are the chances of getting zapped while you are downloading everything?

        The other big hassle with Win2K patches is that some of the patches (835732 -- the Sasser patch -- and 889293 and some others) bolex up IE from working. So I am supposed to switch to Mozilla or whatever, but d'ya suppose Microsoft would like me to still use IE? Pat

    • Makes you wonder if Microsoft had a role in encouraging its release, doesn't it?

      It's striking how nice the virus writers are to the antivirus companies. Most viruses do just enough damage to require ongoing spending for antivirus tools and upgrades, but not enough to make users switch to, say, Linux. There are exceptions, like the virus that encrypts data on the hard drive and demands payment in E-gold, but those are very rare. Few viruses erase data. Few do things that would make removal impossible w

      • It's because the losers that write these things run Windows, and they don't update their systems regularly :) Don't wanna destroy your own stuff.

      • Re:This may not be an accident (Score:5, Informative)

        by DaHat ( 247651 ) on Thursday August 18, 2005 @12:47PM (#13348551)
        The reason that viruses are not as damaging today as they were long ago is because virus writers have learned, propagation is the goal, not destruction.

        Compare computer viruses to real world viruses and you'll see.

        Ebola, smallpox take your pick from the fast acting, horrific and deadly viruses, very contagious and extremely deadly. With such a rap, why they it killed off everyone on earth yet. The answer why they haven't is simple, they kill their hosts before they have much of a chance to spread.

        That is why HIV is such an evil bug, it takes it's time before killing its host, as well as taking plenty of time before an infection is apparent.

        Computer viruses are the same, one that destroys a PC or locks down files isn't going to get very far, while one whose sole job is reproduction will spread far and wide and cause havoc only because of it's level of penetration and infection.
        • But it would be truly easy to combine a fast propogation worm with a time delay and a format C: command. Infect, propogate, wait 30 min, format. It's all out there already, but it seems that no one has (or wants to?) put them all together...yet.

          That should make a lot of people tremble but, for some reason, people keep using an OS that allows this.
    • Yeah, best thing to happen to Microsoft, it's not like Apples market share has been increasing lately as the volume of spyware, viruses and worms increase.

    • Re:Irony (Score:3, Informative)

      by Knara ( 9377 )
      It's amazing that businesses rely on an OS that continues to do what they need it to do? Win2k is only half-way through it's support life-cycle, you realize (scheduled to be EOL in 2010 if I recall).

      This was a problem with IT admins not maintaining secure environments through patching and firewall administration. Where I work has 400+ machines in a mix of 2000 and XP, and I'd be surprised if half a dozen of them got infected (I didn't hear about even one, personally).

  • Perhaps not as bad, but it still is a problem. (Score:5, Informative)

    by marbike ( 35297 ) on Thursday August 18, 2005 @12:12PM (#13348253)
    This worm, while not as bad as some we've dealt with in the past (slammer/sapphire, code red, msblaster) is still a pain. It is still likely to cause huge spikes in network traffic for infected networks. I've already seen an intstance where hundreds of machines seemed to be infected and only the mitigation in place at the edge routing devices was able to stem the flow of traffic outbound.

    This type of traffic has the potential to knock over routers/firewalls. I've seen it before and I have seen it this time as well.
    • *Raising hand*

      Two idle windows computers prevented all of our Mac and Linux desktops from connecting out to our ISP. These two computers which sit around just for testing knocked out two of our routers (or maybe just the DSL modem). We pulled them off the network and now everything's fine.

      I used to complain when I used Windows. But it causes me problems even when I'm never using it! Hence my sig.

  • no big deal (Score:3, Funny)

    by ingo23 ( 848315 ) on Thursday August 18, 2005 @12:13PM (#13348267)
    The worm only spreads to systems running on Windows 2000, XP and Server 2003

    Lucky Windows 3.0 users can be at ease.

  • Actually... (Score:5, Interesting)

    by TimTheFoolMan ( 656432 ) on Thursday August 18, 2005 @12:15PM (#13348287) Homepage Journal
    It's been pretty hairy here, inside the walls of a Fortune 500 company. Probably because we have so many variations of Windows in our lab, it was all over the place. People who had kept up to date and patched weren't hit bad (I'm on XP SP1), but we were creating ad-hoc teams all afternoon yesterday trying to get things clean.

    In some ways, this was a bigger deal than Sobig.

    Tim
    • So you're saying you don't REQUIRE updates and patches at a fortune 500?

      • Re:Actually... (Score:3, Interesting)

        by grasshoppa ( 657393 )
        This was my thought.

        Whomever was asleep at the wheel should be fired. Of course they won't be, because they'll blame it on software breaking or MS or aliens for all I know. but the hard truth of the matter is, they should be.

        Yes, I understand what's required before patches go live. I understand you have a lot of software you need to test before you can approve a patch. I also know how long that takes and how long it takes to make things work. A week, at most, is all you should ever be behind in patches

        • Re:Actually... (Score:3, Insightful)

          by TimTheFoolMan ( 656432 )
          The problem we have is not someone "asleep at the wheel." It's an issue of "this is my PC, and you are NOT going to push service packs and updates down to me whenever you like. I'll apply them when I'm good and ready."

          Our IT Admin's response was patient, up to a point. Then she started shutting off their VLANs, and people got serious about it.

          Yeah, I know. The idea of programmers and computer geeks thinking they're smarter than the IT Admin is hard to believe. Right?

          Tim
    • This is part of the first wave of "it's not so bad and it is the victim's fauly anyway" press releases which will be followed shortly with the 'any operating system is vulnerable to viruses' wave of press releases, followed by the 'Windows Vista is much more secure and everybody should upgrade' press releases. The only amazing part is that Windows users never seem to catch on. Somebody who bought three Ford Pintos and somehow manage to survive when they all burst into flames would probably think long and h
      • Windows users? Not a chance.

        Y'know, there's a fair few of us Windows users who have yet to catch a virus, or be infected with spyware, or get rooted.

        Sure, I see others crashing and burning, but then I've known people knocked down and killed crossing the road; yet I still cross. I just take sensible precautions, and take my chances.

  • Affects more than just windows machines (Score:3, Interesting)

    by thedogcow ( 694111 ) on Thursday August 18, 2005 @12:18PM (#13348315)
    Zotob is affecting more than Windows machines. Case and point, the network is really slow (via the Windows garbage) which is making Slashdot load slow for me and I am running Solaris. Grr.
  • "The worm only spreads to systems running on Windows 2000, XP and Server 2003"

    Why in the world is this listed as a mitigating factor? Is there really that large of an 95/98/NT base left?

  • Windows XP and Server 2003? (Score:4, Informative)

    by mranime ( 760760 ) on Thursday August 18, 2005 @12:21PM (#13348341)
    Both Symantec link [symantec.com] and F-Secure link [f-secure.com]

    States that only Windows 2000 machines were affected.

    F-Secure Writes: "The exploit uses fixed offsets inside Windows 2000 version of umpnpmgr.dll. This means that only Windows 2000 systems (SP0-4) are affected."

  • Surprisingly slow spread (Score:5, Interesting)

    by G4from128k ( 686170 ) on Thursday August 18, 2005 @12:25PM (#13348362)
    The Witty worm [slashdot.org] spread much faster despite the very small base of susceptible hosts (only about 12,000 total that had some old version of some firewall software). Witty had a doubling time of only a couple minutes and nearly saturated (infected all susceptible hosts) in less than one hour.

    A modern worm should be able to spread extremely quickly -- sending out hundreds of infectious packets per second if the payload is small (Witty's was only 637 bytes). If only 1 in 10,000 machine is susceptible, then a worm spewing 100 randomly addressed packets per second should double the number of infected machines every 100 seconds. I'd wager that the number of zotob-susceptible machines was much greater than only 1 in 10,000, so zotob should have spread faster. If anyone ever creates a worm that can infect even 1% of IP addys, it would double every second and saturate the net within the first minute or so.

    Why didn't zotob spread faster?

    • Re:Surprisingly slow spread (Score:5, Insightful)

      by Forseti ( 192792 ) on Thursday August 18, 2005 @12:49PM (#13348571)
      > Why didn't zotob spread faster?
      I'll tell you why: NAT and RFC1918.

      The worm (reportedly) only tries to spread to adresses with the same first 2 octets as the current machine. Even if it hit a machine through a static NATed public IP, once infected, it would detect only the private address of that host, and spread only within the company. It was poorly written to be able to spread quickly. It almost needs to be moved to another network manually! Witty went random, that's much smarter.

      In fact, we're generally lucky that most virus writers are inept. Otherwise, we would have seen some MUCH WORSE infections already.

  • it's okay, guys (Score:5, Funny)

    by kwoff ( 516741 ) on Thursday August 18, 2005 @12:25PM (#13348364)
    Once we control the spice, we control the worm.

  • This outbreak hit media outlets (Score:3, Interesting)

    by ewg ( 158266 ) on Thursday August 18, 2005 @12:28PM (#13348388)
    This malware outbreak received disproportionate media coverage, because it hit media outlets first and hardest.
  • 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.'

    Isn't that like saying, "Aids only infects those people having sex, and the possibility is minimal?" Sorry, in Risk Management, a risk is still a risk that needs to be mitigated. We've all seen examples (whether in our workplaces or in the news) of times when users have had this lackadaisical attitude about viruses that have brought a

  • Not minimal here (Score:3, Interesting)

    by Stanistani ( 808333 ) on Thursday August 18, 2005 @12:40PM (#13348483) Homepage Journal
    San Diego County Government had 12,000 workstations crash.
    People couldn't do ANYTHING connected to the county.
    They had 3,000 systems up today.
    Wonder if I can apply for the sysadmin job?
  • Kneel before ZOTOB!

  • Pretty Bad Here (Score:3, Informative)

    by GizmoToy ( 450886 ) on Thursday August 18, 2005 @12:41PM (#13348496) Homepage
    I don't know if it was "minimal" elsewhere, but it hit GE Transportation really hard. We had two sites go down completely (no network, no computers), including HQ in Cincinnati. The sites went completely offline around 3pm, and I can only assume the poor techies had to stay all night to patch each computer on campus manually (because they won't stay on, always rebooting). When I got to work the next day, we all had a specific set of instructions to do to complete the patching process. They really lost a fortune on this one.

  • unpatched machines? (Score:2, Interesting)

    by shimmin ( 469139 )
    Microsoft's decision to no longer patch pirated installations has a few unintended consequences. There is now a base of unpatched machines that any new worm will likely be able to exploit. If a greater fraction of machines are unpatched, a greater fraction of infection attempts will succeed, and the worm will spread faster. A faster-spreading infection means a more legitimate Windows users will be infected before they patch (although the auto-updating feature of Service Patch 2 will help with this).

    And o

    • Re:unpatched machines? (Score:4, Informative)

      by sriram_2001 ( 670877 ) on Thursday August 18, 2005 @12:46PM (#13348545)
      Sorry - not true. Windows Genuine Advantage has nothing to do with security patches. All users will get security patches, without going through any checks
      • Sorry - not true. Windows Genuine Advantage has nothing to do with security patches. All users will get security patches, without going through any checks

        That used to be the case. Now with the latest version of Windows Update, you must pass genuine advantage in order to download patches. I know this as I've one machine that fails to get past the check on windows update despite the valid licence number on it. I believe autoupdate is still working, but for how long?

  • Ofcourse it's not as bad... (Score:4, Informative)

    by GillBates0 ( 664202 ) on Thursday August 18, 2005 @12:42PM (#13348508) Homepage Journal
    It even removes your spyware for you, as several /. comments noted in the last Zotob story: http://securityresponse.symantec.com/avcenter/venc /data/w32.zotob.d.html [symantec.com] It could be that problems (reboots, etc) that people experienced were caused by inadequate testing than purely malicious intent...but then it's a worm, so it is implicitly malicious.

    Deletes the following registry values:
    "MyWebSearch"
    "WINDOWS SYSTEM"
    "Zotob"
    "MyWay"
    "WeatherOnTray"
    "Apropos"
    "IBIS TB"
    "TBPS"
    "Toolbar"
    "Hotbar"
    "CMESys"
    "NavExcel"
    "ViewMgr"
    "eZula"
    "EbatesMoeMoneyMaker"
    "Ebates"
    "AutoUpdater"
    "Gator"
    "Trickler"
    "QuickTime"
    "GatorDownloader"
    "eZmmod"
    "Viewpoint"
    "TkBellExe"
    "180"
    "WinTools"
    "Real"
    "QuickTime Task"
    .
    .
    .

  • article is wrong. (Score:3, Informative)

    by Suppafly ( 179830 ) <slashdot@s[ ]afly.net ['upp' in gap]> on Thursday August 18, 2005 @12:48PM (#13348556)
    but accorning to this article, the claims are a tad overzealous. FTA, 'The worm only spreads to systems running on Windows 2000, XP and Server 2003, and even then, the possibility of the worm affecting Windows XP and Server 2003 are minimal.' "

    The article is wrong, zotob has variants that infect 9x thru 2003. You can look at the summaries on symantec. As a pc support person at a very large company (one of the ones mentioned on cnn when they talked about zotob), this is certainly the worse virus I've had to deal with.

  • Well at least its not all versions of Windows... (Score:3, Funny)

    by idiotism ( 849327 ) on Thursday August 18, 2005 @12:49PM (#13348566)
    just the ones that 90% of people that use windows, use. dont worry your computers running DOS, Windows 3.1, 95, 98 and the wonderful ME, cannot be infected.

  • Early Bird Gets the Worm (Score:4, Insightful)

    by Doc Ruby ( 173196 ) on Thursday August 18, 2005 @12:56PM (#13348624) Homepage Journal
    How odd that this worm should attack W2K so severely, and W2K3/WXP not so severely, just as Microsoft is dropping sales of W2K, and urging W2K users to upgrade, including draconian herding techniques like discontinuing W2K automatic update support.

    Now, even if MS hasn't created this worm, or released it into the wild, or deprioritized fixing bugs in W2K for it to exploit, or overhyped its danger to create "relief" that its favored W2K3/WXP products aren't at as much risk... don't you think the people over at the "W2K extinction department" in Redmond are very happy about this bad news? That's an incentive to neglect security. Like the sheepdog carpooling with the wolf [dogtimes.com.br].

  • Dr. It hurts when I do this (Score:3, Interesting)

    by wardk ( 3037 ) on Thursday August 18, 2005 @12:58PM (#13348639) Journal
    hard to feel sorry for the people still running windows, how many times does the car have to break down on the freeway before you trade the SOB in for something reliable?

    what is it called when you continue the same behavior and expect different results?

  • Depends a lot on your point of view (Score:5, Interesting)

    by Thumper_SVX ( 239525 ) on Thursday August 18, 2005 @01:00PM (#13348661) Homepage
    Myself I ended up at work 20 hours on Monday this week patching servers. Given that we have about 500 servers in our environment with one person doing the patching this wasn't so bad.

    We ended up with a lot of problem because of this worm... less because it actually caused problems with the machines but more because we could see machines constantly trying to infect one another. It wasn't pretty. Our workstations were most at risk, being the largest installed base but also running Windows 2000 SP3 (not SP4 unfortunately). No patch has been generally released for SP3 WS's, but a custom patch IS available from Microsoft if you request it. Due to other factors in play, we have elected to upgrade to SP4 and install the appropriate hotfixes. This is not going to be pretty over about 10,000 workstations.

    See, what some people miss when they say that any infection may be due to bad administration is simply that we're dealing with huge numbers of machines, both servers and workstations that are potentially vulnerable. Due to application compatibility and tested standardized platforms we often don't even get the option to keep stuff up to date. The only reason we even have Windows 2003 servers in place today is because we forced the issue with our Corporate guys when we implemented Active Directory; we informed them that we had a need for functionality not provided by Windows 2000 AD (which was true). There is a project currently under way to test Windows XP for rollout, but honestly chances are that Vista will be shipping by the time we even reach 50% rollout mark.

    So, why the rant? Well, it must be understood that jumping on the latest patches is not always an option in the corporate environment. Also, jumping on the operating system bandwagon is rarely an option because there's a lot of regression testing that has to be done. Hell, there are some instances where we're having to push the application vendors to support Windows 2003 Servers in our Citrix environment because they've never tested it. Welcome to the realities of Corporate IT.

    Are there solutions? Sure! However, none of them are acceptable to most corporations. Linux is not an option, neither is OSX. In both cases we come back to the legacy support issue. Citrix to share the applications? Great... but you're only redirecting the problem to the server farms, not eliminating it. Real world Corporate IT is not as black and white as people would like it to be, myself included.

    This virus gained traction because most corporations work this way. It wasn't helped by the fact that McAfee and Symantec both waited two days after the virus was discovered to release a signature update that recognized it.

    One positive thing though; this virus is forcing the management to finally listen to my department's complaints that we need to be more proactive about patch management, and this time stuff might get done. We've got a long way to go, but this should be the start of something better.

Slashdot Top Deals

"If it ain't broke, don't fix it." - Bert Lantz

Close