Friday, August 19, 2005

Cisco - ZOTOB and WORM_RBOT.CBQ Mitigation Recommendations

Via UNIRAS (UK Gov CERT).

Cisco customers are currently experiencing attacks due to new worms and bots that are active on the Internet. The signature of these worms and bots appears as TCP traffic to port 445 as well as traffic to several secondary TCP ports depending on the variant of the worm. Affected customers have been experiencing high volumes of traffic from both internal and external systems. Symptoms on Cisco devices include, but are not limited to, high CPU and traffic drops on the input interfaces. This document focuses on both mitigation techniques and affected Cisco products that need software supplied by Cisco to patch properly.

These worms and bots have been referenced by the name ZOTOB in multiple variants, WORM_RBOT.CBQ in multiple variants, and by several other names. These worms and bots exploit a vulnerability previously disclosed by Microsoft, details of which can be found at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Cisco has made free software available for the affected products listed in this Notice that require Cisco-distributed updates.
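The traffic signature described above, a single source opening TCP connections to port 445 on many hosts in a short time, can be checked against flow records. The following Python is an added example, not part of the Cisco notice; the record layout, window and threshold are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

def find_smb_scanners(flows, window=60, min_targets=20, port=445):
    """Return {src: peak} for sources that reach at least min_targets distinct
    destinations on TCP/<port> within any `window` seconds.
    flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port, proto)."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == port:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        in_window = defaultdict(int)  # dst -> number of events inside the window
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window: evict events that are `window` seconds old or older.
            while events[start][0] <= ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

# Constructed sample flows (documentation and private address ranges, not real traffic).
SAMPLE = (
    # Worm-like fan-out: 40 distinct hosts on 445 in 40 seconds.
    [(1000 + i, "10.1.1.23", f"192.0.2.{i + 1}", 445, "tcp") for i in range(40)]
    # Ordinary file-share client: two servers, contacted repeatedly.
    + [(1000 + 5 * i, "10.1.1.50", f"10.1.2.{1 + i % 2}", 445, "tcp") for i in range(30)]
    # Many destinations, but on port 80: ignored by the port filter.
    + [(1000 + i, "10.1.1.60", f"198.51.100.{i + 1}", 80, "tcp") for i in range(40)]
    # Many 445 destinations spread over 50 minutes: stays under the per-window threshold.
    + [(1000 + 120 * i, "10.1.1.70", f"203.0.113.{i + 1}", 445, "tcp") for i in range(25)]
)

if __name__ == "__main__":
    for src, peak in find_smb_scanners(SAMPLE).items():
        print(f"{src}: {peak} distinct TCP/445 destinations within 60s")
```

The window and threshold need tuning per network: hosts that legitimately contact many SMB servers will need an allowlist, and a slow-spreading host stays below the per-window count.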
