Wednesday, August 17, 2005

F-Secure: Major botwar increases in scale and force

Via the F-Secure website.


Growing infection rates from worm variants based on three virus families (Zotob, Bozori and Ircbot) are putting large organizations around the world on alert.

Helsinki, Finland - August 17, 2005

On Tuesday the 9th of August, Microsoft released the monthly security patches for Windows. This included several critical patches, with one closing a vulnerability in Microsoft’s Plug-and-Play service (MS05-039).

On Wednesday the 10th of August, a Russian individual who goes by the name ‘Houseofdabus’ released working exploit code that could be used to take over Windows 2000 machines with the Plug-and-Play vulnerability.

On Sunday the 14th of August, the Zotob.A worm was found. An unknown party had incorporated the Houseofdabus exploit code into a worm that would spread automatically over the Internet. A very similar development happened in May 2004, when virus writer Sven Jaschan incorporated Houseofdabus’ LSASS exploit code into his infamous Sasser worm.

By Wednesday the 17th of August, F-Secure had found nine more pieces of malware using the same exploit code to spread, including variants of the Ircbot, SDBot and Bozori families.

Together, these continue to infect Windows 2000 computers which have either not been patched or have not been rebooted after patch installation, and which are not protected by a firewall.

Infections continue to be reported from large organizations, especially from the USA. In these, infection has most likely originated from infected laptops carried inside an organization’s perimeter firewall.

These new Plug-and-Play worms only infect Windows 2000 machines that are not protected by a firewall. Each worm replicates by scanning machines on port 445/TCP and, when a victim is found, uses the exploit code to make it download the main virus file via FTP. At this point the newly infected machine sets up an FTP server of its own and starts scanning for more targets, continuing the spread. “We seem to have a botwar on our hands. There appears to be three different virus writing gangs turning out new worms at an alarming rate – as if they would be competing who would build the biggest network of infected machines,” comments Mikko Hypponen, Chief Research Officer at F-Secure. “The latest variants of Bozori even remove competing viruses like Zotob from the machines!”
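The propagation pattern described above (one host probing many others on 445/TCP, then a probed host connecting back to the prober to fetch the payload) is what a defender would look for in internal firewall or flow logs. The following is an added example, not F-Secure's code or anything from the release; the log format, addresses, threshold and the FTP port used in the sample are constructed for illustration.

```python
"""Flag hosts whose traffic matches the Plug-and-Play worm propagation pattern:
many distinct 445/TCP targets from one source, followed by one of those targets
connecting back to the source (the FTP download stage)."""
from collections import defaultdict

# Constructed log lines, not real data. Fields: time src dst dport
SAMPLE_LOG = """\
10:00:01 10.0.5.17 10.0.5.20 445
10:00:01 10.0.5.17 10.0.5.21 445
10:00:02 10.0.5.17 10.0.5.22 445
10:00:02 10.0.5.17 10.0.5.23 445
10:00:03 10.0.5.17 10.0.5.24 445
10:00:03 10.0.5.17 10.0.5.25 445
10:00:04 10.0.5.23 10.0.5.17 21
10:00:09 10.0.5.40 10.0.5.41 445
10:00:10 10.0.5.40 10.0.5.41 139
"""

SCAN_THRESHOLD = 5  # assumed: distinct 445/TCP targets before a source counts as scanning

def parse(log_text):
    """Yield (time, src, dst, dport) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            yield ts, src, dst, int(dport)

def analyse(log_text):
    """Return (scanners, callbacks). A callback is (scanner, probed_host, dport)
    recorded only when the 445/TCP probe preceded the connection back."""
    targets = defaultdict(set)  # src -> hosts it has probed on 445/TCP so far
    callbacks = []
    for _, src, dst, dport in parse(log_text):
        if dport == 445:
            targets[src].add(dst)
        elif src in targets.get(dst, ()):
            # a host we saw being probed is now connecting back to its prober
            callbacks.append((dst, src, dport))
    scanners = sorted(s for s, hosts in targets.items() if len(hosts) >= SCAN_THRESHOLD)
    flagged = [c for c in callbacks if c[0] in scanners]
    return scanners, flagged

if __name__ == "__main__":
    scanners, flagged = analyse(SAMPLE_LOG)
    print("scanning sources:", scanners)
    for scanner, victim, port in flagged:
        print(f"{victim} connected back to {scanner} on {port}/tcp after being probed")
```

Only 10.0.5.17 crosses the threshold here; 10.0.5.40 touching a single neighbour on 445 and 139 is ordinary file-sharing traffic and is not flagged.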
