SecurityFocus, 2005-08-17
More than a dozen different worms have been created from the latest Microsoft Windows vulnerability and readily available bot software and have started attacking each other's compromised systems, security experts warned on Wednesday.
The worms--which appear to come from three families of code dubbed Zotob, Botzori and IRCBot--started spreading on Sunday without much fanfare. However, on Tuesday, computers at CNN and the New York Times became infected by one or more variants of the worm, and the public profile of the programs increased a notch.
The worms are all based on versatile attack programs, known as bot software, which have added the ability to spread via a flaw in Microsoft's Windows Plug-and-Play functionality. Several bot programs had incorporated the code to exploit the flaw late last week, and starting with the Zotob worm, began adding the ability to automatically find and infect systems by last weekend. As of Wednesday morning, at least 12 versions of bot software were using the exploit to spread, said Mikko Hyppönen, chief research officer for antivirus firm F-Secure.
"The situation is very complex because there are so many worms," said Hyppönen, who described the worms as "bots set to self replicate." Moreover, the worms have started targeting each other, he said. "These latest worms are actually fighting each other, like MyDoom, Netsky and Bagle. We are seeing the same thing (as those attacks), but with bots--it's a big bot war."
On Wednesday, F-Secure had captured a dozen different variations of the worms based on bots. Several versions, including two based on IRCBot and three on Botzori, attacked earlier versions of the worm based on the Zotob code. Symantec, which owns SecurityFocus, tallied seven variants of Zotob, two variants of Esbot, a version of Bobax and a version of Spybot that used the most recent Microsoft flaw. Antivirus firms frequently use company-specific names for the same threat.
The dozen variants of the Plug-and-Play worms are the first major programs since the Sasser worm to spread by targeting a vulnerability in Microsoft Windows. The Sasser worm started spreading on April 30, 2004, using a vulnerability in a Windows component known as the Local Security Authority Subsystem Service, or LSASS. While it's unknown how far the worm spread, a week into the outbreak Microsoft said that 1.5 million users had downloaded a cleaning tool for the worm. The Blaster worm had infected about 10 million users, according to Microsoft estimates.
The Zotob worms are versions of the Mytob worm that have been modified to use a flaw in Microsoft Windows' Plug-and-Play capabilities. The software giant had patched the issue on August 9, five days before Zotob started spreading.
The latest incarnations of the worm point toward competition between the groups, known as bot herders, that illegally create and manage the networks of compromised systems, or bot nets. Moreover, it's no surprise that the groups have quickly latched onto the latest exploit, said Joe Stewart, senior threat researcher for security firm Lurhq.
"These guys have been pretty desperate for a new exploit for a while," Stewart said. "They had been using LSASS for too long, and been scraping the bottom of the barrel for exploits, so now everyone and his mother is now going to use this instead."
The Zotob worms compromise systems by sending data on port 445. If a computer is infected with the program, the worm starts a file-transfer protocol (FTP) server and attempts to spread further. The worm still has some bot functionality: Computers infected with the worm will join an Internet relay chat (IRC) session at a predefined address. An attacker who knows the IRC channel password can command the bot to disconnect or reconnect to the IRC channel, obtain system information, clean itself from the system, modify security settings, and download or execute files, according to an analysis of the Zotob.B worm.
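As an added defender's example (not part of the original article or of any vendor's analysis), the following Python correlates constructed firewall and host log lines for the infection sequence described above: inbound traffic to port 445, followed by the host opening a new listener (the FTP server), followed by an outbound IRC connection. The log format, the 5-minute correlation window and the IRC port range 6660-6669 are assumptions, not details from the article.

```python
# Added example: correlate constructed log lines for the Zotob pattern the
# article describes (inbound tcp/445, then a new FTP listener, then outbound
# IRC).  Log format, 5-minute window and IRC port range are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed correlation window
IRC_PORTS = range(6660, 6670)  # assumed IRC server ports
FW_RE = re.compile(r"^(\S+) FW ALLOW ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
LISTEN_RE = re.compile(r"^(\S+) HOST ([\d.]+) NEW_LISTENER tcp/\d+$")

def parse(line):
    """Map a log line to (time, host, event); event is in445/listen/irc_out."""
    if m := FW_RE.match(line):
        ts, src, dst, dport = m.groups()
        if dport == "445":                 # exploit traffic reaches dst
            return datetime.fromisoformat(ts), dst, "in445"
        if int(dport) in IRC_PORTS:        # src calls home to an IRC server
            return datetime.fromisoformat(ts), src, "irc_out"
    elif m := LISTEN_RE.match(line):
        ts, host = m.groups()
        return datetime.fromisoformat(ts), host, "listen"
    return None

def suspected_hosts(lines):
    """Hosts showing in445 -> listen -> irc_out, in that order, within WINDOW."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        t, host, ev = rec
        events[host].append((t, ev))
    flagged = []
    for host, evs in events.items():
        evs.sort()
        for i, (t0, ev0) in enumerate(evs):
            if ev0 != "in445":
                continue
            later = [e for t, e in evs[i + 1:] if t - t0 <= WINDOW]
            if "listen" in later and "irc_out" in later[later.index("listen"):]:
                flagged.append(host)
                break
    return sorted(flagged)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2005-08-16T10:00:01 FW ALLOW 10.0.0.5:1034 -> 10.0.0.7:445",
    "2005-08-16T10:00:03 HOST 10.0.0.7 NEW_LISTENER tcp/21",
    "2005-08-16T10:00:05 FW ALLOW 10.0.0.7:1040 -> 198.51.100.20:6667",
    "2005-08-16T10:01:00 FW ALLOW 10.0.0.5:1035 -> 10.0.0.9:445",  # plain SMB
    "2005-08-16T10:02:00 FW ALLOW 10.0.0.11:1050 -> 198.51.100.20:6667",  # IRC user
]
```

Running `suspected_hosts(SAMPLE_LOG)` flags only 10.0.0.7; ordinary port 445 file sharing and a lone IRC client are not flagged, and the same three events spread beyond the window are ignored.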
The worms contain acknowledgments and a half-hearted threat aimed at antivirus firms:
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3. MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
A side effect of a worm infection is that the compromised systems, almost exclusively Windows 2000 computers, frequently hang or crash. Multiple sources on security mailing lists described disruptions caused by the worm crashing computers.