- BlackBerry Storm vs. the iPhone
- 2008 IT industry graveyard
- Top 10 worst uses for Windows
- Economic crisis means double duty for IT pros
- BlackBerry Storm, RIM's first touchscreen device, rolls in
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:Application Performance Solutions | App Performance | Networking Solution | SafeGuard Enterprise Solution Center | SOA | Test your Web Filter | Value of WDS
New worms have surfaced that attack a critical vulnerability in Microsoft 's Windows 2000 Plug and Play service. Over the weekend, two variants of a new worm, dubbed Zotob, have begun circulating, though neither variant has become widespread, researchers say.
The worms spread using TCP/IP port 445, which is associated with Windows file sharing, and take advantage of the Plug and Play system bug to seize control of the operating system. Infected computers are then told to await further instructions on an Internet Relay Chat channel, meaning that they could then be used to attack other systems, according to Johannes Ullrich, chief research officer with The SANS Institute, a Bethesda, Md., security training company.
The Zotob family also disables the Windows Update service and blocks access to certain Web sites, including eBay.com and amazon.com, Ullrich said.
Because Zotob can generally only affect unpatched Windows 2000 systems, which have also have an open port 445, it is unlikely to be widespread, Ullrich said. "It doesn't seem to be spreading fast," he said.
Microsoft released a patch for this Plug and Play vulnerability last Tuesday.
On Monday, Trend Micro had reported the existence of two Zotob variants, called Zotob.a and Zotob.b. The anti-virus vendor referred to Zotob as "a failed attack," in a statement issued Monday, but cautioned that further variants could be forthcoming.
Users of Windows 95, 98 and ME are not susceptible to Zotob. Windows XP and Windows Server 2003 systems could be vulnerable in certain rare circumstances, however. In order for this to happen, the system's registry file would have to be altered to allow the computer to list system resources without requiring a login, a practice called "enabling Null sessions."
Null sessions are not enabled by default in Windows XP or Windows Server 2003, Ullrich said, and SANS has published instructions on how to check to see if they areenabled.
Samples of code that could be used in a Plug and Play attack began surfacing late last week, just days after Microsoft disclosed the vulnerability, so the emergence of the Zotob worms does not come as a surprise. Exploit code for another recently disclosed vulnerability in the Internet Explorer browser was also published last week, but SANS has not yet seen this software used in attacks, Ullrich said.
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment