Zotob fizzles while new worm emerges

By John Fontana, Network World
August 22, 2005 12:08 AM ET
Was it the worm that wasn't or the worm that was?

That seemed to be the big question last week when the Zotob worm appeared just three days after Microsoft released patch MS05-039 to close a vulnerability in the plug-and-play feature in various flavors of the Windows operating system, with Windows 2000 the most vulnerable.

Early reports indicated that the worm could be ready to bust out and make Sasser, which at one point during its 2004 rage raised Internet traffic 40%, look like a non-event. By the end of last week, Zotob and its seven variants proved they had more bark than bite, and attention turned to a new vulnerability in Internet Explorer that the SANS Institute's Internet Storm Center had labeled a major threat.

Zotob established a record turnaround from the time Microsoft released a patch until the worm began appearing, says Lisa Myers, a researcher at McAfee.

The quick strike hit some major companies, including CNN, The New York Times and ABC News, but in the end, the assessment was that Zotob and its variants had been a blip. The Internet Storm Center said: "Likely this is an isolated event, which became newsworthy because CNN got infected."

Security experts cited a number of factors, including that many home users have upgraded from Windows 2000, Zotob's main target, to XP or are using older systems such as Windows 95.

"The way that these things spread the fastest is when home users get hit," says John Pescatore, an analyst with Gartner. He added that the infection also was low among corporate users because the worm used port 445 as its entry point, which many users have closed on their firewalls since last year's Sasser worm. He also noted intrusion-protection systems helped, because many vendors had filter updates available two days after Microsoft issued the MS05-039 patch Aug. 9.

"Patching is faster since 2003; we saw the typical large enterprise get down to five business days to patch 95% of their machines," Pescatore says. "But since there hasn't been a major worm in 18 months, we saw a lot of enterprises slack off." He also noted users were slow to patch internal Windows 2000 servers.

In fact, statistics from Web analytics firm Netcraft show that the Zotob outbreaks were internal. Netcraft, which collects statistics on Web site traffic, says the U.S. Fortune 100 Web sites showed no "unusual outages, including the 18 companies in the index hosted on Windows 2000." The company also says Britain's FTSE 100, with 36 sites running on Windows 2000, showed "no suspicious performance problems, either."

The worms spread using TCP/IP port 445, which is associated with Windows file sharing, and took advantage of the plug-and-play system bug to seize control of the operating system. Infected computers were then told to await further instructions on an Internet Relay Chat channel, meaning that they could then be used to attack other systems, according to Johannes Ullrich, chief research officer with the SANS Institute.
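The spreading pattern described above (many connection attempts to TCP port 445 from one host, followed by an outbound Internet Relay Chat connection) is something a firewall log can reveal. The following is an added detection example written for this article, not code from the article, from SANS or from any vendor mentioned; the log lines are constructed, the format (timestamp, source, destination, destination port, action) is assumed, and the fan-out threshold and IRC port are assumed values a practitioner would tune for their own network.

```python
"""Flag hosts whose firewall-log behaviour matches the Zotob-style pattern:
fan-out connection attempts to TCP 445 (file-sharing port) and, for the same
host, an outbound connection to an IRC port.  Added example; constructed data."""
from collections import defaultdict

# Constructed sample firewall log, not real traffic.
# Fields: timestamp source destination destination-port action
SAMPLE_LOG = """\
2005-08-16T10:00:01 10.0.1.20 10.0.1.21 445 ALLOW
2005-08-16T10:00:01 10.0.1.20 10.0.1.22 445 ALLOW
2005-08-16T10:00:02 10.0.1.20 10.0.1.23 445 ALLOW
2005-08-16T10:00:02 10.0.1.20 10.0.1.24 445 DENY
2005-08-16T10:00:03 10.0.1.20 10.0.1.25 445 ALLOW
2005-08-16T10:00:03 10.0.1.20 10.0.1.26 445 ALLOW
2005-08-16T10:00:10 10.0.1.20 203.0.113.9 6667 ALLOW
2005-08-16T10:01:00 10.0.1.30 10.0.1.31 445 ALLOW
2005-08-16T10:01:30 10.0.1.30 10.0.1.32 445 ALLOW
2005-08-16T10:02:00 10.0.1.40 203.0.113.9 6667 ALLOW
2005-08-16T10:02:05 10.0.1.50 10.0.1.21 445 DENY
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, action = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "dport": int(dport), "action": action})
    return records


def find_suspicious_hosts(records, fanout_threshold=5, smb_port=445,
                          irc_ports=frozenset({6667})):
    """Return {source_ip: reason} for hosts showing worm-like behaviour.

    Denied attempts count toward fan-out too: a host blocked at the firewall
    is still probing its neighbours.  Thresholds are assumed, not from the
    article; tune them to the size of the monitored subnet.
    """
    smb_targets = defaultdict(set)   # src -> distinct hosts probed on smb_port
    irc_peers = defaultdict(set)     # src -> distinct IRC peers contacted
    for r in records:
        if r["dport"] == smb_port:
            smb_targets[r["src"]].add(r["dst"])
        elif r["dport"] in irc_ports:
            irc_peers[r["src"]].add(r["dst"])

    findings = {}
    for src in set(smb_targets) | set(irc_peers):
        scanning = len(smb_targets[src]) >= fanout_threshold
        irc = bool(irc_peers[src])
        if scanning and irc:
            findings[src] = "smb-fanout+irc"   # strongest signal: both stages
        elif scanning:
            findings[src] = "smb-fanout"
        elif irc:
            findings[src] = "irc-only"         # weak on its own; correlate
    return findings


if __name__ == "__main__":
    for host, reason in sorted(find_suspicious_hosts(parse_log(SAMPLE_LOG)).items()):
        print(f"{host}: {reason}")
```

On the constructed log, the host that probed six neighbours on port 445 and then reached out to an IRC server is reported with both stages; the host with only two 445 connections stays below the fan-out threshold and is not reported; the IRC-only host is reported with the weaker tag. The two signals are kept separate so an analyst can weight an internal 445 fan-out (which on its own can be legitimate file-sharing activity) differently from the fan-out-plus-IRC combination the article describes.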

Some experts say that while the Zotob spread was low, there might be another storm brewing because the variants are beginning to attack each other.