August 15, 2005
(IDG News Service)
New worms have surfaced that attack a critical vulnerability in Microsoft Corp.'s Windows 2000 Plug and Play service. Over the weekend, two variants of a new worm, dubbed Zotob, have begun circulating, though neither variant has become widespread, researchers say.
The worms spread using the TCP/IP Port 445, which is associated with Windows file sharing, and take advantage of the Plug and Play system bug to seize control of the operating system. Infected computers are then told to await further instructions on an Internet Relay Chat channel, meaning that they could then be used to attack other systems, according to Johannes Ullrich, chief research officer with the SANS Institute, a Bethesda, Md., security training company.
The Zotob family also disables the Windows Update service and blocks access to certain Web sites, including eBay.com and Amazon.com, Ullrich said.
Because Zotob can generally affect only unpatched Windows 2000 systems, which also have an open Port 445, it is unlikely to be widespread, Ullrich said. "It doesn't seem to be spreading fast," he said.
Microsoft released a patch for this Plug and Play vulnerability last Tuesday.
Trend Micro Inc. today had reported the existence of two Zotob variants, called Zotob.a and Zotob.b. The antivirus vendor referred to Zotob as "a failed attack," in a statement on its Web site, but cautioned that further variants could be forthcoming.
Users of Windows 95, 98 and ME are not susceptible to Zotob. Windows XP and Windows Server 2003 systems could be vulnerable in certain rare circumstances, however. In order for this to happen, the system's registry file would have to be altered to allow the computer to list system resources without requiring a login, a practice called "enabling Null sessions."
Null sessions are not enabled by default in Windows XP or Windows Server 2003, Ullrich said, and SANS has published instructions on how to check if they are enabled.
Samples of code that could be used in a Plug and Play attack began surfacing late last week, just days after Microsoft disclosed the vulnerability, so the emergence of the Zotob worms does not come as a surprise. Exploit code for another recently disclosed vulnerability in the Internet Explorer browser was also published last week, but SANS has not yet seen this software used in attacks, Ullrich said.