Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Zotob causes carnage in corporate networks

31 August, 2005 11:27

<p>Fortinet's review of malicious code activity for August revealed that Zotob, exploiting the MS05-039 flaw, was the most serious threat to hit global users since MsBlaster in 2003 and Sasser in 2004.</p>
<p>The month's highlights:</p>
<p>* Zotob/MS05-039 flaw - the most significant threat in August 2005
* Zero Day Exploit - Msdds.dll
* Web Controlled Botnet - W32/Dumador.DH-tr
* eBay mimic - rise of the phish continues
* User protection against Zotob and other evolving threats</p>
<p>August, by numbers:</p>
<p>Top 10 threats caught by Fortinet's FortiGate security appliances in August 2005:</p>
<p>1 W32/Netsky.P-mm 13%
2 W32/MyTob.EK-mm 3%
3 W32/Zafi.B-mm 3%
4 W32/Zafi.D-mm 3%
5 HTML/Ebay-phish 2%
6 W32/MyTob.fam-mm 2%
7 Possible_MyTob.G 2%
8 Possible_Netsky.P 2%
9 W32/Mitglieder.CD.gen-tr 2%</p>
<p>Top 10 countries reporting infections in August 2005:</p>
<p>1 United States of America 17%
2 Korea, Republic of 9%
3 Taiwan, Province of China 8%
4 Chile 6%
5 China 6%
6 Mexico 5%
7 Japan 4%
8 India 4%
9 Thailand 3%
10 Italy 3%</p>
<p>Zotob/MS05-039 flaw - the most significant threat in August</p>
<p>The big hit this month is clearly Zotob which, together with the other worms (Bozori, IRCBot, RBot, Lebreat) that have exploited the now famous Microsoft Plug and Play flaw (MS05-039) since August 14th, spread across the news faster than across the Internet itself. Their aggregated prevalence never topped 1% of global virus activity, however, because of two major mitigating factors in MS05-039:</p>
<p>First, remote exploitation without credentials only works against unpatched Windows 2000 machines. Last week Microsoft announced that Windows XP is affected by a similar flaw, so worms are likely to target Windows XP as well in the near future; a working Windows XP exploit has not yet been confirmed, however.</p>
<p>Secondly, the vulnerable Plug and Play service is reached over SMB, i.e. TCP port 445. Since this port carries "network neighborhood" file-sharing connections, it is typically firewalled at the gateway of corporate networks and by Internet Service Providers (ISPs), which keeps Internet-borne scanning from reaching internal machines.</p>
<p>According to Fortinet Threat Response Team Leader - France, Guillaume Lovet, "Zotob spread all over the news faster than over the Internet itself, and two facts fanned the hype. First Zotob infected the media networks of CNN, ABC and the New York Times. Seemingly, it could have got in through people plugging laptops into these networks, bypassing firewalls and infecting unprotected Windows 2000 boxes from the inside."</p>
<p>Lovet continued: "Secondly, the exploit-oriented nature of Zotob's propagation, which does not require any user interaction, and the fact it appeared 'in the wild' less than a week after Microsoft released a patch for the PnP vulnerability, reminded us of the MsBlaster (Aug 2003) and Sasser (Apr 2004) threats which caused havoc in their time."</p>
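<p>As an added example (not Fortinet's code or anything from its advisory), the following Python script shows how the inside-out propagation described above can be spotted from internal firewall or flow logs: a laptop that has carried the worm past the perimeter has to sweep neighbouring addresses on TCP 445, so a single source contacting many distinct hosts on that port within a short window stands out, while a workstation talking to a couple of file servers does not. The log format, addresses and thresholds are assumptions, and the log lines are constructed.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed internal firewall/flow log (not real data). The format is an
# assumption: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>".
# 10.1.2.10 is a workstation using two file servers; 10.1.2.77 behaves like a
# Zotob-infected laptop sweeping 40 neighbouring addresses on TCP 445.
CLEAN_LINES = [
    "2005-08-16T10:00:01 src=10.1.2.10 dst=10.1.2.50 dport=445 proto=tcp",
    "2005-08-16T10:00:05 src=10.1.2.10 dst=10.1.2.50 dport=445 proto=tcp",
    "2005-08-16T10:00:09 src=10.1.2.10 dst=10.1.2.51 dport=445 proto=tcp",
    "2005-08-16T10:01:05 src=10.1.2.77 dst=10.1.2.200 dport=80 proto=tcp",
]
SWEEP_LINES = [
    f"2005-08-16T10:01:{i // 10:02d} src=10.1.2.77 dst=10.1.2.{i} dport=445 proto=tcp"
    for i in range(1, 41)
]
SAMPLE_LOG = "\n".join(CLEAN_LINES + SWEEP_LINES) + "\n"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\S+$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_port_sweepers(text, port=445, min_targets=20, window=timedelta(seconds=60)):
    """Return {src: max_distinct_targets} for sources that contacted at least
    min_targets distinct hosts on `port` inside some window-long interval."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        if dport == port:
            by_src[src].append((ts, dst))
    sweepers = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            targets = set()
            for ts, dst in events[i:]:        # events are time-ordered, so stop
                if ts - start > window:       # once the window is exhausted
                    break
                targets.add(dst)
            best = max(best, len(targets))
        if best >= min_targets:
            sweepers[src] = best
    return sweepers


if __name__ == "__main__":
    for src, n in find_port_sweepers(SAMPLE_LOG).items():
        print(f"{src} reached {n} distinct hosts on TCP 445 within 60 s: possible worm sweep")
```

The threshold of 20 distinct hosts per minute is deliberately coarse; a tighter window or a lower count is appropriate on segments where ordinary hosts never initiate SMB connections at all.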
<p>Fortinet's Threat Research team noted an evolution in the motives of the authors behind the three infamous network worms:</p>
<p>* MsBlaster's payload amounted to a jab at Microsoft ("bill gates, stop making money and fix your software") paired with a love note ("Love you San")</p>
<p>* Sasser's writer admitted he created this worm to generate some work for his mother, who worked at a computer security firm</p>
<p>* Zotob embeds a bot similar to the one in MyTob and is clearly aimed at profit: the botnet it builds is rented out for criminal activities (spamming, hosting illegal content, performing DDoS attacks...)</p>
<p>Some versions of the Bozori and IRCBot network worms attempted to kill Zotob on the machines they infected, which is reminiscent of last year's "Virus War" between Netsky, MyDoom and Bagle.</p>
<p>Finally, two suspected authors of Zotob and Mytob worms were arrested last week by Moroccan and Turkish authorities.</p>
<p>More information can be found within Fortinet's related advisory: Zotob Advisory</p>
<p>Zero Day Exploit - Msdds.dll</p>
<p>On Aug 17, FrSIRT released a zero-day exploit for a COM object in Microsoft's Msdds.dll, which a crafted Web page can instantiate through Internet Explorer and which potentially leads to full compromise of the victim's computer. Although there are mitigating factors (the DLL is only present on systems with certain Microsoft development and Office products installed, so not all configurations are vulnerable), Fortinet's Threat Response team believes that some worms might resort to this flaw to propagate. More information can be found within Fortinet's related advisory: Msdds Advisory</p>
<p>Web Controlled Botnet - W32/Dumador.DH-tr</p>
<p>Early in August, Fortinet's Threat Response team spotted what looked like a typical spyware program with keylogging abilities. Analysis showed that the malware was not only a reasonably full-featured Trojan but also a spam relay whose instances were organized into a botnet controlled through a simple, publicly reachable Web interface. This user-friendly interface lets anyone who knows its location act on all infected computers at once: the bots constantly poll the Web server for a command sequence file and carry out whatever it contains.</p>
<p>According to Fortinet Threat Response Team Leader - France, Guillaume Lovet, "The botnet concept is not new, but the ease of use provided by the Web interface with W32/Dumador.DH-tr is somewhat scary. This 'all HTTP' system also has a tremendous advantage over IRC based botnets because while IRC ports are usually firewalled, which prevents bots from 'phoning home', the HTTP traffic goes through in most cases. In Dumador's case, remote control is still possible even when a 'cache' proxy is enforcing HTTP traffic only out of the corporate network."</p>
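<p>The polling behaviour described above is also what gives an HTTP-controlled botnet away in the proxy logs that the traffic has to pass through: a bot fetches the same command file at a nearly fixed interval, which ordinary browsing does not. The following Python script (an added example, not Fortinet's analysis tooling) computes the gaps between requests for each client/URL pair, flags repeated low-jitter fetches, and then lists URLs polled by several hosts at once. The log format, hostnames and thresholds are assumptions; the log lines are constructed.</p>

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real data). The format is an assumption:
# "<ISO timestamp> <client ip> <method> <url> <status>".
C2_URL = "http://c2.example.invalid/cmd.txt"   # hypothetical command file


def _poll_lines(client, start_minute, count=8):
    """Lines for a bot fetching C2_URL about every 60 s with a few seconds of jitter."""
    return [
        f"2005-08-05T09:{start_minute + k:02d}:{(7 * k) % 5:02d} {client} GET {C2_URL} 200"
        for k in range(count)
    ]


# A user who reloads a news page five times at irregular intervals: same
# request count as a bot would need, but no regular rhythm.
BROWSING_LINES = [
    "2005-08-05T09:00:00 10.1.2.20 GET http://news.example.invalid/ 200",
    "2005-08-05T09:00:03 10.1.2.20 GET http://news.example.invalid/ 200",
    "2005-08-05T09:01:30 10.1.2.20 GET http://news.example.invalid/ 200",
    "2005-08-05T09:05:10 10.1.2.20 GET http://news.example.invalid/ 200",
    "2005-08-05T09:07:00 10.1.2.20 GET http://news.example.invalid/ 200",
    "2005-08-05T09:02:11 10.1.2.20 GET http://news.example.invalid/story/1 200",
]
SAMPLE_LOG = "\n".join(
    BROWSING_LINES
    + _poll_lines("10.1.2.11", 0)
    + _poll_lines("10.1.2.12", 1)
    + _poll_lines("10.1.2.13", 2)
) + "\n"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def find_beacons(text, min_requests=5, max_jitter=0.2):
    """Return {url: {client: median_gap_seconds}} for client/URL pairs fetched at
    least min_requests times at a near-constant interval. max_jitter bounds the
    coefficient of variation (stdev / mean) of the gaps between requests."""
    times = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            times[(m["client"], m["url"])].append(datetime.fromisoformat(m["ts"]))
    beacons = defaultdict(dict)
    for (client, url), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[url][client] = statistics.median(gaps)
    return dict(beacons)


def shared_beacon_urls(beacons, min_clients=2):
    """URLs polled by several hosts: the hallmark of a command file, not a user habit."""
    return {url: sorted(clients) for url, clients in beacons.items() if len(clients) >= min_clients}


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for url, clients in shared_beacon_urls(found).items():
        print(f"{url} polled by {', '.join(clients)} (median gap {statistics.median(found[url].values()):.0f} s)")
```

The jitter bound is the important knob: bots that randomise their sleep will raise the coefficient of variation, so in practice the check is run alongside the shared-URL test and a list of known software update hosts that legitimately poll on a timer.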
<p>eBay mimic - rise of the phish continues</p>
<p>Among the regular top threats, HTML/Ebay-phish, the phishing threat that mimics eBay's Website, rose to 5th most prevalent threat caught this month. Because of HTML/Ebay-phish, phishing attempts reached 3% of total fraudulent and virus-related activity, an unprecedented score.</p>
<p>Detected since July 2005, emails carrying HTML/Ebay-phish typically urge users to log into eBay's site to confirm or update their profile (inactive accounts being deleted, maintenance, etc.). The links point to a fake "eBay login" Web page hosted on a rogue server that collects the stolen credentials. Because the malicious page perfectly mimics the real one, unaware users may not notice the fishy URL in their browser's address bar and disclose their login and password.</p>
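<p>One check that catches the fishy URL before a user has to notice it in the address bar is to compare where each link in the message actually points with the brand it claims to be. The following Python script (an added example, not Fortinet's HTML/Ebay-phish signature) extracts the anchors from an HTML mail body and flags any that invoke eBay in their visible text or URL but resolve to a host outside ebay.com, including the <code>http://www.ebay.com@rogue-host/</code> trick where the real host hides after an <code>@</code>. The sample message is constructed and the brand/domain mapping is an assumption.</p>

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing mail body (not a real sample). Hosts are documentation
# addresses and .example names; only signin.ebay.com is the genuine one.
SAMPLE_EMAIL = """<html><body>
<p>Dear eBay member, inactive accounts are being deleted. Please
<a href="http://www.ebay.com@203.0.113.5/signin">sign in to eBay</a> within 24 hours.</p>
<p>Or open <a href="http://ebay-secure-update.example/login">http://www.ebay.com/login</a>.</p>
<p><a href="http://203.0.113.9/ebay/confirm">Confirm your profile</a></p>
<p>Genuine link kept for contrast: <a href="https://signin.ebay.com/">signin.ebay.com</a></p>
<p><a href="http://mail.example.net/unsub">Unsubscribe</a></p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_domain(host, domain):
    """True for the domain itself and its subdomains, not for look-alikes such as notebay.com."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, brand="ebay", brand_domain="ebay.com"):
    """Return (href, visible_text, actual_host) for links that mention the brand in
    their text or URL but whose real host, as a browser would resolve it, lies
    outside brand_domain. urlsplit().hostname discards any user@ prefix, so the
    decoy 'www.ebay.com@' is ignored and the rogue host behind it is compared."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if brand in (text + " " + href).lower() and not host_in_domain(host, brand_domain):
            flagged.append((href, text, host))
    return flagged


if __name__ == "__main__":
    for href, text, host in suspicious_links(SAMPLE_EMAIL):
        print(f"'{text}' -> {href} (real host: {host or 'none'})")
```

The same routine can be run for any brand by passing a different brand keyword and domain; what it does not cover is a message that never names the brand in text or URL and relies on logos alone, which is where image-based detection such as the appliance signature above comes in.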
<p>User protection against Zotob and other evolving threats</p>
<p>In light of Zotob, a network worm that was carried into corporate networks by infected laptops, deploying antivirus/firewall technology at the network edge alone is not always sufficient. Network security appliances paired with user education, consistent patch and update policies and desktop antivirus software are nowadays mandatory to avoid being caught by mobile vectors of intrusion (laptops, USB keys, PDAs, etc.).</p>
<p>Fortinet's Manager of Antivirus Research Nick Bilogorskiy advises: "To be safe from the emerging lightning-fast network worms, spreading quicker than antivirus patterns are distributed, networks also require proactive methods of threat protection - such as behavioral analysis or well-honed heuristics. Only such methods allow for blocking of new undetected threats, truly providing zero-day protection."</p>
<p>About Fortinet</p>
<p>Fortinet is the confirmed leader of the Unified Threat Management market. The company's award-winning FortiGate™ series of ASIC-accelerated multi-threat security systems, winner of the 2004 Security Product of the Year Award from Network Computing Magazine and the 2003 Networking Industry Awards Firewall Product of the Year, are the new generation of real-time network protection systems. They detect and eliminate the most damaging, content-based threats from e-mail and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time - without degrading network performance. FortiGate systems are the only security products that are certified five times over by the ICSA (antivirus, firewall, IPSec, SSL, NIDS), and deliver a full range of network-level and application-level services in integrated, easily managed platforms. Named to the Red Herring Top 100 Private Companies, Fortinet is privately held and based in Sunnyvale, California.</p>
<p>For more information:</p>
<p>David Frost, PR Deadlines Pty Ltd (02) 4341 5021
Yvonne Cheong, Fortinet (65) 6838 5226</p>
