BANGALORE: Fortinet, the confirmed market leader in unified threat management and said to be the only provider of ASIC-accelerated, network-based antivirus firewall systems for real-time network protection, recently released its review of malicious code activity across the globe in August 2005, focusing particularly on the Zotob worm - the most significant threat since the Sasser and MsBlaster worms that wreaked havoc in 2004.
W32/Zotob worm and related variants
This network worm appeared last weekend after a vulnerability in the Windows Plug and Play service was announced (MS05-039). W32/Zotob spreads through the network by scanning random IP addresses for systems vulnerable to MS05-039. Upon finding a vulnerable system, the exploit is triggered, and the newly infected system downloads its own copy of the worm from the originally infected system.
The worm is then executed and starts scanning for new targets.
Fortinet has also examined Zotob variants that propagate through mass-mailing and other Windows vulnerabilities. Zotob opens a backdoor and functions as a bot - listening to owners' commands through an IRC channel. Some systems infected by Zotob become unstable, rebooting continuously.
There are a few characteristics that make this family of worms a serious threat. First, like MsBlaster and Sasser worms, Zotob requires no user interaction and spreads to all vulnerable machines automatically. Second, the worm's footprint is quite small (10KB) and it can simultaneously connect to hundreds of target computers so it spreads very rapidly. Third, the worm exploits a vulnerability that affects Windows 2000, Windows XP and Windows Server 2003 -- all potential victims as these systems make up a large percentage of Internet-connected computers. Lastly, it can spread to a wide array of networks by randomly guessing IP addresses.
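The propagation pattern described above, one host fanning out to many randomly chosen addresses with most attempts going nowhere, is what a behavioural detector on firewall logs can key on. The following is an added illustration, not code from the article or from Fortinet; the log line format, the use of TCP port 445, the constructed sample traffic and the thresholds are all assumptions:

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (not real traffic). Assumed line format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ACCEPT|DROP>"
def build_sample_log(seed=7):
    rng = random.Random(seed)
    t0 = datetime(2005, 8, 15, 10, 0, 0)
    lines = []
    # A worm-infected host fans out to 120 random addresses in 40 seconds;
    # only one in ten answers, the rest are dropped by the firewall.
    for i in range(120):
        dst = "%d.%d.%d.%d" % (rng.randint(1, 223), rng.randint(0, 255),
                               rng.randint(0, 255), rng.randint(1, 254))
        ts = (t0 + timedelta(seconds=i // 3)).isoformat()  # ~3 attempts/s
        verdict = "ACCEPT" if i % 10 == 0 else "DROP"
        lines.append(f"{ts} 10.0.0.5 -> {dst}:445 {verdict}")
    # A normal workstation reaching a few file servers over an hour.
    for i in range(5):
        ts = (t0 + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 -> 10.0.1.{i + 1}:445 ACCEPT")
    return lines

def parse(line):
    ts, src, _, dst_port, verdict = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), verdict

def detect_fanout(lines, port=445, window=timedelta(seconds=60),
                  min_targets=50, min_drop_ratio=0.7):
    """Return {src: (distinct_targets, drop_ratio)} for every source whose
    busiest window on `port` reached min_targets distinct destinations with
    at least min_drop_ratio of the attempts dropped (random scanning hits
    far more unreachable hosts than live, vulnerable ones)."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, p, verdict = parse(line)
        if p == port:
            events[src].append((ts, dst, verdict))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = (0, 0.0)  # (distinct targets, drop ratio) of the busiest window
        for i, (start, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            targets = {d for _, d, _ in win}
            drops = sum(v == "DROP" for _, _, v in win) / len(win)
            if len(targets) > best[0]:
                best = (len(targets), drops)
        if best[0] >= min_targets and best[1] >= min_drop_ratio:
            flagged[src] = best
    return flagged
```

Running `detect_fanout(build_sample_log())` flags only 10.0.0.5; the workstation never exceeds one distinct target per window.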
According to Fortinet Threat Response Team Leader - France, Guillaume Lovet: "Zotob spread all over the news faster than over the Internet itself, and two facts helped hype the buzz. First of all, Zotob infected the media networks of CNN, ABC and the New York Times. Seemingly, it could have got in by plugging laptops into these networks, hence bypassing firewalls and infecting unprotected Windows 2000 boxes from the inside."
He continued: "Secondly, the exploit-oriented nature of Zotob's propagation, which does not require any user interaction, and the fact it appeared "in the wild" less than a week after Microsoft released a patch for the PnP vulnerability, tremendously reminded us of the MsBlaster (Aug 2003) and Sasser (Apr 2004) threats, which caused a reasonable amount of havoc in their time."
Protection against Zotob and other evolving threats
In light of the Zotob mass-mailing worm, where the malware was brought in by infected laptops, deploying antivirus/firewall technology at the network edge is not always sufficient. Network security appliances paired with user education, consistent update policies and desktop antivirus software are nowadays mandatory to avoid being trapped by mobile vectors of intrusion (laptops, USB keys, PDAs etc.).
Fortinet's Manager of Antivirus Research Nick Bilogorskiy advises: "To be safe from the emerging lightning-fast network worms, spreading quicker than antivirus patterns are distributed, networks also require proactive methods of threat protection -- such as behavioral analysis or well-honed heuristics. Only such methods allow for blocking of new undetected threats, truly providing zero-day protection."