Exploit code for recently patched Windows flaws has swiftly evolved into a new series of worms, labelled Zotob, now spreading on the Internet.
The worms attack a critical vulnerability in Windows 2000 Plug and Play service. They spread using the TCP/IP port 445, associated with Windows file sharing, and seize control of the operating system. Infected computers are then told to await further instructions on an IRC channel, meaning that they could then be used to attack other systems, according to Johannes Ullrich, chief research officer with The SANS Institute.
The Zotob family also disables the Windows Update service and blocks access to certain websites, including eBay.com and amazon.com, Ullrich said. Because Zotob can generally only affect unpatched Windows 2000 systems, which have also have an open port 445, it is unlikely to be widespread, Ullrich said. "It doesn't seem to be spreading fast," he said.
Trend Micro has since reported two Zotob variants, called Zotob.a and Zotob.b. The anti-virus vendor referred to Zotob as "a failed attack", in a statement, but cautioned that further variants could be forthcoming.
Users of Windows 95, 98 and ME are not susceptible to Zotob. Windows XP and Windows Server 2003 systems could be vulnerable in certain circumstances, however. In this case, the system's registry file would have to be altered to allow the computer to list system resources without requiring a login, a practice called "enabling Null sessions".
Null sessions are not enabled by default in Windows XP or Windows Server 2003, Ullrich said, and SANS has published instructions on how to check to see if they are enabled.
Samples of code that could be used in a Plug and Play attack began surfacing late last week, just days after Microsoft disclosed the vulnerability, so the emergence of the Zotob worms does not come as a surprise. Exploit code for another recently disclosed vulnerability in the Internet Explorer browser was also published last week, but SANS has not yet seen this software used in attacks, Ullrich said.
Microsoft has put out an advisory on the Zotob worm.