Warily Watching Worm Variants Variants of Zotob and 'Zotob Challengers' Proliferate Tim Gray
While security firms continue to debate the severity of the Zotob worm plaguing the Windows Plug-and-Play vulnerability, hackers have released a new wave of worms aimed at taking over PCs running the nearly ubiquitous operating system.
Among the latest is the Bozori worm, which attempts to eliminate infections by earlier versions of Zotob, so it can take control of a compromised computer for itself, according to several security firms.
Variants from both the IRC Bot and Bozori families that exploit the same Microsoft (MS05-039) Plug-and-Play vulnerability, are now busy deleting competing PnP bots, according to Finish security outfit F-Secure.
"It seems there are two groups that are fighting: IRCBot and Bozori vs. Zotobs and the other Bots," warns the F-Secure's security team on their Web
site. The group said there are 11 different types of malware in the wild exploiting the vulnerability.
F-Secure gave the virus a level 2 risk assessment, its second-highest threat level.
The Zotob virus, which surfaced earlier this month after Microsoft warned of the security flaw, has already hit media outlets including ABC, CNN, The Associated Press and The New York Times, among others. Microsoft issued a patch earlier this month as part of its monthly patch process; however, the bug has been hitting networks not properly protected.
In response to the fast-moving virus, Microsoft has made a no-cost, software-based cleaner tool available that customers can use to automatically remove the Zotob worm and its variants from infected PCs after deploying the security update.
"We are not aware at this time of a new attack, but are releasing this free tool to help any customers that may have been affected," the software maker said in a statement.
Vinny Gullotto, a vice president at McAfee AVERT, said the fast-spreading worms capable of launching Denial-of-Service attacks warranted a high-risk assessment because of several factors. Most notably, they are spreading without any human interaction action.
Shane Coursen, senior technical consultant at antivirus vender Kaspersky Labs, said once a worms hijacks a PC it can be used for launching spam, sending out malware, stealing personal data, and launching an extortion denial-of-service attacks.
However, the worms have yet to be a major concern outside of corporate networks where the attacks appear to be concentrated, said Coursen.
"It shouldn't be compared to Sasser outbreak," he said, noting there has not been any noticeable increase in network activity that could be pinpointed on Bozori. "That was the worse Internet virus seen. This isn't generating that kind of traffic."
What is being seen is large outbreaks within individual corporations where internal traffic has been going off the charts. These companies, with the number of machines ranging from anywhere from 20,000 to several hundred thousands, are getting hit hard, according to Coursen.
"The concentrated outbreaks aren't escaping outside," he said.
The SANS Internet Storm Center also shares Coursen's opinion and has lowered its general risk rating of the worm.
