Worms Hit High-Profile Targets
- By Scott Bekker
CNN, The New York Times, the U.S. Congress and the Caterpillar Co. are among major organizations reporting system downtime from worms stemming from the Plug and Play vulnerability in Windows 2000.
Other sites reported to have suffered serious problems included ABC and an administrative office at San Francisco International Airport.
A state of general alarm has existed in security circles since last Thursday, when exploit code first appeared for the Windows Plug and Play vulnerability that Microsoft released a patch for two days earlier. While that patch, MS05-039, also applied to Windows XP and Windows Server 2003, it was only considered critical for Windows 2000. The first worm based on the flaw, called Zotob, appeared on Sunday.
The worst round of outages began Tuesday evening and coincided with the appearance of two new variants of the worm, dubbed Zotab.D and IRCBot.KB. According to security researchers at Panda Software, the Zotab.D variant was prone to cause system crashes because of a behavior that attempted to uninstall adware, causing a cycle of system reboots.
Behavior common to the Zotob family of worms is scanning TCP port 445 for vulnerable systems, installing themselves on unpatched systems and opening backdoors to listen for commands from attackers.
Because Windows 2000 is primarily a corporate product, the issue has not had a major impact on consumers.
Microsoft continued to assess the worm as a low threat. In a statement released Wednesday, the company said, "Zotob has thus far had a low rate of infection. Zotob only targets Windows 2000. Customers running other versions such as Windows XP, or customers who have applied the MS05-039 update to Windows 2000 are not impacted by this attack."
"All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation," the company said.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.