Warily Watching Worm Variants

While security firms continue to debate the severity of the Zotob worm exploiting the Windows Plug-and-Play vulnerability, hackers have released a new wave of worms aimed at taking over PCs running the nearly ubiquitous operating system.

Among the latest is the Bozori worm, which attempts to eliminate infections by earlier versions of Zotob, so it can take control of a compromised computer for itself, according to several security firms.

Variants from both the IRC Bot and Bozori families that exploit the same Microsoft (MS05-039) Plug-and-Play vulnerability are now busy deleting competing PnP bots, according to Finnish security outfit F-Secure.

“It seems there are two groups that are fighting: IRCBot and Bozori vs. Zotobs and the other Bots,” warns F-Secure’s security team on its Web site. The group said there are 11 different types of malware in the wild exploiting the vulnerability.

F-Secure gave the virus a level 2 risk assessment, its second-highest threat level.

The Zotob virus, which surfaced earlier this month after Microsoft warned of the security flaw, has already hit media outlets including ABC, CNN, The Associated Press and The New York Times, among others. Microsoft issued a patch earlier this month as part of its monthly patch process; however, the worm has been hitting networks that were not properly protected.

In response to the fast-moving virus, Microsoft has made a no-cost, software-based cleaner tool available that customers can use to automatically remove the Zotob worm and its variants from infected PCs after deploying the security update.

“We are not aware at this time of a new attack, but are releasing this free tool to help any customers that may have been affected,” the software maker said in a statement.

Vinny Gullotto, a vice president at McAfee AVERT, said the fast-spreading worms, which are capable of launching denial-of-service attacks, warranted a high-risk assessment because of several factors. Most notably, they are spreading without any human interaction.

Shane Coursen, senior technical consultant at antivirus vendor Kaspersky Labs, said once a worm hijacks a PC it can be used for launching spam, sending out malware, stealing personal data and launching extortion denial-of-service attacks.

However, the worms have yet to be a major concern outside of corporate networks, where the attacks appear to be concentrated, said Coursen.

“It shouldn’t be compared to the Sasser outbreak,” he said, noting there has not been any noticeable increase in network activity that could be attributed to Bozori. “That was the worst Internet virus seen. This isn’t generating that kind of traffic.”

What is being seen is large outbreaks within individual corporations, where internal traffic has been going off the charts. These companies, with anywhere from 20,000 to several hundred thousand machines, are getting hit hard, according to Coursen.

“The concentrated outbreaks aren’t escaping outside,” he said.

The SANS Internet Storm Center also shares Coursen’s opinion and has lowered its general risk rating of the worm.