Win32/Zotob – Why proactive detection is essential when worms exploit vulnerabilities.
By Andrew Lee, CTO. ESET LLC.
There are cycles of activity in the malware world, times when certain types of threat rise and fall relative to others. In recent months, successful worms have not seemed as prevalent as they once were. However, announcements of vulnerabilities in Microsoft’s operating systems can often provoke flurries of activity. So it was with the recent spate of Win32/Zotob worms. In the course of a few days, between the 14th and 18th of August, at least six variants of the Win32/Zotob worm appeared. Not all of them spread rapidly, partly because the exploit code they carried would only work on exposed Windows 2000 systems, and partly because they had no mass-mailing capability. Despite this, many sites were hit, particularly in the government and education sectors, where machine lifecycles tend to be stretched to the maximum. There were also several major
The fact that these worms were ‘successful’ serves only to highlight that major vulnerabilities will be exploited by those with malicious intent. It also shows that the patch-and-mend solution offered by traditional anti-virus – and indeed by software vendors in general – is not sufficient to prevent such exploitation.
So what was Win32/Zotob, and how did it work?
The Zotob worms (called Bozari by some companies) were evolutions of the Win32/Mytob family of worms – of which there have been hundreds of variants. The differences – significant enough to warrant naming as a separate family – were that the early Win32/Zotob worms used only a vulnerability to spread. The mass-mailing capabilities were removed (or at least disabled), and exploit code added.
The method of spread was fairly simple, and did not require any user intervention.
An infected machine would generate random IP addresses, and would attempt to connect to port 445 on the IP generated, using code designed to exploit a vulnerability in Microsoft’s Plug and Play service (MS05-039 http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx). If the code successfully compromised the remote machine, it would execute some further code, causing it to connect back to the originating machine, and retrieve a copy of the worm from a server installed by the worm on the originating machine.
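The spread pattern described above, one source trying port 445 on a stream of random addresses, is visible in ordinary firewall logs as a single host reaching an unusual number of distinct destinations on that port in a short window. The following script is an added example, not code from the article or from ESET; its log format and every address in it are constructed, and the window and threshold are assumptions to be tuned for your own network.

```python
"""Detect Zotob-style port-445 scanning in firewall logs.

Added example (not part of the original article). The log format
"timestamp action src:port -> dst:port" and all addresses are constructed;
adapt parse_line() to the format your firewall actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.5.23 behaves like an infected host, 10.0.7.12 like
# a normal client talking to a couple of file servers.
SAMPLE_LOG = """\
2005-08-16 10:00:01 DENY 10.0.5.23:1054 -> 203.0.113.7:445
2005-08-16 10:00:01 DENY 10.0.5.23:1055 -> 198.51.100.90:445
2005-08-16 10:00:02 DENY 10.0.5.23:1056 -> 192.0.2.44:445
2005-08-16 10:00:02 ALLOW 10.0.5.23:1057 -> 10.0.5.80:445
2005-08-16 10:00:03 DENY 10.0.5.23:1058 -> 203.0.113.200:445
2005-08-16 10:00:03 DENY 10.0.5.23:1059 -> 198.51.100.3:445
2005-08-16 10:00:04 ALLOW 10.0.7.12:2031 -> 10.0.7.1:445
2005-08-16 10:00:05 ALLOW 10.0.7.12:2032 -> 10.0.7.1:445
2005-08-16 10:00:06 ALLOW 10.0.7.12:2033 -> 10.0.7.2:445
2005-08-16 10:00:09 DENY 10.0.5.23:1060 -> 192.0.2.99:445
"""

LOG_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) (\S+):\d+ -> (\S+):(\d+)$")


def parse_line(line):
    """Return (timestamp, action, src, dst, dport) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4), int(m.group(5))


def find_scanners(log_text, port=445, window=timedelta(seconds=10), threshold=5):
    """Map each source that contacted `threshold` or more distinct destinations
    on `port` within any sliding `window` to the largest such count seen.

    Both allowed and denied attempts count: a scanner hits reachable internal
    hosts as readily as unreachable external ones.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _action, src, dst, dport = parsed
        if dport == port:
            events[src].append((ts, dst))

    scanners = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(distinct))
    return scanners


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct destinations on port 445 within 10s")
```

Counting distinct destinations rather than raw connection attempts is what separates a random-IP scanner from a busy but legitimate client that repeatedly talks to the same file servers.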
Once the worm was retrieved from the infected source, it would be executed on the new machine. This dropped the worm code into the system directory and created two registry keys so that the worm would load at start-up. Then an FTP server would be created on the system, listening on port 33333, and the whole process would repeat. To protect itself from being found by anti-virus programs (if the anti-virus was not proactive), Win32/Zotob worms overwrote the hosts file. The hosts file then contained an incorrect IP address (127.0.0.1) for most anti-virus sites. This meant that once the worm was active, the machine could no longer download updates for the anti-virus. The worm also blocked several other commercial sites. The final act of the worms was to open up a backdoor on the machine. This would contact an IRC (Internet Relay Chat) channel and allow a remote user to use the machine for their own purposes, for instance running executables, rebooting the machine, providing FTP services and so on.
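The hosts-file tampering above leaves a simple fingerprint: a vendor’s update hostname pinned to a loopback address. The script below is an added example, not code from the article or from ESET. It parses hosts-file text and flags every entry that maps a non-local name to a loopback or unspecified address; the sample hosts content and the domain names in it are constructed, and the list of names that legitimately resolve to loopback is an assumption you should extend for your own hosts.

```python
"""Flag hosts-file entries that sinkhole external names to loopback.

Added example (not part of the original article). Win32/Zotob pointed
anti-virus update sites at 127.0.0.1 in the hosts file; this check surfaces
that pattern. SAMPLE_HOSTS and its domain names are constructed.
"""
import ipaddress

# Names that legitimately map to loopback on most systems (assumed allowlist;
# extend it with any local aliases your own images add).
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "localhost4", "localhost6",
    "ip6-localhost", "ip6-loopback", "broadcasthost",
}

SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.corp.example      # legitimate static entry
127.0.0.1       update.antivirus-vendor.example   # hijacked: update site pinned to loopback
0.0.0.0         www.another-vendor.example
"""


def parse_hosts(text):
    """Return (ip, hostname, line_number) tuples; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower(), lineno))
    return entries


def is_sinkhole_address(ip):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacked_entries(text, local_names=LOCAL_NAMES):
    """Return entries where a non-local hostname resolves to a sinkhole address."""
    return [
        (ip, name, lineno)
        for ip, name, lineno in parse_hosts(text)
        if is_sinkhole_address(ip) and name not in local_names
    ]


if __name__ == "__main__":
    for ip, name, lineno in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} (non-local name pinned to loopback)")
```

Run against a real machine by reading `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) and passing its text to `find_hijacked_entries`; any hit for a vendor’s update domain is a strong sign that updates have been silently cut off, which is exactly the condition the article warns about.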
Lists of such compromised machines are often traded to criminals who use them to perform fraudulent activities such as Phishing attacks, sending spam or hosting Warez (pirated software).
Despite the fact that only certain types of machine (Windows 2000 systems) were vulnerable to the attack, this worm still made an impact. This shows two things. One is that there are a lot of older systems still out there, since not everyone can upgrade. Unfortunately, it also shows that there is still a lot of ignorance about how to protect systems. A simple personal firewall running on the system would have meant that this worm could not infect it. In a business environment, the corporate firewall should have been enough to do the trick.
When malicious software exploits vulnerabilities in this way, the reaction time of anti-virus companies is a very important factor, because the worm is completely automated and so can spread very fast, relentlessly tracking down and infecting vulnerable systems. This can significantly reduce the amount of time that an anti-virus company has to respond to the threat. In the case of Win32/Zotob, once infection had occurred, it effectively disabled the anti-virus by preventing further updates. Thus the ideal time to prevent the attack was before it occurred.
Ideally, systems could be better protected with firewalls or similar measures, but this is not always a ‘cure-all’: sometimes systems need to have certain ports open, and if a vulnerability is discovered which can be reached through that port, a firewall will not stop it.
Often, Anti-virus software is the last line of defence, which is why it is so critical that it is proactive. Waiting for an update can greatly increase the risk of infection – an often costly and always unwelcome event.
Proactive defences such as ESET’s ThreatSense™ technology allow that window of vulnerability to be closed, preventing new threats without having to know specifically what they are; even systems vulnerable to the exploit were protected by NOD32 from the Win32/Zotob worms.
Below you can see a chart showing the detection times of various companies; in some cases there is more than a day’s difference between the times at which companies detected these worms. Perhaps it’s not so surprising that worms like Win32/Zotob still manage to find systems to compromise!