Sunday, August 14, 2005

A new worm using a new exploit

A new worm known as W32/Zotob, which exploits the MS05-39 Plug-and-Play vulnerability, has been found.
This is nasty, as patches for this vulnerability have only been available for five days.
The worm is based on Mytob and might be using exploit code published by 'houseofdabus' four days ago.
This whole case has a nasty ring to it: the infamous Sasser worm was released two days after 'houseofdabus' released exploit code for the LSASS vulnerability.
However, Zotob is not going to become another Sasser. First of all, it will not infect Windows XP SP2 machines. It also won't infect machines that have 445/TCP blocked at the firewall. As a result, the majority of Windows boxes on the net won't be hit by it.
This worm replicates by scanning random machines on port 445/TCP. When a victim is found, the exploit code downloads the main virus file via FTP from the scanning machine, sets up an FTP server on the newly infected machine and starts scanning for more targets.
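That propagation pattern leaves a recognisable trace in perimeter logs. The following is an added example, not code from the original post: it parses constructed firewall log lines and flags hosts that probe many distinct addresses on 445/TCP within a short window and are then contacted back on FTP by those same addresses (the payload download that completes an infection). The log format, addresses and thresholds are constructed for illustration.

```python
# Added example (not from the original post): flag Zotob-style spreading in firewall logs.
import re
from collections import defaultdict
# Constructed log format: "<epoch> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")
SCAN_PORT, PAYLOAD_PORT = 445, 21  # SMB port the exploit hits; FTP port victims pull from
DISTINCT_TARGETS, WINDOW = 20, 60  # >= 20 distinct 445/TCP targets within 60 s is a scan
# Constructed sample: 10.0.0.5 probes 25 hosts on 445/TCP (two exploits succeed) and the
# two victims fetch the payload back over FTP; 10.0.0.8 is an ordinary SMB client.
SAMPLE_LOG = [
    f"{1000 + i} 10.0.0.5 -> 10.0.1.{i + 1}:445 {'ALLOW' if i in (6, 8) else 'DENY'}"
    for i in range(25)
] + [
    "1003 10.0.0.8 -> 10.0.2.1:445 ALLOW", "1004 10.0.0.8 -> 10.0.2.2:445 ALLOW",
    "1040 10.0.1.7 -> 10.0.0.5:21 ALLOW", "1041 10.0.1.9 -> 10.0.0.5:21 ALLOW",
    "1050 10.0.3.3 -> 10.0.0.8:21 ALLOW",  # unrelated FTP session, must not be flagged
]

def parse(lines):
    """Return (ts, src, dst, port, action) tuples; lines that do not match are skipped."""
    out = []
    for line in lines:
        if m := LINE_RE.match(line.strip()):
            ts, src, dst, port, action = m.groups()
            out.append((int(ts), src, dst, int(port), action))
    return out

def find_scanners(events):
    """src -> 445/TCP targets for sources hitting DISTINCT_TARGETS hosts inside WINDOW s.
    DENY lines count too: random scanning mostly misses, so denied probes are the signal."""
    per_src = defaultdict(list)
    for ts, src, dst, port, _ in events:
        if port == SCAN_PORT:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= WINDOW}
            if len(targets) >= DISTINCT_TARGETS:
                scanners[src] = targets
                break
    return scanners

def detect(lines):
    """{scanner: {victims}} for scanners whose own 445/TCP targets then open FTP to them."""
    events = parse(lines)
    scanners = find_scanners(events)
    confirmed = defaultdict(set)
    for _, src, dst, port, action in events:
        if port == PAYLOAD_PORT and action == "ALLOW" and src in scanners.get(dst, ()):
            confirmed[dst].add(src)
    return dict(confirmed)
```

Running `detect(SAMPLE_LOG)` returns only the scanning host and the two victims that pulled the payload; the benign SMB client and the unrelated FTP session are not flagged.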
Patch as quickly as you can, or use some kind of buffer overflow protection in your software or hardware. It's a nasty one, but I don't think we will get a large outbreak of this one.