Robot wars

Zotob failed in its attempt to be ‘this year’s Sasser’ but security experts have identified chilling trends in the make-up of the virus.

By  Simon Duddy Published  August 28, 2005

On August 13, several variants of the Zotob worm emerged on the internet. The worms exploited a critical Microsoft vulnerability, which Microsoft had acknowledged only four days earlier, on August 9. The bot worm had less impact than feared because it targeted machines running the Windows 2000 operating system, which represents a relatively small proportion of PCs worldwide. In addition, many end users had introduced better patching procedures and closed unused network ports in the wake of Sasser, and this also slowed the worm’s progress.

It is the lightning response of more than one group of virus writers to the announced vulnerability that has alarmed security experts. The four-day response time eclipsed Sasser’s arrival 18 days after the publication of the vulnerability it exploited. Virus writers are able to exploit vulnerabilities this quickly because they use ready-made code for the bulk of their worms, simply tailoring it to specific vulnerabilities as they become known. “This is common among malware writers. The original code is written and posted to a public web site; other writers then modify the code, adding functionality, such as more advanced seeding and propagation techniques, to make the malware more destructive,” says Samir Kirouani, technical manager for Trend Micro Middle East.

The most important lesson for the end user is that critical vulnerabilities are being exploited faster than ever before and are approaching ‘zero day’ status. This makes fast and effective patching of OS and other software vulnerabilities of the utmost importance in the enterprise.

“The growth of bot networks has been documented in the last two Symantec Internet Security Threat reports and should be taken seriously in areas of rapidly growing PC penetration, such as the Middle East,” says Kevin Isaac, regional director for Symantec MENA. “Protecting your systems with integrated security software is an important step, but it is also critical that users ensure their systems are updated regularly to download patches from all vendor software that they have installed on their machines,” he explains.

There are limits to how quickly network professionals can work in applying patches. Even with 24/7 availability of staff, if an enterprise has hundreds or thousands of machines to patch, this is a difficult task, especially when the necessary compatibility testing is factored in. Although Internet Security Systems (ISS) has introduced proactive patching, where enterprises can gear up for possible vulnerabilities before they are officially disclosed, it still has issues. First, the enterprise is dependent on the vendor to spot the vulnerability; second, IT teams have to be convinced of the need to devote valuable time to patching a ‘vulnerability’ that has not been officially acknowledged.

This means that end users cannot rely entirely on patching and need to take a layered approach to combat this kind of attack. The advantage of multi-tiered defences is that if a perimeter-based firewall or antivirus fails to intercept a threat, there is still a chance that client-based products or intrusion protection systems will spot it.

Trend Micro predicts that bot worms will develop further in the future, with techniques such as RSS feed hijacking set to lead the way. Kirouani reckons this will become important as Internet Explorer 7 is released, since it will have built-in support for RSS feeds. These allow websites to inform readers when new content has been posted. However, a feed can potentially be hijacked by virus writers to deliver worms and other malware to PCs. As ever, new software functionality not only opens up benefits for users, but also presents opportunities for hackers and virus writers to exploit.
