Zotob Worm Slams News Networks
Despite overall global infection rates remain low compared to viruses such as Sober, Windows 2000 systems at several news networks were hit hard by the Zotob worm on Tuesday, prompting CNN to break into regular programming to announce its computers were under attack and constantly rebooting.
Machines at the New York Times, ABC and a number of other organizations were also infected by Zotob, which copies itself into the Windows System folder and modifies a user's "hosts" file to prevent access to antivirus Web sites. The worm initiates an FTP server on port 3333 and scans IP addresses using port 445 for other vulnerable systems.
The critical vulnerability in Windows 2000 that opens the door for Zotob was actually patched by Microsoft last week, but system administrators claim they did not have enough time to roll out the update.
Microsoft on Friday chided security researchers for breaching "the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code."
Although Zotob itself does not have a destructive payload, variants of the worm are reported to cause computer shutdowns. The worms also include backdoor capabilities, which connect the infected computer to an Internet Relay Chat channel to await remote instructions from a malicious user.
"Around 5 p.m. problems began at CNN facilities in New York and Atlanta before being cleared up about 90 minutes later," the news organization said. Although most corporate networks are protected from outsiders, it is believed internal users were to blame for the problems by connecting already infected laptops.
Microsoft responded by downplaying the severity of the worm, calling it a "low threat for customers."
"News reports had indicated that there was potentially a new worm. We are not aware at this time of a new attack; instead our analysis has revealed that the reported worms are different variations of the existing attack called Zotob," Microsoft said in a statement.
"Zotob has thus far had a low rate of infection. Zotob only targets Windows 2000. Customers running other versions such as Windows XP, or customers who have applied the MS05-039 update to Windows 2000 are not impacted by this attack."