Network Engines' Issues Prescriptive Security Alert and Recommendation Re: Zotob, Seven New Threats Uncovered

Business Wire, August 18, 2005

CANTON, Mass. -- Network Engines, a leading OEM appliance partner for Microsoft security solutions, in partnership with its NICE technology partners, has identified two more versions of Zotob. We are now tracking seven (7) Zotob permutations that are exploiting the PnP vulnerability. The worms are all based on versatile attack programs, known as bot software, which have added the ability to spread via a flaw in Microsoft's Windows Plug-and-Play functionality. Several bot programs had incorporated the code to exploit the flaw late last week, and starting with the Zotob worm, began adding the ability to automatically find and infect systems by last weekend. As of yesterday morning, at least 12 versions of bot software were using the exploit to spread. It is also important to note that not all PnP exploits are classified as Zotob, and some may escape AV detection altogether. Several new bots, including two based on IRCBot, three on Botzori, two variants of Esbot, a version of Bobax, and a version of Spybot, may escape AV detection.

Zotob.A

Executable size: 22,528 bytes

Executable Name: botzor.exe

Ports: TCP - 445,8080,33333

Aliases: Zotob.A (F-Secure), W32/Zotob.worm (McAfee), W32/Zotob-A (Sophos), WORM_ZOTOB.A (Trend)

Other details - Opens an FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.B

Executable size: 27,648 bytes

Executable Name: csm.exe

Ports: TCP - 445,8080,33333

Aliases: Zotob.B (F-Secure), W32/Zotob.worm.b (McAfee), W32/Zotob-B (Sophos), WORM_ZOTOB.B (Trend Micro)

Other details - Opens an FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.C

Executable size: 41,984 bytes

Executable Name: per.exe

Ports: TCP - 445,8080,33333

Other details - Mass-mailing worm that uses a predefined list of recipient names, appending domain names it gathers from the infected computer. Contains its own SMTP engine to email the addresses it finds. Opens an FTP server on port 33333 and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.D

Executable size: 51,326 bytes

Executable name: windrg32.exe

Ports: TCP - 6667,1117,445

Other details - Opens an FTP server on port 11173, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and program files directories, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.E

Executable size: 10,366 bytes

Executable Name: wintbp.exe

Ports: TCP - 8594,8080,445, UDP - 69

Aliases: WORM_RBOT.CBQ (Trend Micro)

Other details - Opens a TFTP server on UDP port 69, connects to an IRC server at 72.20.27.115 on TCP port 8080 to listen for update instructions, and adds itself to the Run key in the registry.

Zotob.F

Executable size: 10,878 bytes

Executable name: wintbpx.exe

Ports: TCP - 445

Other details - Opens multiple TCP ports. Connects to an IRC server at 72.20.41.139 to listen for update instructions, adds itself to the Run key in the registry, and creates a file named %Temp%\(NUMBER) which, if successful, contains TFTP scripts to download additional files.

Zotob.G

Executable size: 73,728 bytes

Executable name: windrg32.exe

Ports: TCP - 445,6667,1171

Aliases: W32.Drudebot.A

Other details - Attempts to connect to IRC servers on port 6667, opens a TFTP server on port 1171, and attempts to end a variety of processes. Modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and program files directories, adds itself to the Run and RunServices keys in the registry, and creates a file named %Temp%\(NUMBER) which, if successful, contains TFTP scripts to download additional files. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob exploits MS05-039 by generating random IP addresses and attempting to connect to each of them on port 445, searching for vulnerable computers. When a vulnerable computer is found, the worm sends it instructions to download a copy of the worm by TFTP. Once installed on a system, the worm modifies a registry key to ensure its execution on every system startup and initializes a backdoor component, made available through IRC, that awaits orders in a specified channel. The intent is to allow a remote attacker to take control of the system. It only spreads to systems running Windows 2000, Windows XP and Windows Server 2003.
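The propagation pattern just described (a fan-out of TCP/445 connection attempts to many addresses, a TFTP pull of the worm body, then an IRC call-back) is visible in ordinary connection logs. The following detector is an added example written for this page, not Network Engines' or any vendor's code. It takes the IRC server addresses and ports from the variant listings above; the log format, the sweep threshold, the time window and the sample log lines are all constructed assumptions for the example.

```python
"""Flag hosts whose connection logs match the Zotob propagation pattern:
many distinct TCP/445 targets in a short window, TFTP (UDP/69) transfers,
and call-backs to the IRC servers named in the advisory.
Assumed log format (constructed): "<epoch> <src_ip> <dst_ip> <proto> <dst_port>"
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Indicators taken from the variant listings above.
IRC_SERVERS = {"72.20.27.115", "72.20.41.139"}
IRC_PORTS = {6667, 8080}

# Analyst-chosen thresholds; assumptions, not values from the advisory.
SWEEP_THRESHOLD = 20   # distinct /445 targets from one host within one window
WINDOW_SECONDS = 60


@dataclass
class HostFindings:
    sweep_targets: int = 0                           # max distinct /445 targets in a window
    tftp_peers: set = field(default_factory=set)      # hosts this source pulled from via TFTP
    irc_peers: set = field(default_factory=set)       # listed IRC servers this source reached

    def verdict(self):
        reasons = []
        if self.sweep_targets >= SWEEP_THRESHOLD:
            reasons.append(f"tcp/445 sweep to {self.sweep_targets} hosts")
        if self.tftp_peers:
            reasons.append("tftp transfer")
        if self.irc_peers:
            reasons.append("irc call-back to listed server")
        return reasons


def parse_line(line):
    ts, src, dst, proto, port = line.split()
    return int(ts), src, dst, proto.lower(), int(port)


def analyze(lines):
    """Return {src_ip: [reasons]} for every source that matched at least one indicator."""
    targets = defaultdict(set)          # (src, window bucket) -> distinct /445 destinations
    findings = defaultdict(HostFindings)
    for line in lines:
        ts, src, dst, proto, port = parse_line(line)
        if proto == "tcp" and port == 445:
            bucket = ts // WINDOW_SECONDS
            targets[(src, bucket)].add(dst)
            f = findings[src]
            f.sweep_targets = max(f.sweep_targets, len(targets[(src, bucket)]))
        elif proto == "udp" and port == 69:
            findings[src].tftp_peers.add(dst)
        elif proto == "tcp" and dst in IRC_SERVERS and port in IRC_PORTS:
            findings[src].irc_peers.add(dst)
    return {host: f.verdict() for host, f in findings.items() if f.verdict()}


# Constructed sample log: 10.0.0.5 sweeps 25 TEST-NET addresses on tcp/445,
# 10.0.0.9 pulls a file from it over TFTP and then calls a listed IRC server,
# and 10.0.0.7 is a normal client talking to one file server and a web server.
BASE = 1124352000
SAMPLE_LOG = (
    [f"{BASE + i} 10.0.0.5 192.0.2.{i} tcp 445" for i in range(25)]
    + [
        f"{BASE + 30} 10.0.0.9 10.0.0.5 udp 69",
        f"{BASE + 35} 10.0.0.9 72.20.27.115 tcp 8080",
        f"{BASE + 40} 10.0.0.7 10.0.0.1 tcp 445",
        f"{BASE + 41} 10.0.0.7 10.0.0.1 tcp 445",
        f"{BASE + 42} 10.0.0.7 203.0.113.10 tcp 80",
    ]
)


def run_sample():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for host, reasons in run_sample().items():
        print(host, "->", "; ".join(reasons))
```

The sweep check keys on the number of distinct destinations rather than raw connection count, so a busy file-server client such as 10.0.0.7 does not trip it, while a host that walks random addresses does; the TFTP and IRC checks catch a freshly infected machine even before it starts scanning itself.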

RECOMMENDATION:

1. Disable TCP/IP Port 445 - Among the new ports introduced in Windows 2000, Windows XP and Windows Server 2003 is port 445. TCP port 445 is often exposed to the Internet because the Microsoft-DS service uses port 445 for resource sharing on Windows 2000, XP, 2003, and other Samba-based connections. It is difficult to describe the usage of port 445 in simple terms. Essentially it is used by the Server Message Block (SMB) protocol for file sharing. It is also used for NetBIOS services over TCP/IP, described as NBT. When file sharing is required and NBT is enabled, a connection to the remote computer is tried simultaneously on both port 139 and port 445. If there is a response from port 445, the client continues its SMB session on port 445 only. If there is no response from port 445, it will continue its SMB session on port 139 if that port responded. If there is no response from either port, the session will fail.
