Panda Virus Alert: Zotob.D and IRCBot.KB

Discussion in 'malware problems & news' started by Randy_Bell, Aug 17, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    - Two new worms strike down systems exploiting the Plug and Play (PnP) vulnerability, reports Panda Software -
    - Virus Alerts, by Panda Software (http://www.pandasoftware.com) -

    Several media, like CNN, ABC and The New York Times, affected

    Madrid, August 17 2005 - PandaLabs reports attacks from two new worms, Zotob.D and IRCBot.KB, that exploit a vulnerability in the Plug and Play (PnP) service, which Microsoft recently published in its Security Bulletin MS05-039, and which could allow a remote attacker to take control of the affected system. Several media, like CNN, ABC or The New York Times, have been affected.

    To exploit the vulnerability mentioned above, both generate random IP addresses to which they try to connect through port 445, searching for vulnerable systems. If found, they will send instructions to download a copy of the worm by TFTP (a simplified version of the traditional FTP protocol). They both get installed on the systems, modifying a registry key to ensure their execution on every system startup, and initialize a backdoor component which is available through IRC, awaiting orders in a specified channel, which could allow a remote attacker to take control of the system. They only spread to systems running Windows 2000, XP or Windows Server 2003.

    In addition, Zotob.D searches for the most popular adware programs to delete their files and directories. The visible effect of these worms on affected machines is repeated shutting down and rebooting, which could be very dangerous in corporate environments.

    Panda Software recommends that users download the patch offered by Microsoft, which appeared just a few days ago. The web page to download this patch is available at: http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

    To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.activescan.com. Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from http://www.pandasoftware.com/partners/webmasters.

    Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software's website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.

    More information about these and other threats is available in Panda Software's Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/
     
  2. Randy_Bell
    Trend Micro Virus Alert: WORM_ZOTOB.D and WORM_RBOT.CBQ

    Dear Trend Micro customer,

    As of August 16, 2005 5:12 PM (Pacific Daylight Time; GMT-7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_ZOTOB.D and WORM_RBOT.CBQ. TrendLabs has received several infection reports indicating that this malware is spreading in Brazil and the U.S.A.

    WORM_ZOTOB.D is a memory-resident worm that drops a copy of itself in the %System%\wbev folder as WINDRG32.EXE.

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)

    It takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. For more information regarding this vulnerability, refer to the Microsoft Security Bulletin MS05-039 found in the following Web page:

    http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

    (Note: This propagation routine works only on NT-based systems (Windows NT, 2000, XP, and Server 2003), because the Microsoft Windows Plug and Play vulnerability exists only on these platforms.)

    It also has backdoor capabilities, and may execute commands coming from a remote malicious user. This provides remote users virtual control over affected systems, thus compromising system security.

    As a form of an anti-debugging technique, this worm also gathers Web sites from RSS feeds, then randomly sends these sites as messages in the IRC channel it is connected to. It does this in order to confuse or mislead anyone who is monitoring the IRC channel from the real IRC commands it issues.

    ================

    WORM_RBOT.CBQ is a memory-resident worm that drops a copy of itself in the Windows system folder as WINTBP.EXE.

    This worm also takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. This propagation routine works only on Windows NT and 2000, as the Microsoft Windows Plug and Play vulnerability exists only on these platforms.

    This worm also connects to an IRC server, joins a specific channel and then sends the following messages:

    • {Random} :ER DL FH
    • {Random} :ER DL IF


    TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 183
    Official Pattern Release 2.787.00
    Damage Cleanup Template 638


    For more information on WORM_ZOTOB.D and WORM_RBOT.CBQ, you can visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.D
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
     
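The propagation mechanism described in the two alerts above (random scanning on TCP/445, then a TFTP download by the newly exploited host) leaves a recognisable pattern in network flow records. The following is an added example, not code from Panda Software or Trend Micro: it parses a constructed, simplified flow-log format and flags hosts that probe many distinct addresses on port 445, then pairs them with hosts that afterwards open UDP/69 back to the prober. The thresholds, the log format and the sample addresses are assumptions made for the example; port 69 is the standard TFTP port, which the alerts do not state explicitly.

```python
"""
Detector for the Zotob/IRCBot propagation pattern described in the alerts:
a host scans addresses on TCP/445 and, when it finds a vulnerable peer,
instructs that peer to fetch the worm copy over TFTP.

Added example, not Panda's or Trend Micro's code. The flow-record format
(timestamp src dst proto dport) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORT = 445                       # port the worms probe (from the alerts)
TFTP_PORT = 69                        # standard TFTP port (assumed; alerts only say "TFTP")
SCAN_THRESHOLD = 20                   # distinct 445 targets inside one window (assumption)
SCAN_WINDOW = timedelta(seconds=60)   # sliding window length (assumption)


def parse_flow(line):
    """Parse one constructed flow line: 'ISO-timestamp src dst proto dport'."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport)}


def find_scanners(flows):
    """Return {src: window_start} for hosts that touch SCAN_THRESHOLD or more
    distinct destinations on TCP/445 within any SCAN_WINDOW."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == SCAN_PORT:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the window fits SCAN_WINDOW
            while events[end][0] - events[start][0] > SCAN_WINDOW:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= SCAN_THRESHOLD:
                scanners[src] = events[start][0]
                break
    return scanners


def find_tftp_pulls(flows, scanners):
    """Return (victim, scanner) pairs: a host probed on 445 by a known scanner
    that afterwards opens UDP/69 back to it, i.e. the worm download step."""
    probe_time = {}
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == SCAN_PORT and f["src"] in scanners:
            probe_time.setdefault((f["src"], f["dst"]), f["ts"])
    pulls = []
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == TFTP_PORT:
            key = (f["dst"], f["src"])   # the scanner now acts as TFTP server
            if key in probe_time and f["ts"] >= probe_time[key]:
                pulls.append((f["src"], f["dst"]))
    return pulls


def build_sample_flows():
    """Constructed sample log: one scanner, one victim pulling via TFTP, one
    benign workstation mapping three file shares. All addresses are made up."""
    base = datetime(2005, 8, 16, 17, 0, 0)
    lines = []
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"10.0.0.5 192.168.{i}.{i + 1} tcp 445")
    for i, srv in enumerate(["10.0.1.10", "10.0.1.11", "10.0.1.12"]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.9 {srv} tcp 445")
    # probed host 192.168.3.4 fetches the worm copy from the scanner over TFTP
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 192.168.3.4 10.0.0.5 udp 69")
    return lines


def analyse(lines):
    """Run both stages over raw flow lines and return the findings."""
    flows = sorted((parse_flow(l) for l in lines), key=lambda f: f["ts"])
    scanners = find_scanners(flows)
    return {"scanners": sorted(scanners), "tftp_pulls": find_tftp_pulls(flows, scanners)}


if __name__ == "__main__":
    print(analyse(build_sample_flows()))
```

The second stage matters more than the first: a 445 scanner is only a suspect, but a probed host that then pulls a file from the prober over TFTP is the infection actually succeeding, and that victim is the machine to isolate.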
  3. Randy_Bell
    - ORANGE VIRUS ALERT: The Zotob and IRCBot worms are perpetrating a large scale combined attack against companies and users around the world -
    - Virus Alerts, by Panda Software (http://www.pandasoftware.com) -

    Madrid, August 17 2005 - According to data from PandaLabs, new variants of the Zotob and IRCBot worms continue to appear, confirming the intention of the creators to spread numerous malicious codes across the Internet, increasing the probability of computers being affected by one of them. Given this situation, the company has declared an Orange virus alert status.

    "The creators of these malicious codes want to exploit, as quickly as possible, the recently discovered Plug and Play vulnerability in Windows. To achieve this they will try to catch users unaware by spreading as many variants as possible. In this way, even if users have just updated their antivirus software, it is quite possible that new variants, not included in the update, could enter their systems", explains Luis Corrons, director of PandaLabs. "The solution against this type of attack involves having proactive technologies which can detect malware by themselves with no need for previous updates. Our TruPrevent™ technologies have blocked all these new worms, so systems with these installed have been protected from the outset."

    The main characteristic of these worms is that they are designed to exploit the Plug and Play vulnerability, chiefly affecting Windows 2000. This means they are able to install themselves directly on a computer from the Internet, without the need to use propagation channels such as email and without needing users to run the infected file. Once this is done, they create a backdoor in the system that allows an attacker to take remote control of the computer. Because Windows 2000 is a platform widely used across corporate environments, businesses are more susceptible to infection from any of these new examples of malware. According to Netcraft, 18 of the Fortune 100 companies and 36 of the FTSE companies have this Microsoft operating system installed.

    In fact, media companies such as CNN, ABC and The New York Times, as well as the US Congress and the company Caterpillar have already felt the effects of these malicious codes. Nevertheless, bearing in mind that new variants of Zotob and IRCBot could continue to appear, this list could increase if the necessary measures are not taken.

    However, home users must keep their guard up as well, as the vulnerability also affects Windows XP, although on this platform certain conditions must be met in order for the vulnerability to be exploited.

    To protect themselves against these new malware specimens, Panda Software advises users to download and install the update provided by Microsoft -at http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx- to fix the vulnerability. To prevent these new variants of Zotob or IRCBot from affecting your computer, Panda Software recommends keeping antivirus software up-to-date. Panda Software clients can already access the updates to detect and disinfect these new malicious codes.

    Panda Software clients that don't yet have TruPrevent™ Technologies already have the updates available to install them along with their antivirus and ensure they have preventive protection against unknown viruses and intruders such as Zotob or IRCBot. For users with a different antivirus program installed, Panda TruPrevent™ Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the antivirus is updated, decreasing the risk of infection. More information about TruPrevent™ Technologies at http://www.pandasoftware.com/truprevent

    To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.activescan.com. Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from http://www.pandasoftware.com/partners/webmasters

    Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software's website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.

    More information about these and other threats is available in Panda Software's Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/
     
  4. Randy_Bell
    - ORANGE VIRUS ALERT: Panda Software offers free tools for eliminating the Zotob and IRCBot worms -
    - Virus Alerts, by Panda Software (http://www.pandasoftware.com) -

    Madrid, August 17 2005 - To prevent the Zotob and IRCBot worms from continuing to spread, above all through computers that do not have effective anti-malware protection installed, Panda Software has made its free PQRemove applications available to all users, which detect and eliminate all known variants of Zotob, as well as IRCBot.KC and KD from any computer that could be affected. These tools can be downloaded from http://www.pandasoftware.com/download/utilities/

    Proof of the threat posed by these new malware specimens is that over the last few hours, companies and media like DaimlerChrysler, Kraft Foods, UPS, General Electric or the Financial Times, have joined those initially affected, like CNN, ABC, The New York Times, Caterpillar or the US Congress. The fact that the ABC TV network had to use electric typewriters to finish their World News Tonight news program shows the seriousness of these attacks.

    In order to protect yourself against these new malware specimens, it is highly advisable to download and install the update released by Microsoft, at http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx. To prevent these new variants of Zotob or IRCBot from affecting your computer, Panda Software recommends keeping antivirus software up-to-date. Panda Software clients can already access the updates to detect and disinfect these new malicious codes.

    TruPrevent™ proactive detection technologies from Panda Software block these worms without the need for previous updates, so systems with these technologies installed have been protected from the moment that each of these malicious codes appeared. Panda Software clients that don't yet have these technologies already have the updates available to install them along with their antivirus and ensure they have preventive protection against unknown viruses and intruders such as Zotob or IRCBot. For users with a different antivirus program installed, Panda TruPrevent™ Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the antivirus is updated, decreasing the risk of infection. More information about TruPrevent™ Technologies at http://www.pandasoftware.com/truprevent/

    To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.activescan.com. Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from http://www.pandasoftware.com/partners/webmasters.

    Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software's website (http://www.pandasoftware.com/about/subscriptions) and complete the corresponding form.

    More information about these and other threats is available in Panda Software's Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/
     
  5. Randy_Bell
    - ORANGE VIRUS ALERT: Computers protected by Panda Software's TruPrevent™ Technologies did not become infected by Zotob and IRCBot worms -
    - Virus Alerts, by Panda Software (http://www.pandasoftware.com) -

    Madrid, August 18 2005 - Before any security company was able to generate a vaccine to detect and eliminate the Zotob, IRCBot.KC and IRCBot.KD worms -which yesterday were able to affect numerous large companies and institutions, especially in the USA- Panda Software clients who had TruPrevent™ proactive protection technologies installed were already immune to the attacks from these malicious codes.

    A proactive technology should protect systems before a threat even appears. Panda Software's proactive technologies observe and analyze behavior, establishing, in real-time and transparently to users, if processes started on a computer could represent a threat to the system and blocking them if they are suspicious. This means they are able to prevent attacks from malicious code such as Zotob and IRCBot. For this reason, TruPrevent™ Technologies do not need to be updated every time a new example of malware appears in order to block it. Dangerous malicious code such as Sobig, MyDoom and Netsky were also blocked effectively by TruPrevent™.

    Luis Corrons, director of PandaLabs, explains "Our proactive technologies operate on the basis of a correlation algorithm that we have developed after years of research. This is why they don't need signature files to be able to detect a new species of malware. Since the launch of these technologies in August 2004, they have proved to be highly effective, proactively blocking more than 18,000 samples of unknown malware of all types: bots, spyware, Trojans, worms, viruses, etc. The real proof of their effectiveness is that these technologies now protect more than one and a half million PCs -both corporate and consumer- across the world."

    Independent tests confirm the effectiveness of TruPrevent™ Technologies

    TruPrevent™ Technologies underwent an exhaustive study by ICSA Labs Premier Services Group, one of the world's most prestigious IT security laboratories, which made evident their effectiveness against new Internet-borne threats. The tests carried out by ICSA Labs confirm the following aspects of the functionality of TruPrevent™ Technologies.

    - The ability to protect against a wide range of unknown malware (viruses, Trojans, adware, etc.)

    - Absence of false positives.

    - Ultra-low impact on the system.

    Similarly, a study carried out for PC Magazine by another important security laboratory, AV-Test (http://www.av-test.org), demonstrated how TruPrevent™ Technologies were able to detect two thirds of the unknown malware used for the analysis. This fact was acclaimed by PC Magazine as "highly impressive for a solution based solely on behavioral analysis".

    According to Bernardo Quintero, Technical Coordinator at the VirusTotal suspicious file analysis service at the Hispasec security laboratory, "The use of a traditional antivirus, based exclusively on signatures, is not enough. There is always a time lag between the detection of the threat, publication of the specific solution and update of antivirus products which leaves systems vulnerable. This problem is exacerbated by worms that exploit vulnerabilities to spread automatically to other systems, such as the recent IRCBot and Zotob, as they do not require user intervention and can infect numerous systems in a matter of minutes. The use of proactive technologies, such as TruPrevent™, offers an additional security layer, complementing traditional reactive technologies. Analysis of suspicious behavior patterns, instead of using specific identifiers, allows new malicious code to be detected generically without having to rely on reactive updates."

    Combination of reactive and proactive technologies: the key to security against Internet-borne threats

    TruPrevent™ Technologies are not designed to replace traditional antivirus solutions -which are still highly effective against known malware- but act as the perfect complement. They represent a first line of defense to prevent attacks from unknown malware, sending blocked files to PandaLabs, where the corresponding vaccine is generated and later included in signature file updates for traditional antivirus solutions.

    Panda Software corporate products include TruPrevent™ Technologies to achieve the highest levels of security against Internet threats through the integration of a wide range of technologies implemented as a layered strategy. Panda EnterpriSecure and Panda BusinesSecure include, among others, signature-based detection technologies, anti-spyware technologies, content filtering, anti-spam, Web filtering, and TruPrevent™ Technologies. This integration of technologies avoids the need to buy specific solutions for each threat, reducing excessive costs and incompatibility problems and ensuring optimum system performance.

    Evaluation versions of the Panda Software corporate solutions can be downloaded at http://enterprises.pandasoftware.com/download/
     
  6. Randy_Bell
    - Zotob - IRCBot: In-depth analysis of an infection -
    - Virus Alerts, by Panda Software (http://www.pandasoftware.com) -

    Madrid, August 19, 2005 - The attacks that several companies and users worldwide suffered yesterday, especially in the USA, could have been launched from three separate sources, according to the analysis of graphs carried out by PandaLabs. Graphs are a commonly-used way of giving a graphic representation in programming in order to explain the flow of processes run by a program. They are constructed using nodes, which represent the processes, and connections or axes, which describe the flow of the different processes run.

    The malware graphs showing the main variants to appear over the last few days are the following:

    http://www.pandasoftware.com/resources/des/bck_ircbot_JZ.zip
    http://www.pandasoftware.com/resources/des/ircbot_KC.zip
    http://www.pandasoftware.com/resources/des/ircbot_KD.zip
    http://www.pandasoftware.com/resources/des/zotob_A.zip
    http://www.pandasoftware.com/resources/des/zotob_B.zip
    http://www.pandasoftware.com/resources/des/zotob_C.zip
    http://www.pandasoftware.com/resources/des/zotob_D.zip

    The graph shows the flow chart or malware graph of the processes carried out by each worm, arranged identically, representing the 'fingerprint' or 'genetic signature' of each worm. This gives a graphic idea of the make up and complexity of each one and the relationship they could have with other variants.

    The comparative of the malware graphs for the different variants shows that while the A, B and C variants of Zotob, which caused the alert last weekend, are almost identical to one another, they are very different from the rest, which caused infections throughout yesterday.

    What's more, the variants launched over the last 48 hours are slightly more complex, but again, there seems to have been two developments in parallel, one consisting of Zotob.D and IRCBot.JZ, and the other of IRCBot.KC and IRCBot.KD, as shown in the malware graphs. The almost exact match between these when compared two by two, demonstrates very strong parallels in the construction of their code, suggesting that the developer or developers are the same but different from those of the first variants of Zotob. This means that although the functionality achieved is largely the same, the source code of the different families is very different.

    Other data supports the idea of three authors, such as the fact that some of them include functions to delete those that do not belong to their 'family'. For example, Zotob.D includes functions to end the processes associated to the previous variants, Zotob.A, Zotob.B and Zotob.C.

    The fact that they are all developing in the same direction could be due to the fact that they are all built on the same base code, available from proof of concept tests of an exploit of the vulnerability reported by Microsoft last week in the bulletin MS05-039, to which they made modifications, related to its means of propagation (scanning random IPs) or ending alternative processes, for example.

    Why is it affecting large companies?

    One of the questions arising about these attacks is why the victims have been large companies. In the last hours, there have been reported infections on companies like CNN, The New York Times, UPS or Caterpillar.

    This could be for two reasons: On the one hand, the complexity of migrating IT systems in companies means that companies are more likely to have kept the operating system Windows 2000, the main target of the attack. A less evident reason is that although the vulnerability also affects Windows XP and 2003 Server, the ability to exploit the vulnerability in these systems is dependent on the administration rights in these systems.

    On the other hand, large companies, including media companies (another of the main victims of these attacks) have a large number of mobile employees, making it difficult to control the security of their computers when they hook up to the corporate network along with the rest of the systems, after getting through the protection implemented in the network gateway.

    "The infections we have dealt with were successful for several reasons; on the one hand the attacks exploited a fairly recent vulnerability and therefore, not all systems had been patched. What's more, the difficulties involved in controlling mobile computers could also have helped them to spread," explains Luis Corrons, director of PandaLabs. "Our TruPrevent™ Technologies kept users out of danger at all times, demonstrating the huge advantage of using proactive technologies when this type of unknown, fast-spreading threat emerges."
     
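The post above reasons from pairwise comparison of the variants' malware graphs: near-identical graphs point to a shared code base, very different ones to a different author. The following is an added example, not PandaLabs' tooling or the graphs from the linked archives: it represents each variant as a set of directed edges between process nodes, scores every pair by edge-set Jaccard similarity, and groups variants whose score meets a threshold into families. The graphs, node names and the threshold are constructed for the example (the node names are chosen to mirror behaviours the alerts describe, nothing more), so the grouping it produces illustrates the method, not PandaLabs' actual result.

```python
"""
Added example (not PandaLabs' code): grouping worm variants by the similarity
of simplified process-flow graphs, the comparison the analysis above describes.
The graphs are constructed toys; node names and the threshold are assumptions.
"""
from itertools import combinations

# Constructed toy graphs: each variant is a set of directed edges (caller -> callee).
VARIANT_GRAPHS = {
    "Zotob.A": {("main", "scan445"), ("scan445", "exploit_pnp"),
                ("exploit_pnp", "tftp_push"), ("main", "persist_runkey"),
                ("main", "irc_backdoor")},
    "Zotob.B": {("main", "scan445"), ("scan445", "exploit_pnp"),
                ("exploit_pnp", "tftp_push"), ("main", "persist_runkey"),
                ("main", "irc_backdoor"), ("main", "mutex")},
    "Zotob.D": {("main", "init"), ("init", "scan445"), ("scan445", "exploit_pnp"),
                ("exploit_pnp", "tftp_push"), ("init", "persist_runkey"),
                ("init", "irc_backdoor"), ("init", "kill_older_variants"),
                ("init", "remove_adware"), ("irc_backdoor", "rss_noise")},
    "IRCBot.JZ": {("main", "init"), ("init", "scan445"), ("scan445", "exploit_pnp"),
                  ("exploit_pnp", "tftp_push"), ("init", "persist_runkey"),
                  ("init", "irc_backdoor"), ("init", "kill_older_variants"),
                  ("irc_backdoor", "rss_noise")},
}


def jaccard(a, b):
    """Edge-set Jaccard similarity |A ∩ B| / |A ∪ B|, in [0, 1]."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def similarity_matrix(graphs):
    """Score every unordered pair of variants."""
    return {(x, y): jaccard(graphs[x], graphs[y]) for x, y in combinations(graphs, 2)}


def cluster(graphs, threshold=0.6):
    """Union-find grouping: variants whose similarity meets the threshold
    (assumed value) are placed in the same family. Returns sorted families."""
    parent = {g: g for g in graphs}

    def find(g):
        while parent[g] != g:
            g = parent[g]
        return g

    for (x, y), score in similarity_matrix(graphs).items():
        if score >= threshold:
            parent[find(x)] = find(y)
    families = {}
    for g in graphs:
        families.setdefault(find(g), []).append(g)
    return sorted(sorted(members) for members in families.values())


if __name__ == "__main__":
    for pair, score in sorted(similarity_matrix(VARIANT_GRAPHS).items()):
        print(f"{pair[0]:>10} vs {pair[1]:<10} {score:.2f}")
    print("families:", cluster(VARIANT_GRAPHS))
```

Edge-set Jaccard is deliberately simple: it is sensitive to node naming, so in practice nodes would be normalised (for example to function hashes or API-call sequences) before comparison, and a graph-isomorphism or edit-distance measure would replace the set overlap.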