Zotob MS05-39 Plug-and-Play vulnerability

Discussion in 'malware problems & news' started by Starrob, Aug 14, 2005.

Thread Status:
Not open for further replies.
  1. Starrob, Registered Member (Joined: Apr 14, 2004; Posts: 493)
  2. Rmus, Exploit Analyst (Joined: Mar 16, 2005; Posts: 3,943; Location: California)

    This was quoted on the DSLReports forum. You can see how easily Zotob can be prevented from infecting:

    Anyone with a properly configured firewall would stop this in its tracks.

    EDIT: LinkLogger on DSLR notes that Zotob is sending its probes to port 445 in pairs - the second one a few seconds later. I've confirmed this in my Kerio Log.

    An intrusion prevention/anti-execution protection w/whitelist would block this from unpacking/loading.

    Any good registry monitor would block the adding of a value in a Run Key; a lock-down system would wipe the entry and everything else the worm brought in, on a reboot.

    All of this done w/o worrying whether or not an AV program would catch it.

    So, unless some other unknown way of entering is discovered, this worm should never have infected anyone.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Aug 17, 2005
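Rmus mentions confirming the paired port 445 probes in his firewall log. The script below, as an added example that is not part of the original thread, shows how that pattern can be picked out of a log automatically: it groups inbound TCP/445 events per source address and flags any source whose consecutive probes arrive within a few seconds of each other. The log lines are constructed sample data in a simplified, assumed one-event-per-line format (date, time, direction, action, protocol, source IP, destination port); it is not the real Kerio log format, so adapt `parse_line()` to whatever your firewall actually writes. The 10-second pairing window is likewise an assumption.

```python
"""Flag source hosts that probe TCP/445 in quick pairs (Zotob-style).

Added example, not from the original thread. The log format below is a
constructed, simplified one-line-per-event format and is NOT the real
Kerio firewall log format; adapt parse_line() to your firewall's output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: two sources send paired 445 probes a few seconds
# apart, one source sends two 445 probes far apart, one hits port 80 only.
SAMPLE_LOG = """\
2005-08-14 10:01:03 IN BLOCK TCP 192.0.2.10 445
2005-08-14 10:01:07 IN BLOCK TCP 192.0.2.10 445
2005-08-14 10:01:09 IN BLOCK TCP 192.0.2.55 445
2005-08-14 10:02:30 IN BLOCK TCP 198.51.100.7 445
2005-08-14 10:02:32 IN BLOCK TCP 198.51.100.7 445
2005-08-14 10:05:00 IN BLOCK TCP 203.0.113.9 80
2005-08-14 10:09:00 IN BLOCK TCP 192.0.2.55 445
"""

# "A few seconds later" is not a precise number; 10 s is an assumed threshold.
PAIR_WINDOW = timedelta(seconds=10)


def parse_line(line):
    """Return (timestamp, src_ip, dst_port) for an inbound TCP event, else None."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time_, direction, _action, proto, src, dport = parts
    if direction != "IN" or proto != "TCP":
        return None
    try:
        ts = datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")
        return ts, src, int(dport)
    except ValueError:
        return None  # malformed line; skip rather than crash on a bad record


def find_paired_445_probes(log_text, window=PAIR_WINDOW):
    """Return {src_ip: [(t1, t2), ...]} for every source whose consecutive
    TCP/445 probes are no more than `window` apart."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == 445:
            hits[rec[1]].append(rec[0])

    pairs = {}
    for src, times in hits.items():
        times.sort()
        found = [(a, b) for a, b in zip(times, times[1:]) if b - a <= window]
        if found:
            pairs[src] = found
    return pairs


if __name__ == "__main__":
    for src, found in find_paired_445_probes(SAMPLE_LOG).items():
        for a, b in found:
            gap = int((b - a).total_seconds())
            print(f"{src}: paired 445 probes at {a:%H:%M:%S} and {b:%H:%M:%S} ({gap}s apart)")
```

On the sample data only 192.0.2.10 and 198.51.100.7 are reported; 192.0.2.55 also probed 445 twice, but almost eight minutes apart, which does not match the "second probe a few seconds later" pattern.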
  3. www

    www Guest

    Would GRC's UnPlug n' Pray protect a computer from this threat? I have it installed on my computer and Plug and Play disabled.
     
  4. Rmus, Exploit Analyst (Joined: Mar 16, 2005; Posts: 3,943; Location: California)

    That tool is for Universal Plug and Play - UPnP - which is different from PnP. See paragraphs 3 and 4 Here

    While disabling UPnP is fashionable, turning off the PnP service is not necessary - if you have the proper preventative measures in place - for you will lose the ease of installing new hardware. See PnP

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     