Enterasys - Secure Networks

There is nothing more important than our customers.
Skip to content

ENSRT Incident Note ETS-i-2005-12590

The Enterasys Networks Security Response Team (ENSRT) publishes incident notes to provide information for our constituents to raise awareness of issues deemed threatening to the security and integrity of our customers.

Worms - W32.Zotob.A and W32.Zotob.B

Release Date: 08/15/2005
Last Updated:

Print this alert

Overview

Worms W32.Zotob.A and W32.Zotob.B infect PCs running the Microsoft Windows operating system by exploiting the Microsoft Windows Plug and Play Service vulnerability. Additionally, the Zotob worms open an FTP server for transferring worm components as well as a backdoor IRC client session to listen for remote attacker commands.

Details below describe the characteristics of the W32.Zotob.A and W32.Zotob.B worms as well as provide detection, containment, and prevention techniques available through Enterasys Secure Networks solutions.

Systems affected

Windows operating systems

Systems not affected

Linux and MAC/OSX

Description

The W32.Zotob.A and W32.Zotob.B worms attack vulnerable Microsoft Windows PCs by exploiting the "Microsoft Windows Plug and Play Service Vulnerability" on TCP port 445. If the unpatched Windows PC is compromised by the Zotob worms the following steps will occur:

1) Places a copy of the worm into the Windows system directory with the name of "botzor.exe" for the "A" variant or "csm.exe" for the "B" variant.
2) Updates the Windows registry on the compromised PC to restart the worm upon each Windows reboot
3) Connects to an Internet IRC server on TCP port 8080 and waits for commands from a remote attacker.
4) Opens an FTP server on TCP port 33333 to transfer worm components.
5) Generates random IP addresses using the first two bytes of the IP address from the compromised PC. The random IP addresses are then attacked in an effort to find other exploitable Windows PCs.
6) If another targeted machine is exploited, a remote shell on TCP port 8888 is opened to perform the FTP script required to copy the worm components.
7) The Windows HOSTS file is modified to redirect traffic of certain Internet security sites to the loopback address of the infected PC.

Threat Assessment

Network worms if not addressed through prudent remediation steps may degrade network performance, impact individual system performance and compromise security settings allowing unauthorized remote access to the compromised host.

Trojans or backdoor listeners if not addressed through prudent remediation steps, can compromise network and host security. Additionally, trojans and backdoor listeners potentially allow theft of information, unauthorized remote access, and damage to critical files.

Remediation

Matrix N7
 X
Matrix E7
 X
Matrix E6
 X
Matrix E5
 X
Matrix E1
 X
VH
 X
C-Series
X

Detection

Dragon signatures to detect both the W32.Zotob.A and W32.Zotob.B worms can be retrieved via Dragon Live Update and are located in the Master Library within the ENSRT category. The signatures with the prefix "ENSRT:W32-ZOTOB-A-B" and can be copied into a custom library and deployed on all Dragon network sensors protecting end-user networks, data center networks, and Internet connections to successfully detect end-user class machines which have become infected with the worm.

Additionally, two signatures MS:UPNP-OVERFLOW and MS:UPNP-OVERFLOW2 have been added to the Dragon Beta library. These signatures were built to detect the DCE-RPC bind associated with the pnp service on port 139 and 445.

If utilizing Dynamic Intrusion Response (DIR), a Dragon Alarmtool policy that consists of an event group that contains the signatures with the prefix "ENSRT:W32-ZOTOB-A-B" should be used.

NOTE: All signatures in the ENSRT library are disabled by default. These signatures must be enabled after they are imported into a custom library if they are to be successfully deployed.

Prevention

Trusted End System solutions are capable of monitoring various end system activity. TES is able to take immediate action such as firewalling specific IPs, TCP/UDP ports, applications, or placing the user into a Quarantine policy or VLAN until end system threat is mitigated. Learn more at: http://www.enterasys.com/solutions/secure-networks/trusted_end_system/

Containment

The Enterasys Dynamic Intrusion Response (DIR) solution can be utilized to remove infected end-users from the enterprise network by detecting the infection with a Dragon NIDS signature (see "Detection" section of this report), locating the user's connection point using Automated Security Manager's location services module, and either placing the user in a quarantine VLAN or disabling the associated switch port for the user.

Internet or edge facing firewalls should be configured with a default 'Deny' policy and contain 'Permit' policies for only needed services and applications. Furthermore, careful inspection of firewall policies that allow TCP traffic streams to be initiated from the Internet into internal enterprise resources is required. These policies should only allow specific protocols to trusted servers thereby combating the increased use of random TCP ports by Internet Trojans and worms. For the W32.Zotob.A and W32.Zotob.B worms it is critical to not allow TCP port 139 and 445 traffic initiated from the Internet into the Enterprise network.

Repair

Scan all clients and servers for newly opened TCP ports that did not appear in previous TCP scans. For the W32.Zotob.A and W32.Zotob.B worms pay extra attention to TCP ports 33333 and 8888. If viruses are detected apply appropriate removal tools on each client and server that have the open ports (See your anti-virus solution for removal instructions).

Monitor Dragon Realtime Console for alerts that end-user PCs have become infected with the virus. If utilizing the DIR solution, users can either be expunged from the network or placed in a quarantine VLAN. Once isolated, see your anti-virus vendor for Windows repair procedures for infected users.

References

http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html

This document and the information contained herein are intended solely for informational use. Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Enterasys from any and all liability related in any way to this information.    

A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright ©Enterasys Networks, Inc. All rights reserved. All information above is subject to change without notice.    

Revision History:

Version: 1.0

Date: 08/15/2005

Author: ENSRT STAFF

Change

There is nothing more important than our customers