Enterasys - Secure Networks

There is nothing more important than our customers.
Skip to content

ENSRT Incident Note ETS-i-2005-12591

The Enterasys Networks Security Response Team (ENSRT) publishes incident notes to provide information for our constituents to raise awareness of issues deemed threatening to the security and integrity of our customers.

Worm - W32.Zotob.E

Release Date: 08/17/2005
Last Updated:

Print this alert

Overview

Worm W32.Zotob.E infects PCs running the Microsoft Windows 2000 operating system by exploiting the Microsoft Windows Plug and Play Service vulnerability. Additionally, the Zotob.E worm opens an FTP server for transferring worm components as well as a backdoor IRC client session to listen for remote attacker commands.

Details below describe the characteristics of the W32.Zotob.E worm as well as provide detection, containment, and prevention techniques available through Enterasys Secure Networks solutions.

Also known as: WORM_RBOT.CBQ

Systems affected

Windows operating systems

Systems not affected

Linux and MAC/OSX

Description

The W32.Zotob.E worm attacks vulnerable Microsoft Windows PCs by exploiting the "Microsoft Windows Plug and Play Service Vulnerability" on TCP port 445. W32.Zotob.E can run on, but not infect, computers running Windows 95/98/Me/NT4/XP. These systems are utilized to search for and infect vulnerable computers.

If the unpatched Windows PC is compromised by the Zotob worm, the following steps will occur:

1) Places a copy of the worm into the Windows system directory with the name of "wintbp.exe".
2) Updates the Windows registry on the compromised PC to restart the worm upon each Windows reboot.
3) Connects to an Internet IRC server on TCP port 8080 and waits for commands from a remote attacker.
4) Opens UDP port 69 in order to initiate TFTP sessions.
5) Generates random IP addresses using the first two bytes of the IP address from the compromised PC. The random IP addresses are then attacked in an effort to find other exploitable Windows PCs.
6) Opens a backdoor on TCP port 8594 to transfer worm components.



Threat Assessment

Network worms if not addressed through prudent remediation steps may degrade network performance, impact individual system performance and compromise security settings allowing unauthorized remote access to the compromised host.

Trojans or backdoor listeners if not addressed through prudent remediation steps, can compromise network and host security. Additionally, trojans and backdoor listeners potentially allow theft of information, unauthorized remote access, and damage to critical files.

Remediation

Matrix N7
 X
Matrix E7
 X
Matrix E6
 X
Matrix E5
 X
Matrix E1
 X
VH
 X
C-Series
X

Detection

The Dragon signature "ENSRT:W32-ZOTOB-A-B-001" which was originally released in order to detect the .A and .B variants of the Zotob worm, can also be used to detect this latest variant as it attempts to contact an IRC server. This signature can be retrieved via Dragon Live Update and is located in the Master Library within the ENSRT category. The signatures with the prefix "ENSRT:W32-ZOTOB-A-B" and can be copied into a custom library and deployed on all Dragon network sensors protecting end-user networks, data center networks, and Internet connections to successfully detect end-user class machines which have become infected with the worm.

Additionally, two signatures MS:UPNP-OVERFLOW and MS:UPNP-OVERFLOW2 have been added to the Dragon Beta library and can be used to detect attempts to exploit the universal plug and play service. These signatures were built to detect the DCE-RPC bind associated with the pnp service on port 139 and 445.

If utilizing Dynamic Intrusion Response (DIR), a Dragon Alarmtool policy that consists of an event group that contains the signatures with the prefix "ENSRT:W32-ZOTOB-A-B" should be used.

NOTE: All signatures in the ENSRT library are disabled by default. These signatures must be enabled after they are imported into a custom library if they are to be successfully deployed.

Prevention

Trusted End System solutions are capable of monitoring various end system activity. TES is able to take immediate action such as firewalling specific IPs, TCP/UDP ports, applications, or placing the user into a Quarantine policy or VLAN until end system threat is mitigated. Learn more at: http://www.enterasys.com/solutions/secure-networks/trusted_end_system/

Containment

The Enterasys Dynamic Intrusion Response (DIR) solution can be utilized to remove infected end-users from the enterprise network by detecting the infection with a Dragon NIDS signature (see "Detection" section of this report), locating the user's connection point using Automated Security Manager's location services module, and either placing the user in a quarantine VLAN or disabling the associated switch port for the user.

Internet or edge facing firewalls should be configured with a default 'Deny' policy and contain 'Permit' policies for only needed services and applications. Furthermore, careful inspection of firewall policies that allow TCP traffic streams to be initiated from the Internet into internal enterprise resources is required. These policies should only allow specific protocols to trusted servers thereby combating the increased use of random TCP ports by Internet Trojans and worms. For the W32.Zotob.E worm it is critical to not allow TCP port 445 traffic initiated from the Internet into the Enterprise network.

Repair

Scan all clients and servers for newly opened TCP ports that did not appear in previous TCP scans. For the W32.Zotob.E worm pay extra attention to TCP port 8594. If viruses are detected apply appropriate removal tools on each client and server that have the open ports (See your anti-virus solution for removal instructions).

Monitor Dragon Realtime Console for alerts that end-user PCs have become infected with the virus. If utilizing the DIR solution, users can either be expunged from the network or placed in a quarantine VLAN. Once isolated, see your anti-virus vendor for Windows repair procedures for infected users.

References

http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.e.html

This document and the information contained herein are intended solely for informational use. Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Enterasys from any and all liability related in any way to this information.    

A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright ©Enterasys Networks, Inc. All rights reserved. All information above is subject to change without notice.    

Revision History:

Version: 1.0

Date: 08/17/2005

Author: ENSRT STAFF

Change

There is nothing more important than our customers