Asia escapes Zotob attack fairly unscathed

Although the impact the worm variants had on the region was minimal, industry watchers say companies today have less time to respond to security attacks.

SINGAPORE--Zotob variants, which plagued over a thousand systems in the United States last week, did not have much impact on Asia, according to security companies.

Although there were no figures available on the estimated number of companies affected in the Asia-Pacific region, Trend Micro's regional manager Ang Ah Sin described the impact as "pretty small".

He told ZDNet Asia that around 2,000 systems worldwide had been cleaned by the company's free scanning and cleaning system--negligible compared to the Sasser attack, which infected over a million systems worldwide last year.

Ken Low, 3Com's senior manager for enterprise marketing in the Asia-Pacific region, estimated that "a couple of hundreds" of systems in Singapore were affected. Low added that, to his knowledge, 13 Zotob variants in all had been identified in the attacks, which exploited a vulnerability in the Windows Plug and Play service.

The worm was at first described as harmless, but its variants caused more significant damage. Media organizations CNN, ABC and The New York Times were among those infected.

The Zotob effect
In terms of the number of reports, Zotob was not as widespread as "high profile" viruses such as Netsky, Bagle, and Sasser, noted Charles Cousins, managing director of Sophos Anti-Virus Asia. In terms of high visibility damage, however, they rank on a similar scale.

"One reason may be because the news media themselves were visibly affected and therefore they were able to bring it to world attention so quickly," explained Cousins.

ZDNet Asia's sister publication ZDNet Australia reported last Thursday that Amex and Visa were among the organizations hit by the variants.

Microsoft, which a few days later offered a free software tool to help affected companies, rated the worm attack as low to moderate. Security vendors also did not rate the attack beyond the mid-range: Trend Micro gave it a "yellow" rating, while Symantec rated the risk as two on a scale of one to five, with five being the worst.

Security companies claimed that, as a result of flaws in the worm's code, the damage was not as severe as its authors intended. Running processes were terminated and PCs reportedly shut down on users.

Ironically, something "good" seemed to have come out of the attacks, according to Trend Micro's Ang.

He pointed out that subsequent versions of the Zotob worm that affected some Windows 2000 users last week did not only terminate processes running on computers: they also caused harmful programs, and even earlier versions of the worm itself, to be removed from the systems.

Ang said the phenomenon was "not unusual", but added the number that Zotob.D deleted was "amazing". He said that there had been extensive deletion of registry entries from prominent spyware and adware.

Who's at risk?
Ang also noted that organizations with large numbers of users tend to be at higher risk of such attacks, because ensuring that patching and testing do not interfere with existing programs takes longer. Tertiary institutions, he added, were another vulnerable group, as they have difficulty ensuring that students adopt the right security practices.

According to Sophos' Cousins, large organizations often "wait and see", or take a "if it ain't broke, don't fix it" approach to patching operating systems and updating antivirus definitions.

3Com's Low pointed out that beyond this wrong mind-set, there is also the "conflict in interest" issue between the system owners and the IT department. "The system owners do not want the critical processes--for example, Internet banking --to be down because it's a money issue, but the MIS people are saying 'Microsoft said the vulnerabilities are critical too'," he said.

According to Low, 3Com subsidiary TippingPoint supplied filters to its intrusion prevention system (IPS) customers addressing all six vulnerabilities on Aug 9, the day Microsoft released its security bulletins.

Smaller window
Industry watchers also noted that the time between the public disclosure of a vulnerability and the appearance of a worm that exploits it is getting shorter.

"The window is getting smaller and smaller," said Ang. "Four, five years ago, we were looking at a year. Now, it's four days."

Willie Low, IDC's analyst for software research in the Asia-Pacific region, concurred with Ang. He noted that enterprises are aware of the short turnaround required.

Market projections also point to more vigilance on the part of businesses to minimize security risks.

According to IDC's findings, the region's security and vulnerability management market, which includes policy enforcement, vulnerability remediation and patch management software, is expected to grow at a compound annual growth rate of 19.4 percent to reach US$114.3 million in 2009, said Low.

"This (projected growth) suggests that enterprises are taking steps to reduce their window of exposure," he added.