Zotob worm highlights security failings

The lesson of Zotob for UK businesses: keep the patching process up to date, consider upgrading some of your older software, look at intrusion-detection systems, and close port 445

It was the speed of the Zotob worm's attack that took businesses by surprise this week rather than any particular sophistication in the assault itself, experts said on Wednesday.

There were just a few days between Microsoft issuing a patch for a critical vulnerability in the Windows Plug and Play service (bulletin MS05-039), which was most serious on Windows 2000, and the first reports of a piece of malware — the Zotob worm — exploiting that flaw. It then took just another day for widespread attacks to break out.

Experts agreed that while Zotob was not as widespread or as damaging as some other worms it highlighted the need for regular patching. Zotob has also underlined the potential problems of not upgrading older software — Zotob is mainly an issue for Windows 2000 users, although it can cause problems for other users too.

Some in the security industry are impressed by the speed with which Zotob was created. "This was bad because the worm came out so quickly after the vulnerability became known," said John Anderson, a penetration expert with Portcullis Computer Security. "We hadn't seen that before. It has taken weeks in the past."

This was bad news for companies who were still testing Microsoft's patch before rolling it out across their systems, according to Les Fraser, a member of the security group at the British Computer Society (BCS).

"If you run a large network, you'll want to test everything before you run a patch on the live system. Any problems could cause a major disaster," said Fraser. "It's a dilemma; do you install the patch right away, because you know you're vulnerable, or do you test the patch first, so you don't bring down your network?"

Another problem was that Zotob exploits a vulnerability that is far easier to reach on an older piece of software, Windows 2000. Anderson explained that whether the flaw can be hit anonymously depends on a particular registry value (the RestrictAnonymous setting under the LSA key): when it is set to 0, the default on Windows 2000, the system is exposed to unauthenticated attackers. When it is set to 1, as it is on Windows Server 2003 and XP, the system is more secure.

According to Anderson, the age of the software is an issue. "Windows 2000 is not as well supported [as newer software] which makes things worse," he said. Poor system management is also an issue in attacks, according to Anderson. "It attacks through port 445 and that should not be open," he said. "You shouldn't have any ports open unless you know what they do."

Anderson said that all ISPs will have the port closed, which explains why most of the attacks have been on commercial sites and home users have been largely spared.
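Anderson's advice, that port 445 should not be reachable unless you know why it is open, is easy to check from outside the network. The script below is an added example, not code from the article or from any of the companies it quotes; it probes a list of hosts for TCP/445 and reports which ones accept a connection. The host list is constructed for illustration and is not from the article.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed example host list (assumption for this example, not from the article).
# In practice, feed this the addresses of your Internet-facing or DMZ systems.
HOSTS = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
SMB_PORT = 445  # the port Zotob used to reach the vulnerable service


def tcp_port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout.

    A completed handshake means the port is reachable from where this runs,
    which is exactly what a worm on the same network path would see.
    Refusals, filtering and timeouts all count as 'not open'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_exposed_hosts(hosts, port=SMB_PORT, timeout=1.0, workers=32):
    """Return the hosts (in input order) that accept connections on port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: tcp_port_open(h, port, timeout), hosts))
    return [h for h, is_open in zip(hosts, results) if is_open]


if __name__ == "__main__":
    exposed = find_exposed_hosts(HOSTS)
    if exposed:
        print("TCP/%d reachable on: %s" % (SMB_PORT, ", ".join(exposed)))
    else:
        print("TCP/%d not reachable on any listed host" % SMB_PORT)
```

Run it from a vantage point outside the segment you are checking (a home connection, a cloud VM), since a check from inside the LAN says nothing about what the Internet can reach. A host that shows up in the output and is not a file server you deliberately expose is the kind of gap Anderson is describing.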

The BCS' Fraser believes that the speed with which the worm spread suggested IT professionals should take a close look at their systems.

"Perhaps antivirus isn't enough — companies need to be looking at intrusion-detection and intrusion-prevention systems too," Fraser said.

As previously reported, computers running Windows 2000 across the US were hit overnight by a wave of worm infections, including those at cable news station CNN, television network ABC and The New York Times.

Many different versions of Zotob have been detected, and security experts are also concerned about the appearance of new variants of the Rbot worm.

ZDNet UK's Graeme Wearden contributed to this report