The Internet worm Zotob, which recently attacked major corporations by exploiting a vulnerability in Microsoft’s Windows operating system, signals the rise of the “business worm,” or a new type of malicious software that targets enterprises rather than home users, security experts said Tuesday.
This new breed of worm is potentially more worrisome as it may be after information like corporate data and trade secrets, security pros said.
Previous worms like Blaster and Sasser have primarily sought to crash the computers of home users, conferring bragging rights on their hacker-creators in the murky world of security high jinks.
In its four-day run last week, Zotob infected computers at payment processing giant Visa, enterprises such as General Electric and UPS, and media companies including CNN, ABC, and the New York Times. Security experts said they don’t know if Zotob managed to steal any information when it wormed its way into corporate networks.
Prime Targets
But if Zotob didn’t help pilfer any data, it may be just a matter of time until worms do. Indeed, it appears Zotob may mark a shift, with businesses now becoming the prime targets.
“We definitely see business worms as a trend,” said Shane Coursen, senior technical analyst with Kaspersky Lab, a security software firm headquartered in Russia.
Zotob wasn’t the first of its kind this year, Mr. Coursen added, with worms like IRCbot and Rbot also written just to get user information. These Trojan horse programs connected to an IRC (Internet Relay Chat) server and waited for commands from the hacker. They could have been used to steal information like social security numbers, financial data, credit card details, and other proprietary information.
The Zotob worm was first detected on August 14, four days after Microsoft released a note detailing a vulnerability in its plug-and-play feature for Windows 2000 (See Zotob Virus Strikes Windows). It was an insidious worm, installing a backdoor entry into infected computers.
The worm spread quickly as many corporate users failed to download the vulnerability patch in time to prevent an outbreak in their networks (See Zotob Morphs Into 11 Variants).
At the last count, Zotob had 17 variants and had affected thousands of computers. Security experts said there are no statistics available on the precise number of Zotob infections but classified it as a “moderate”-risk worm.
Ding Dong, the Worm Is Dead
The good news for users is the virus is “dead,” as most users have patched their machines, security software company Trend Micro said.
“Most people don’t reveal that they have been infected by a virus,” said David Perry, global director of education for Trend Micro, which is based in Tokyo. “But based on the numbers that we are seeing, the Zotob worm is gone.”
Zotob caused considerable disruptions, sending some Visa employees home for the day when it hit the credit card giant. Although most corporate users blamed the yet-to-be-identified authors of the worm for the outbreak, a poll found a third of corporate users surveyed pointed the finger at Microsoft (See Microsoft Gets Flak for Zotob).
But Zotob was found to be much less damaging in its spread than predecessors like Blaster and Sasser, which brought down thousands of web sites and clogged traffic on the Internet.
Zotob’s containment has been attributed to the fact that it only struck unpatched computers running Windows 2000, an operating system that Microsoft has been trying to phase out.
“It could have been worse if there had been more people on Windows 2000,” said Eric Yoshizuru, product manager at security software company Panda Software, based in Madrid, Spain.
Further, Zotob did not become an epidemic on the Internet, as it confined itself largely to enterprise users.
“It seems to be confined to localized 'explosions' inside large corporations,” David Emm, Kaspersky Lab’s senior technology consultant for the United Kingdom, wrote in the company’s blog. “These organizations, typically made up of 'small Internets' behind heavily defended Internet gateways, have experienced infection.”
Beyond Data Thefts
Before Zotob-like worms, enterprise users mainly had to protect themselves from data thefts, which are targeted attempts on a company’s network to steal information.
For instance, in February 2004, details on 4.5 million subscribers were stolen from Japan’s largest broadband access provider, SoftBank. The company later said that it had restricted access to its databases and upgraded logging history.
Unlike data thefts, worms like Zotob are released by hackers without a particular target. Instead, the creators cross their fingers in hopes their worms will find their way to valuable information. And as shown by Zotob, worms do crack networks, exploiting holes that haven’t been patched.
“In many cases, even as the worms are removed from the systems, there are bots left behind that can mine the system for information,” said Mr. Perry.
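As an added illustration (not code from the article or from any vendor quoted in it) of how a defender would look for the IRC-controlled bots Mr. Coursen and Mr. Perry describe: the script below scans constructed firewall log lines for internal hosts that repeatedly connect out to IRC ports, and for an external IRC server shared by several internal hosts. The log format and the IRC port set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not real data): outbound connections from internal hosts.
SAMPLE_LOG = """\
2005-08-16 09:12:01 ALLOW TCP 10.1.4.23:1043 -> 203.0.113.10:80
2005-08-16 09:12:07 ALLOW TCP 10.1.4.23:1044 -> 198.51.100.7:6667
2005-08-16 09:12:09 ALLOW TCP 10.1.4.23:1045 -> 198.51.100.7:6667
2005-08-16 09:13:30 ALLOW TCP 10.1.7.88:2201 -> 203.0.113.55:443
2005-08-16 09:14:02 ALLOW TCP 10.1.9.5:3311 -> 198.51.100.7:6669
2005-08-16 09:14:40 ALLOW TCP 10.1.4.23:1046 -> 198.51.100.7:6667
"""

# Assumption: the common IRC server port range plus 7000; tune to your environment.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Assumed log layout: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

def irc_flows(log_text):
    """Yield (src, dst, dport) for every allowed TCP connection to an IRC port."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["action"] == "ALLOW" and m["proto"] == "TCP":
            dport = int(m["dport"])
            if dport in IRC_PORTS:
                yield m["src"], m["dst"], dport

def find_irc_beacons(log_text, threshold=2):
    """Internal hosts that connect to the same IRC endpoint at least `threshold` times.
    Repeated reconnects are what a bot waiting for commands looks like on the wire."""
    counts = defaultdict(int)
    for flow in irc_flows(log_text):
        counts[flow] += 1
    return sorted((src, dst, port, n) for (src, dst, port), n in counts.items() if n >= threshold)

def shared_irc_servers(log_text, min_hosts=2):
    """External IRC servers contacted by `min_hosts` or more distinct internal hosts:
    one controller serving several infected machines inside the perimeter."""
    hosts = defaultdict(set)
    for src, dst, _port in irc_flows(log_text):
        hosts[dst].add(src)
    return {dst: srcs for dst, srcs in hosts.items() if len(srcs) >= min_hosts}

if __name__ == "__main__":
    for src, dst, port, n in find_irc_beacons(SAMPLE_LOG):
        print(f"{src} connected {n}x to {dst}:{port}")
    for dst, srcs in shared_irc_servers(SAMPLE_LOG).items():
        print(f"{dst} is contacted by {len(srcs)} internal hosts: {sorted(srcs)}")
```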
Bolstering Security Is Key
For enterprises, the arrival of Zotob on the scene means they will have to tweak security policies. For starters, the regular patching cycles instituted to fix loopholes in machines have become obsolete.
With the time between the discovery of a vulnerability and a virus outbreak shortened significantly, enterprise users will have to institute new protocols to deal with worms and viruses of the future, Mr. Perry said.
In short, they will have to become more proactive, he said: security problems must be dealt with before they reach users, at the gateway or firewall level. That means blocking ports and forcing users to update security programs with the latest patches, said Mr. Perry.
“Business users need to get out of thinking about patching and scanning,” he said.