After creeping through computer networks at some of the largest U.S. media organizations, a variant of the Zotob worm attacked hundreds of computers at Visa International’s processing headquarters in California on Wednesday, forcing the company to send employees home as it scrambled to sanitize its computers.

“Like a lot of businesses, we were impacted, too,” said Colin Baptie, a spokesperson for Visa. “We did apply the security patch and there has been no impact on our business.” Visa declined to give any further details on the extent of the impact or why the firm was affected.

Microsoft released a patch for the vulnerability the worm exploits on August 9, but it wasn’t clear which variant of the worm hit the Visa network. Visa International is the world’s largest payment system, with more than 1 billion credit and other payment cards in circulation and 22,000 member banks. Visa was hit by one of the six Zotob variants that have been in circulation since Sunday.

Noting the increasing havoc that Zotob and its variants have been wreaking, Symantec raised its threat ratings for the worm and its relatives on Wednesday. Specifically, Symantec raised two variants, W32.Zotob.E and W32.Esbot.A, to category 3 threats from category 1, on a scale of 1 to 5 with 5 being the most severe. Symantec has also raised its “ThreatCon” alert level, an overview of the current Internet threat landscape rated from 1 to 4 with 4 the highest, to Level 2.

The outbreak at the Visa office has raised questions about the security of major financial institutions that run Windows but do not keep their systems updated against the latest threats. “If everyone applied the latest service packs and security patches to their operating systems, this virus wouldn’t be making headlines,” said Carmi Levy, an analyst at the Info-Tech Research Group, a consultancy for mid-sized companies. “As we have seen, even some high-profile companies are being caught with their pants down.”

More Businesses At Risk

Analysts warned that the worm and its variants may not have run their course yet and could strike many more enterprises, with particular impact on small- and medium-sized companies. “Many enterprises don’t always have the properly documented and universally applied security processes,” said Mr. Levy. “Security is an end of the line thing for them.” Mr. Levy said that the key to minimizing the damage from worms such as Zotob is to ensure timely security updates and close loopholes within hours, rather than days or months.

Media Impact

Since the first Zotob worm was detected Sunday, the worm and its variants have spread to hundreds and possibly thousands of computers around the world. On Tuesday, media companies including CNN, ABC, and The New York Times reported that their computers had been infected by a variant. Like the original worm, analysts said, the variants attack a flaw in the Windows Plug and Play service, for which Microsoft posted patches on August 9. The worm has continued to spread because many users have still not installed the patch. “A variant just means that someone took advantage of the underlying structure of a released worm and modified it a little to do slightly different sort of damage,” said Mike Murray, director of vulnerability and exposure research for San Francisco-based nCircle Network Security, which makes vulnerability management systems for enterprises.

Security Patch

Zotob targets a Plug and Play vulnerability that potentially affects Windows 98/ME/NT/2000/XP/Server 2003, but Microsoft’s security bulletin says that only Windows 2000 systems are exposed to the remote, unauthenticated attack the worm uses, which is why the worm spreads among them. A failed exploitation attempt crashes the service that hosts Plug and Play, so affected computers continually crash and reboot. Where the attempt succeeds, the worm gains a remote shell on the victim, uses it to download a copy of itself over FTP (file transfer protocol) from the infecting host, installs itself, starts its own FTP server to serve later victims, and scans IP addresses for other machines that lack the patch. Once the worm finds another unprotected machine, the process repeats. Zotob also opens a back door on the infected PC and adds entries to the Windows hosts file that redirect antivirus vendors’ web sites to the local machine, so the PC can no longer reach them for updates.

“The really interesting thing here is how quickly an exploit to take advantage of the hole was created and released,” said Matt Watchinski, director of vulnerability for Sourcefire, a Columbia, Maryland-based company that offers intrusion-prevention systems. “Normally, it takes a couple of days or weeks before a worm or virus is released but this time there’s just been four days from the release of the patch to the spread of the worm.”

Nothing Like Sasser

Experts at Sourcefire and F-Secure, an antivirus and encryption firm based in Helsinki, Finland, said that Zotob will not inflict the kind of widespread damage that Sasser did in April 2004, when nearly 1 million computers worldwide were estimated to have been infected.

“To an extent, Zotob exploits the same kind of vulnerabilities that Sasser did but this time the playing field is different,” said Mr. Watchinski. “There are not as many users of Windows 2000 out there and the firewalls have changed since the release of Sasser, which could help prevent the spread of the worm.”

To protect their computers, Windows users need to install the security patch from the Microsoft site. Machines running Windows XP with Service Pack 2 have some protection built in, since that service pack turns on the Windows Firewall by default, and computers behind a firewall that blocks inbound Windows file-sharing traffic are also somewhat protected. Windows users who installed August’s security updates when they were released are already protected.
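The two symptoms described above under Security Patch, a host that scans the network for unpatched machines and a hosts file that silently blocks antivirus sites, can both be checked with simple detection logic. The script below is an added example written for this page; it is not code from the article or from the worm. The firewall log format, the antivirus domain list and the sample hosts file and log lines are all constructed for illustration, and port 445, the Windows file-sharing port over which the Plug and Play flaw is reached, is an assumption taken from Microsoft's bulletin rather than something stated on the page.

```python
"""Detect two Zotob-style behaviours from local artefacts (added example).

1. tampered_hosts_entries(): hosts-file lines that redirect antivirus or
   update sites to the local machine.
2. scanning_sources(): sources that contact the file-sharing port (assumed
   TCP/445) on many distinct hosts within a short window, i.e. worm scanning.
All sample data below is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed list of vendor/update domains a worm would want to block.
AV_DOMAINS = {"symantec.com", "mcafee.com", "f-secure.com", "sophos.com",
              "trendmicro.com", "windowsupdate.microsoft.com"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed firewall log format: "<date> <time> <ACTION> <PROTO> src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def tampered_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs mapping a known AV/update host to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            name = name.lower()
            blocked = any(name == d or name.endswith("." + d) for d in AV_DOMAINS)
            if ip in LOOPBACK and blocked:
                hits.append((ip, name))
    return hits


def parse_log(text):
    """Parse constructed firewall lines into dicts; unknown lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return events


def scanning_sources(events, port=445, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: max distinct targets} for sources that hit `port` on at
    least `min_targets` distinct hosts inside any sliding `window`."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["dport"] == port:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


# Constructed sample hosts file: three AV entries pinned to loopback.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com
10.0.0.9 intranet.example.test
"""

# Constructed sample log: 10.0.0.5 sweeps eight hosts on 445 in four seconds,
# 10.0.0.20 is a normal client talking to two file servers.
SAMPLE_LOG = """\
2005-08-17 10:15:01 DENY TCP 10.0.0.5:1034 -> 10.0.1.1:445
2005-08-17 10:15:01 DENY TCP 10.0.0.5:1035 -> 10.0.1.2:445
2005-08-17 10:15:02 ALLOW TCP 10.0.0.5:1036 -> 10.0.1.3:445
2005-08-17 10:15:02 DENY TCP 10.0.0.5:1037 -> 10.0.1.4:445
2005-08-17 10:15:03 DENY TCP 10.0.0.5:1038 -> 10.0.1.5:445
2005-08-17 10:15:03 DENY TCP 10.0.0.5:1039 -> 10.0.1.6:445
2005-08-17 10:15:04 DENY TCP 10.0.0.5:1040 -> 10.0.1.7:445
2005-08-17 10:15:04 DENY TCP 10.0.0.5:1041 -> 10.0.1.8:445
2005-08-17 10:15:05 DENY TCP 10.0.0.5:1042 -> 10.0.1.9:139
2005-08-17 10:16:10 ALLOW TCP 10.0.0.20:2001 -> 10.0.0.50:445
2005-08-17 10:16:15 ALLOW TCP 10.0.0.20:2002 -> 10.0.0.50:445
2005-08-17 10:16:40 ALLOW TCP 10.0.0.20:2003 -> 10.0.0.51:445
"""


def run_detections():
    """Run both checks on the constructed samples and return the findings."""
    return {"hosts_tampering": tampered_hosts_entries(SAMPLE_HOSTS),
            "scanners": scanning_sources(parse_log(SAMPLE_LOG))}


if __name__ == "__main__":
    print(run_detections())
```

The scanning check deliberately counts distinct destinations rather than raw connection attempts, so a busy but legitimate client that reconnects to the same file server is not flagged, while the infected host that walks an address range is. The hosts-file check only flags loopback entries for the listed vendor domains, so the standard `localhost` line is left alone.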