Comprehensive Protection Against the Zotob Worm
Date: 2005-08-17
The Zotob worm variants are continuing to gain momentum and popularity,
even being covered by CNN after an attack hit their own network. The Sourcefire
VRT has continued to stay on top of this activity and verified that all variants
are currently detected by the original rules released on August 12, 2005.
These rules have now been released free of charge to Registered Snort Users
at http://www.snort.org/pub-bin/downloads.cgi#VRT.
To ensure detection/prevention of all variants of the worm and additional
potential attack vectors, the VRT recommends using Snort v2.3.x or higher.
This will ensure the latest detection capabilities are being utilized. In
addition, Snort v2.3.x users are advised to make a configuration change to
snort.conf. Read the full
advisory for complete details.
VRT Analysis
In addition to the VRT research and standard feeds, the early warnings provided
by the open source community give the Sourcefire VRT insight and access to
vulnerability data well before exploits are available. This enables
them to proactively focus on the underlying vulnerability, rather than reacting
to known attacks. By leveraging the flexibility of the Snort rules
language, the VRT is able to provide Snort users with detection/prevention
capabilities well in advance of an actual threat.
To ensure comprehensive coverage in this case, the Sourcefire VRT did extensive
analysis of the Zotob worm. Below are several graphs produced using Sourcefire
RNA that were used during that analysis. We thought these might be of interest
for Snort users.
Visualizing a Zotob Attack with Sourcefire RNA
The flow detection and mapping capabilities of Sourcefire RNA provided the
VRT with an immediate and comprehensive view of the Zotob worm attack.

The Zotob worm produces unusual traffic patterns on port 445.
The VRT used RNA to view graphical displays of the Zotob worm attacking
Sourcefire’s research network. The examples above and below show traffic
on port 445 to multiple nodes on the network. With this information, administrators
can identify and patch infected machines that are producing the attack, blacklist
attacking machines using a firewall, or identify segments that need increased
protection.


Using the time distribution functionality of RNA, the VRT displayed exploit
timelines to identify when attacks occur. In the example above, five
days of traffic are displayed. Initially only typical traffic on port 445
is observed. Normal SMB traffic uses port 445; the Zotob worm, however, produced
a sudden flood of traffic on this port.
About the Zotob Worm
The worm uses exploit code that targets the PnP issue via port 445 and upon
successful exploitation, it then uses ftp to transfer data from the infecting
machine. The newly infected machine then becomes an ftp server itself and
begins scanning for other vulnerable hosts to infect.
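The two traffic patterns described above, the sudden flood on port 445 seen in the RNA timeline and the infect-then-fetch-over-FTP-then-scan chain, can both be picked out of plain flow records. The following Python script is an added example written for this page; it is not Sourcefire or VRT code and does not reproduce the Snort rules. The flow log it runs over is constructed (a few normal SMB flows over three days, then one host sweeping twenty neighbours on 445, one victim pulling the payload back over port 21 and starting its own sweep), and the thresholds (10 targets per minute, 5x the hourly baseline) are assumptions to be tuned per network.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample flow log (not a real capture): "timestamp src dst dport", one flow per line.
NORMAL_FLOWS = [
    "2005-08-14T10:00:05 10.0.0.5 10.0.0.20 445",
    "2005-08-14T11:30:00 10.0.0.7 10.0.0.20 445",
    "2005-08-15T09:15:00 10.0.0.5 10.0.0.21 445",
    "2005-08-15T14:00:00 10.0.0.9 10.0.0.20 445",
]


def _worm_flows():
    """Constructed worm burst: 10.0.0.50 sweeps twenty hosts on 445; 10.0.0.15 (hit at
    second 5) fetches the payload over FTP from 10.0.0.50 and then starts its own sweep."""
    t0 = datetime(2005, 8, 16, 9, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.50 10.0.0.{10 + i} 445"
             for i in range(1, 21)]
    lines.append(f"{(t0 + timedelta(seconds=40)).isoformat()} 10.0.0.15 10.0.0.50 21")
    lines += [f"{(t0 + timedelta(seconds=60 + i)).isoformat()} 10.0.0.15 10.0.0.{30 + i} 445"
              for i in range(1, 13)]
    return lines


SAMPLE_LOG = "\n".join(NORMAL_FLOWS + _worm_flows())

REFERENCE = datetime(2000, 1, 1)  # naive reference point so bucketing ignores the local timezone


def parse_flows(text):
    """Return a time-sorted list of (seconds_since_reference, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        secs = (datetime.fromisoformat(ts) - REFERENCE).total_seconds()
        flows.append((secs, src, dst, int(dport)))
    flows.sort()
    return flows


def find_scanners(flows, window=60, min_targets=10):
    """Sources that reach >= min_targets distinct hosts on 445 inside one window (assumed threshold).
    Returns {src: peak distinct-target count}; a normal SMB client never gets close."""
    targets = defaultdict(set)  # (src, window index) -> distinct destinations
    for secs, src, dst, dport in flows:
        if dport == 445:
            targets[(src, int(secs // window))].add(dst)
    peak = {}
    for (src, _), dsts in targets.items():
        if len(dsts) >= min_targets:
            peak[src] = max(peak.get(src, 0), len(dsts))
    return peak


def port445_bursts(flows, bucket=3600, factor=5):
    """Hourly buckets whose 445 flow count exceeds factor x the mean of all earlier buckets,
    i.e. the 'sudden flood' visible in a time-distribution graph."""
    counts = defaultdict(int)
    for secs, _, _, dport in flows:
        if dport == 445:
            counts[int(secs // bucket)] += 1
    bursts, history = [], []
    for idx in sorted(counts):
        n = counts[idx]
        if history and n > factor * mean(history):
            start = REFERENCE + timedelta(seconds=idx * bucket)
            bursts.append((start.isoformat(), n))
        history.append(n)
    return bursts


def infection_chains(flows):
    """(infector, victim) pairs: the victim was contacted on 445 and later opened an FTP
    (port 21) connection back to the host that contacted it, matching the worm's transfer step."""
    first_445 = {}  # (src, dst) -> earliest 445 contact time
    for secs, src, dst, dport in flows:
        if dport == 445 and (src, dst) not in first_445:
            first_445[(src, dst)] = secs
    chains = set()
    for secs, src, dst, dport in flows:
        if dport == 21 and (dst, src) in first_445 and secs > first_445[(dst, src)]:
            chains.add((dst, src))
    return sorted(chains)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("scanners:", find_scanners(flows))
    print("445 bursts:", port445_bursts(flows))
    print("infection chains:", infection_chains(flows))
```

The three checks are deliberately independent: fan-out catches the scanner even if the baseline is noisy, the burst check catches the flood even when the scan is spread across many sources, and the 445-then-21 pairing points at the machine that most likely carried the infection in, which is what an administrator wants before deciding which host to isolate.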
The F-Secure Antivirus Research Team is maintaining a great blog that details
the history of the Zotob worm, as well as other worms that exploit MS05-039
(also covered by the Sourcefire VRT Certified Rules). An interesting note is
that "The big organizations that are getting hit right now have most
likely introduced the infection to the internal network via infected laptops." Read
the full blog at http://www.f-secure.com/weblog/#00000631.
For complete details on the Zotob worm, visit Trend Micro:
WORM_ZOTOB.A - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.A
WORM_ZOTOB.B - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.B
WORM_ZOTOB.C - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.C
WORM_ZOTOB.D - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.D
WORM_ZOTOB.F - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.F
MS05-039 Details
A programming error in the Plug and Play (PnP) service used by Microsoft
Windows machines can present a remote attacker with the opportunity to overflow
a fixed length buffer, execute code on the vulnerable system and escalate
privileges on the host to the extent that they could take complete control
of the affected machine.
A patch for this vulnerability is available at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx.
About the VRT:
The Sourcefire VRT is a group of leading-edge intrusion detection and
prevention experts working to proactively discover, assess and respond
to the latest trends in hacking activity, intrusion attempts and
vulnerabilities. This team is also supported by the vast resources of
the open source Snort community, making it the largest group dedicated
to advances in the network security industry.