Zotob’s day

By David Quainton

It was just another PnP hole until virus writers got hold of it. David Quainton follows the return of the network worm

He was probably working to deadline. Maybe he was rushing home to see his kids. Maybe, like so many other programmers, he just didn't consider the security of his code.

Whatever it was, the Microsoft worker who coded the Plug and Play vulnerability didn't know it was there.

Like a lot of vulnerabilities, this one lay dormant until researcher Neel Mehta passed on its details to Microsoft.

Motivated no doubt by Bill Gates's famous "trustworthy computing" memo of January 2002, and eager to help its customers, the firm put out a security bulletin. And then all hell broke loose.

It was Tuesday, August 9, when Microsoft told the world about the flaw. According to the company, the MS05-039 vulnerability in Plug and Play could "allow remote code execution and elevation of privilege" in Windows 2000, Windows Server 2003 and even some unpatched versions of XP. The detail that mattered most was in the fine print: only on Windows 2000 could the hole be hit by an anonymous attacker over the network, which is why Windows 2000 machines bore the brunt of what followed; on XP SP1 an attacker needed valid credentials, and on XP SP2 and Server 2003 only a local user could exploit it. Alerted to the vulnerability, malware writers around the globe feverishly began trying to exploit it.

Just five days later, at around noon, the honeypots and email inboxes of the world's antivirus companies began to fill with a new virus.

It seemed to demonstrate that not only had the virus writers been successful in exploiting the vulnerability, they had done so with a pervasive and destructive virus. By Monday, August 15, Zotob had gone global.

The next 24 hours would be among the most challenging the antivirus industry, IT security professionals and even users had ever faced.

Monday, August 15, 2005

6 a.m. EST

A University of Helsinki staff member is working on a laptop plugged into his home network. Like many home users' laptops, this one runs Windows 2000, has no firewall, and its antivirus has not been updated since it was installed. Within minutes, unknown to the user, Zotob slips silently onto the system.

7 a.m.

In New York, journalists on World News Tonight are arriving at their desks.

8 a.m.

Virus researcher Mikko Hypponen is hearing reports of minor infections exploiting the new Windows Plug and Play vulnerability. It's not unusual – every exploit affects someone.

9 a.m. (4 p.m. Helsinki local)

The laptop arrives with its owner at the University of Helsinki. At roughly the time it gets connected to the university network, SC posts an online story about the Zotob worm.

10 a.m.

The University of Helsinki's infosec manager, Mauri Rosendahl, gets reports about strange application requests on a Win2K workstation. An executable has been trying to connect to an address outside the university on port 18067. Rosendahl's team scans the executable and sends F-Secure, their local antivirus firm, a copy for investigation.
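The signal Rosendahl's team picked up on, a workstation calling out to an outside address on port 18067, is the kind of thing a network team can hunt for in bulk once it knows what to look for. The script below is an added example, not code from the article, F-Secure or the University of Helsinki: it runs two checks over constructed firewall-style log lines. The first is the article's own indicator, an internal host reaching outside on TCP 18067. The second is worm-style fan-out on TCP 445: MS05-039 is a hole in the Plug and Play service reached over SMB/RPC, so a worm exploiting it has to knock on 445 across the network. The article never names port 445; that mapping, the 10.0.0.0/8 campus range, the log format and the scan thresholds are all assumptions of the example.

```python
"""Zotob-style indicators over firewall/flow log lines (added example).

Log format is constructed for this example:
  <ISO-8601 time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed campus address range
BACKDOOR_PORT = 18067        # the port reported in the article
SMB_PORT = 445               # assumed propagation port for the MS05-039 exploit
SCAN_THRESHOLD = 20          # distinct 445 peers in one window that count as scanning
SCAN_WINDOW = timedelta(seconds=60)


def parse(line):
    """Return one event dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dport"] = int(e["dport"])
    e["proto"] = e["proto"].lower()
    return e


def find_suspects(lines):
    """Return {'backdoor': [...], 'scanners': [...]} of internal source IPs."""
    events = [e for e in map(parse, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])   # log lines often arrive out of order
    backdoor, scanners = set(), set()
    recent = defaultdict(list)           # src -> [(ts, dst)] inside SCAN_WINDOW
    for e in events:
        if e["proto"] != "tcp":
            continue
        src_internal = ipaddress.ip_address(e["src"]) in INTERNAL
        dst_internal = ipaddress.ip_address(e["dst"]) in INTERNAL
        if not src_internal:
            continue
        # Indicator 1: call-out to an outside address on the backdoor port.
        if not dst_internal and e["dport"] == BACKDOOR_PORT:
            backdoor.add(e["src"])
        # Indicator 2: fan-out on 445. Denied attempts count as much as allowed
        # ones; a scanner mostly hits addresses where nothing is listening.
        if e["dport"] == SMB_PORT:
            hist = recent[e["src"]]
            hist.append((e["ts"], e["dst"]))
            cutoff = e["ts"] - SCAN_WINDOW
            while hist and hist[0][0] < cutoff:   # slide the window forward
                hist.pop(0)
            if len({dst for _, dst in hist}) >= SCAN_THRESHOLD:
                scanners.add(e["src"])
    return {"backdoor": sorted(backdoor), "scanners": sorted(scanners)}


def build_sample_log():
    """Constructed log: one clean workstation, one infected one, one HTTPS user."""
    t0 = datetime(2005, 8, 15, 10, 0, 0)

    def at(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    lines = []
    for i in range(5):    # 10.1.9.9 talks to a single file server: normal traffic
        lines.append(f"{at(10 * i)} 10.1.9.9:{40000 + i} -> 10.1.0.5:445 tcp allow")
    for i in range(25):   # 10.1.2.3 sweeps a /24 on 445, one host per second
        lines.append(f"{at(i)} 10.1.2.3:{50000 + i} -> 10.1.3.{i + 1}:445 tcp deny")
    lines.append(f"{at(30)} 10.1.2.3:50100 -> 198.51.100.7:18067 tcp deny")
    lines.append(f"{at(40)} 10.1.4.4:50200 -> 198.51.100.9:443 tcp allow")
    lines.append("not a log line")   # exercises the parser's rejection path
    return lines


if __name__ == "__main__":
    print(find_suspects(build_sample_log()))
```

On the constructed log only 10.1.2.3 trips either check; the workstation hitting one file server on 445 five times stays clear because the count is of distinct peers, not connections. In a real deployment the 445 threshold would be tuned against a baseline of the network's normal SMB fan-out (domain controllers and backup servers legitimately talk to many hosts), and the 18067 check would be joined by whatever ports the vendor's write-up for the variant in hand names.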

11 a.m.

F-Secure finds Rosendahl's application to be Zotob. Back at the university, the infection is spreading.

F-Secure's Mikko Hypponen is at home in Finland with his family. He receives a call from his team: the university is struggling to remove malware. Their antivirus is up to date and all the latest Microsoft patches have been applied, but it won't budge. The PCs don't have individual firewalls, and are rebooting constantly. Hypponen is curious. Why won't it go away?

Zotob is everywhere – around 500 university machines are infected.

Rosendahl's team takes the decision to take servers offline to update them. Complaints fly in from users. Rosendahl demands a cure from both his antivirus vendors, F-Secure and Symantec.

In New York, journalists on ABC's flagship news program World News Tonight are at their desks preparing for an evening's programming. But their PCs don't seem to be working...

1 p.m.

F-Secure releases an antivirus update guarding against and disinfecting the new worm. Satisfied, Hypponen and his family attend a showing of the musical, Hairspray. Rosendahl tests a beta version of a Zotob removal tool. It works.

2 p.m.

World News Tonight is at a standstill. The PCs are all rebooting. From somewhere comes the news that the New York Times is also infected. ABC's computers are getting hit on the East and West Coasts now. For the first time in World News Tonight history, journalists are forced to work on typewriters.

3 p.m.

At the University of Helsinki the infection has stopped spreading. Rosendahl starts inspecting his machines. Although they had received the patch through Microsoft's Software Update Services (SUS), none had rebooted, so the fixed files were not yet in use. Every Win2K machine that has not been patched and rebooted is still vulnerable.

4 p.m. (9 p.m. Helsinki local)

Hypponen returns home. He sends a text to one of his colleagues. They reply: "Everything is fine."

5 p.m.

ABC's World News Tonight and the New York Times are bombarded with media calls. Patches start to roll out and the clickety-clack of typewriters dies down.

Rosendahl arrives home in Helsinki, hoping his network is safe.

6 p.m.

World News Tonight goes on air.

7 p.m. (1 a.m. Helsinki local)

Hypponen is awakened by a call from Microsoft. There is more Plug and Play activity.

8 p.m.

There are two new worms; the exploit is far from spent. Hypponen receives news that CNN is infected too. He isn't sure they have time to test the patch.

9 p.m.

A report reveals the Financial Times in the U.K. is also infected.

10 p.m.

CNN goes down. A reporter from CNN calls Hypponen to ask him if he'll do a phone interview. He does the interview wearing his wife's pink sweater.

11 p.m.

In Helsinki, all is quiet. Hypponen finally gets some sleep. Admins at CNN continue the long process of testing. They have hundreds of Win2K machines.

Tuesday, August 16, 2005

12 a.m.

CNN is still having trouble. Its weather reports are affected.

1 a.m. (7 a.m. Helsinki local)

Hypponen and Rosendahl go back to work. Rosendahl gives his support team the removal tool and they start patching machines that are still vulnerable.

2 a.m.

The virus is still spreading. Unpatched users are still being infected and variants are increasing in number.

3 a.m. (8 a.m. GMT)

Europeans open their newspapers to find stories on the virus.

4 a.m.

F-Secure releases a diagram showing that new variants of the Plug and Play worm are competing, deleting each other and spreading to new machines.

5 a.m.

Rosendahl and his team have patched the university's machines.

He encourages his users to patch, but: "This is a university and we cannot force people to act wisely."

The majority of antivirus vendors have put fixes out.

A further 24 hours on...

Thursday: a mysterious virus hits the central U.S. customs database in Virginia. The Navy and Marine Corps base in Okinawa is infected by Zotob. At Disneyland in California, staff sell tickets manually when systems are taken down by an unexplained IT problem.

Friday: the 911 system in Jefferson County, WA, is disrupted...

Copyright © SC Magazine, US edition
