Companies hit in worm gangs' turf wars

11 variants of Zotob virus attack computer networks

August 18, 2005|By KNIGHT RIDDER/TRIBUNE

ST. PAUL, Minn. - An Internet shootout is going on between rival computer worm gangs this week, and major U.S. businesses got riddled in the crossfire, security experts said.

A computer worm dubbed Zotob infects computers using Microsoft's Windows 2000 operating system that were not protected by a software patch Microsoft put out last week. Windows 2000 is used mostly by large businesses, and the Zotob outbreak is not as big a threat as 2003's Blaster eruption, anti-virus vendors said yesterday.

But Zotob went prime-time Tuesday when it crippled several major media companies, including CNN, ABC and The New York Times. ABC News said its reporters used electric typewriters to write their broadcasts when their computers shut down.

Zotob also highlighted trends that worry security experts: First, the Zotob worm appeared Sunday, only four days after Microsoft Corp. warned of a security hole in Windows 2000 and urged its customers to patch it.

Not so long ago, it took weeks or months for worm writers to take advantage of a security hole, but a Russian hacker took only two days to post on the Internet an "exploit code." This is not a worm itself but a blueprint for writing the worm that takes advantage of the vulnerability, said Graham Cluely, a senior technology consultant for Sophos Anti-Virus, a firm based in Oxford, England.

"Microsoft must be furious that the exploit code was published so quickly," Cluely said.

A series of damaging worm outbreaks in the past has taught businesses to patch promptly, but many need time to test the software patches to make sure they do not disrupt productive applications, experts said.

"Most of the time it's not a matter of being too slow - it's a matter of being careful," said Aric Bandy, vice president of customer service at Techies Outsourced IT in St. Louis Park, Minn., an outsourcing firm for small to mid-size businesses.

Microsoft releases patches on a monthly schedule, and the lack of a major outbreak may have let people become "relaxed or complacent about applying patches," added Rick Greenwood, chief technology officer for Shavlik Technologies, a Roseville, Minn., firm that makes software to manage computer patches from Microsoft.

Microsoft released a statement Tuesday rating Zotob a "low threat" for its customers.

The second trend security experts noticed is that a host of particularly aggressive new computer worms appeared this week from multiple sources.

When a worm from one source found a computer that was infected with a worm from another, it removed or disabled the rival worm in order to hijack the machine for itself, they said.

"There's a dozen of these things going around and what's interesting is they are fighting one another," Cluely said. "We think each is controlled by a different gang." There is no way to tell who is sending the worms, he said.

The gangs may be trying to assemble "zombie computers" that disable Web sites by overloading them with junk data or steal passwords, bank account numbers or other sensitive information in identity-theft schemes, security experts said.

Some experts expect the Zotob outbreak to taper off, but Shavlik Technologies' Greenwood believes it will continue to grow. Employees who work outside on laptop computers may bring the worm in on their machines behind their company's firewall when they return to the office, he said.

Yesterday, hackers unleashed four new variants of the worm, bringing the total to 11, but infection rates appeared to be low and damage was minor.

Mikko Hypponen, manager of anti-virus research for F-Secure Corp. in Finland, said the variations apparently had been programmed to compete with each other - one automated "bot" pushing the worm will remove another from a computer.

"We seem to have a bot war on our hands," Hypponen said. "There appears to be three different virus-writing gangs turning out new worms at an alarming rate - as if they would be competing [for] who would build the biggest network of infected machines."

The Associated Press contributed to this article.

Baltimore Sun Articles
|
|
|
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.