Major Botwar Increases in Scale and Force
Growing infection rates from worm variants based on three virus families, Zotob, Bozori and Ircbot, are putting large organizations around the world on alert.
On Tuesday the 9th of August, Microsoft released the monthly security patches for Windows. This included several critical patches, with one closing a vulnerability in Microsoft’s Plug-and-Play service (MS05-039).
On Wednesday the 10th of August, a Russian individual who goes by the name ‘Houseofdabus’ released working exploit code that could be used to take over Windows 2000 machines with the Plug-and-Play vulnerability.
On Sunday the 14th of August, the Zotob.A worm was found. An unknown party had incorporated the Houseofdabus exploit code into a worm that spreads automatically over the Internet. A very similar development happened in May 2004, when virus writer Sven Jaschan incorporated Houseofdabus’ LSASS exploit code into his infamous Sasser worm.
By Wednesday the 17th of August, F-Secure had found nine more pieces of malware using the same exploit code to spread, including variants of the Ircbot, SDBot and Bozori families.
Together, these continue to infect Windows 2000 computers that either have not been patched or have not been rebooted after patch installation, and that are not protected by a firewall.
Infections continue to be reported from large organizations, especially from the USA.
In these cases, the infection most likely originated from infected laptops carried
inside an organization’s perimeter firewall.
These new Plug-and-Play worms only infect Windows 2000 machines that are not
protected by a firewall. Each worm replicates by scanning machines on port
445/TCP and, when a victim is found, uses the exploit code to make the victim
download the main virus file via FTP. At that point the worm sets up an FTP
server on the newly infected machine and starts scanning for more targets,
continuing its spread.
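A defender-side illustration of the propagation pattern described above, added here and not part of the original release: Python that flags hosts fanning out to 445/TCP across many distinct addresses inside a short window, and hosts that then open an FTP connection back to such a scanner. The flow records are constructed for the example, and the window length and target threshold are assumptions to be tuned per network.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample flow log (not captured traffic): "timestamp src dst dport proto".
# 10.1.1.50 fans out to 445/TCP across the subnet; 10.1.1.103 then pulls a file from it over FTP.
SAMPLE_FLOWS = "\n".join(
    [f"2005-08-15T10:00:{i:02d} 10.1.1.50 10.1.1.{100 + i} 445 TCP" for i in range(25)]
    + ["2005-08-15T10:00:30 10.1.1.103 10.1.1.50 21 TCP",  # victim fetches payload via FTP
       "2005-08-15T10:00:31 10.1.1.7 10.1.1.9 445 TCP",     # benign single SMB connection
       "2005-08-15T10:00:32 10.1.1.8 10.1.1.50 80 TCP"]     # unrelated web traffic
)

def parse_flows(text):
    """Parse one flow per line into (time, src, dst, dport, proto) tuples, sorted by time."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return sorted(flows)

def find_scanners(flows, window_seconds=60, min_targets=20):
    """Return {src: distinct 445/TCP targets} for sources whose fan-out to distinct
    hosts on 445/TCP inside a sliding time window reaches min_targets (assumed defaults)."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    flagged = {}
    for t, src, dst, dport, proto in flows:
        if dport != 445 or proto != "TCP":
            continue
        q = recent[src]
        q.append((t, dst))
        while (t - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= min_targets:
            flagged[src] = flagged.get(src, set()) | targets
    return flagged

def find_ftp_pullbacks(flows, scanners):
    """Return (victim, scanner) pairs where a host that was scanned opens 21/TCP back to
    the scanner, matching the FTP download step that follows a successful exploit."""
    return [(src, dst) for _, src, dst, dport, proto in flows
            if dport == 21 and proto == "TCP" and dst in scanners and src in scanners[dst]]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    scanners = find_scanners(flows)
    print("scanners:", {s: len(t) for s, t in scanners.items()})
    print("ftp pull-backs:", find_ftp_pullbacks(flows, scanners))
```

A scanner hit alone is a lead; the pull-back on 21/TCP from a scanned host is the stronger signal that the exploit succeeded and that host should be isolated and checked.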
“We seem to have a botwar on our hands. There appear to be three different
virus-writing gangs turning out new worms at an alarming rate – as if they
were competing over who would build the biggest network of infected machines,”
comments Mikko Hypponen, Chief Research Officer at F-Secure. “The latest
variants of Bozori even remove competing viruses like Zotob from the
machines!”
About F-Secure Corporation
F-Secure Corporation is the fastest growing publicly listed company globally
in the antivirus and intrusion prevention industry with more than 50% revenue
growth in 2004. F-Secure services and software protect individuals and
businesses against computer viruses and other threats coming through the
Internet or mobile networks. Our award-winning solutions include antivirus
and desktop firewall with intrusion prevention, antispam and antispyware
solutions. Our key strength is our proven speed of response to new threats.
For businesses our solutions feature a centrally managed and well integrated
suite of solutions for workstations and servers alike. Focused partners offer
security as a service for those companies that do not wish to build security
expertise in-house.
Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since
1999. We have our headquarters in Helsinki, Finland, and offices in the USA,
France, Germany, Italy, Norway, Poland, Singapore, Sweden, the United Kingdom
and Japan. F-Secure is supported by a global ecosystem of service partners,
value added resellers and distributors in over 50 countries. F-Secure
protection is also available through mobile handset manufacturers such as
Nokia and as a service through major Internet Service Providers, such as
Deutsche Telekom, France Telecom and Charter Communications. The latest
real-time virus threat news is available at the F-Secure Antivirus
Research Team weblog at http://www.f-secure.com/weblog/