Hackers release Zotob worms to exploit new Microsoft security vulnerability, Sophos reports

August 14, 2005 Sophos Press Release


Sophos customers have been automatically protected against the Zotob worms.

Last updated: 15 August 2005

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, are warning that hackers have released new worms onto the internet that exploit a recently discovered security vulnerability in Microsoft's software.

Over the weekend, hackers launched two versions of the Zotob worm which exploit a Microsoft security vulnerability only announced last week: the MS05-039 Plug and Play vulnerability.

The W32/Zotob-A and W32/Zotob-B worms do not travel via email, instead they spread to other networked computers in a similar way to last year's hard hitting Sasser internet worm, by exploiting security holes in Microsoft's software.

"Microsoft only issued a patch against one of the security holes used by the Zotob worms last week, and yet already worms are being written that exploit these vulnerabilities to attack computer systems. This is a real headache for Microsoft as they try and reassure people that their operating system is becoming more secure," said Graham Cluley, senior technology consultant for Sophos. "There will be many Windows computers that will not have been patched yet and may be vulnerable to infection and compromise. We wouldn't be surprised if more worms were released which exploited this security hole in Microsoft's software. Everyone should act swiftly to ensure their PCs are properly protected with anti-virus software, firewall software and up-to-date security patches."

Once one of the Zotob worms has infected a PC it opens a backdoor, allowing remote hackers to gain access and control over the computer. The affected computer will also try and find other computers to infect.

"Once hackers have control over your computer they can see everything you do online, and steal credit card details, your passwords and commit identity fraud if they wish," continued Cluley. "They could even use your computer to send spam or to launch attacks against other websites. These worms are invisible intruders on your Windows PC, they will not announce that they have infected you. The average computer user would be completely unaware that they have been hit unless they were running up-to-date anti-virus software."

Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems scanned for critical Microsoft security vulnerabilities.

Sophos recommends that IT staff responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx .

Details of the security hole exploited by the worms can be found in Microsoft security bulletin MS05-039. Sophos advised customers to patch against the latest security vulnerabilities in Microsoft's software last week.

Sophos continues to recommend that companies protect all tiers of their organisation - their desktops, servers and email gateways - with automatically updated anti-virus software to reduce the risk of infection.