The worm exploited a Microsoft vulnerability, allowing hackers to take remote control of affected PCs.
Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have determined that separate groups of hackers are releasing a barrage of worms in a battle to seize control of innocent users' computers. Overnight, it has been confirmed that organizations such as CNN, ABC Television, The New York Times and the Financial Times have been hit.
The W32/Zotob-F worm (also known as Bozori) attempts to remove infections by earlier versions of the Zotob worm and other malware, so it can take control of the compromised computer for itself. W32/Zotob-F is related to the W32/Tpbot-A worm, which also exploits the same Microsoft MS05-039 Plug and Play vulnerability that hackers have focused on as a way into poorly defended businesses.
"Once one of these worms has control over your computer, it can use your PC for sending spam, launching an extortion denial-of-service attack against a website, stealing confidential information or blasting out new versions of malware to other unsuspecting computer users," said Graham Cluley, senior technology consultant for Sophos. "Organized criminal gangs are behind attacks like these and their motive is to make money. Owning a large network of compromised computers is a valuable asset to these criminals, and every business needs to take steps to ensure they are not the next victim on their list."
The worms are affecting computers which are not properly patched against Microsoft security holes such as the MS05-039 Plug and Play vulnerability.
More and more virus writers are exploiting the new MS05-039 vulnerability that Microsoft issued a patch against last week. The list of malware which uses the security hole to spread includes:
How to protect your computers
Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems scanned for critical Microsoft security vulnerabilities.
Sophos recommends that IT staff responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx. Sophos advised customers to patch against the latest security vulnerabilities in Microsoft's software last week. The patch for the MS05-039 Plug and Play vulnerability can be found on Microsoft's website. However, Sophos recommends that businesses also ensure they are protected against other vulnerabilities commonly used by worms and hackers such as:
LSASS (MS04-011) security vulnerability
RPC-DCOM (MS04-012) security vulnerability
MSSQL (MS02-039) security vulnerability
UPNP (MS01-059) security vulnerability
WebDav (MS03-007) security vulnerability
"The only good thing which might come out of this high profile worm outbreak is that more people and businesses may wake up to the importance of properly protecting their systems from viruses and internet worms," said Cluley. "All companies should take a long hard look at their networks and ask, 'could that have happened to us?'"
Sophos continues to recommend that companies protect all tiers of their organization - their desktops, servers and email gateways - with automatically updated anti-virus software to reduce the risk of infection.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.