How 'limited' malcode pulled off the year's biggest attack

Experts thought worms targeting the Plug and Play flaw wouldn't do much because only Windows 2000 was affected. So how did they mount the biggest attack since Sasser?

Ken Pfeil was one of the lucky ones. While other companies frantically tried to blunt a massive, multi-malcode attack on networks affected by the Plug and Play flaw in Windows 2000, his enterprise hummed along.

"We've been tying up some loose ends, but we're hearing about these attacks much more than we're seeing," said Pfeil, CSO for Capital IQ, a New York-based division of Standard & Poor's with 1,100 employees. This, despite the fact his network still includes "quite a few" Windows 2000 boxes at the workstation and production level.

As the Plug and Play attack mushroomed Wednesday, many chalked the damage up to companies failing to learn the value of punctual patching.

"It would appear that a lot of companies didn't get the word," said Todd Towles, network systems analyst at a medium-sized, Southeastern-based retail chain. In the patch management forum hosted by Roseville, Minn.-based Shavlik Technologies, he added that the malcode should have been stopped in its tracks since its target range was so limited. Despite all the warnings to patch the Plug and Play flaw quickly, worms like Zotob were able to do damage on a global scale, he lamented.

"It is surprising how many people aren't aware of the train that is coming at them, even after doing all we can to get the word out," he said in a follow-up e-mail interview.

So how did Zotob and other malcode pull off the biggest Internet attack since last year's Sasser worm? Pfeil said people can't blame it all on lax patching.

"We don't rely on patching to the extent that we think it will mitigate all risk," he said. "A lot of companies are urgent about patching everything as fast as they can. But they don't necessarily have the system to prioritize which machines are most critical. We have quite a few Windows 2000 workstations and we're predominantly Windows 2003. We knew from the beginning that those systems were most important in our patching priorities."

Speed kills
But in the end, Pfeil said there's only so much you can do when attacks reach the speed of this week's exploits. "This thing went from zero to 60 in three seconds," he noted.

Security experts said laptops, botnets and competition between the malcode itself were factors in that speed.

Many Windows 2000 machines have been replaced with Windows XP and most IT shops know to block TCP port 445 at the firewall because it's been a popular attack vector in the past. But those things don't matter when attackers can infect a few laptops, said Dmitri Alperovitch, research engineer at Alpharetta, Ga.-based CipherTrust.

"One of the big challenges is the roaming nature of networks," he said. "Most IT departments block port 445 at the firewall, but people get their laptops infected on the outside, and then they come back to the office, plug into the network and spread the infection."

Towles agreed. "Every laptop that isn't patched is a time bomb [waiting] to infect your internal network," he said. "It is classic M&M security -- hard outside and a soft inside. Blocking on the border isn't enough."
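The "soft inside" problem Alperovitch and Towles describe is invisible to a perimeter rule: a laptop that was infected off-site and then plugged into the LAN sweeps TCP/445 across internal hosts without ever crossing the border firewall. The following is an added illustration of how a defender can spot that lateral fan-out from internal connection or flow logs; it is not code from the article or from any of the vendors quoted. The log format, the 60-second window, the fan-out threshold and the sample log lines are all constructed assumptions for this example.

```python
"""Flag internal hosts that contact many distinct internal peers on TCP/445.

Added example (not from the article). Worm-style lateral spread on the
Plug and Play flaw looks like one source touching many internal SMB
listeners in a short window; a legitimate client mostly talks to a
handful of file servers. Log format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
SMB_PORT = 445
WINDOW_SECONDS = 60     # assumed sliding window length
FANOUT_THRESHOLD = 5    # assumed: distinct internal peers on 445 per window

# Constructed sample log; assumed format: "<ISO timestamp> <src> <dst> <dport>".
# 10.1.5.23 plays the freshly plugged-in laptop sweeping the subnet;
# 10.1.5.50 is a normal client talking to one file server.
SAMPLE_LOG = """\
2005-08-17T09:00:01 10.1.5.23 10.1.5.40 445
2005-08-17T09:00:01 10.1.5.23 10.1.5.41 445
2005-08-17T09:00:02 10.1.5.23 10.1.5.42 445
2005-08-17T09:00:02 10.1.5.23 203.0.113.5 445
2005-08-17T09:00:03 10.1.5.23 10.1.5.43 445
2005-08-17T09:00:03 10.1.5.50 10.1.5.10 445
2005-08-17T09:00:04 10.1.5.23 10.1.5.44 445
2005-08-17T09:00:04 10.1.5.23 10.1.5.45 445
2005-08-17T09:00:05 10.1.5.50 10.1.5.10 445
2005-08-17T09:00:05 10.1.5.23 10.1.5.46 445
2005-08-17T09:00:06 10.1.5.23 10.1.5.47 445
2005-08-17T09:00:07 10.1.5.60 10.1.5.10 80
2005-08-17T09:00:09 10.1.5.50 10.1.5.10 445
2005-08-17T09:02:30 10.1.5.23 10.1.5.48 445
"""


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Split one assumed-format log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_smb_sweepers(log_text: str, window: int = WINDOW_SECONDS,
                      threshold: int = FANOUT_THRESHOLD) -> dict:
    """Return {src: peak distinct internal SMB peers within any window}
    for every internal source whose peak reaches the threshold."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) inside the window
    peak = defaultdict(int)
    for ts, src, dst, dport in events:
        # Only internal-to-internal SMB matters here: traffic to outside
        # peers is what the border firewall already blocks or logs.
        if dport != SMB_PORT or not (is_internal(src) and is_internal(dst)):
            continue
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in find_smb_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct internal hosts on TCP/445 within {WINDOW_SECONDS}s")
```

On the sample data only the laptop is reported (eight distinct internal peers in a few seconds); the client that repeatedly hits one file server never exceeds a fan-out of one, and the laptop's single connection to an external address is ignored because that is the perimeter's job. The window keeps the counter from accumulating forever, so a slow but legitimate pattern of touching many servers over a day does not trip it.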

Zombie wars escalate
Meanwhile, attackers have quietly been building up their arsenals of zombie PCs -- computers infected by bots that quietly await instructions from their maker. Zombie armies can be used as spam and spyware relays and to launch a variety of attacks against targeted companies. In this case, Alperovitch believes attackers used their zombies to quicken the spread of their Plug and Play worms, which at last check included Zotob-A through Zotob-F, Zytob, IRCbot.worm, Tpbot-A, Dogbot-A, Esbot-A, SDbot-ACG, Rbot-AKM, Rbot-AKN and Drugtob-B.

"Zombies have been key to the fast spread of these worms," he said. In a four-hour stretch, he said the lab watched as one zombie army grew from 2,000 to 4,000 machines. "This is something I've never seen before," he said.

U.K.-based MessageLabs said in a statement that it has identified Zotob's author as the same person who wrote the Mydoom/Mytob worms. "MessageLabs has also observed that this virus and its variants are competing with each other for control of the botnets of domestic PCs," the company said, adding, "This leads MessageLabs to conclude that this activity can only be attributed to competing organized criminal gangs seeking to perpetrate wider Internet criminal activity."

Newsroom mayhem
One question people have wondered about with this attack is why news organizations like CNN, ABC and The New York Times were whacked so hard. SANS Institute Research Director Alan Paller has a theory, and it's centered on Zotob-C.

While the first two Zotob variants spread through networked computers exposed to the Plug and Play flaw, version C can also use e-mail to spread. If an early infectee had an e-mail list with reporters at all the major news outlets, that would be all the worm needed to go on the rampage, he said.

"News organizations do not have radical e-mail attachment limits like a rule banning all picture attachments because they get legitimate pictures," Paller said in an IM exchange. "It would have seemed to the first recipient at each news organization to have come from a trusted source. Once it hit someone inside CNN [or other news organizations] it spread through that person's e-mail list to everyone else in that organization through the e-mail lists on each successive victim."

Paller says it's not a provable theory. But he said it's a logical one.

News Editor Shawna McAlearney contributed to this report.
