Worms and Anti-Worms Get Smarter

At approximately 5 p.m. on Aug. 16, Time Warner’s Cable News Network broke into its regular programming with a news item dealing with a situation in its studios in New York and Atlanta. CNN reported that PCs running Windows 2000 were affected by a type of virus, called a worm, that was causing the machines to restart repeatedly; as a result, the network was forced to make programming changes.

CNN’s problems were caused by a bot worm called Zotob. Bot, short for “robot,” is a program covertly installed on a user’s system to enable an unauthorized person to control the computer remotely, often for malicious activities such as extortion or denial of service.

Bots and bot networks, aggregated computers that have been compromised with Trojans—destructive programs that pose as harmless applications—have emerged in 2005 as prominent network security threats, says Dean Turner, senior manager of the security response team at Symantec Corp. in Cupertino, Calif. “We have seen more than a 100% increase in bots over last year,” Turner says.

“Bots offer the attacker high levels of anonymity,” Turner adds. “Someone in Eastern Europe can set up a bot network that infects your computers, and it’s exceedingly difficult to track them down.”

Striking in late summer, Zotob disrupted information-technology operations at almost 200 companies around the globe. However, as worms go, Zotob was less damaging than some of its predecessors. “It affected mostly big companies with thousands of legacy desktops still running Windows 2000,” says Mark A. McManus, vice president of technology and research at Computer Economics, an I.T. research firm in Irvine, Calif. Besides CNN, companies hit by variants of Zotob included DaimlerChrysler, American Express, SBC Communications, Visa International, and major media firms such as ABC and The New York Times.

Thirteen of DaimlerChrysler’s U.S. plants were knocked offline by the Zotob attack, causing the automaker’s infected computers to continuously restart. Some 50,000 assembly-line employees ceased working for up to 50 minutes while the I.T. staff attempted to patch the affected Windows 2000 systems, which are integral to DaimlerChrysler’s manufacturing process. The company’s financial services group and many of its suppliers were also affected by Zotob variants.

Zotob struck its victims less than a week after Microsoft announced a Win2000 Plug and Play flaw, a remote code execution vulnerability that could allow an attacker to take control of the affected system, giving enterprises little time to deploy the necessary patches. At San Antonio, Texas-based SBC, the nation’s second-largest phone company, the worm disabled internal computers in call centers after systems repeatedly rebooted. When Visa International’s headquarters in Foster City, Calif., experienced similar problems, the company sent employees home while it made the necessary patches.

“The Zotob attack received a lot of press because it hit various news organizations,” McManus notes, “but it wasn’t the costliest malware on record, not even close.” Love Bug owns that distinction, he says. Created in May 2000, the virus fooled computer users worldwide into believing they were receiving a love note in their e-mail. Love Bug racked up about $8 billion in disruptions, McManus asserts, compared with $500 million for the 12 to 15 variations of Zotob.

Symantec, which rates technology security threats on a scale of 1 to 5, with 5 being the worst case, classified Zotob as a Category 3, or moderate, threat. “The good news is that we’ve only seen four Category 3 threats to date in 2005,” Turner points out. “That’s a real decline.” Last year, Symantec recorded 34 Category 3 and 4 threats. At the same time, however, lower-level threats have increased exponentially.
