August 19, 2005 7:10 AM PDT

Flawed code throttled spread of Zotob variants

Havoc caused by variants of the Zotob worm could have been far worse had they not contained flaws, security companies say.

Chris Andrew, vice president of product management at PatchLink, said that coding errors caused a few variants of the worm to send computers into a reboot loop, which meant they spent very little time spreading the infection.

"If you read the vulnerability description in that exploit, it actually tells you that if you do it wrong it crashes the computer. If you do it right, then nobody can tell you have hacked the computer," Andrew said.

He said companies that were hit by one of the flawed variants were "lucky" because it gave them more time to stop the infection from taking hold.

"The people at CNN and ABC were very upset that their computers crashed, but they were the lucky ones," Andrew said.

James Turner, security analyst at Frost & Sullivan Australia, agreed that the worm could easily have been worse--because the flawed variants gave administrators some warning that they were under attack.

"Your ultimate crime does not leave any traces. The minute a worm forces computers to do things that are abhorrent--like rebooting--it draws attention to itself," Turner said.

Allan Bell, marketing director for McAfee Asia-Pacific, said the versions that caused systems to crash--which McAfee has called IRCbot--are "often copy-and-paste jobs" created using source code distributed online.

PatchLink's Andrew agreed: "There are documented open-source materials available that show you how to do the hacks. It is hardly surprising that there are a whole bunch of (Zotob) variants."

American Express, Boeing and Holden are just some of the companies with Australian locations that suffered from Zotob infections this week.

As part of its monthly patching cycle, Microsoft last week released a number of security updates, including the now infamous MS05-039, which fixed a critical vulnerability in Windows 2000.

Within days, exploit code was being distributed, and on Sunday the first Zotob worm was discovered in the wild.

Munir Kotadia of ZDNet Australia reported from Sydney.

5 comments

Damn it
It's bad enough Windows has badly coded software, now we have to put up with poorly written viruses?! C'mon people! Get it together!
Posted by (464 comments )
only.....
Only in the world of Microsoft product use can a crashing computer
be considered "lucky".... nice spin.
When will the lemmings learn.
Posted by (96 comments )
HAHA
Looks like the virus writers code worse than Microsoft. When will someone with l33t skills come and save the day?? They keep blaming China and stuff.. they should look more in the USAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Posted by (8 comments )
Eddie Haskel: Worm Farmer
The hackers were MS employees. You just can't get good help, it
seems. ; )

(The smiley face indicates that I was kidding, Mr. Gates. Did I tell
you're looking well, Mr. Gates? Please don't have me rubbed out,
Mr. Gates.)
Posted by cjohn17 (268 comments )
Oops Even Cyber Mafias Err-Flawed code throttled spread of Zotob variants

Mr. AT Alishtari, POA and Founder of EDI Secure LLLP, says that in a banner year for cybermafia victories that even attacked and took over one of his servers, the tricksters and spammers cannot always get it right. They probably make a lot more mistakes but since they act in camera, secret, we just don't know how human they are.

This opens up a whole range of thinking for the authorities. If these guys break in not as often as they seem to, which is all the time, then we might have a way of catching them. They don't know when they are really breaking in versus virtual break-ins, and though they use cross-machine robots and hide behind screens, no one is truly flawless.

Ultimately, they have to retreat data stolen and resell it. Somewhere in the loop has got to be a way to trace it forwards and backwards.

While doing that we also should keep as much public and private data offline by using now U.S. Commerce Department level 4 authentication using multi-factor authentication with offline devices as soon as possible.
Posted by (66 comments )