Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Chapter 7: Network worms

Zotob worm

Contents

Summary

"The Zotob worm and several variations of it, known as Rbot.cbq, SDBot.bzh and Zotob.d, infected computers at companies such as ABC, CNN, The Associated Press, The New York Times, and Caterpillar Inc."

- Business Week, August 16, 2005.

Zotob was discovered around August 12-13, 2005. August 13, 2005 was a Saturday and the epidemics happened two days later when users returned to their PCs from the weekend.  Good chronology of events can be found at Zotob (computer worm) - Wikipedia, the free encyclopedia. See also Bozori.A-E (Zotob.E) Worm

The main target of the worm is Windows 2000. It represents minimal risk to XP and Windows 2003 as they require authentication that prevents a particular vulnerability from being exploited.  Setting RestrictAnonymous=2 in the registry will disable non-authenticated sessions and prevent infection on Win2k systems.

Enabling port blocking on a built-in firewall is also a good preventive measure. As for many other network worms, disinfection in a sense of removal of worm is not enough: You need to apply Microsoft patch (Microsoft Security Bulletin MS05-039)  

This worm, while not as bad as some previous (slammer/sapphire, code red, msblaster) is still a pain. It tries to spread to addresses with the same first 2 octets as the current machine (same class B networks). On 10 networks that limits it to the same network, unless you have VPN connections to other networks. 

Initially it causes a huge initial spike in network traffic in corporate class B networks but unlike some predecessors the spike was one time and short lived (less then an hour). Some routers went down.  Due to this some organizations overreacted by shutting down their networks or PCs or both, inflicting more damage then the worm itself.   After the initial spike the worm just sits on infected PCs essentially waiting for disinfection and there is no rush to do anything about it. 
 

General Info

Only Windows 2000 PC are affected by the worm. Generally mass infection were typical only for  large organizations with mass deployment of Windows 2000 desktops. The worm does not infect computers running Windows XP Service Pack 2 nor Windows 2003, as those systems are somewhat protected against the Windows Plug-and-Play vulnerability that the worm uses.

The code used in the Zotob worm to exploit the Microsoft PnP vulnerability addresses in MS05-039 relies on NULL sessions to exploit the target system. Default installations of Windows XP SP2 and Windows 2003 do not have NULL sessions enabled, and thus are not affected by the worm. See http://www.securityfocus.com/news/11281

On Windows 2000 the virus is effective only if:

This worm creates up to 300 threads to scan for vulnerable systems generating random class B address in the segment where the infected workstation is. For each generated address the worm is sending SYN packets to TCP Port 445 trying to exploit the vulnerability. Generation is a one time deal -- one for each infection.

When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script (2pac.txt is the script file name) and launching FTP.EXE to download and execute the worm from the source system (ftp connection is established via TCP port 33333, haha.exe is fetched).

Worm propagation is a typical datacenter environment looks like a burst-style, one-time traffic explosion that can tale router down.  After the worm is done with it, it  generates almost no traffic. That's why most networks survived pretty well after the initial infection packets are all generated. 

Summary of ports used:

Administrators can scan their segments using nmap -p 8888,33333  <segment>  to detect infected computers. Please note that ports 445, 8888 and 33333 are blocked on many enterprise routers, so you can get results only within your local network segment. Please do not scan more then one C-class segment at a time.

Ports 8888 and 33333 should be blocked on all firewalls and routers untill the end of epidemics 

Manual Removal using the W32.Zotob Removal Tool

Symantec has a primitive scanning (and that means very slow ;-) removal tool to clean the infections of W32.Zotob. Still that might be the easiest way to remove this worm for home users.

Microsoft also published manual recovery procedure:

To manually recover from infection by Worm:Win32/Zotob.A, follow these steps:
  1. Install security update MS05-039.
  2. Disconnect from the Internet.
  3. End the worm process.
  4. Delete the worm files from your computer.
  5. Delete the worm registry entries.
  6. Clean the system host file.
  7. Restart your computer.
  8. Take steps to prevent re-infection.

Install security update MS05-039

To install MS05-039 using Windows Update
  1. Go to the Windows Update Web site at windowsupdate.microsoft.com.
  2. On the Windows Update site, click Scan for Updates. Windows Update scans your computer and returns a list of critical updates, including service packs.
  3. In the Pick updates to install list, click Critical Updates and Service Packs. Windows Update creates a list of the updates appropriate for your computer, including MS05-039 if it is not installed. Critical updates are selected for download automatically.
  4. Click Review and install updates, and then click Install Now. You may need to restart your computer after installing the updates.

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

End the worm process

Ending the worm process will help stop your computer from infecting other computers as well as resolve the crashing, rebooting, and performance degradation issues caused by the worm.

To end the worm process

  1. Press CTRL+ALT+DEL once and click Task Manager.
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Select the process botzor.exe, and click End Process.

Delete the worm files from your computer

To delete the worm files from your computer
  1. Click Start, and click Run.
  2. In the Open field, type the name of the system folder, for example, C:\Winnt\system32\
  3. Click OK.
  4. Click Name to sort files by name.
  5. If botzor.exe is in the list, delete it.
  6. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  7. Click Yes.
If deleting the files fails, follow these steps to verify that botzor.exe is not running:
  1. Press CTRL+ALT+DEL once and click Task Manager.
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Confirm that botzor.exe is not in the list.

Delete the worm registry entries

Worm:Win32/Zotob.A creates entries in the Windows registry that attempt to run the worm every time your computer restarts. These entries should be deleted.

To delete the worm registry entries

  1. On the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to the key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    In the right pane, right-click the following value, if it exists:
     

    WINDOWS SYSTEM

  4. Click Delete and click Yes to delete the values.
  5. Repeate steps 3-4 for HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices.
  6. Close Registry Editor.

Clean the system host file

The worm makes changes to the system host file to prevent access to certain Web sites.

To clean the system host file.

  1. On the Start menu, click Run.
  2. Type notepad.exe and click OK.
  3. On the File menu, click Open…
  4. In the File name text box, type the name of the Windows directory folder and \system32\drivers\etc\hosts, for example, C:\winnt\system32\drivers\etc\hosts.
  5. Search for text that begins with "Botzor2005 Made By…"
  6. Select this text and all text that follows. Delete the selected text and save the file.
  7. Close Notepad.

Restart your computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Take steps to prevent re-infection

Do not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.

Links to relevant information

Brief Summary

The worm copies the following file to the newly compromised computer and executes an FTP script contained within it:

C:\WinNT\System32\2pac.txt

Next it downloads executes the following copy of the worm from the previously created FTP server on the host computer:

        C:\WinNT\System32\haha.exe 

The worm exists in at least two versions and you should also check for the file

botzor.exe in the WINDOWS SYSTEM directory and registry run keys are created to load the worm at startup:

An additional registry change is made:

The HOSTS file is appended to block access to anti-virus websites:

Those changes can be easily checked manually even without any tools to detect the infection

Webliography

Zotob (computer worm) - Wikipedia, the free encyclopedia


Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: May 13, 2017