
Zotob worm wreaks havoc

Microsoft Corp. is disputing conflicting reports about the network worm that affected computers running Windows 2000 last month.

While things are back to normal, the Zotob worm affected computers in the trading division and head office of the Canadian Imperial Bank of Commerce. “The patch had been rolled out throughout large parts of our network, as was determined by the fact that customer service was generally unaffected by this issue,” said CIBC spokesman Rob McLeod. “In the areas that were affected temporarily, the security was quickly addressed and resolved and operations are running normally.”
The worm also hit BMO Nesbitt Burns’ support systems, said spokesperson Joanne Hayes. In both cases there were no reports of customer service disruptions.
“As soon as we determined there was a potential risk we took immediate action to ensure patches were installed on our critical systems first,” said Hayes. “We contained the virus quickly. No customers or clients were impacted and no critical applications were infected.”
Experts also point out that, compared to several years ago, the time between the release of a vulnerability and its exploitation has shortened dramatically.
“This is the wake-up call for everybody,” said Stephen McWilliam, vice-president of channels at Fusepoint, a Toronto-based managed service provider.
“Gone are the days when you had six months to deploy a patch like the big ones that have hit us in the past.
“Now we’re getting closer and closer to what the industry refers to as zero-day vulnerability.”
Jack Sebbag, Canadian general manager and vice-president of McAfee Inc., points out that organizations usually need seven to 14 days minimum for proper quality assurance testing of the patch before they can deploy it.
Bryant Jackson, president and CEO of Metafore Corp., a solution provider with offices across the country that was called upon to help clients, said he was surprised at how fast the worm spread.
The incident should be used by VARs to work with clients to help detect network risks and establish a patch management policy, he said.
The Zotob worm exploits a security hole in the plug-and-play feature in Windows 2000, causing the repeated shutdown and rebooting of a computer.
Microsoft issued a security update for the bug on its Web site, but users had only a short timeframe to repair their operating systems.

Conflicting reports
While only Windows 2000 machines can be remotely attacked by the worm, conflicting reports suggest Windows XP and Windows Server 2003 are also affected by it.
“The worm can only infiltrate Windows 2000 systems,” said Jill Schoolenberg, Windows Client director at Microsoft Canada Co., adding that Windows XP and Windows Server 2003 clients are protected against the worm.
“There’s a lot of misinformation out there indicating that, but that’s not the case.”
After an internal analysis of the outbreak, however, Symantec Corp. found that these operating systems can act as carriers for the worm.
“Zotob can run on other machines as well that can’t be remotely affected by the worm,” said Jonah Paransky, senior manager of product marketing at Symantec.
While some companies can risk quickly patching an OS, banks are especially cautious about it, said Anti-Virus Information Exchange Network (AVIEN) administrator Robert Vibert. To minimize the risk of that happening, financial institutions might spend more time on testing, potentially increasing their vulnerability to attack.