Zero day attacks "round the corner"

23.08.2005
By Samantha Perry

The Zotob worm (and its variants), which spent the better part of last week running rampant and halting network traffic worldwide, has highlighted the increased speed at which hackers are exploiting vulnerabilities.

This particular worm exploits a Plug and Play service vulnerability in Windows 2000, which was announced by Microsoft on Aug. 9. The first attacks were picked up by security alert centers a week later.

Sal Viveros, security strategist with McAfee, says that the time from the discovery of a vulnerability to the creation of a threat is getting shorter and shorter. "This is a trend that has emerged over the last three years," he says.

"Criminals look out for vulnerability announcements, and then try to exploit them, because they realize that most businesses do not patch their systems. Only large enterprises with a security policy and dedicated support staff constantly patch systems. Smaller companies mainly focus on keeping the business running, and patching is thus less of a priority."

"The worm is mainly infecting Windows 2000 systems," he notes. "It looks for unpatched systems, and then exploits the buffer overflow vulnerability, installs itself and starts spreading. The worm's goal is to keep spreading, but it also gives its creator remote control of the infected PC. One of the variants reboots machines repeatedly," he adds.

Despite this, Viveros says the worm is unlikely to cause any real damage. A number of variants have emerged, and at this point it is merely spreading itself as fast as possible.

"It creates an open system that can be remotely controlled, but at this point it does not appear as if anyone has tried to take control," he says.

The reason that McAfee has flagged it as a high risk is the speed at which it is spreading. And the speed at which it has spread is the reason why McAfee does not expect anything further to happen.

"Everyone is trying to clean it up at the moment," says Viveros. Additionally, criminals who exploit vulnerabilities for commercial gain tend to spread worms and Trojans slowly, in a bid to avoid detection.

"We have already seen where threats are discovered by hackers and an exploit created immediately, so from that perspective we are already seeing zero day threats. In terms of a zero day attack, where a vulnerability is announced by the manufacturer, and the threat is created on day one, we think that this is right around the corner," he states.