Major botwar increases in scale and force
Aug 17, 2005:
Growing infection rates from worm variants based on three virus families (Zotob, Bozori and Ircbot) are putting large organizations around the world on alert.
On Tuesday the 9th of August, Microsoft released the monthly
security patches for Windows. This included several critical
patches, with one closing a vulnerability in Microsoft’s
Plug-and-Play service (MS05-039).
On Wednesday the 10th of August, a Russian individual who
goes by the name ‘Houseofdabus’ released working exploit code that
could be used to take over Windows 2000 machines with the
Plug-and-Play vulnerability.
On Sunday the 14th of August, the Zotob.A worm was found. An
unknown party had incorporated the Houseofdabus exploit code into a
worm that spreads automatically over the Internet. A very
similar development happened in May 2004, when virus writer Sven
Jaschan incorporated Houseofdabus' LSASS exploit code into his
infamous Sasser worm.
By Wednesday the 17th of August, F-Secure had found nine more
pieces of malware using the same exploit code to spread, including
variants of the Ircbot, SDBot and Bozori families.
Together, these continue to infect Windows 2000 computers
that either have not been patched or have not been rebooted
after patch installation, and that are not protected by a firewall.
Infections continue to be reported from large organizations,
especially from the USA. In these, infection has most likely
originated from infected laptops carried inside an organization’s
perimeter firewall.
These new Plug-and-Play worms only infect Windows 2000
machines that are not protected by a firewall. The worms replicate
by scanning machines on port 445/TCP and, when a victim is found,
use the exploit code to download the main virus file to it via FTP.
The newly infected machine then sets up an FTP server of its own
and starts scanning for more targets, continuing the spread. "We seem to
have a botwar on our hands. There appear to be three different
virus writing gangs turning out new worms at an alarming rate – as
if they were competing over who would build the biggest network of
infected machines," comments Mikko Hypponen, Chief Research Officer
at F-Secure. "The latest variants of Bozori even remove competing
viruses like Zotob from the machines!"
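The propagation pattern described above (a burst of 445/TCP probes from one host, followed by a newly compromised machine pulling the virus file back over FTP) is something a network team can look for in perimeter or internal firewall logs. The following is an added detection example written for this page, not F-Secure's code; the log format, the sample lines and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real data): "<timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2005-08-16T09:00:01 10.1.2.50 10.1.2.51 445 DENY
2005-08-16T09:00:01 10.1.2.50 10.1.2.52 445 DENY
2005-08-16T09:00:02 10.1.2.50 10.1.2.53 445 ALLOW
2005-08-16T09:00:02 10.1.2.50 10.1.2.54 445 DENY
2005-08-16T09:00:03 10.1.2.50 10.1.2.55 445 DENY
2005-08-16T09:00:03 10.1.2.50 10.1.2.56 445 DENY
2005-08-16T09:00:05 10.1.2.53 10.1.2.50 21 ALLOW
2005-08-16T09:00:10 10.1.2.70 10.1.2.10 445 ALLOW
2005-08-16T09:00:30 10.1.2.70 10.1.2.10 445 ALLOW
"""

def parse_log(text):
    """Yield (time, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])

def find_suspected_spreaders(text, threshold=5, window=timedelta(seconds=60)):
    """Return {scanner: sorted hosts that pulled a file back from it over 21/TCP}.

    A host is a suspected spreader when it probes at least `threshold` distinct
    targets on 445/TCP within `window` (denied probes count too, since a worm
    scans blindly). Probed hosts that then open 21/TCP back to the scanner are
    reported as probable new victims fetching the main virus file.
    """
    events = sorted(parse_log(text))
    probes = defaultdict(list)                 # scanner -> [(time, dst)] on 445
    for t, src, dst, dport in events:
        if dport == 445:
            probes[src].append((t, dst))
    scanners = {}
    for src, hits in probes.items():
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                scanners[src] = {d for _, d in hits}
                break
    result = {}
    for scanner, targets in scanners.items():
        pulls = {src for t, src, dst, dport in events
                 if dport == 21 and dst == scanner and src in targets}
        result[scanner] = sorted(pulls)
    return result

if __name__ == "__main__":
    for scanner, victims in find_suspected_spreaders(SAMPLE_LOG).items():
        print(f"{scanner}: burst of 445/TCP probes; FTP pulls from {victims or 'none yet'}")
```

The host 10.1.2.70, which repeatedly contacts a single file server on 445/TCP, is ordinary SMB traffic and is not flagged; only the fan-out pattern plus the FTP pull-back is.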
About F-Secure Corporation
F-Secure Corporation is the fastest growing publicly listed
company globally in the antivirus and intrusion prevention industry
with more than 50% revenue growth in 2004. F-Secure services and
software protect individuals and businesses against computer
viruses and other threats coming through the Internet or mobile
networks. Our award-winning solutions include antivirus and desktop
firewall with intrusion prevention, antispam and antispyware
solutions. Our key strength is our proven speed of response to new
threats. For businesses our solutions feature a centrally managed
and well integrated suite of solutions for workstations and servers
alike. Focused partners offer security as a service for those
companies that do not wish to build security expertise in-house.
Founded in 1988, F-Secure has been listed on the Helsinki
Exchanges since 1999. We have our headquarters in Helsinki,
Finland, and offices in the USA, France, Germany, Italy, Norway,
Poland, Singapore, Sweden, the United Kingdom and Japan. F-Secure
is supported by a global ecosystem of service partners, value added
resellers and distributors in over 50 countries. F-Secure
protection is also available through mobile handset manufacturers
such as Nokia and as a service through major Internet Service
Providers, such as Deutsche Telekom, France Telecom and Charter
Communications. The latest real-time virus threat news is
available at the F-Secure Antivirus Research Team weblog at
http://www.f-secure.com/weblog/
For more information, please contact:
F-Secure Corporation
Mikko Hypponen, Chief Research Officer
PL 24, 00181 Helsinki, Finland
GSM +358 (0)40 064 8180
Fax (09) 2520 5001