Botwars – and how to fight them

Mikko Hyppönen, Chief Research Officer at the Data Security Laboratory in F-Secure's Helsinki headquarters, maps the course of a botwar that developed in mid-August, cost him and his colleagues some sleep and took on the proportions of an international incident before it was stopped.

On Sunday, August the 14th, we detected a new virus around lunchtime. Nothing special there, except that this one was using a brand new exploit for a recently patched Microsoft vulnerability: the MS05-039 PnP hole. I was the viruslab on-call manager for the week, so I called up other on-call people to work on the case, test it and publish a new update. We add detection with the name "Zotob" and move on.

On Monday evening I get a call from one of our people at F-Secure passing on a request from a customer who was having a hard time fighting something in their network. It turns out the customer has installed the latest Microsoft patches but hasn't rebooted the machines, and is not running firewalls on individual machines – an error which would subsequently prove costly for other organisations around the world. As a result, they were hit with something that was causing hundreds of their Windows 2000 machines to reboot almost constantly.
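The two conditions that left that customer exposed, updates installed but not yet active because the machines had not rebooted, and no host firewall, are still worth checking for on any Windows machine today. The script below is an added example, not from the original article or from F-Secure; it is a modern equivalent written for Windows 8 / Server 2012 and later (the registry markers and the NetSecurity module it uses did not exist on Windows 2000), and the warning texts are my own wording.

```powershell
# Added example (not from the original article): a quick check for the two
# conditions described above. Uses only documented Windows registry keys and
# the built-in NetSecurity module (Windows 8 / Server 2012 and later).

function Test-PendingReboot {
    # Registry markers Windows sets when an installed update is waiting for a
    # restart before its files are actually in use.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($key in $markers) {
        if (Test-Path $key) { return $true }
    }
    # A pending file rename (the old binary stays on disk until restart) also
    # means the patched code is not yet what is running.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { return $true }
    return $false
}

function Get-HostFirewallState {
    # One row per profile (Domain, Private, Public); Enabled is False when
    # that profile's host firewall is switched off.
    Get-NetFirewallProfile | Select-Object Name, Enabled
}

if (Test-PendingReboot) {
    Write-Warning "Updates are installed but a reboot is pending: the patched code is not yet running."
} else {
    Write-Output "No reboot pending."
}

foreach ($p in Get-HostFirewallState) {
    if (-not $p.Enabled) {
        Write-Warning ("Host firewall is disabled for the {0} profile." -f $p.Name)
    } else {
        Write-Output ("Host firewall enabled for the {0} profile." -f $p.Name)
    }
}
```

Run it in an elevated PowerShell session; a machine that reports a pending reboot should be counted as unpatched in any inventory until it has actually restarted.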

Analysis by another member of my team, Alexey Podrezov, turns up a new Ircbot variant that has been modified to use the PnP exploit. An update is released to everybody and Alexey stays in for several hours to build a special tool to help the customer. Late that evening I write a short blog entry instructing everyone, "patch now." Otherwise, though, things look fairly calm, with very few reports of real-world problems from the field. But clearly there was a storm brewing.

On Tuesday evening I'm going out to the theatre with my wife and a couple of friends to see a show in Helsinki. Typically, I'm worried that if something big happens I might need to leave during the show, but my colleague Katrin Tocheva is nice enough to stand in for me for the evening while I'm on call.

And so to bed
The show is excellent and the evening passes uneventfully. At 22:36 I get a reassuring message that all is well and prepare for bed. I wake up right after 02:00: Rich Beneck from Microsoft is calling, asking if we're seeing increased PnP activity in the net. Literally, while I'm speaking with him, my phone receives an automatic SMS alert regarding network worm activity. Uh-oh. Better check out the situation.

I get to my computer to see that Ero Carrera in our US viruslab is already hard at work on the problem: there are at least two new worms spreading aggressively. Too bad, but I have to wake up my colleague Jusu again. He sounds awake enough and makes his way to the office.

We're getting reports of CNN having problems. I place two calls to CNN techies to get some kind of handle on the situation, and it doesn't look good. Big companies have lots of Windows 2000 machines in their networks. Many of them simply haven't had enough time to test and deploy the patch across their networks. Veli-Jussi Kesti ("Jusu") gets the update out in high-speed mode and we issue a Radar alert. It's 03:36.

Rude awakening
I'm chatting on Messenger with Simon from Microsoft's Security Response Center and he seems to think the whole case is mostly media hype. But I'm not so sure. There are now several reports of infections in places like the Financial Times, the New York Times and ABC.

Bob Sullivan from MSNBC calls me for a comment and we discuss at length how, in most places, the infection must have entered via infected laptops. I'm walking around my study while talking, trying not to wake the rest of the house. In the wee hours I send my weary on-call colleague home with thanks and start to type out a blog entry entitled "The global PnP problems".

My wife wakes up around 5 in the morning. It has been really cold during the night and I've pulled on one of her pink sweaters, which she finds highly entertaining. Oh well.

I receive a couple of calls from CNN Center asking if I could do a live phone interview. We do this at 05:15. It ends up being broadcast in Asia and the USA but not in Europe, so I miss it. My wife takes the 6 o'clock bus to work and I doze off on the couch, only to be woken up 15 minutes later by another automated alert text message which doesn't tell me anything new and isn't what I need after a long night without much sleep.

I wake up again at 07:30 to check out the morning news. The CNN weathergirl makes a comment about how her forecast isn't very detailed today because only one of her computers is working...

Aftermath
I get to the office before 9 and, with other members of my team, we try to make some sense of the mess of all these different bot variants. Katrin posts the now-legendary high-tech illustration on the topic to the web. In the afternoon I'm working with our PR team on a press release on the whole saga. It's significant enough to be reprinted in over 500 different journals in the following days.

Over the next three days we find dozens of new worm and bot variants, all recycling the same 'Houseofdabus' exploit code. New infections are reported from several large companies and I spend almost an hour on the phone on the Thursday with one Swiss company trying to fight it.

But overall, the situation starts calming down. Many companies were not affected in any way during the whole outbreak and most others started getting their patches out by the end of the week. From our point of view, the PnP saga is now case closed. I suppose we're now waiting for the next big thing, whenever it comes.

These outbreak weeks are getting harder to recover from every year. And we aren't getting any younger, are we?

Author (slowly recovering) Mikko Hyppönen, Chief Research Officer
