MS05-039 and the Zotob summary

Time line

• Aug 9th 2005 - Microsoft releases six security patches as part of the scheduled release cycle, MS05-0(38-43). four of which are critical. Exploits are released for MS05-038,041.
• 10th - The digital signature trouble with MS05-038 is resolved.
• 11th - Exploits are released for MS05-039 (the PnP exploit)(one, two) and more for 038. In addition a 0day for Veritas backup agent is released. Microsoft releases a security advisory.
• 12th - The plethora of exploits leads the SANS ISC to raise the InfoCon alert level to yellow expecting a worm to be developed. In addition snort signatures are released to detect the exploits. Administrators are encouraged to fast track patching these exploits. Another MS05-039 (PnP) exploit is released.
• 13th - Infocon remains at yellow, a worm is expected.
• 14th - A worm utilising MS05-039 (PnP exploit) as an attack vector is released, it is first discovered by F-Secure and named Zotob. Zotob is expected to have less impact as port 445 is usually firewalled and Windows XP SP2/2003 are mostly unaffected. Snort rules are released to detect it. Microsoft updates their security advisory to include guidance.
• 15th - The existing IRCbot is updated to use the MS05-039 exploit as an attack vector demonstrating a blended threat. Variants of Zotob (Zotob B and C) start appearing. Microsoft releases guidance and an encyclopedia entry on Zotob. Apple releases several security updates labeled 2005-007.
• 16th - The SANS ISC moves the InfoCon alert back to green expecting that "most exploitable systems have been compromised at this point" and no new exploits have been released.. Microsoft updates their security advisory on MS05-039 and releases a press statement. CNN, ABCNews, NYTimes and Capitol Hill report worm outbreaks in their networks, it appears to be either Zotob or the new RBot which uses 5 attack vectors(one, two, three, four, five) including PnP. SANS and Microsoft agree the outbreak is localised,
• 17th - There are now seven variations of Zotob, one Rbot, one SDbot, one CodBot, three IRCbots and two Bozori variants using the PnP vulnerability. The Bozori and IRCbots are deleting other bots. CNN and the like kick up a fuss. Microsoft updates their press statement. A 0day exploit (no patch) is released for Internet Explorer, the SANS ISC could not get it to work, AV vendors update their signatures to detect it.

Discussion

Right, now that is out of the way, lets get onto an analysis. Some people have claimed this is the "fastest turnaround from the announcement of a vulnerability to the actual virus." At first I thought this was true, but it isn't. Sasser appeared the day after the exploit was released but the vulnerability was released sixteen days earlier. However the witty worm appeared about 36 hours eEYE's public disclosure of the vulnerability. Therefore, it is not the fastest instance of vulnerability to exploit (0days get that accolade) or exploit to virus or disclosure to worm.

Zytob is a descendant of Mytob and seems to have originated in Turkey having been written by the same author as Mytob.

The blended threat problem seems to have caused the biggest headache. When a new vulnerability is announced, existing worms can be upgraded to use it as a new attack vector. This is exactly what we have seen in this case and should expect more of in the future. There won't be one worm to rule them.

The exploits for Veritas and Apple patches in the middle of the incident could have been a headache for some. To elaborate on joat's point about standardisation, there may be some advantage to minimal vertical integration i.e. linux on both desktops and servers but each with different configurations standardised horizontally.

Implications

A post on the patchmanagement mailing list summarised the problem nicely. This company used to have a 20 day testing cycle, from analysis to full production deployment. After Sasser they pushed for a 7 day testing turnaround. However this demonstrates that they need to move to a 3 day turnaround, if you ignore 0days. Each move requires a re-negotiation with management. Three days to patch is next to impossible, you can't patch that quickly. Then other issues such as the current IE 0day turn patching policies into an impossible race.

This brings us to the mitigation strategies. There were/are multiple ways to block this malware without requiring a patch (although in the long term a patch is the preferred solution). There are two parts to this, actions you can undertake in the situation and long term architecture changes.

Situational

• Firewall the service. If you can proxy it or disable it.
• Apply recommended mitigating strategies (in this case disable NULL sessions).
• Update snort signatures to block suspicious traffic, this will create some false positives, but they are easier to deal with that a worm outbreak. The false positives will also help to improve the signature for the community.
• Update AV signatures to block the malware (this isn't always a solution).

• Quarantine portable devices (e.g. wifi devices, laptops, PDAs) on their own subnet and treat it like the external internet. THis should prevent malware piggy-backing in.
• Limit VPN access to prevent malware tunneling in. Sometimes a simple webapp can provide the necessary level of access.
• Implement routing white-lists, and egress filtering. User desktops often only need to talk to a handful of servers. This should reduce propogation speed within your organisation and can allow you to focus on server patching.
• Reorder your network into zones and focus on the connectivity between them, at the same time try and simplify the organisational network diagram connectivity by centralising services where appropriate (from  tqbf).
• Execution white-lists could be useful depending on your environment (thanks Axel Ebel). Windows has DEP and work has been done on signed binaries.
• Keep an eye on security news, particularly the SANS ISC InfoCon threat level. Sometimes you will need to fast track a patch with minimal testing.

These should buy you some time to get the patches tested and deployed. We are still seeing too much of what Bill Cheswick, way back during the Morris worm in this paper, described as "a sort of crunchy shell around a soft, chewy center".

Conclusion

In conclusion, this seems like a lot of noise for something that wasn't that big. However, it wasn't a non-event. The hype can be used to get a patching and threat management policy up to date.