MS-ISAC ADVISORY NUMBER:
2005-016
DATE(S) ISSUED:
(See MS05-039 and CSCIC Advisories #2005-013 and 2005-013 Update.)
8/16/2005
SUBJECT:
Update on the Microsoft Windows Plug and Play Buffer Overflow Vulnerability
Four states have reported impacts from the above vulnerability involving the following worms: Zotob / RBOT.CBQ and Esbot / IRCBot. Two states have reported widespread worm activity within multiple agencies. Initial reports are that the worms involved are all variants of W32.Zotob (A, B, C, D, E and F) and W32.Esbot.
Please be advised that we have received reports that certain variants of Spybot are also piggybacking on the Zotob worm. W32.Esbot.A also exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability. This worm works similarly to the Zotob worm in that it opens a back door and allows an attacker complete unauthorized access to the infected system.
SYSTEMS AFFECTED:
- Windows NT 4.0 Server (SP1 to SP6a)
- Windows NT 4.0 Enterprise Server (SP1 to SP6a)
- Windows NT 4.0 Server Terminal Server (SP1 to SP6a)
- Windows NT 4.0 Workstation (SP1 to SP6a)
- Windows 2000 Server, Advanced Server and Datacenter (SP1 to SP4)
- Windows 2000 Professional (SP1 to SP4)
- Windows XP Home (SP1 to SP2)
- Windows XP Media Center Edition (SP1 To SP2)
- Windows XP Professional (SP1 to SP2)
- Windows 95, 98, 98SE, ME
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: High
DESCRIPTION:
All five variants of the W32.Zotob worm open a back door and exploit the Microsoft Windows Plug and Play Buffer Overflow Vulnerability on TCP port 445 (Zotob.D exploits it on TCP port 8888). A buffer overflow in the Microsoft Plug and Play (PnP) service allows an attacker to remotely execute arbitrary code on an affected system. The Plug and Play (PnP) service is used to simplify the installation of new hardware on most Windows-based operating systems. If an attacker successfully exploits this vulnerability, it gives the attacker complete control over the affected system. The Microsoft Windows Plug and Play Buffer Overflow Vulnerability was reported on August 9th, 2005 in Microsoft Bulletin MS05-039. A patch is available for this vulnerability.
Other characteristics of the Zotob variants include:
- Back doors connecting to IRC servers on TCP ports 6667 and 8080
- An FTP server opened on TCP port 33333, or on TCP port 1117 (Zotob.D)
- Zotob.E opens a back door by connecting to the following IP address: 70.20.27.115 (Verizon Internet Services)
W32.Esbot.A is a worm which also spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability. Once a system is infected with W32.Esbot.A, it will open a back door and allow an attacker to have complete unauthorized access to the infected system.
W32.Esbot.A also connects to IRC servers on TCP port 30722 to listen for IRC commands. The IRC commands allow the attacker to perform the following actions:
- Download and execute files
- List, stop, and start processes and threads
- Launch Denial of Service (DoS) attacks
- Find files on local hard disks
- Scan for computers and attempt to exploit the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (MS05-039). If successful, the worm sends shell code to the remote machine.
RECOMMENDATIONS:
CSCIC recommends the following actions be taken:
- Ensure that Windows-based systems are fully patched after appropriate testing. Microsoft Windows patches can be found at:
http://www.microsoft.com/technet/security/default.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
- Continue to update your anti-virus software on a daily basis.
- Enforce a strong password policy in your organization.
- Block inbound and outbound TCP ports 139 and 445 at the firewall.
- Block inbound connection attempts that are not required for normal business processing, including inbound FTP connections to unauthorized FTP servers. This can help prevent an infection, and if a system does become infected, it prevents a remote attacker from using the worm to further compromise the infected host.
- Apply proper egress filtering on the firewall including blocking outbound IRC connections. This will help limit the amount of damage if your systems become infected.
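As an added example (not part of the MS-ISAC advisory), the following script ties the DESCRIPTION and RECOMMENDATIONS sections together from a defender's side: it triages firewall connection-log lines for the network indicators the advisory lists (exploit traffic to TCP 445/8888, IRC back doors on 6667, 8080 and 30722, the worm's FTP server on 33333/1117) and then shows which of the recommended firewall rules would have blocked each flow. The log format, all addresses, the scan threshold and the inbound allow-list are constructed for this example; the only authorized FTP server, 10.0.0.21, is an assumption.

```python
"""Added example (not part of the MS-ISAC advisory): triage constructed
firewall connection-log lines for the Zotob / Esbot network indicators the
advisory lists, then show which recommended firewall rule would have blocked
each flow.  Log format, addresses and the inbound allow-list are constructed."""
import re
from collections import defaultdict

# Indicator ports taken from the advisory text.
PNP_EXPLOIT_PORTS = {445, 8888}           # MS05-039 exploit traffic (Zotob.D: 8888)
IRC_BACKDOOR_PORTS = {6667, 8080, 30722}  # Zotob IRC back doors; Esbot.A on 30722
WORM_FTP_PORTS = {33333, 1117}            # FTP server opened by Zotob (Zotob.D: 1117)
SCAN_THRESHOLD = 5                        # assumed: distinct 445/8888 targets => scanning

# Assumed inbound allow-list (dst, port): only one authorized FTP server is reachable.
INBOUND_ALLOW = {("10.0.0.21", 21)}
# Ports treated as IRC for the "block outbound IRC" egress rule.  8080 is kept out
# of the block rule (it is commonly a legitimate HTTP proxy port) but still counts
# as an indicator above.
IRC_EGRESS_BLOCK = {6667, 30722}

# Constructed log format: "<ts> <ALLOW|DENY> <IN|OUT> TCP src:sport -> dst:dport"
LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<dir>IN|OUT)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

SAMPLE_LOG = """\
2005-08-16T09:01:02 ALLOW OUT TCP 10.0.0.15:1031 -> 192.0.2.10:6667
2005-08-16T09:01:05 ALLOW OUT TCP 10.0.0.15:1032 -> 10.0.0.16:445
2005-08-16T09:01:05 ALLOW OUT TCP 10.0.0.15:1033 -> 10.0.0.17:445
2005-08-16T09:01:05 ALLOW OUT TCP 10.0.0.15:1034 -> 10.0.0.18:445
2005-08-16T09:01:06 ALLOW OUT TCP 10.0.0.15:1035 -> 10.0.0.19:445
2005-08-16T09:01:06 ALLOW OUT TCP 10.0.0.15:1036 -> 10.0.0.20:445
2005-08-16T09:01:09 ALLOW IN  TCP 10.0.0.16:1044 -> 10.0.0.15:33333
2005-08-16T09:02:00 ALLOW OUT TCP 10.0.0.42:1050 -> 198.51.100.7:30722
2005-08-16T09:02:30 ALLOW OUT TCP 10.0.0.42:1051 -> 10.0.0.21:21
2005-08-16T09:03:00 ALLOW IN  TCP 203.0.113.9:4000 -> 10.0.0.21:21
2005-08-16T09:03:10 ALLOW IN  TCP 203.0.113.9:4001 -> 10.0.0.22:21
"""


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["sport"], flow["dport"] = int(flow["sport"]), int(flow["dport"])
    return flow


def triage(lines):
    """Map each internal host to the sorted list of indicator tags seen for it."""
    findings = defaultdict(set)
    scan_targets = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if f["dir"] == "OUT":
            if f["dport"] in IRC_BACKDOOR_PORTS:
                findings[f["src"]].add("irc-backdoor:%d" % f["dport"])
            if f["dport"] in PNP_EXPLOIT_PORTS:
                scan_targets[f["src"]].add(f["dst"])
        elif f["dport"] in WORM_FTP_PORTS:
            # Something is connecting *into* a worm-opened FTP port on this host.
            findings[f["dst"]].add("worm-ftp-server:%d" % f["dport"])
    for host, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[host].add("pnp-scanning")
    return {host: sorted(tags) for host, tags in findings.items()}


def policy_verdict(flow):
    """Return the advisory recommendation that blocks this flow, or None if permitted."""
    if flow["dport"] in (139, 445):
        return "block TCP 139/445 inbound and outbound"
    if flow["dir"] == "IN" and (flow["dst"], flow["dport"]) not in INBOUND_ALLOW:
        return "block inbound connections not required for business (incl. unauthorized FTP)"
    if flow["dir"] == "OUT" and flow["dport"] in IRC_EGRESS_BLOCK:
        return "egress filtering: block outbound IRC"
    return None


def evaluate_policy(lines):
    """Return (flow, verdict) for every parsable line; verdict is None when permitted."""
    results = []
    for line in lines:
        f = parse_line(line)
        if f is not None:
            results.append((f, policy_verdict(f)))
    return results


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, tags in sorted(triage(lines).items()):
        print("%-12s %s" % (host, ", ".join(tags)))
    for f, verdict in evaluate_policy(lines):
        print("%-6s %s:%d -> %s:%d  %s" % ("BLOCK" if verdict else "permit",
              f["src"], f["sport"], f["dst"], f["dport"], verdict or ""))
```

Two points worth noting from the output: the infected host 10.0.0.15 is caught both by its IRC connection and by the fan-out of port 445 connections, and every one of those flows would have been dropped by the 139/445 and egress rules. The 139/445 rule does not, however, cover Zotob.D's exploit traffic on TCP 8888, so the log triage still matters even once the recommended blocks are in place.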
REFERENCES:
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.c@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.a.html
McAfee:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=135433
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=135473
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=135475
Microsoft:
http://www.microsoft.com/security/incident/zotob.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
F-Secure:
http://www.f-secure.com/v-descs/ircbot_es.shtml
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
