Computer Crime Research Center


Serious damage caused by chat and IM

Date: August 18, 2005

Reports are coming in from threat centers around the country that the Zotob virus continues to spread rapidly and to affect Windows XP computers on consumer and enterprise desktops. Reports have included serious service interruptions at CNN, ABC, the New York Times, and other places.

Dmitri Alperovitch, a research engineer at CipherTrust, says the Zotob virus is spreading faster than any virus he has ever seen. "It's the zombie effect," he says. "The Zotob virus is using zombie PCs that have been taken over by a hacker to spread a virus, very, very effectively." He noted that at one point today, more than 2000 zombies were part of the network that is spreading the virus.

Meanwhile, the IMLogic Threat Center this morning reported that both the Zotob and IRCbot worms are using a chat channel to allow hackers to gain access to and control of an infected machine. In a statement, the company said, "The rapid spread of these worms is illustrating the special problems posed by threats that can leverage real time data channels like IM."

The statement added that the worms are taking advantage of a vulnerability in Windows 2000, XP and Server 2003, caused by a flaw in the Windows operating system that allows hackers to exploit the system's “plug and play” capability. An infected machine can exploit the vulnerability to create a denial of service attack on other vulnerable machines. By leveraging a chat channel, the initiating hacker gains access to a host machine and uses it to attack other networked machines.

Once successfully exploited, the vulnerability allows a hacker to affect a number of systems. The effects include stealing system information and, most damaging, forcing an infected computer into a continual reboot.

Initially rated a "low" risk by security industry threat centers, the rapid propagation of the Zotob and IRCbot worms has motivated providers to increase the risk level.

The worm appears to lie quiet on an infected machine until prompted into action by the hacker. The messaging channel opened by the worm appears to await direction before disrupting system activity or propagating itself on the network.