IRCbot worm wreaks havoc
17 August, 2005
by Robert Dutt
Last week's Zotob family of worms took a nasty turn this
week, with a new variant slamming companies around the world
starting on Tuesday.
The new worm, dubbed IRCbot, has been rated "high"
risk by most anti-virus vendors, who say the worm is making
quite an impact, with hundreds of infections reported, including
high-profile infections at financial institutions and media
outlets such as CNN and ABC.
"This is an extension of the Zotob family, and this
one was very successful in what it's doing," said Jack
Sebbag, general manager of McAfee Canada, of the new worm.
IRCbot is the first piece of malware spawned by last week's announcement
of a flaw in Windows 2000's plug and play implementation to have
successfully reproduced, replicated and spread in the wild. Most infections
thus far have been in North America, although anti-virus researchers
do also list infections in Asia and Europe.
The worm thus far only infects Windows 2000 systems, and
contacts a remote Internet Relay Chat server to wait for further
instructions. If the worm is run on a system not patched for
the recently announced flaw, the machine will continually
reboot. The worm also copies itself to the Windows system
directory; that copy can then be run by a user directly or
launched by way of the buffer overflow flaw.
"There are thousands of machines infected at this point,
and a lot of major organizations have been all over the media
as having been hit," Sebbag said. "It's starting
to stabilize in terms of spread. Companies are getting out
there and putting up the patches, so that's starting to slow
this thing down."
The speed with which Zotob and its successors have launched
points to an alarming trend: worms are appearing ever faster
after a new security flaw is disclosed.
The notorious Sasser worm arrived 14 days after the vulnerability
it exploits was announced. By comparison, IRCbot comes along
just less than seven days after Microsoft released the patch
for Windows 2000, with the first Zotob variant appearing a
scant 72 hours after the flaw was disclosed.
"These guys are getting really good, they've got great
scripting tools, and they're exploiting in record times,"
Sebbag said. "It's not much of a stretch to think of
a zero-day exploit."
Sebbag said that the increasing speed of infection after
the exploit is discovered points to the need for organizations
to use proactive security technology -- modern anti-virus
software that offers built-in buffer overflow protection,
and intrusion prevention systems that can watch for attacks
both known and unknown.
"An investment in proactive blocking technologies is
key for organizations," he said. "In our case, our
intrusion prevention system was protecting [against exploits
of the Windows 2000 plug and play flaw] within 24 hours from
the vulnerability being announced."