MS05-039 PNP Worms
- URL: http://www.Secureworks.com/research/threats/pnpworms
- Date: August 16, 2005
- Author: Joe Stewart
To date, SecureWorks' research team has found multiple IRC trojans using the newly released MS05-039 exploit in order to spread in a worm-like fashion. Despite reports of a single, widespread worm affecting companies around the world, what we are actually seeing is the effect of multiple existing threats which have been updated to utilize the new exploit. Previously these same trojans would spread using LSASS, DCOM and other older exploits, as well as social engineering through email and instant messaging. Because the MS05-039 PNP exploit provides a fresh pool of machines to add to these botnets, several different criminal hacking groups have adopted it. Although they are not strictly worms, since they have a command-and-control mechanism which allows their spreading to be controlled remotely, we will refer to them in this article using either term.
Since the first worm reported to utilize the exploit was Zotob, we will provide some brief background. Zotob is a descendant of Mytob, which was originally derived from the Rbot IRC trojan. Mytob was created by merging code from Rbot with the publicly available Mydoom source code, in order to allow the bot to spread via email. Zotob.A is the Mytob code with the email spreading capability removed and replaced with the MS PNP exploit. Zotob.C brings the email spreading function back into the worm, so that it has multiple vectors into a network. Zotob likely originated in Turkey, and is signed by a "Diabl0", who also left his mark on the original Mytob releases.
Other IRC trojans have been seen utilizing the same exploit, so they may be confused with Zotob when they are found on a network. We have seen at least three distinct bots so far updated with the code, primarily Rbot variants. It is likely that every botnet owner currently using Rbot will seek out a copy of this updated code, so we will continue to see an increase in attempts to exploit the MS PNP vulnerability from a growing array of unique sources.
The motive behind most of this botnet activity appears to be, in some cases, the installation of adware and, in others, the installation of spam proxies. There is a distinct profit to be made from exploiting this new pool of vulnerable machines, and there already appears to be quite a bit of competition for the resource.
The trojans/worms which utilize this exploit are only able to infect Windows 2000 machines. After a successful exploit the exploited service crashes, forcing Windows to reboot, so a wave of unexplained reboots on Windows 2000 hosts is often the first visible sign of an outbreak. This is almost a replay of the events which surrounded the LSASS exploit of last year. Companies that have not taken a proactive approach to security since then are the ones most likely to be infected by the new range of malware that spreads using the MS05-039 exploit.
The typical scenario for a corporate outbreak: a laptop or VPN user connects to his/her ISP and is infected by another machine on that network. When the VPN user connects back to the corporate network, or the mobile user returns to the office and plugs back in, the immediately connected network segment is scanned, vulnerable machines are infected, and those machines begin scanning in turn. This is a classic scenario every network administrator should be familiar with, yet not enough are taking the steps needed to practice "defense-in-depth", which is the only long-term solution to threats of this nature.
Some key steps that can mitigate the risk:
- Timely patching
- Network segmentation and access control (especially on the Windows networking ports, TCP 139 and 445)
- Internal IPS devices
- Firewalling VPN, wireless and mobile users from the internal network
- Desktop AV and host firewalls/HIPS
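The outbreak pattern described above, a returning laptop sweeping its own segment on the Windows networking ports (TCP 139 and 445), can be picked out of firewall or flow logs by counting the distinct hosts each source tries to reach on those ports inside a sliding time window. The script below is an added example written for this page, not SecureWorks code or a tool from the article. The log line format, the 20-host/60-second threshold, the SYN-only filter and the /24 segment size are assumptions chosen for illustration, and the sample log lines are constructed.

```python
# Added example, not code from the SecureWorks article: flag hosts that sweep
# a network segment on the Windows networking ports (TCP 139/445) over which
# the MS05-039 bots spread.  Log format, thresholds and the /24 segment size
# are illustrative assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

WINDOWS_NET_PORTS = {139, 445}


def parse_line(line):
    """Parse a constructed log line: '<ISO time> <src> <dst> <dport> <TCP flags>'."""
    ts, src, dst, dport, flags = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(dport), flags


def find_scanners(lines, threshold=20, window_seconds=60):
    """Return {src: {...}} for each source that sent SYNs to at least `threshold`
    distinct hosts on 139/445 inside some `window_seconds`-long interval.
    Only SYN-only records count, so established file-server sessions do not inflate it."""
    window = timedelta(seconds=window_seconds)
    attempts = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, flags = parse_line(line)
        if dport in WINDOWS_NET_PORTS and flags == "S":
            attempts[src].append((ts, dst))

    found = {}
    for src, evs in attempts.items():
        evs.sort()
        in_window = Counter()   # dst -> attempts currently inside the window
        start = 0
        peak, peak_targets = 0, set()
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > window:      # slide the window forward
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > peak:
                peak, peak_targets = len(in_window), set(in_window)
        if peak >= threshold:
            # How much of the sweep hit the source's own segment (assumed /24):
            # the "immediately connected segment" pattern of a returning laptop.
            net = ipaddress.ip_network(f"{src}/24", strict=False)
            same = sum(1 for d in peak_targets if ipaddress.ip_address(d) in net)
            found[src] = {"targets": peak, "same_subnet": same, "first": evs[0][0]}
    return found


def sample_log():
    """Constructed log: a returning laptop (10.1.5.23) sweeping its /24 on 445,
    a file server talking to five peers, and a web proxy fanning out on port 80."""
    t0 = datetime(2005, 8, 15, 9, 12, 0)
    lines = ["# time src dst dport flags"]
    for i in range(1, 41):                       # one SYN per second to 40 neighbours
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.1.5.23 10.1.5.{i} 445 S")
    for i, peer in enumerate(["10.1.5.40", "10.1.5.41", "10.1.9.2", "10.1.9.3", "10.1.9.4"]):
        lines.append(f"{(t0 + timedelta(seconds=3 * i)).isoformat()} 10.1.5.10 {peer} 445 S")
    for i in range(1, 41):                       # port 80 fan-out must not fire
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.1.2.8 192.0.2.{i} 80 S")
    return lines


if __name__ == "__main__":
    for src, info in find_scanners(sample_log()).items():
        print(f"{src}: {info['targets']} hosts on 139/445 within 60s, "
              f"{info['same_subnet']} in its own /24, first attempt {info['first']}")
```

On the constructed log only the laptop is reported: 40 distinct hosts on 445 inside one minute, all in its own /24, which is the segment sweep the page describes. The file server's five SMB peers stay under the threshold and the proxy's port 80 fan-out is never counted, which is why the port filter and the threshold both matter; lowering the threshold to 5 would flag the file server, and shrinking the window to 10 seconds would let a slow, one-host-per-second scanner through, so tune both to what normal SMB traffic on the segment looks like.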
From here, we expect MS05-039 to dominate the scanning-worm landscape until another wide-ranging exploit is released. If your company is not taking precautions against Zotob and similar threats that spread over Windows networking ports, you can expect to become infected at some point. Even though prevention is always the best approach, SecureWorks' Secure Operations Center has the technology to assist our clients in quickly responding to outbreak situations and recovering infected systems, even in cases where antivirus companies do not yet have a removal tool, as part of our normal service offering.
SecureWorks Research Team Timeline for MS05-039

| Date | Event |
|---|---|
| Aug 09, 2005 | Vulnerability alert to TI customers |
| Aug 12, 2005 | Threat alert to TI customers: "Exploit Code Released for MS05-039" |
| Aug 14, 2005 | Threat alert to TI customers: "Zotob IRC Bot Using MS05-039 Exploit" |
| Aug 16, 2005 | Public summary release at http://www.secureworks.com/research/threats/pnpworms |
