Worms Exploit Plug and Play Vulnerabilities

In 2003, the blaster worm infected as many as 10 million computers just three weeks after Microsoft Corp. issued a patch for the hole the worm exploited.

Today, IT administrators would love to have even a week to patch their systems before a worm appears to exploit a new flaw.

A mob of malicious programs knocked down networks across the country last week, using a powerful, remote exploit of the Windows Plug and Play service that appeared just a day after Microsoft issued a patch for the hole Aug. 9.

The fast-closing window to patch vulnerable systems is putting pressure on IT departments everywhere to find better ways to distribute patches.

But some experts warn that worm and bot outbreaks distract attention from a deeper and darker problem: undiscovered or undisclosed vulnerabilities in software running on critical systems.

By late last week, there were 19 worms that exploit the Plug and Play flaw, including new worm families such as Zotob and Dogbot and variants of Rbot, officials for security vendor Sophos plc. said.

Read more here about Zotob and PnP worms slamming 13 DaimlerChrysler plants.

The flood of malicious programs, coming so soon after the Microsoft patch, made it hard for IT staff members at many companies to patch vulnerable systems in time.

The worms knocked 13 of DaimlerChrysler AG’s U.S. manufacturing plants offline for as long as 50 minutes on Tuesday, idling as many as 50,000 workers, said spokesperson Dave Elshoff in Detroit.

Customer support workers at SBC Communications Inc. also were idled as variants of the recent Zotob and Rbot worms raced through the company’s computer network last week, causing Windows 2000 systems to reboot and hampering the ability of staff to assist customers, said spokesperson Wes Warnick in San Antonio.

SBC was still evaluating the Microsoft patch when the worms hit, Warnick said.

“A large enterprise like SBC has to do testing to make sure that those patches are compatible with existing systems,” he said.

Zotob proves that patch management isn’t enough. Click here to read more.

Microsoft and others recommend a “defense in depth” approach for customers that includes a desktop firewall, anti-virus software, intrusion detection technology and patch management tools, said Stephen Toulouse, security program manager at Microsoft’s Security Response Center, in Redmond, Wash.

A combination of those technologies kept Windows 2000 systems at Principal Financial Group from being hit with Zotob or its cousins, said Corey Null, who works in the information services group at Principal, in Des Moines, Iowa.

The company usually requires a lot of time to test patches, but the company makes an exception for high-risk threats such as the Plug and Play flaw, Null said.

But some experts warn that worm and malicious-code outbreaks can be somewhat of a smoke screen.

“Whatever Microsoft reports is only the tip of the iceberg,” said Nand Mulchandani, vice president of business development and founder of Determina Inc., a security vendor based in Redwood City, Calif. “In most of the [hacking] underground, if somebody finds a vulnerability, they’ll use it, not write a worm for it.”

Window of vulnerability