Monday, August 22, 2005

Bozori and Zotob: the first real company worms.

Bozori and Zotob are no different from earlier Internet worms like Blaster or Sasser: they use an exploit to spread directly to vulnerable machines. We've had no reports of infection from individual users. There's no question that this worm was spreading heavily; however, it seems to be confined to localized 'explosions' inside large corporations. These organizations, typically made up of 'small internets' behind heavily defended Internet gateways, have experienced infection.
Bozori, it seems, causes local outbreaks whenever it is able to reach critical mass (and this is heavily dependent on the level of management in the organization). The worm can't reach many machines over the Internet because these days everybody deploys a firewall. However, a worm can penetrate a local network without going through the firewall: when an infected laptop is brought into a network, large problems appear. That's why small companies and home users haven't been affected. On the other hand, a number of globally interconnected corporations, running large networks of computers - practically their own reduced versions of the Internet - have been hit badly. This incident suggests that we're on the threshold of a new era, in which 'company worms' will cause 'local network outbreaks' in large corporations but will have little effect on the Internet as a whole.

And yes, we have solutions... IPS, but not everyone is buying it, as it is not really cheap... Oh yes, I nearly forgot to mention that some of my interviews are published on our press page at http://www.anti-malware.info/press.htm .
And not every newspaper was interested in publishing something only for 'companies'. Was it not problematic enough?
In the meantime, a zero-day exploit appeared: msdds.dll ... more at http://isc.sans.org/diary.php?date=2005-08-19 . Let's hope we don't get any more problems with this in the future!