It seemed harmless at first, but mutant versions of Zotob turned out nasty. Are warring hackers to blame?
The original Zotob.A was unleashed over the weekend, wreaking relatively little havoc. As of Monday morning on the West Coast, the original worm had infected about 50 computers worldwide, and the first variant, Zotob.B, had compromised about 1,000 systems.
However, by Tuesday the worm had evolved into a greater annoyance, shutting down computers running Microsoft's Windows 2000 operating system. Computers across the United States were hit, including those at cable news station CNN, television network ABC and The New York Times. Symptoms of infection include the repeated shutdown and rebooting of a computer.
Without any user interaction, the worms can infect unpatched Windows 2000 systems that aren't protected by a firewall. The worms typically install a shell program on the computer to download the actual worm code using FTP, or File Transfer Protocol. The newly infected system then starts searching for new computers to compromise.
The worm, which has spawned several variants, exploits a hole in the plug-and-play feature in the Windows operating system. It surfaced only days after Microsoft offered a fix for the "critical" bug as part of its monthly patching cycle.
Some at CNET News.com found irony in some media outlets' coverage of the worm. "CNN should be embarrassed," wrote Timothy Beckner in News.com's TalkBack forum. "Their IT people could have patched them last week."
Some theorize that the recent surge in worms could be part of an underground battle to hijack PCs for use in Net crimes. Signs of a turf war between cybercrooks lie in the behavior of the worms that have emerged since Sunday, said Mikko Hypponen, chief research officer at F-Secure, a Finnish security software company.
The dozen or so worms and variants all exploit the same security hole, but some versions undo the effects of earlier worms, suggesting that the creators are battling to take over computers that others have already compromised, Hypponen said.
"We seem to have a bot war on our hands," Hypponen said. "There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines."
In response to the havoc, Microsoft made available a free software tool to help victims of worms that hit Windows computers in the past days clean their systems. The tool can be run online through Microsoft's Web site or downloaded from the Microsoft Download Center.
Microsoft's moves did little to assuage the anger some CNET News.com readers feel toward the company's executives. "How (Bill)Gates and (Steve) Ballmer get any sleep every night is beyond me," wrote Carl Johnson in News.com's TalkBack forum. "These "critical" situations are affecting people's lives in dramatic ways..."
Meanwhile, Apple Computer released what seems to be one of its larger security updates for Mac OS X, doling out fixes for 44 flaws. Still, only a handful of the vulnerabilities are of major concern, according to security analysts. The package of fixes was released Monday.
By comparison, Apple last May released an update for 20 vulnerabilities and in March distributed an update for a dozen flaws. The flaws affect Apple's Mac OS 10.3.9 and 10.4.2 operating system software and related server software.
However, Apple's security fixes appear to break support for 64-bit applications in the operating system, according to Wolfram Research, maker of the Mathematica computation software. It's unclear whether applications other than Mathmatica's are affected.
Apple did not comment on the problem Wednesday, but early Thursday morning the company said it had released a new security update that fixes the issue. "We have issued a new version of the 2005-07 security update which resolves an issue affecting 64 bit applications," an Apple representative said in an e-mailed statement.