Zotob Worm Threat

2005.April.14

Fortinet advises that its FortiGate security appliances, FortiMail antispam appliances and FortiClient Host Security software protect against all known variants of the W32/Zotob worm. This network worm appeared last weekend after a vulnerability in the Windows Plug and Play service was announced (MS05-039).

W32/Zotob spreads across the network by scanning random IP addresses for systems vulnerable to MS05-039. Upon finding a vulnerable system, the worm triggers the exploit, and the newly infected system downloads its own copy of the worm from the originally infected system. The worm is then executed and starts scanning for new targets. Fortinet has also examined Zotob variants that propagate through mass-mailing and other Windows vulnerabilities. Zotob opens a backdoor and functions as a bot, listening for its owners' commands through an IRC channel. Some systems infected by Zotob become unstable, rebooting continuously.

A few characteristics make this family of worms a serious threat. First, like the Blaster and Sasser worms, Zotob requires no user interaction and spreads to all vulnerable machines automatically. Second, the worm's footprint is quite small (10KB) and it can simultaneously connect to hundreds of target computers, so it spreads very rapidly. Third, the worm exploits a vulnerability that affects Windows 2000, Windows XP, and Windows Server 2003, all of which are potential victims, and these systems make up a large percentage of Internet-connected computers. Lastly, it can spread to a wide array of networks by randomly guessing IP addresses.

Fortinet protects against and labels these worm variants as follows:

FortiGuard Network Information:

All of Fortinet's FortiGate and FortiMail systems and FortiClient Host Security software in production worldwide are kept up to date automatically by Fortinet's FortiGuard Network, which provides continuous updates that ensure protection against the latest threats around the clock and around the world. Fortinet's FortiGate and FortiMail systems can block the W32/Zotob worm variants' attack at the gateway before it enters customers' networks, or on the host with the FortiClient Host Security software.

For more information on the FortiGuard Network, please visit: http://www.fortiguardcenter.com/av.html

For more information on Fortinet's FortiGate and FortiMail systems and FortiClient Host Security software, please visit: http://www.fortinet.com/products/

Disclaimer: Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet (www.fortinet.com): Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
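
The propagation pattern described in the worm overview above (one host connecting to hundreds of random addresses, after which each newly infected target fetches the worm from the host that hit it) can be looked for in network flow logs. The following Python is an added example, not Fortinet code and not part of the original advisory; the record layout, thresholds, addresses and ports are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW = 60      # seconds per sliding window (assumed tuning value)
THRESHOLD = 100  # distinct destinations that count as worm-like fan-out (assumed)

def fanout_sources(flows, window=WINDOW, threshold=THRESHOLD):
    """Map each host that reaches `threshold` distinct destinations on one
    port within `window` seconds to the start time of that burst."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dport)].append((ts, dst))
    flagged = {}
    for (src, _port), events in by_key.items():
        events.sort()
        start, live = 0, defaultdict(int)   # live: dst -> hits inside the window
        for ts, dst in events:
            live[dst] += 1
            while ts - events[start][0] > window:   # expire old probes
                old = events[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            if len(live) >= threshold:
                first = events[start][0]
                flagged[src] = min(flagged.get(src, first), first)
                break
    return flagged

def callbacks(flows, scanners, window=WINDOW):
    """Return (scanner, target) pairs where a probed target connects back to
    the scanner within `window` seconds: the download step of the infection."""
    probed, hits = {}, set()   # probed: (scanner, target) -> first probe time
    for ts, src, dst, _dport in sorted(flows):
        if src in scanners:
            probed.setdefault((src, dst), ts)
        t0 = probed.get((dst, src))
        if t0 is not None and ts - t0 <= window:
            hits.add((dst, src))
    return sorted(hits)

def sample_flows():
    """Constructed (ts, src, dst, dport) records, not captured traffic.
    Port 445 and port 40000 are sample values; the advisory names no ports."""
    flows = [(i // 5, "10.0.0.5", f"198.51.100.{i}", 445) for i in range(1, 151)]
    flows.append((10, "10.0.0.5", "10.0.0.77", 445))    # probe of a LAN host
    flows.append((12, "10.0.0.77", "10.0.0.5", 40000))  # target connects back
    flows += [(t, "10.0.0.9", "192.0.2.10", 443) for t in (1, 5, 9)]  # benign
    return flows

if __name__ == "__main__":
    suspects = fanout_sources(sample_flows())
    print(suspects, callbacks(sample_flows(), suspects))
```

Hosts returned by `callbacks` as targets are the ones to isolate and check first, since a connection back to a scanning host matches the download step that follows a successful exploit.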