How Zotob brought down the banks

Microsoft Corp. is disputing conflicting reports about a network worm that affected computers running Microsoft’s Windows 2000 operating system platform Tuesday, including those at two Canadian banks and several U.S. businesses.

While things are back to normal now, the Zotob worm affected computers in the trading division and head office at the Canadian Imperial Bank of Commerce Tuesday afternoon. CIBC spokesperson Rob McLeod said branches, Internet banking, ABMs and telephone banking were not affected. McLeod said everything was resolved overnight.

“The patch had been rolled out throughout large parts of our network, as was determined by the fact that customer service was generally unaffected by this issue,” said McLeod. “In the areas that were affected temporarily, the security was quickly addressed and resolved and operations are running normally.”

The worm also hit BMO Nesbitt Burns, initially affecting some of its support systems, said spokesperson Joanne Hayes. In both cases there were no reports of customer service disruptions.

“As soon as we determined there was a potential risk we took immediate action to ensure patches were installed on our critical systems first,” said Hayes. “We contained the virus quickly. No customers or clients were impacted and no critical applications were infected.”

Cable news station CNN, television network ABC and The New York Times were also reportedly affected by the worm.

The Zotob worm exploits a security hole in the plug-and-play feature in the Windows 2000 operating system, causing the repeated shutdown and rebooting of a computer. Microsoft one week ago issued a security update for the bug on its Web site — leaving users a short timeframe to repair it across their organizations. While only Windows 2000 machines can be remotely attacked by the worm, conflicting reports suggest Windows XP and Windows Server 2003 are also affected by it.

“The worm can only infiltrate Windows 2000 systems,” said Jill Schoolenberg, Windows Client director at Microsoft Canada Co., adding that Windows XP and Windows Server 2003 clients are protected against the worm. “There’s a lot of misinformation out there indicating that, but that’s not the case.”

After an internal analysis of the outbreak, however, Symantec Corp. found that both of the newer versions can act as carriers for the worm. “Zotob can run on other machines as well that can’t be remotely affected by the worm,” said Jonah Paransky, senior manager of product marketing at Symantec.

Symantec said the number of customer reports of the worms, Zotob and Esbot (which Symantec has also identified), spiked yesterday afternoon and has since leveled off in the seven to eight hours following that. Symantec Security Response developed a fix tool to help users affected by the security threats.

Experts also point out that, compared to several years ago, the time between when a vulnerability is released to the time it is exploited has shortened dramatically.

“This is the wake-up call for everybody,” said Stephen McWilliam, vice-president of channels at Fusepoint. “Gone are the days when you had six months to deploy a patch like the big ones that have hit us in the past. Now we’re getting closer and closer to what the industry refers to as zero-day vulnerability.”

Jack Sebbag, Canadian general manager and vice-president of McAfee Inc., points out that organizations need seven to 14 days minimum for proper quality assurance testing of the patch before they can deploy it.

“Sometimes deploying the patch causes more harm than allowing the worm to infiltrate their network,” said Sebbag. “They need the time to do the patch management and to do it properly.”

Banks, however, are especially cautious about implementing patches, as patches can negatively impact PCs, said Anti-Virus Information Exchange Network (AVIEN) administrator Robert Vibert. To minimize the risk of that happening, financial institutions might spend more time on testing, potentially increasing their exposure to attack.

“(Banks) are responsible for the correct handling of our money,” said Vibert. “We want them to be certain that a patch will not suddenly cause our account managers to lose access to our accounts, for example.”

BMO’s Hayes said the bank tests the patches and prioritizes the rollout, covering the critical applications first. Likewise, CIBC’s McLeod said the bank is constantly rolling out updates to its network in a coordinated fashion.

Comment: info@itbusiness.ca