A variant of the Zotob worm that attacks Windows computers has managed to cause havoc at various media outlets around the world.
The worm has shut down machines at CNN and ABC, the New York Times and the London-based Financial Times. It has also hit internet service provider SBC Communications. It mainly affects machines running Windows 2000, allowing an attacker to remotely control the victim’s PC. It also makes the system constantly reboot itself.
According to reports from the Wall Street Journal, ABC producers had to resort to using typewriters to prepare copy for World News Tonight when the worm put systems out of commission. CNN reported on air about its problems with machines restarting repeatedly.
“We managed before there were computers, and we’ll manage now,” ABC spokeswoman Emily Lenzner told the Boston Herald.
Experts said that antivirus software alone is not enough to counteract such attacks.
“Nearly all businesses have antivirus and yet we keep seeing these outbreaks,” said Paul King, a principal security consultant at Cisco Systems. “Businesses must enhance their existing security to protect themselves from new threats as antivirus signatures cannot be updated quickly enough to cope with the almost constant stream of new attacks.”
He said companies need to have additional layers of defense that do not rely on signatures, such as host intrusion prevention software. He added that networks can be designed to block the infections and quarantine infected machines.
Others agreed that traditional antivirus products were useless against these network worms, as they only worked at the application layer, which is bypassed by worms such as Zotob.
“Organizations should look for products that detect and eliminate viruses at the network layer,” said Peter Craig, product marketing manager at Trend Micro.
He said computers should be patched immediately and that users should install a personal firewall to guard against such attacks.
But those already affected will have problems in getting their machines back to full working order. “Antivirus software will have failed them because a machine that constantly restarts cannot be patched,” said Craig.
He recommended using a cleanup tool to remove the worm and detaching the machine from the network until the worm has been removed and the patch applied.