Among the three Critical patches released by Microsoft on Tuesday 9th August was one to fix a vulnerability in Plug and Play, MS05-039. The vulnerability has since been exploited in a number of new worms and backdoors, including the Zotob family, Backdoor.Win32.IRCBot.es, Backdoor.Win32.IRCBot.et and W32/Dogbot-A. F-Secure has graphed the relationships between the worms.
Reports have included large organizations with a master firewall, but no internal controls and unpatched machines. Once one machine was infected (possibly a laptop that was infected elsewhere and then connected to the internal network), all vulnerable machines on the network quickly became infected.
Victims have included major news organization CNN, ABC and the New York Times. Microsoft was reported to be in “emergency response” mode, Debbie Fry Wilson, director of Microsoft's security response center, said, "Right now, we're mobilizing our two war rooms".
Researchers at the Internet Storm Center recommended three best practices to mitigate the vulnerability:
- close port 445 at least at the perimeter.
- patch systems quickly.
- eliminate NULL sessions.
Mikko Hypponen of F-Secure has written a personal account of the outbreak.
