iDefense Security Intelligence Service
Early Threat Warning
The ZoTob.A threat went from a newly disclosed vulnerability to a worm spreading in the wild in a matter of days during August 2005. As the threat evolved from a known vulnerability to active exploitation, VeriSign provided up-to-date intelligence on the likelihood of attack, and developed signatures and workarounds to protect customers as malicious code was written and began spreading in the wild.
The Life of a Threat
As criminals and attackers become more sophisticated and organised, the time from vulnerability disclosure to attack will continue to shrink. Advance warning and actionable intelligence will be necessary to prevent attacks.
A Case Study: The VeriSign Response to ZoTob.A
Day 1: Tuesday, August 9, 2005 (threat level: Guarded)
Microsoft® announces a Plug-and-Play Buffer Overflow Vulnerability in security bulletin MS05-039. VeriSign issues an iDefense FLASH Report and threat research begins.
Day 2: Wednesday, August 10, 2005 (threat level: Guarded)
VeriSign sends updates with new details. The VeriSign® iDefense® Threat Analysis Team begins to monitor chatter among known malicious actors.
Day 3: Thursday, August 11, 2005 (threat level: Elevated)
VeriSign discovers public exploit code, increasing the risk of attack, and issues an iDefense FLASH Report. The Bi-Weekly Threat Report warns of the new vulnerability and the appearance of public exploit code, putting customers on alert.
Day 4: Friday, August 12, 2005 (threat level: High)
Among the exploits appearing, VeriSign identifies one of particular concern. The HOD exploit code comes from the same actor who published exploit code for the LSASS vulnerability in 2004, which led to Sasser and other destructive worms.
With three exploits now public and heightened hacker activity, VeriSign escalates the threat warning to HIGH. Advisories include Snort signature information and other data to help mitigate the coming worm.
Day 5: Saturday, August 13, 2005 (threat level: High)
While monitoring hacker activity related to MS05-039, the iDefense Malicious Code Team finds three compiled binaries built from the public exploits, a step towards a Trojan horse tool that automates exploitation.
Day 6: Sunday, August 14, 2005 (threat level: Severe)
VeriSign identifies the first tool to help automate exploitation of vulnerable computers (an iDefense malcode exclusive). This relatively simple code represents a significant increase in global risk in the lifecycle of the threat.
VeriSign sends a predictive iDefense FLASH Report.
Day 7: Monday, August 15, 2005 (threat level: Severe)
The VeriSign Rapid Response Team reports the first three of seven new bots. VeriSign validates several of the samples for email functionality and exploit vectors, confirming the evolution of bot threats exploiting MS05-039.
Day 8: Tuesday, August 16, 2005 (threat level: Severe)
More bots emerge. Incidents attributed to the RBot.BJT variant and others are reported by large companies. VeriSign releases an iDefense FLASH Report: RBot.BJT Worm Exploits Microsoft Plug-and-Play Buffer Overflow Vulnerability, Aggressively Spreading in the Wild.