- Zotob (computer worm)
"The Zotob worm and several variations of it, known as Rbot.cbq, SDBot.bzh and Zotob.d, infected computers at companies such as ABC,
Zotob is aCNN , TheAssociated Press , TheNew York Times , andCaterpillar Inc. " — Business Week,August 16 ,2005 .computer worm which exploits security vulnerabilities inMicrosoft operating systems likeWindows 2000 , including the [http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx MS05-039]plug-and-play vulnerability. This worm has been known to spread on Microsoft-ds or TCP port 445.It was declared that the Zotob worms cost an average of $97,000 as well as 80 hours of cleanup per company affected. [http://www.redherring.com/Article.aspx?a=14206&hed=Zotob+Cost+%2497K+per+Company§or=Industries&subsector=SecurityAndDefense]
Rbot variant
Zotob was derived from the Rbot worm. Rbot can force an infected computer to continuously restart. Its outbreak on
August 16 ,2005 was covered "live" onCNN television, as the network's own computers got infected. This is simlar to the MSBALST.A/love san worm.clarifymeequence of events
*
August 9 ,2005 : Security advisory
"On 9 August, Microsoft released critical security advisory MS05-039 which revealed a vulnerability in the Plug-and-Play component of Windows 2000. Code to patch the loophole was also made available." [http://news.bbc.co.uk/2/hi/technology/4159002.stm]* Virus writing
"In the days since Microsoft's announcement, virus writers have released several variants of both Zotob and RBot, along with updated versions of older worms namedSD-Bot andIRC-Bot , designed to take advantage of the newly discovered flaw." [http://msnbc.msn.com/id/8975840/]*
August 13 ,2005 : Emerged on Saturday
"The worms, called Zotob and Rbot, and variants of them, started emerging Saturday, computer security specialists said, and continued to propagate as corporate networks came to life at the beginning of the week." [http://www.nytimes.com/2005/08/17/technology/17virus.html]*
August 16 ,2005 : Took down CNN live
"Around 5 p.m. problems began at CNN facilities in New York and Atlanta before being cleared up about 90 minutes later." [http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html]
"CNN, breaking into regular programming, reported on air that personal computers running Windows 2000 at the cable news network were affected by a worm that caused them to restart repeatedly." [http://today.reuters.com/news/NewsArticle.aspx?type=internetNews&storyID=2005-08-16T232013Z_01_HO683966_RTRIDST_0_NET-VIRUS-DC.XML]
"The Internet Storm Center, which tracks the worldwide impact of computer worms, indicated on its Web site that no major Internet attack was underway. "Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point," the site read." [http://msnbc.msn.com/id/8975840/]*
August 17 ,2005 : CIBC and other banks, companies affected
"CIBC says the Zotob worm caused some isolated outages, but did not affect ATMs, Internet or phone banking. The virus also hit other Canadian businesses but has not caused widespread shutdowns." [http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1124243901921_51/?hub=TopStories]*
August 26 ,2005 : A suspect is arrested inMorocco
"Under the request of theFBI , Moroccan police arrests an 18 year oldMoroccan calledFarid Essebar suspected for being behind the spread of the virus." [http://www.map.ma/eng/sections/general/young_moroccan_hacke4792/view]*
September 16 ,2006 : Sentencing
"The creators of the Zotob Windows wormFarid Essabar and his friend Achraf Bahloul were sentenced by a court inMorocco [http://news.bbc.co.uk/1/hi/technology/5345404.stm] .Arrest of the coders
On
August 26 ,2005 ,Farid Essebar andAtilla Ekici were arrested inMorocco andTurkey , respectively. They are believed to be the men behind the worm's coding.A signature in the Zotob worm code suggested it was coded by Diabl0 and the
IRC server it connects to is the same used in previous version of Mytob. Diabl0 is believed to have incorporated the code of aRussia n nicknamed houseofdabus [http://www.milw0rm.com/author/183] whose journal has been shut down by authorities [http://www.livejournal.com/users/houseofdabus/] , just after the arrest of Diabl0. The coder (Ekici) probably paid Diabl0 (Essebar) to write the code."He says it's all about making money, and that he doesn't care if people remove the worm because it's the spyware stuff that he installs that's making him the money," Taylor said in a conversation with me." [http://blog.washingtonpost.com/securityfix/2005/08/conversation_with_a_worm_autho_1.html]
In
August 30 ,2005 , controversial reports emerged from differentanti-virus firms.Sophos declared that several people had access to the Mytob source code (a variant of the worm). On the other hand,F-Secure declared that it has found multiple variants of Mytob that were coded after the arrest of Essebar. Those declarations suggest that Essebar is only a part of a larger group ofDark-side hacker s behind the spread of themalware . [http://www.channelregister.co.uk/2005/08/30/zotob_arrests_follow-up/]ee also
*
Timeline of notable computer viruses and worms External links and sources
ecurity vulnerability information
* [http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx Microsoft Security Bulletin MS05-039] (Microsoft)
* [http://www.microsoft.com/technet/security/advisory/899588.mspx Microsoft Security Advisory (899588)] (Microsoft)
* [http://www.kb.cert.org/vuls/id/998653 US Cert Vulnerability Note VU#998653] (US-CERT)
* [http://secunia.com/advisories/16372/ Secunia Advisory SA16372] (Secunia)
* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1983 CAN-2005-1983] (Common Vulnerabilities and Exposures)
* [http://www.securityfocus.com/bid/14513 Bugtraq ID 14513] (SecurityFocus)Worm information
* [http://www.microsoft.com/security/incident/zotob.mspx What You Should Know About Zotob] (Microsoft)
* [http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.removal.tool.html W32.Zotob Removal Tool] (Symantec Security Response)
* [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.D WORM_ZOTOB.D] (Trend Micro)
* [http://www.f-secure.com/v-descs/zotob_a.shtml Zotob.A] (F-Secure)
* [http://www.f-secure.com/v-descs/zotob_c.shtml Zotob.C] (F-Secure)
* [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FRBOT%2ECBR WORM_RBOT.CBR] (Trend Micro)
* [http://singe.rucus.net/blog/archives/510-MS05-039-and-the-Zotob-summary.html Full Timeline] (Security Blogger)News coverage
* [http://news.bbc.co.uk/2/hi/technology/4159002.stm BBC News] Windows 2000 worm hits US firms
* [http://news.bbc.co.uk/2/hi/technology/4162124.stm BBC News] Windows 2000 bug starts virus war
* [http://news.bbc.co.uk/2/hi/technology/4189996.stm BBC News] Two detained for US computer worm
* [http://news.bbc.co.uk/2/hi/technology/4205220.stm BBC News] Money motive drove virus suspects
* [http://www.nytimes.com/2005/08/17/technology/17virus.html New York Times] Virus Attacks Windows Computers at Companies
* [http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html CNN] Worm strikes down Windows 2000 systems
* [http://msnbc.msn.com/id/8975840/ MSNBC] Computer worms strike media outlets
* [http://today.reuters.com/news/NewsArticle.aspx?type=internetNews&storyID=2005-08-16T232013Z_01_HO683966_RTRIDST_0_NET-VIRUS-DC.XML Reuters] Computer virus hits U.S media outlets
* [http://it.slashdot.org/it/05/08/16/2247228.shtml?tid=220&tid=188 Slashdot] Zotob Worm Hits CNN and Goes Global
* [http://informationweek.com/story/showArticle.jhtml?articleID=168602115 Information Week] Zotob Proves Patching "Window" Non-Existent
Wikimedia Foundation. 2010.