Zotob (computer worm)
"The Zotob worm and several variations of it, known as Rbot.cbq, SDBot.bzh and Zotob.d, infected computers at companies such as ABC, CNN, The Associated Press, The New York Times, and Caterpillar Inc." — Business Week, August 16, 2005.

Zotob is a computer worm which exploits security vulnerabilities in Microsoft operating systems like Windows 2000, including the MS05-039 plug-and-play vulnerability. This worm has been known to spread on Microsoft-ds, or TCP port 445.
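A worm that spreads over TCP port 445 has to reach many neighbouring hosts on that port in a short time, which is the behaviour a defender can look for in perimeter or host firewall logs. The following Python is an added example, not code from the article or from any vendor it cites; the log line format, the field names and the sample entries are all constructed for this example.

```python
"""Flag hosts fanning out to TCP/445 (worm-style sweeping) in firewall logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def constructed_sample():
    """Constructed log: one host sweeps 40 neighbours on 445, another uses SMB normally."""
    lines = [
        "2005-08-16T17:00:01 src=10.0.5.7 dst=10.0.1.5 proto=tcp dport=445 action=allow",
        "2005-08-16T17:00:30 src=10.0.5.7 dst=10.0.1.5 proto=tcp dport=445 action=allow",
        "2005-08-16T17:01:10 src=10.0.5.7 dst=10.0.1.9 proto=tcp dport=80 action=allow",
        "garbage line that the parser must skip",
    ]
    # Infected host probes 10.0.5.1 .. 10.0.5.40 on 445, one target per second.
    lines += [
        f"2005-08-16T17:02:{i:02d} src=10.0.5.12 dst=10.0.5.{i} proto=tcp dport=445 action=deny"
        for i in range(1, 41)
    ]
    return lines


def parse(lines):
    """Yield (timestamp, src, dst, proto, dport) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], m["proto"], int(m["dport"]))


def find_scanners(lines, port=445, window=timedelta(seconds=60), threshold=10):
    """Return {src: max distinct dsts} for sources that reached >= threshold
    distinct hosts on `port` inside any sliding `window` of time."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst, proto, dport in parse(lines):
        if proto == "tcp" and dport == port:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            distinct = {d for _, d in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(len(distinct), flagged.get(src, 0))
    return flagged
```

The threshold and window are tuning knobs: a file server client touches one or two hosts on 445, while a sweeping worm touches dozens within a minute.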

It was reported that the Zotob worms cost an average of $97,000 and 80 hours of cleanup per company affected.

Rbot variant

Zotob was derived from the Rbot worm. Rbot can force an infected computer to continuously restart. Its outbreak on August 16, 2005 was covered "live" on CNN television, as the network's own computers got infected. Zotob would self-replicate each time the computer rebooted, resulting in each computer having numerous copies of the file by the time it was purged. This is similar to the Blaster (Lovesan) worm.

Sequence of events

  • August 9, 2005: Security advisory
    "On August 9th, Microsoft released critical security advisory MS05-039 which revealed a vulnerability in the Plug-and-Play component of Windows 2000. Code to patch the loophole was also made available."

  • Virus writing
    "In the days since Microsoft's announcement, virus writers have released several variants of both Zotob and RBot, along with updated versions of older worms named SD-Bot and IRC-Bot, designed to take advantage of the newly discovered flaw."

  • August 13, 2005: Emerged on Saturday
    "The worms, called Zotob and Rbot, and variants of them, started emerging Saturday, computer security specialists said, and continued to propagate as corporate networks came to life at the beginning of the week."


  • August 16, 2005: Took down CNN live
    "Around 5 p.m. problems began at CNN facilities in New York and Atlanta before being cleared up about 90 minutes later."
    "CNN, breaking into regular programming, reported on air that personal computers running Windows 2000 at the cable news network were affected by a worm that caused them to restart repeatedly."
    "The Internet Storm Center, which tracks the worldwide impact of computer worms, indicated on its Web site that no major Internet attack was underway. Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point, the site read."

  • August 17, 2005: CIBC and other banks, companies affected
    "CIBC says the Zotob worm caused some isolated outages, but did not affect ATMs, Internet or phone banking. The virus also hit other Canadian businesses but has not caused widespread shutdowns."

  • August 26, 2005: A suspect is arrested in Morocco
    "Under the request of the FBI, Moroccan police arrest 18-year-old Farid Essebar, a Moroccan, suspected of being behind the spread of the virus."

  • September 16, 2006: Sentencing
    "The creators of the Zotob Windows worm Farid Essabar and his friend Achraf Bahloul were sentenced by a court in Morocco."

Arrest of the coders

On August 26, 2005, Farid Essebar and Atilla Ekici were arrested in Morocco and Turkey, respectively. They are believed to be the men behind the worm's coding.

A signature in the Zotob worm code suggested it was coded by Diabl0, and the IRC server it connects to is the same one used in a previous version of Mytob. Diabl0 is believed to have incorporated the code of a Russian nicknamed houseofdabus, whose journal was shut down by authorities just after the arrest of Diabl0. The coder (Ekici) probably paid Diabl0 (Essebar) to write the code.

"He says it's all about making money, and that he doesn't care if people remove the worm because it's the spyware stuff that he installs that's making him the money, Taylor said in a conversation with me."

On August 30, 2005, conflicting reports emerged from different anti-virus firms. Sophos declared that several people had access to the Mytob source code (a variant of the worm). On the other hand, F-Secure declared that it had found multiple variants of Mytob that were coded after the arrest of Essebar. Those declarations suggest that Essebar is only a part of a larger group of Dark-side hackers behind the spread of the malware.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.