Zotob (computer worm)

"The Zotob worm and several variations of it, known as Rbot.cbq, SDBot.bzh and Zotob.d, infected computers at companies such as ABC, CNN, The Associated Press, ''The New York Times'', and Caterpillar Inc." — ''Business Week'', August 16, 2005.
Zotob is a computer worm which exploits security vulnerabilities in Microsoft operating systems such as Windows 2000, including the MS05-039 plug-and-play vulnerability. This worm has been known to spread on Microsoft-ds, or TCP port 445. It was reported that the Zotob worms cost an average of $97,000 as well as 80 hours of cleanup per affected company.
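Because Zotob spreads by connecting to other machines on TCP port 445, an infected host stands out in network logs as a source that opens SMB connections to many distinct destinations in a short time. The following detector is an added example written for this article, not code from the article or from any vendor listed below; it assumes a constructed log format of "timestamp source destination port flags" and uses an illustrative threshold of 20 distinct SMB targets within a 60-second sliding window. Sample traffic is constructed inline so the script runs offline.

```python
"""Flag sources that fan out SMB (TCP/445) SYNs to many hosts, as a worm would.

Assumed log line format (constructed for this example, not any real device):
    "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
"""
from collections import defaultdict

SMB_PORT = 445  # Microsoft-ds, the port the article says Zotob spread over


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dst_port, flags)."""
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags


def find_scanners(lines, window_s=60, min_targets=20):
    """Return {src_ip: peak_distinct_targets} for every source that sent SYNs to at
    least min_targets distinct hosts on TCP/445 inside any window_s-second window.
    Thresholds are illustrative assumptions, not values from the article."""
    attempts = defaultdict(list)  # src -> [(ts, dst), ...] SYNs to port 445
    for line in lines:
        ts, src, dst, port, flags = parse_line(line)
        if port == SMB_PORT and flags == "S":
            attempts[src].append((ts, dst))

    suspects = {}
    for src, events in attempts.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> number of SYNs currently in the window
        lo = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict attempts older than window_s seconds from the sliding window
            while events[lo][0] < ts - window_s:
                old_dst = events[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            if len(in_window) >= min_targets:
                suspects[src] = max(suspects.get(src, 0), len(in_window))
    return suspects


def build_sample_log():
    """Constructed traffic for the demo (not captured data)."""
    lines = []
    # Infected workstation: 30 SYNs to 30 distinct hosts on 445 within 10 seconds
    for i in range(30):
        lines.append(f"{1000 + i // 3} 10.0.0.5 10.0.1.{i + 1} 445 S")
    # Normal client: SMB sessions to three file servers over a minute
    for i, dst in enumerate(["10.0.2.10", "10.0.2.11", "10.0.2.12"]):
        lines.append(f"{1000 + i * 20} 10.0.0.9 {dst} 445 S")
    # Heavy fan-out on port 80 is not SMB and is ignored by the detector
    for i in range(40):
        lines.append(f"{1000 + i} 10.0.0.7 192.0.2.{i + 1} 80 S")
    # Slow SMB fan-out: 25 hosts, one per minute, never 20 inside one window
    for i in range(25):
        lines.append(f"{2000 + i * 60} 10.0.0.8 10.0.3.{i + 1} 445 S")
    return lines


if __name__ == "__main__":
    for src, peak in sorted(find_scanners(build_sample_log()).items()):
        print(f"{src}: {peak} distinct SMB targets inside one window")
```

Only the constructed infected workstation (10.0.0.5) is reported; the slow fan-out host shows how a fixed window trades sensitivity to low-rate propagation for fewer false positives, so the window and threshold should be tuned to the normal SMB fan-out seen on the network being monitored.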


Rbot variant

Zotob was derived from the Rbot worm. Rbot can force an infected computer to continuously restart. Its outbreak on August 16, 2005 was covered "live" on CNN television, as the network's own computers got infected. Zotob would self-replicate each time the computer rebooted, resulting in each computer having numerous copies of the file by the time it was purged. This is similar to the Blaster (Lovesan) worm.


Sequence of events

* August 9, 2005: Security advisory
"On August 9th, Microsoft released critical security advisory MS05-039 which revealed a vulnerability in the Plug-and-Play component of Windows 2000. Code to patch the loophole was also made available."
* Virus writing
"In the days since Microsoft's announcement, virus writers have released several variants of both Zotob and RBot, along with updated versions of older worms named SD-Bot and IRC-Bot, designed to take advantage of the newly discovered flaw."
* August 13, 2005: Emerged on Saturday
"The worms, called Zotob and Rbot, and variants of them, started emerging Saturday, computer security specialists said, and continued to propagate as corporate networks came to life at the beginning of the week."
* August 16, 2005: Took down CNN live
"Around 5 p.m. problems began at CNN facilities in New York and Atlanta before being cleared up about 90 minutes later."
"CNN, breaking into regular programming, reported on air that personal computers running Windows 2000 at the cable news network were affected by a worm that caused them to restart repeatedly."
"The Internet Storm Center, which tracks the worldwide impact of computer worms, indicated on its Web site that no major Internet attack was underway. ''Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point,'' the site read."
* August 17, 2005: CIBC and other banks, companies affected
"CIBC says the Zotob worm caused some isolated outages, but did not affect ATMs, Internet or phone banking. The virus also hit other Canadian businesses but has not caused widespread shutdowns."
* August 26, 2005: A suspect is arrested in Morocco
"At the request of the FBI, Moroccan police arrest 18-year-old Farid Essebar, a Moroccan, suspected of being behind the spread of the virus."
* September 16, 2006: Sentencing
"The creators of the Zotob Windows worm, Farid Essebar and his friend Achraf Bahloul, were sentenced by a court in Morocco."


Arrest of the coders

On August 26, 2005, Farid Essebar and Atilla Ekici were arrested in Morocco and Turkey, respectively. They are believed to be the men behind the worm's coding. A signature in the Zotob worm code suggested it was coded by Diabl0, and the IRC server it connects to is the same one used in previous versions of Mytob. Diabl0 is believed to have incorporated the code of a Russian nicknamed houseofdabus, whose journal was shut down by authorities just after the arrest of Diabl0. Ekici probably paid Diabl0 (Essebar) to write the code. "''He says it's all about making money, and that he doesn't care if people remove the worm because it's the spyware stuff that he installs that's making him the money,'' Taylor said in a conversation with me." On August 30, 2005, controversial reports emerged from different anti-virus firms. Sophos declared that several people had access to the Mytob source code (a variant of the worm). On the other hand, F-Secure declared that it had found multiple variants of Mytob that were coded after the arrest of Essebar. Those declarations suggest that Essebar is only part of a larger group of dark-side hackers behind the spread of the malware.


See also

* Timeline of notable computer viruses and worms


External links and sources

Security vulnerability information

Microsoft Security Bulletin MS05-039 (Microsoft)
Microsoft Security Advisory (899588) (Microsoft)
US-CERT Vulnerability Note VU#998653 (US-CERT)
Secunia Advisory SA16372 (Secunia)
CAN-2005-1983 (Common Vulnerabilities and Exposures)
Bugtraq ID 14513 (SecurityFocus)

Worm information

What You Should Know About Zotob (Microsoft)
Symantec Security Response
WORM_ZOTOB.D (Trend Micro)
Zotob.A (F-Secure)
Zotob.C (F-Secure)
WORM_RBOT.CBR (Trend Micro)
Security Blogger

News coverage

Windows 2000 worm hits US firms (BBC News)
Windows 2000 bug starts virus war (BBC News)
Two detained for US computer worm (BBC News)
Money motive drove virus suspects (BBC News)
Virus Attacks Windows Computers at Companies
Worm strikes down Windows 2000 systems
Computer worms strike media outlets (MSNBC)
Computer virus hits U.S. media outlets (Reuters)
Zotob Worm Hits CNN and Goes Global (Slashdot)
Zotob Proves Patching "Window" Non-Existent (Information Week)
Security Now! podcast, Episode #1: "As the Worm Turns"