
November 8, 2005 5:11 pm

The short and deadly life of Zotob, the worm


The Zotob worm didn’t just hit the headlines, it nearly destroyed them.

It was small by the standards of earlier epidemics, and it made the news partly because it infected several big media organisations.

Nonetheless, the Zotob story illustrates a worrying trend. Individual virus incidents may now be smaller and less newsworthy, but their number is increasing, and so is the overall cost.

We present a brief history of the Zotob outbreak, showing how it grew from a theoretical hole to total mayhem in one short week – and how some simple measures could protect against a similar threat.

TUESDAY AUGUST 9

Bulletin of vulnerability published

The worm’s history begins quietly on August 9, when Microsoft publishes its monthly security bulletins, as it does on the second Tuesday of every month. These are intended to inform security professionals of potential weaknesses, but virus writers eagerly watch them for clues about possible new attacks. Among the three critical flaws announced that day is an unchecked buffer in the Plug and Play (PnP) service of recent Microsoft Windows operating systems. It could allow an attacker to run instructions of their own choosing on a remote computer, giving them complete control of it.

Two days later, program code that exploits this flaw is published on the internet. It is written by houseofdabus, a Russian programmer whose code was used in several earlier outbreaks, including the Sasser worm of 2004. (He is not believed to have created the worms themselves.)

SUNDAY AUGUST 14

Outbreak

That weekend, the authors seed the first version of Zotob on to computers they have already taken over through other means. From there, it spreads through broadband and cable networks, using the houseofdabus code to exploit the PnP vulnerability discovered days before.

Automatic detection systems notice the first wild worms on Sunday. It is less than a week after the flaw was publicly disclosed, and few systems administrators have had time to patch all their machines.

Among the first to be hit are corporate staffers putting in extra hours over the weekend at home. Their laptops, mostly running the Windows 2000 operating system, become infected over their broadband internet connections.

MONDAY AUGUST 15

Worms go to work

The following day, these infected laptops show up for work in the office. They take the worm past their companies’ perimeter defences, into the vulnerable interior where it can spread with ease.

Security companies are surprised at how quickly it spreads. The entry point Zotob uses, the Windows file-sharing port (TCP 445), has been exploited by many earlier worms, Sasser among them, and any responsible organisation should have blocked it at the perimeter long ago.

As it turns out, most have: the port is closed at the border, but inside their networks it is open and undefended, because Windows machines rely on it to talk to one another. Zotob spreads fast, affecting Windows 2000 systems in particular.

TUESDAY AUGUST 16

High water mark

The infection reaches its peak on the Tuesday. The Financial Times, The New York Times, CNN, and ABC are among those affected, and the Zotob attack makes headline news.

Programmers are already starting to produce new versions of the worm. By Tuesday there are at least six.

Some variants have new modes of attack. Zotob.C is programmed to spread itself via e-mail, but it contains a bug and does not work. More effective mass-mailer versions of Zotob appear over the following week, but happily none has much impact.

The Finnish security company F-Secure observes that some variants of the worm are attacking and deleting each other. They believe rival gangs are fighting for control of the compromised computers.

THURSDAY AUGUST 25

The culprits arrested

Law enforcement and the security community start the hunt for the worm’s creators. The most important clues come from the code of the worm itself. The original Zotob is programmed to connect with a server in Turkey, called diab10.turkcoders.net, to receive its instructions.

On August 26, the FBI announces that an 18-year-old Russian-born Moroccan, Farid Essebar, thought to use the screen name “Diab10”, has been arrested in Morocco, and 21-year-old Atilla Ekici, screen name “Coder”, has been arrested in Turkey.

Mr Ekici is suspected of paying Mr Essebar to create the code of Zotob and the earlier Mytob worm.

LESSONS LEARNED

Despite all the publicity, Zotob was a relatively small outbreak. A survey by information security company Cybertrust finds that only 12 per cent of organisations were affected, with 6.2 per cent seriously affected.

Small attacks such as this one fulfil the perpetrators’ aims better than a headline-grabbing pandemic.

Worms like Zotob are designed to gain control of other people’s computers. A machine controlled like this is known as a “bot”.

Networks of these machines, called “bot nets”, can be rented out to criminal gangs to send spam or attack e-commerce sites.

“The large bot nets are too easy to spot. It is the smaller ones that are better revenue generators for the ‘bot-herders’ [the bot net controllers],” says Peter Tippett, chief technology officer at Cybertrust. “Virus writers are not interested in control of the world, they just want to generate revenue. They are as revenue driven as any corporation.”

Like the virus writers, corporations should think small. Rather than relying solely on large-scale systems such as anti-virus, firewalls and intrusion detection systems, organisations should also use a range of simple low-cost measures to reduce their vulnerability.

Firewalls can be set up to block unexpected outgoing traffic, so that an infected computer cannot reach its bot-herder, and to log the attempts it makes, which identifies the infected machines. This process is known as “egress filtering”.

“We have pushed companies to do egress filtering, but only 2 per cent of companies are in that mode when we introduce ourselves to them. It’s easy, it’s cheap and it isn’t hard to maintain,” says Mr Tippett.
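To make the egress filtering described above concrete, here is a small policy checker written for this page (it is an added example, not code from the article, Cybertrust or any vendor). It assumes a corporate address space of 10.0.0.0/8, a workstation segment in 10.20.0.0/16, and three hosts that are the only ones allowed to talk to the internet directly: a web proxy, a DNS resolver and a mail relay. Everything else leaving the network is denied by default, and the denials are counted per source host, so the same rule set that starves a bot of its controller also reveals which machines are infected. The flow-log format and the sample flows are constructed for illustration; the addresses, ports and hostnames are assumptions, not details of the Zotob outbreak.

```python
"""Egress filtering modelled as a first-match rule set over flow records.

Added example for illustration. The address plan, the allowed hosts and
the sample flow log below are all assumptions, not facts from the article.
"""
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address space
ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip):
    """A /32 network for a single host, to keep the rule table readable."""
    return ipaddress.ip_network(ip + "/32")


# Egress rules, first match wins: (source, destination, protocol, dport, action).
# Only the proxy, the resolver and the mail relay may reach the internet
# directly; ordinary workstations get no direct route out at all.
EGRESS_RULES = [
    (host("10.0.0.80"), ANY, "tcp", 80,  "allow"),   # assumed web proxy
    (host("10.0.0.80"), ANY, "tcp", 443, "allow"),
    (host("10.0.0.53"), ANY, "udp", 53,  "allow"),   # assumed DNS resolver
    (host("10.0.0.25"), ANY, "tcp", 25,  "allow"),   # assumed mail relay
]
DEFAULT_ACTION = "deny"   # anything not listed is dropped and logged


def parse_flow(line):
    """Parse one constructed log line: 'timestamp src dst proto dport'."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto.lower(),
            "dport": int(dport)}


def egress_decision(flow):
    """Return 'internal', 'ingress', 'allow' or 'deny' for one flow."""
    if flow["src"] in INTERNAL and flow["dst"] in INTERNAL:
        return "internal"          # never crosses the perimeter firewall
    if flow["src"] not in INTERNAL:
        return "ingress"           # inbound traffic; ingress policy not modelled
    for src_net, dst_net, proto, dport, action in EGRESS_RULES:
        if (flow["src"] in src_net and flow["dst"] in dst_net
                and flow["proto"] == proto and flow["dport"] == dport):
            return action
    return DEFAULT_ACTION


def apply_policy(lines):
    """Pair every log line with the decision the egress policy makes for it."""
    return [(line, egress_decision(parse_flow(line))) for line in lines]


def suspect_hosts(lines, threshold=1):
    """Internal hosts with at least `threshold` denied outbound flows.

    This is the detection side of egress filtering: a bot that cannot reach
    its controller keeps trying, and every attempt lands in the deny log.
    """
    denied = Counter(str(parse_flow(line)["src"])
                     for line, decision in apply_policy(lines)
                     if decision == "deny")
    return sorted(h for h, n in denied.items() if n >= threshold)


# Constructed sample traffic for a Monday morning; not real captured data.
SAMPLE_FLOWS = [
    "2005-08-15T09:12:01 10.20.5.7 10.0.0.80 tcp 3128",      # workstation -> proxy
    "2005-08-15T09:12:02 10.0.0.80 203.0.113.10 tcp 443",    # proxy -> internet
    "2005-08-15T09:12:03 10.0.0.53 203.0.113.53 udp 53",     # resolver -> internet
    "2005-08-15T09:12:04 10.20.5.7 198.51.100.9 tcp 6667",   # workstation straight out
    "2005-08-15T09:12:05 10.20.5.7 198.51.100.20 tcp 445",   # workstation probing 445
    "2005-08-15T09:12:06 10.20.9.14 198.51.100.9 tcp 8080",  # second host, same target
]

if __name__ == "__main__":
    for line, decision in apply_policy(SAMPLE_FLOWS):
        print(f"{decision:9s} {line}")
    print("suspect hosts:", suspect_hosts(SAMPLE_FLOWS))
```

Run as a script, the first three flows come back as internal or allowed and the last three are denied; the two workstations that tried to leave the network directly are the ones worth pulling off the LAN first. The point of the design is that nothing about the bot itself needs to be known in advance: the policy lists what a workstation is meant to do and treats everything else as a symptom.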

Once inside a network, Zotob copies itself to each newly exploited machine using the command-line file transfer protocol (FTP) client that is installed as standard on Windows but rarely used by most workers. It is easy to remove or restrict, and removing this and other little-used features can help to reduce an organisation’s vulnerability.

Zotob was a reminder that worms and viruses still pose a threat, not just to home users, but also to corporations with big security budgets. It may not have been the biggest outbreak in history, but it certainly won’t be the last.


Copyright The Financial Times Limited 2017. You may share using our article tools.
Please don't cut articles from FT.com and redistribute by email or post to the web.
