FT briefing: The Zotob and Esbot worms


What are Zotob and Esbot?

At least 12 self-replicating computer viruses, known as worms, have been released onto the internet since August 14. The worms spread themselves around to other computers via internet connections, often without the knowledge of computer users.

They are known by several names including Zotob, Esbot, Mytob, and Rbot.

Although the worms are different, all exploit the same vulnerability in Windows 2000, Windows XP, and Windows Server 2003.

Microsoft, which makes Windows, frequently issues security bulletins to inform users of newly-discovered vulnerabilities in its software. On August 9 it issued a “critical” update over a vulnerability which relates to the software’s “plug-n-play” capabilities. Just a few days later, worms taking advantage of the vulnerabilities began propagating on the internet and on Tuesday evening many companies and organisations were hit.

Which computers are vulnerable?

All computers running Windows 2000, Windows Server 2003 and Windows XP (without Service Pack 2) are vulnerable.

What kind of damage do they cause?

The worms do not damage data, but can slow computer performance. Infected Windows 2000 computers are left exposed to subsequent, more malicious attacks, while infected Windows XP computers can only spread the worms.


How can I make my computer safe?

• Download the latest updates for your security software.

• If your computer has a firewall (software or a hardware device that monitors internet traffic), set it to block traffic on port 445.

• If you have Windows XP, the Service Pack 2 download will protect against Zotob.

For more information, see Microsoft’s Security Bulletin about the vulnerability.


Why are so many businesses affected?

Richard Archdeacon, director of technical services at security software company Symantec, says that unlike many notorious viruses and worms of the past few years, the Zotob-based worms appear to target corporate users through two means.

Firstly, by targeting Windows 2000, which was more popular with corporate users than home users.

Secondly, once the worm has infected a computer, it scans for computers with similar addresses - a tactic which makes it spread more quickly within large networks of computers.

In addition, the speed with which the worms were released meant that many network managers had not tested and deployed the patches quickly enough.
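The nearby-address scanning pattern described above is something network managers can look for in their own firewall logs. The following is an added example, not code from the article or from any vendor tool: it flags any source that attempts TCP/445 connections to many distinct hosts inside its own /24, which is the "similar addresses" behaviour, while ignoring ordinary file-server traffic. The log line format and all sample addresses are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (not from the article). Assumed format:
# "<time> src=<ip> dst=<ip> dport=<port> action=<verdict>", one event per line.
SAMPLE_LOG = "\n".join(
    # Infected host sweeping eight neighbours in its own /24 on TCP/445.
    [f"18:01:{i:02d} src=10.1.4.20 dst=10.1.4.{20 + i} dport=445 action=drop"
     for i in range(1, 9)]
    # Normal client: repeated SMB to one file server in the same /24 (one target).
    + [f"18:02:{i:02d} src=10.1.4.50 dst=10.1.4.5 dport=445 action=allow"
       for i in range(1, 9)]
    # Host talking to many addresses, but on port 80, not 445 (web traffic).
    + [f"18:03:{i:02d} src=10.1.4.60 dst=10.1.4.{100 + i} dport=80 action=allow"
       for i in range(1, 9)]
    # Port-445 attempts to hosts outside the source's /24: not the nearby pattern.
    + [f"18:04:{i:02d} src=10.1.4.70 dst=10.1.9.{i} dport=445 action=drop"
       for i in range(1, 9)]
)

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def count_neighbour_targets(log_text, port=445):
    """Map each source IP to the set of distinct hosts it contacted on `port`
    that lie inside the source's own /24 (the 'similar address' pattern)."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group(3)) != port:
            continue
        src, dst = m.group(1), m.group(2)
        if ip_address(dst) in ip_network(f"{src}/24", strict=False):
            targets[src].add(dst)
    return targets


def find_scanners(log_text, port=445, min_targets=5):
    """Return {source: distinct_neighbour_count} for sources that reached
    `port` on at least `min_targets` distinct hosts in their own /24."""
    return {src: len(hosts)
            for src, hosts in count_neighbour_targets(log_text, port).items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct /24 neighbours on TCP/445 - possible worm scan")
```

The threshold of five distinct neighbours is an assumed starting point; tune it against a baseline of normal SMB traffic on the network before acting on alerts.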

Why are there so many different worms?

At least 12 worms are known to exist which are all based on the same software code, known as an “exploit”, which provides the basis for writing a virus or worm to take advantage of the newly-discovered Windows vulnerability.

It is common for virus authors to take other people’s computer code, and in some cases actually re-write parts of the virus code to delete earlier versions written by competing hackers.

The “exploit” on which Zotob and similar worms are based was written by an unidentified programmer known only as “Houseofdabus”, says Mikko Hyppönen, director of anti-virus research at Finnish anti-virus firm F-Secure/Datafellows.

Houseofdabus is believed to be a Russian who was also responsible for publishing another notorious exploit which led to the creation of the “Sasser” worm in May 2004.

Who wrote the worms, and why?

Until recently, worms and viruses were usually written by computer aficionados making “graffiti” style attacks to boost their status in the hacking world.

In the past 18 months however there have been several worms released which exploit their host computers and use them for illegal purposes, such as distributing spam email or hosting fake banking websites.

These worms can effectively create networks of infected computers, known as “botnets”, which can be used for malicious purposes.

Mr Hyppönen says Houseofdabus would be aware that his code, while in itself benign, is being used to write malicious worms. But questions over the legality of exploits mean he has not been arrested.

“You could compare it to leaving loaded weapons around where kids can find them… but what he’s doing would most likely fall to free speech,” says Mr Hyppönen.

While the nature of the worms indicates a battle is under way between virus writers, experts say it is too early to tell whether they are motivated by criminal activity or simply seeking status.

Have you been affected by the Zotob or Esbot worms? Email us at technology@ft.com

Links

Security information from Microsoft about the Windows vulnerability

Information from anti-virus companies:

• Datafellows/F-Secure

• McAfee/Network Associates

• Symantec

• Sophos

Copyright The Financial Times Limited 2017. All rights reserved. You may share using our article tools. Please don't copy articles from FT.com and redistribute by email or post to the web.