Spam Wars: The Battle History

Appendix A: Viral: Worm Wars II - Zotob


August 2005: Zotob/Bozori vs IRCBot

Renewing the battle for vulnerable Windows machines, the Bozori worm was released onto the Internet, this time using the now infamous Windows Plug-and-Play vulnerability. (Or perhaps not renewing: 7 more Bagle variants, making a total of 684, were released on Friday the 12th, just before the first Zotob.)

Tuesday 9th:
Microsoft released the monthly security patches for Windows.
This included several critical patches, with one closing a vulnerability in Microsoft's Plug-and-Play service (MS05-039).

Wednesday 10th:
A Russian individual who goes by the name 'Houseofdabus' released working exploit code that could be used to take over Windows 2000 machines with the Plug-and-Play vulnerability.

Sunday 14th:
The Zotob.A worm was found around noon. Farid Essebar who goes by the name 'Diabl0' had incorporated the Houseofdabus exploit code to a worm that would spread automatically over the Internet.

Monday 15th:
An IRCBot variant (Backdoor.Win32.IRCBot.es) was discovered using the same PnP exploit. Zotob is now up to its .C variant, with three variants active; this one spreads over both the PnP and ASN.1 vulnerabilities as well as via email.

Tuesday 16th:
An RBot virus [now known to be a second virus by the Zotob author] was located, along with at least one other unnamed virus variant.

Wednesday 17th:
F-Secure has now found 11 pieces of malware using the same exploit code to spread.
Currently there are three Zotob variants (.A, .B and .C), one Rbot (.YK), one Sdbot (.ADB), one CodBot, three IRCbots (.ES, .ET and .EX) and two variants of Bozori (.A and .B).
Variants from both the IRCBot and Bozori families are deleting competing PnP bots.
Courtesy of the F-Secure WebLog, a nice diagram of the warfare going on:

Friday 18th:

Things have sped up since Wednesday. F-Secure now reports that "dozens more" of each type of malware are at battle, as things hit hyperspeed before they calm down again.

The upswing in malware creation - and the competition between the various PnP worms - echoes the competition between the NetSky and Bagle worms for control of vulnerable Windows PCs that first flared up in March 2004. Then, as now, it's all about turning Windows PCs into zombie spam bots.

The worms are affecting computers which are not properly patched against Microsoft security holes such as the MS05-039 Plug and Play vulnerability, disclosed by Microsoft last week. Windows 2000 systems are particularly at risk of exploit. Many organisations have already been hit including CNN, ABC, The Financial Times, and the New York Times. General Electric, United Parcel Service, Caterpillar and the US Congress have also been affected by PnP worm infestation.

August 28th:
Fortunately, the authors appear to have been caught and their purpose uncovered:

Police in Morocco arrested Farid Essebar, 18, a Moroccan national born in Russia who used the online moniker "Diabl0." Authorities in Turkey arrested 21-year-old Atilla Ekici, known by the online alias "Coder."

... ... ...

Louis M. Reigel III, assistant director of the FBI's Cyber Division, said evidence indicates Ekici paid Essebar to develop the worms and that the two used them for financial gain. Reigel declined to say whether the men were connected to a larger criminal enterprise. But according to information released by the Moroccan government, the two men are alleged to have forwarded financial information stolen from victims' computers to a credit-card fraud ring.