Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Zotob
open-in-new
<h2 id="rbot-variant">Rbot variant</h2> <p>Zotob was derived from the Rbot worm. Rbot can force an infected computer to continuously <a href="/facts/Reboot_(computing)/BfdNXeNu">restart</a>. Its outbreak on August 16, 2005, was covered "live" on <a href="/facts/CNN/kEYsUQqr">CNN</a> television, as the network's own computers got infected. Zotob would self-replicate each time the computer rebooted, resulting in each computer having numerous copies of the file by the time it was purged. This is similar to the Blaster (Lovesan) worm. </p> <h2 id="sequence-of-events">Sequence of events</h2> <ul><li>August 9, 2005: Security advisory"On August 9th, Microsoft released critical security advisory MS05-039 which revealed a vulnerability in the Plug-and-Play component of Windows 2000. Code to patch the loophole was also made available."<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a></li> <li>Virus writing"In the days since Microsoft's announcement, virus writers have released several variants of both Zotob and RBot, along with updated versions of older worms named SD-Bot and <a href="/facts/Backdoor.Win32.IRCBot/BD5JrKM0">IRC-Bot</a>, designed to take advantage of the newly discovered flaw."<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a></li> <li>August 13, 2005: Emerged on Saturday"The worms, called Zotob and Rbot, and variants of them, started emerging Saturday, computer security specialists said, and continued to propagate as corporate networks came to life at the beginning of the week."<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a></li></ul> Wikinews has related news: <ul><li>CNN headquarters infected with computer worm, exaggerates global threat</li></ul> <ul><li>August 16, 2005: Took down CNN live"Around 5 p.m. problems began at CNN facilities in New York and Atlanta before being cleared up about 90 minutes later."<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a>"CNN, breaking into regular programming, reported on air that personal computers running Windows 2000 at the cable news network were affected by a worm that caused them to restart repeatedly."<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a>"The Internet Storm Center, which tracks the worldwide impact of computer worms, indicated on its Web site that no major Internet attack was underway. <i>Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point,</i> the site read."<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a></li> <li>August 17, 2005: CIBC and other banks, companies affected"CIBC says the Zotob worm caused some isolated outages, but did not affect ATMs, Internet or phone banking. The virus also hit other Canadian businesses but has not caused widespread shutdowns."<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a></li> <li>August 26, 2005: A suspect is arrested in <a href="/facts/Morocco/6ly8170M">Morocco</a> "Under the request of the <a href="/facts/FBI/UY93jwX6">FBI</a>, Moroccan police arrests 18-year-old <a href="/facts/Farid_Essebar/aSPkwSwc">Farid Essebar</a>, a <a href="/facts/Morocco/6ly8170M">Moroccan</a>, suspected for being behind the spread of the virus."<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a></li> <li>September 16, 2006: Sentencing"The creators of the Zotob Windows worm <a href="/facts/Farid_Essabar/aSPkwSwc">Farid Essabar</a> and his friend Achraf Bahloul were sentenced by a court in <a href="/facts/Morocco/6ly8170M">Morocco</a>.<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a></li></ul> <h2 id="arrest-of-the-coders">Arrest of the coders</h2> <p>On August 26, 2005, Farid Essebar and Atilla Ekici were arrested in <a href="/facts/Morocco/6ly8170M">Morocco</a> and <a href="/facts/Turkey/KIYAWAs0">Turkey</a>, respectively. They are believed to be the men behind the worm's coding. </p><p>A signature in the Zotob worm code suggested it was coded by Diabl0 and the <a href="/facts/IRC/oDr3VN9q">IRC</a> server it connects to is the same used in previous version of Mytob. Diabl0 is believed to have incorporated the code of a <a href="/facts/Russia/jfkCwyxn">Russian</a> nicknamed houseofdabus <a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a> whose journal has been shut down by authorities,<a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a> just after the arrest of Diabl0. The coder (Ekici) probably paid Diabl0 (Essebar) to write the code. </p><p>"<i>He says it's all about making money, and that he doesn't care if people remove the worm because it's the spyware stuff that he installs that's making him the money,</i> Taylor said in a conversation with me."<a class="footnote-ref" id="fnref:13" href="#fn:13"><sup>13</sup></a> </p><p>On August 30, 2005, controversial reports emerged from different <a href="/facts/Anti-virus/GGMqsfkJ">anti-virus</a> firms. <a href="/facts/Sophos/6oHmdqg0">Sophos</a> declared that several people had access to the Mytob source code (a variant of the worm). On the other hand, <a href="/facts/F-Secure/9axTbEIe">F-Secure</a> declared that it has found multiple variants of Mytob that were coded after the arrest of Essebar. Those declarations suggest that Essebar is only a part of a larger group of <a href="/facts/Black_hat_(computer_security)/QNzdbA8R">Dark-side hackers</a> behind the spread of the <a href="/facts/Malware/5ee7TLFR">malware</a>.<a class="footnote-ref" id="fnref:14" href="#fn:14"><sup>14</sup></a> </p> <h2 id="farid-essebar">Farid Essebar</h2> <p>Farid Essebar (<a href="/facts/Arabic_language/A1e66hVV">Arabic</a>: فريد الصبار) (born in 1987, known as Diabl0) is a <a href="/facts/Morocco/6ly8170M">Moroccan</a> <a href="/facts/Black_hat_(computer_security)/QNzdbA8R">black hat</a> <a href="/facts/Security_hacker/4bAJ9F1A">hacker</a>. He was one of the two people behind the spread of Zotob. Essebar is also a <a href="/facts/Russians/RBG9H1Rj">Russian</a> citizen.<a class="footnote-ref" id="fnref:15" href="#fn:15"><sup>15</sup></a> </p><p>It is believed that his intention was to facilitate <a href="/facts/Credit_card/7pKSB5LD">credit card</a> forgery <a href="/facts/Confidence_trick/1XNPz6wR">scams</a>. The <a href="/facts/Federal_Bureau_of_Investigation/UY93jwX6">FBI</a> believes that Atilla Ekici paid Essebar to <a href="/facts/Source_code/o9J6Jv23">code</a> the worm. In July 2006, investigators stated that Essebar may have authored more than 20 viruses.<a class="footnote-ref" id="fnref:16" href="#fn:16"><sup>16</sup></a> </p><p>On 15 September 2006 a <a href="/facts/Judiciary_of_Morocco/3syPqP4L">Moroccan court</a> sentenced Essebar to two years of prison.<a class="footnote-ref" id="fnref:17" href="#fn:17"><sup>17</sup></a> It was reduced to a year on 15 December 2006. </p><p>On 17 March 2014, Essebar was arrested in <a href="/facts/Thailand/GCUnN4JK">Thailand</a> after a 2-year investigation by Thai police. The investigation was triggered by a complaint from Swiss authorities over an alleged infiltration of a Swiss bank that caused dozens of billions of dollars' damage.<a class="footnote-ref" id="fnref:18" href="#fn:18"><sup>18</sup></a> </p> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Timeline_of_notable_computer_viruses_and_worms/B18aAYVG">Timeline of notable computer viruses and worms</a></li></ul> <h2 id="external-links-and-sources">External links and sources</h2> <h3>Security vulnerability information</h3> <ul><li><a href="http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx">Microsoft Security Bulletin MS05-039</a> (Microsoft)</li> <li><a href="http://www.microsoft.com/technet/security/advisory/899588.mspx">Microsoft Security Advisory (899588)</a> (Microsoft)</li> <li><a href="http://www.kb.cert.org/vuls/id/998653">US Cert Vulnerability Note VU#998653</a> (US-CERT)</li> <li><a href="http://secunia.com/advisories/16372/">Secunia Advisory SA16372</a> (Secunia)</li> <li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1983">CAN-2005-1983</a> (Common Vulnerabilities and Exposures)</li> <li><a href="http://www.securityfocus.com/bid/14513">Bugtraq ID 14513</a> (SecurityFocus)</li></ul> <h3>Worm information</h3> <ul><li><a href="http://www.microsoft.com/security/incident/zotob.mspx">What You Should Know About Zotob</a> (Microsoft)</li> <li><a href="https://web.archive.org/web/20050924010132/http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.removal.tool.html">W32.Zotob Removal Tool</a> (Symantec Security Response)</li> <li><a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZOTOB.D">WORM_ZOTOB.D</a> (Trend Micro)</li> <li><a href="http://www.f-secure.com/v-descs/zotob_a.shtml">Zotob.A</a> (F-Secure)</li> <li><a href="http://www.f-secure.com/v-descs/zotob_c.shtml">Zotob.C</a> (F-Secure)</li> <li><a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FRBOT%2ECBR">WORM_RBOT.CBR</a> (Trend Micro)</li> <li><a href="http://singe.rucus.net/blog/archives/510-MS05-039-and-the-Zotob-summary.html">Full Timeline</a> (Security Blogger)</li> <li><a href="https://www.sophos.com/support/disinfection/zotob.html">Zotob Removal Instructions</a></li></ul> <h3>News coverage</h3> <ul><li><a href="http://news.bbc.co.uk/2/hi/technology/4159002.stm">BBC News</a> Windows 2000 worm hits US firms</li> <li><a href="http://news.bbc.co.uk/2/hi/technology/4162124.stm">BBC News</a> Windows 2000 bug starts virus war</li> <li><a href="http://news.bbc.co.uk/2/hi/technology/4189996.stm">BBC News</a> Two detained for US computer worm</li> <li><a href="http://news.bbc.co.uk/2/hi/technology/4205220.stm">BBC News</a> Money motive drove virus suspects</li> <li><a href="https://www.nytimes.com/2005/08/17/technology/17virus.html">New York Times</a> Virus Attacks Windows Computers at Companies</li> <li><a href="http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html">CNN</a> Worm strikes down Windows 2000 systems</li> <li><a href="https://web.archive.org/web/20150122223054/http://www.nbcnews.com/id/8975840/">MSNBC</a> Computer worms strike media outlets</li> <li><a href="http://today.reuters.com/news/NewsArticle.aspx?type=internetNews&storyID=2005-08-16T232013Z_01_HO683966_RTRIDST_0_NET-VIRUS-DC.XML">Reuters</a>[<i>dead link</i>] Computer virus hits U.S media outlets</li> <li><a href="http://it.slashdot.org/it/05/08/16/2247228.shtml?tid=220&tid=188">Slashdot</a> Zotob Worm Hits CNN and Goes Global</li> <li><a href="http://informationweek.com/story/showArticle.jhtml?articleID=168602115">Information Week</a> Zotob Proves Patching "Window" Non-Existent</li> <li><a href="/facts/Security_Now!/Gkf2qqGG">Security Now!</a> PodCast - Episode #1: "As the Worm Turns" <a href="https://www.grc.com/securitynow.htm">[1]</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"Zotob Cost $97K per Company". Red Herring. Archived from the original on 2006-02-21. Retrieved 2005-10-27. <a href="https://web.archive.org/web/20060221194827/http://www.redherring.com/Article.aspx?a=14206&hed=Zotob+Cost+%2497K+per+Company§or=Industries&subsector=SecurityAndDefense" target="_blank">https://web.archive.org/web/20060221194827/http://www.redherring.com/Article.aspx?a=14206&hed=Zotob+Cost+%2497K+per+Company§or=Industries&subsector=SecurityAndDefense</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"Windows 2000 worm hits US firms". 17 August 2005. <a href="http://news.bbc.co.uk/2/hi/technology/4159002.stm" target="_blank">http://news.bbc.co.uk/2/hi/technology/4159002.stm</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>NBC News <a href="https://web.archive.org/web/20150122223054/http://www.nbcnews.com/id/8975840/" target="_blank">https://web.archive.org/web/20150122223054/http://www.nbcnews.com/id/8975840/</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Richtel, Matt (17 August 2005). "Virus Attacks Windows Computers at Companies". The New York Times. <a href="https://www.nytimes.com/2005/08/17/technology/17virus.html" target="_blank">https://www.nytimes.com/2005/08/17/technology/17virus.html</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>"CNN.com - Worm strikes down Windows 2000 systems - Aug 17, 2005". CNN. <a href="http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html" target="_blank">http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Reuters[dead link] <a href="http://today.reuters.com/news/NewsArticle.aspx?type=internetNews&storyID=2005-08-16T232013Z_01_HO683966_RTRIDST_0_NET-VIRUS-DC.XML" target="_blank">http://today.reuters.com/news/NewsArticle.aspx?type=internetNews&storyID=2005-08-16T232013Z_01_HO683966_RTRIDST_0_NET-VIRUS-DC.XML</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>NBC News <a href="https://web.archive.org/web/20150122223054/http://www.nbcnews.com/id/8975840/" target="_blank">https://web.archive.org/web/20150122223054/http://www.nbcnews.com/id/8975840/</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>CTV.ca <a href="https://web.archive.org/web/20060628005808/http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1124243901921_51/?hub=TopStories" target="_blank">https://web.archive.org/web/20060628005808/http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/1124243901921_51/?hub=TopStories</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>"Maghreb Arabe Presse: Young Moroccan hacker arrested for web virus". Archived from the original on 2005-11-12. <a href="https://web.archive.org/web/20051112123757/http://www.map.ma/eng/sections/general/young_moroccan_hacke4792/view" target="_blank">https://web.archive.org/web/20051112123757/http://www.map.ma/eng/sections/general/young_moroccan_hacke4792/view</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>"Zotob virus writers face prison". 14 September 2006. <a href="http://news.bbc.co.uk/1/hi/technology/5345404.stm" target="_blank">http://news.bbc.co.uk/1/hi/technology/5345404.stm</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>"milw0rm.com - n/a". Archived from the original on 2006-03-29. <a href="https://web.archive.org/web/20060329120210/http://milw0rm.com/author/183" target="_blank">https://web.archive.org/web/20060329120210/http://milw0rm.com/author/183</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>http://www.livejournal.com/users/houseofdabus/ [dead link] <a href="http://www.livejournal.com/users/houseofdabus/" target="_blank">http://www.livejournal.com/users/houseofdabus/</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> <li id="fn:13"><p>Krebs, Brian (August 29, 2005). "Conversation With a Worm Author". Washington Post (Blog). Archived from the original on 2006-03-14. <a href="https://web.archive.org/web/20060314145923/http://blog.washingtonpost.com/securityfix/2005/08/conversation_with_a_worm_autho_1.html" target="_blank">https://web.archive.org/web/20060314145923/http://blog.washingtonpost.com/securityfix/2005/08/conversation_with_a_worm_autho_1.html</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></p></li> <li id="fn:14"><p>"Zotob arrests throws open trade in compromised PCS". <a href="http://www.channelregister.co.uk/2005/08/30/zotob_arrests_follow-up/" target="_blank">http://www.channelregister.co.uk/2005/08/30/zotob_arrests_follow-up/</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></p></li> <li id="fn:15"><p>"Notorious Hacker Diabl0 Arrested in Thailand". 18 March 2014. Retrieved 23 March 2014. <a href="http://news.softpedia.com/news/Notorious-Hacker-Diabl0-Arrested-in-Thailand-432817.shtml" target="_blank">http://news.softpedia.com/news/Notorious-Hacker-Diabl0-Arrested-in-Thailand-432817.shtml</a> <a href="#fnref:15" class="footnote-back-ref">↩</a></p></li> <li id="fn:16"><p>"(pcwelt.de) - "Zotob author may be virus mastermind"". Archived from the original on 2007-05-22. Retrieved 2006-07-29. <a href="https://web.archive.org/web/20070522212338/http://www.pcwelt.de/news/englishnews/118950/" target="_blank">https://web.archive.org/web/20070522212338/http://www.pcwelt.de/news/englishnews/118950/</a> <a href="#fnref:16" class="footnote-back-ref">↩</a></p></li> <li id="fn:17"><p>Moroccan authorities sentence two in Zotob computer worm attack Archived 2016-12-24 at the Wayback Machine <a href="https://www.fbi.gov/pressrel/pressrel06/zotob091306.htm" target="_blank">https://www.fbi.gov/pressrel/pressrel06/zotob091306.htm</a> <a href="#fnref:17" class="footnote-back-ref">↩</a></p></li> <li id="fn:18"><p>Yassine Majdi (18 March 2014). "Le hackeur marocain, Farrid Essebar arrêté en Thaïlande". Telquel. Archived from the original on 21 March 2014. Retrieved 18 March 2014. <a href="https://web.archive.org/web/20140321165124/http://www.telquel-online.com/content/le-hackeur-marocain-farrid-essebar-arr%C3%AAt%C3%A9-en-tha%C3%AFlande-0" target="_blank">https://web.archive.org/web/20140321165124/http://www.telquel-online.com/content/le-hackeur-marocain-farrid-essebar-arr%C3%AAt%C3%A9-en-tha%C3%AFlande-0</a> <a href="#fnref:18" class="footnote-back-ref">↩</a></p></li> </ol>