| Zotob | |
|---|---|
| Type | Internet worm |
| Creator | Diabl0 and Coder* |
| Date Discovered | 2005.08.14 |
| Place of Origin | Salé, Morocco |
| Source Language | |
| Platform | MS Windows |
| File Type(s) | .exe |
| Infection Length | 22,528 bytes |
| Reported Costs | $67,900,000 |
Zotob is an internet worm that makes an infected computer part of a botnet. It comes from the same creator as many variants of the Mytob worm. The worm caused an average of $97,000 in damage at each of 700 companies, totaling almost $68 million, a relatively small figure compared to the damage estimates for worms like Mydoom and Sobig.
Behavior
A clean system under attack from Zotob will receive exploit code coming from port 445 on the attacking system. The code exploits a vulnerability in the umpnpmgr.dll file, which lets it open a command shell on port 8888. This shell runs an FTP script that downloads the worm to the target computer as haha.exe.
When the worm is executed, it creates a mutex named "B-O-T-Z-O-R", which ensures that only one instance of the worm runs at any time. It adds the value "WINDOWS SYSTEM = botzor.exe" to the local machine Run and RunServices registry keys, so the worm starts before the user logs in. It also sets "Start = 4" in the registry key that controls the shared access service, which disables that service.
Zotob creates 300 threads that generate random IP addresses within the class B network of the infected system. It scans those addresses for new systems to infect through port 445 and sends the exploit code to them. When the exploit succeeds, it sends the worm to the new target via FTP.
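The scanning pattern just described (one source touching many distinct hosts in its own /16 on tcp/445) is something a defender can pick out of firewall or flow logs. The following is an added example written for this page, not code from the original or from any vendor; the log format and the flow records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def constructed_flows():
    """Constructed firewall/flow records (not real traffic), one per line:
    '<time> <src_ip> <dst_ip> <dst_port> <proto>'."""
    lines = []
    # Infected host probing 30 distinct addresses spread over its own /16.
    for i in range(30):
        lines.append(f"2005-08-14T10:00:{i % 60:02d} 10.20.5.7 "
                     f"10.20.{(i * 37) % 256}.{(i * 11) % 250 + 1} 445 tcp")
    # Workstation repeatedly talking SMB to one file server: benign.
    for i in range(30):
        lines.append(f"2005-08-14T10:01:{i % 60:02d} 10.20.6.9 10.20.1.10 445 tcp")
    # Ordinary web traffic on another port.
    lines.append("2005-08-14T10:02:00 10.20.6.9 198.51.100.7 80 tcp")
    return lines

def same_class_b(a, b):
    """True when two addresses share a /16 (the 'class B' Zotob sweeps)."""
    return (ipaddress.ip_network(f"{a}/16", strict=False)
            == ipaddress.ip_network(f"{b}/16", strict=False))

def find_smb_scanners(lines, threshold=20):
    """Map src_ip -> number of distinct /16-local hosts it contacted on
    tcp/445, keeping only sources at or above `threshold`. A spread of
    many distinct targets is the scan signature; repeated traffic to one
    server does not count, so normal file sharing is not flagged."""
    targets = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        _, src, dst, port, proto = fields
        if proto != "tcp" or port != "445" or not same_class_b(src, dst):
            continue
        targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

if __name__ == "__main__":
    for src, n in find_smb_scanners(constructed_flows()).items():
        print(f"possible Zotob-style SMB scan from {src}: {n} distinct targets")
```

The threshold is a tuning knob: 300 threads of random probing will exceed it within seconds, while a workstation mounting a handful of shares will not.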
The worm directs 50 hostnames to 127.0.0.1 (back to the computer itself). These are mostly antivirus sites, but a few others, such as Amazon and PayPal, are blocked as well. Zotob also listens on an IRC channel for commands from any cracker who knows how to find it. It can execute commands from the cracker, such as connecting to and disconnecting from the IRC channel, reporting information on the infected system, downloading and executing files, changing security settings, and removing the worm from the system.
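Two of the host-level artifacts above (hostnames redirected to loopback, and the "WINDOWS SYSTEM" autorun value) can be checked offline from text collected off a suspect machine. This is an added example for this page, not code from the original or from an antivirus vendor; the hosts file and the reg export below are constructed samples, and the vendor hostnames are placeholders rather than the worm's real list.

```python
import ipaddress
import re

# Constructed sample hosts file (hostnames are placeholders, not the
# worm's real list): loopback entries cut off update/vendor sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.test
127.0.0.1       update.av-vendor.test
127.0.0.1       pay.online-shop.test
192.168.1.20    fileserver
"""

# Constructed `reg export` text of the Run key holding the worm's value.
SAMPLE_RUN_KEY = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="botzor.exe"
"LegitApp"="C:\\Program Files\\Legit\\legit.exe"
"""

def hijacked_hosts(hosts_text):
    """Hostnames the hosts file maps to a loopback address, ignoring
    localhost itself: the technique Zotob uses to block AV sites."""
    hijacked = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        try:
            loopback = ipaddress.ip_address(fields[0]).is_loopback
        except ValueError:
            continue  # malformed line, not an address
        if loopback:
            hijacked += [n for n in fields[1:] if n.lower() != "localhost"]
    return hijacked

# One "Name"="data" line of a .reg export.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$', re.M)

def zotob_run_values(reg_text):
    """(name, data) pairs matching the worm's autorun entry, either by
    the value name it uses or by the dropped file name in the data."""
    return [(m["name"], m["data"]) for m in RUN_VALUE_RE.finditer(reg_text)
            if m["name"].upper() == "WINDOWS SYSTEM"
            or "botzor.exe" in m["data"].lower()]
```

Any non-localhost name pointing at loopback is worth a look regardless of which 50 names this particular worm chose, so the hosts check stays useful for later variants that swap the list.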
The worm contains the text strings "Botzor2005 Made By …. Greetz to good friend Coder. Based On HellBot3" and "MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!".
Origin
Zotob comes from Morocco and was written by the creator of Mytob. Farid Essebar (فريد الصبار), a Russian-born Moroccan, was arrested along with the Turkish coder Atilla Ekici for creating the worm. Very early on, the worm was suspected of having a Turkish connection. The exploit the worm used was first used by a Russian hacker named "Houseofdabus". Essebar is believed to have done most or all of the actual coding of the worm, while Ekici paid him for it with hijacked credit card data. Essebar began writing worms after he received a copy of Mydoom from the British hacker Uncanny. He later wrote Mytob and a significant number of its variants. Essebar was sentenced to two years in prison.
The arrest was controversial among some Arab hackers, who believed the Moroccan authorities had nothing to go on beyond orders from the US, and who resented what they saw as Morocco's slavish devotion to its alliance with the US. One of them claims that Farid did not even have his own computer until he bought one in the Souq of Rabat after his return from Russia. However, Internet cafés are common in both Russia and Morocco, and the Internet can be accessed from any number of educational institutions in both countries, so it is possible that he did his coding on a computer belonging to someone else.
Name
The worm was named Zotob by antivirus companies. Diabl0 intended for it to be named Botzor2005. Changing the name the creator intended to give a worm is common practice for antivirus companies. In the (likely) creator's native Arabic, the name of the worm would usually be written in Roman letters; however, one poster to the VBSpiders forum wrote it out in Arabic as "زوطوب". This would be pronounced in about the same way as "Zotob" in English, except for the "ط", which is like an English "T" with very slight differences. Some of its variants are named Bozori, while the worm itself is considered a variant of Mytob. This, however, is very unusual, since the worm exploits computers over the Internet with no help from a naive user, whereas Mytob spreads mostly through email.
Effects
The security firm Cybertrust surveyed 700 companies and determined that cleanup cost an average of $97,000 per company. For some businesses surveyed, it took more than 80 hours to clean up the worm. It was, however, less damaging than the previous major worms. Computers at CNN, ABC, The New York Times, DaimlerChrysler, Caterpillar and Boeing were infected with the worm.
This worm was also one more wake-up call about the need for tighter security measures. The government of Morocco in particular was prompted to take action against crackers. Before this incident, most attacks from Morocco were minor defacements of US and Israeli websites, usually adding messages supporting the Palestinian cause.
Sources
F-Secure, "Worm:W32/Zotob.A".
Robert X. Wang, Symantec, "W32.Zotob.A", 2007.02.13.
Red Herring, "Zotob Cost $97K per Company", 2005.10.27.
RadoVane, Maghress, "Zotob is made in Morocco !!", 2005.09.03.
VBSpiders, "الي رواد منتديات العناكب: مادا تعرفون عن فريد الصبــــــار" (To the regulars of the Spiders forums: what do you know about Farid Essebar?).
Joris Evers, CNet, "Zotob worm from Turkey?", 2005.08.18.