Zotob
Zotob是一个电脑蠕虫,感染对象主要是微软的Windows XP以及Windows 2000作业系统。该病毒利用了微软公司于2005年8月9日公布的编号为MS05-039的即插即用中的漏洞。从漏洞的发布到病毒的出现仅用了七天左右的时间。病毒的破坏有:造成系统频繁重启,为系统留后门,阻止安装在系统中的反病毒软件升级。这只电脑蠕虫现时已经出现多个变种,并使部份地区的网上通讯开始瘫痪。
Zotob有多个别名,当中包括Rbot(cbq、ebq等)。它利用微软网络(microsoft-ds)上的TCP port 445散布。
Rbot变种的特色
Rbot系列的变种在2005年8月出现,特色是会不断使受影响的电脑重新启动(soft reboot)。最大规模的爆发在2005年8月16日出现,并使多个跨国企业,包括著名新闻网络CNN的网络系统不能正常运作。而CNN亦因为这件事而把Rbot爆发的消息放在他们的新闻里。
事件发生时序
2005年8月9日:微软公司发表Security advisory
"On 9 August, Microsoft released critical security advisory MS05-039 which revealed a vulnerability in the Plug-and-Play component of Windows 2000. Code to patch the loophole was also made available." [1]
编写病毒:有关人员相信在参加过微软的发表会之后,利用这新发现的问题、以及由微软提供的测试程序的帮助,把旧有的Zobot改装。他曾修改过SD-Bot及IRC-Bot并发布出去,然后才发布从Zobot改装而成的Rbot。 [2]
August 13, 2005: Emerged on Saturday
"The worms, called Zotob and Rbot, and variants of them, started emerging Saturday, computer security specialists said, and continued to propagate as corporate networks came to life at the beginning of the week." [3]
August 16, 2005: Took down CNN live
"Around 5 p.m. problems began at CNN facilities in New York and Atlanta before being cleared up about 90 minutes later." [4]
"CNN, breaking into regular programming, reported on air that personal computers running Windows 2000 at the cable news network were affected by a worm that caused them to restart repeatedly."[5]
"The Internet Storm Center, which tracks the worldwide impact of computer worms, indicated on its Web site that no major Internet attack was underway. Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point, the site read." [6]
August 17, 2005: CIBC and other banks, companies affected
"CIBC says the Zotob worm caused some isolated outages, but did not affect ATMs, Internet or phone banking. The virus also hit other Canadian businesses but has not caused widespread shutdowns."[7]