Zotob Authors Jailed

Press reports this morning indicate that the two people arrested in the Zotob case have been jailed. According to Computerworld, "Farid Essebar, 19, of Morocco was sentenced to two years in prison on Tuesday by a Moroccan court, according to a report by Agence France-Presse. An accomplice, Achraf Bahloul, also of Morocco, received a one-year sentence, the report said." There's not much more to the story, it seems. You may recall that Zotob was used, in part, to fuel financial theft via the victims' computers. Zotob built a modestly sized botnet.

Shortly after the original Zotob worm came out last summer, these two guys were identified and arrested. I recall speaking at a local security group event that fall a few days after the arrests, and some federal law enforcement were in the room, as well as some corporate CSOs and such. I showed them some of the Zotob botnet data I had gathered for work, and mentioned that the two guys were apprehended a day or so earlier. They were all pleased, to say the least.

Still, botnet-related arrests are exceedingly rare, given the number of botnet operators out there.

September 14, 2006 in government, Zotob

Updated Microsoft Malicious Software Removal Tool (March, 2006)

Microsoft has updated their malware removal tool. This is a tool that runs at Windows Update time and can also be downloaded and run on-demand. It is not a continual defense, unlike most AV products. Updates for March, 2006, include:

Source: Malicious Software Removal Tool, updated March 14, 2006.

March 14, 2006 in Bagle, Blaster, defense, microsoft, sasser, tools, witty, Zotob

Updated Microsoft Malware Removal Tool (Jan, 2006)

It's Patch Tuesday, and that means that Microsoft has updated their Malware Removal Tool. Detection this month focuses on some of the more prolific but "beneath the radar" malware: The full list of families detected and removed by the Windows Malware Removal Tool is on the website. The team responsible for the product is also blogging their work.

January 10, 2006 in Bagle, Blaster, detection, IM worms, microsoft, sasser, SQLSlammer, tools, Zotob

Updated Windows Defender Tool (Nov, 2005)

It's "patch Tuesday", the day when Microsoft releases their monthly patches (in this case, one fixup for November, 2005), and they also release updates to their malware removal tool. It now has a new name, too, Windows Defender, signifying its larger purpose. The new families detected by this latest update to Windows Defender:

You can see the full list of families detected by the tool on the Microsoft website: Families Cleaned by the Malicious Software Removal Tool. Remember, keep your AV policies current, always make sure you have the latest tool for the newest malware, and check their sites for updates. You won't detect new threats with out-of-date tools.

Update: As noted in comments, the malicious software removal tool has not been renamed. I guess I'll still call it the MSRT in future posts.

November 8, 2005 in Bagle, Blaster, defense, malware, microsoft, SQLSlammer, tools, witty, Zotob

Zotob Damages Assessed

Some numbers are in regarding how widespread the Zotob worm has been. Zotob, which spread in August, 2005, seems to have been a relatively minor threat when compared to many other worms like Blaster and Sasser.

Six percent of survey respondents said Zotob's impact on their company was moderate to major, which was defined as more than $10,000 in losses and at least one major business system affected, such as e-mail or Internet connectivity.

Alarming as it was, Zotob did far less damage than did other major worms designed to exploit Windows vulnerabilities, Cybertrust said. For example, the Nimda worm made a moderate to major impact on 60 percent of companies. MSBlast (aka Blaster) struck about 30 percent of organizations to that degree, the firm said.

Source: Zotob damage deep but not widespread, published on ZDNet News: October 26, 2005, 12:33 PM PT.

I find this figure a bit surprising given the damage reported by the Chrysler corporation and how it affected manufacturing operations in addition to other large corporations. It's possible, however, that overall we're getting that much better at containing these things and the average damage really is very small.

Note, posts may be a bit slow for a while, Typepad service has been sluggish and it's a bit tough to post at times. Thanks for your continued patronage.

October 31, 2005 in media, Zotob

MS Malware Tool Updated (October, 2005)

Microsoft has updated the malware removal tool they wrote and maintain for October, 2005. The new malware entities they detect are: As always, this is just one tool in a Windows malware remediation toolkit. It does not run in real-time, so it offers no ongoing protection; look to an AV solution for that. It looks only for the obvious signs of these malware families and may not catch all future variants.

As always, make sure you get the latest version from Microsoft. The number of families they detect and clean up is always growing.

October 11, 2005 in Bagle, Blaster, defense, mass mailers, microsoft, sasser, witty, Zotob

Updated MS Malware Removal Tool (Sept. 2005)

Microsoft has updated their Malware Removal Tool for September, 2005. The new families of malware detected are:

If you're building an incident response kit, this is a worthwhile tool to have on hand. It's not a substitute for a full AV tool, but it's a fast "first pass".

If you've come to this page via a web search, make sure you download the latest update of the tool. Microsoft updates it every month.

September 14, 2005 in Bagle, Blaster, detection, microsoft, sasser, tools, witty, Zotob

Morocco to try suspected computer worm author

It looks like the Zotob trial will be held overseas (at least for those of us not in Morocco), but more importantly it's happening swiftly. I wonder how much of a dent this will make in things, given the popularity of Zotob variants and the proliferation of credit card theft tools in the past year.

An 18-year-old math student will go on trial in Morocco this month for unleashing computer worms that disrupted the networks of major U.S. firms, a Justice Ministry official said today.

The FBI last week announced Moroccan Farid Essebar's arrest in Rabat as well as the arrest in Turkey of 21-year-old Attila Ekici. Both are suspected of releasing the Zotob worm that hit the Internet three weeks ago.

The official said Essebar's trial would start Sept. 13 and he would remain in custody near Rabat until then. "The hearing will specify charges against him for the trial," the ministry official told Reuters.

Source: Morocco to try suspected computer worm author, by Souhail Karam, posted September 2, 2005 (REUTERS).

September 10, 2005 in government, media, Zotob

Zotob Callgraph Analysis

Panda Software has released callgraphs of several of the Zotob worm variants. These are interesting because they help to illustrate the degree of changes between the variants. The files below are ZIP files which include a graphic showing the callgraph for each of the Zotob variants. You can compare them and see the differences for yourself.

The malware graphs showing the main variants to appear over the last few days are the following:

http://www.pandasoftware.com/resources/des/bck_ircbot_JZ.zip
http://www.pandasoftware.com/resources/des/ircbot_KC.zip
http://www.pandasoftware.com/resources/des/ircbot_KD.zip
http://www.pandasoftware.com/resources/des/zotob_A.zip
http://www.pandasoftware.com/resources/des/zotob_B.zip
http://www.pandasoftware.com/resources/des/zotob_C.zip
http://www.pandasoftware.com/resources/des/zotob_D.zip

The graph shows the flow chart or malware graph of the processes carried out by each worm, arranged identically, representing the 'fingerprint' or 'genetic signature' of each worm. This gives a graphic idea of the make up and complexity of each one and the relationship they could have with other variants.

The following image shows a more detailed malware graph of IRCBot.KC: http://www.pandasoftware.com/resources/des/ircbot_KC.zip

The comparison of the malware graphs for the different variants shows that while the A, B and C variants of Zotob, which caused the alert last weekend, are almost identical to one another, they are very different from the rest, which caused infections throughout yesterday.

Source: Zotob - IRCBot: In-depth Analysis of an Infection, Panda Software Press Release, Aug. 18, 2005.

If you are interested in how they did this (i.e., how to do this kind of graphing yourself), you should read the Graphing Malware entry on the F-Secure AV weblog.
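Panda's ZIP files give you pictures to compare by eye. The idea behind them, that a call graph laid out the same way for every sample acts as a family fingerprint, can also be made quantitative. The following is an added example, not Panda's or F-Secure's code and not derived from their images: it represents each variant's call graph as a set of caller/callee edges, scores pairs by Jaccard similarity of those edge sets, groups variants above a similarity threshold, and lists the edges that differ between two samples. The variant names reuse the ones above, but every edge in the sample data is constructed for illustration; a real analysis would derive the edges from disassembly with function matching, which is well beyond this sketch.

```python
"""Call-graph fingerprints for malware variant comparison (added example, constructed data)."""
import hashlib
from itertools import combinations

# Constructed call graphs: each variant is a set of (caller, callee) edges.
# The function names and edges are made up for this example and are NOT
# taken from the Panda callgraph images or from any real Zotob sample.
VARIANTS = {
    "Zotob.A": {
        ("start", "install_service"), ("start", "open_backdoor"),
        ("start", "scan_hosts"), ("scan_hosts", "probe_port"),
        ("scan_hosts", "send_exploit"), ("send_exploit", "fetch_payload"),
        ("open_backdoor", "irc_connect"), ("irc_connect", "handle_command"),
    },
    "IRCBot.KC": {
        ("start", "inject_explorer"), ("start", "irc_connect"),
        ("irc_connect", "handle_command"), ("handle_command", "ddos"),
        ("handle_command", "download_exec"), ("handle_command", "keylog"),
        ("keylog", "send_report"), ("start", "scan_hosts"),
        ("scan_hosts", "send_exploit"), ("send_exploit", "fetch_payload"),
    },
}
# B adds one edge to A; C swaps A's persistence edge for a different one;
# KD adds one edge to KC. Small edits like these are what the graphs expose.
VARIANTS["Zotob.B"] = VARIANTS["Zotob.A"] | {("start", "disable_av")}
VARIANTS["Zotob.C"] = (VARIANTS["Zotob.A"] - {("start", "install_service")}) | {("start", "add_run_key")}
VARIANTS["IRCBot.KD"] = VARIANTS["IRCBot.KC"] | {("handle_command", "spam_relay")}


def fingerprint(graph):
    """Canonical hash of a call graph: identical graphs hash identically regardless of edge order."""
    canonical = "\n".join(f"{caller}->{callee}" for caller, callee in sorted(graph))
    return hashlib.sha256(canonical.encode()).hexdigest()


def jaccard(a, b):
    """Edge-set Jaccard similarity: 1.0 for identical graphs, 0.0 for disjoint ones."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity_matrix(graphs):
    """Pairwise similarity for every ordered pair of variant names."""
    names = sorted(graphs)
    return {(x, y): jaccard(graphs[x], graphs[y]) for x in names for y in names}


def cluster(graphs, threshold):
    """Single-linkage grouping: variants joined when any pair scores >= threshold (union-find)."""
    names = sorted(graphs)
    parent = {n: n for n in names}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path compression
            n = parent[n]
        return n

    for x, y in combinations(names, 2):
        if jaccard(graphs[x], graphs[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


def changed_edges(base, other):
    """(added, removed) edges of `other` relative to `base`: the concrete 'degree of change'."""
    return sorted(other - base), sorted(base - other)


if __name__ == "__main__":
    sims = similarity_matrix(VARIANTS)
    for (x, y), s in sorted(sims.items()):
        if x < y:
            print(f"{x:10s} vs {y:10s}: {s:.3f}")
    print("families at threshold 0.6:", cluster(VARIANTS, 0.6))
    print("A -> C changes:", changed_edges(VARIANTS["Zotob.A"], VARIANTS["Zotob.C"]))
```

With these constructed graphs the three Zotob variants score between 0.70 and 0.89 against each other while scoring below 0.30 against either IRCBot sample, so a 0.6 threshold reproduces the press release's "A, B and C are almost identical, but very different from the rest" as two clusters. The threshold is a tuning choice, not a constant; on real graphs, compiler layout and library code inflate shared edges, which is why production tools match functions by instruction-level features before comparing graphs.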

September 1, 2005 in malware, Zotob

16 more Zotob suspects

News reports this morning are noting that the FBI and Turkish authorities have announced that they have identified 16 more suspects in the Zotob case. No word yet on how the additional 16 suspects were identified; however, given the apparent financial motives behind the incident and the scale of the operation, it may have been classic detective work that led to this latest development.

The FBI said the Turkish authorities have identified 16 more individuals as suspects in the recent Zotob and the Mytob worm attacks. But Louis M. Reigel III, assistant director of the FBI’s cyber division, said no additional arrests had been made as of Monday.

Based on a code analysis of the worm and its variants, there are at least three gangs of hackers involved with the worm, believes Finnish anti-virus software maker F-secure, according to Mikko Hypponen, director of the company’s anti-virus research. If Turkish officials make the arrests, the action would represent the biggest roundup in the history of the information security business, said Mr. Hypponen.

Source: 16 Sought in Zotob Gang Dragnet, Red Herring online, August 30, 2005. Also see Cyber-cops arrest 16 more Zotob suspects, by Robert Jaques, posted to vnunet.com 31 Aug 2005.

August 31, 2005 in government, media, Zotob