The worm exploits the Plug and Play vulnerability that Microsoft published on 9 August 2005 as MS05-039. Only about seven days passed between the disclosure of the vulnerability and the appearance of the worm. Its effects include: causing the system to reboot repeatedly, leaving a backdoor on the system, and preventing the anti-virus software installed on the system from updating. This computer worm now has several variants and has begun to paralyse online communications in some regions.
Zotob has several aliases, including Rbot (cbq, ebq, etc.). It spreads over TCP port 445, the Microsoft networking (microsoft-ds) port.
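Because the worm spreads by contacting TCP port 445 on other machines, the defender-side signal is a single host opening connections to many distinct hosts on that port in a short time, which ordinary file-sharing clients (one client, a handful of servers) do not do. The following is an added example, not code from the article or from any of the sources it cites: it parses a constructed firewall log format (the "src=... dst=... proto=... dport=..." layout and all addresses are assumptions made for this example), then flags sources that reach a configurable number of distinct hosts on TCP/445 inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall log layout, constructed for this example; real products
# use their own formats and the regex would be adapted accordingly.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto").lower(),
        "dport": int(m.group("dport")),
    }


def find_port445_scanners(lines, window=timedelta(minutes=5), min_targets=10):
    """Return {src: max_distinct_targets} for sources that contact at least
    `min_targets` distinct hosts on TCP/445 within any `window`-long span.
    Only SMB connection attempts are considered; other ports are ignored."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 445:
            continue
        events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, hits in events.items():
        hits.sort()  # time order, so a sliding window is valid
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= min_targets:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def sample_logs():
    """Constructed sample: one legitimate client talking to a single file
    server, some web traffic, and one host sweeping a /24 on port 445."""
    base = datetime(2005, 8, 16, 17, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    # Legitimate SMB client: repeated connections, but only one server.
    for i in range(6):
        ts = (base + timedelta(seconds=30 * i)).strftime(fmt)
        lines.append(f"{ts} src=10.0.1.20 dst=10.0.5.5 proto=tcp dport=445 action=allow")
    # Unrelated web traffic from the same client (ignored by the detector).
    lines.append(f"{base.strftime(fmt)} src=10.0.1.20 dst=10.0.9.9 proto=tcp dport=80 action=allow")
    # Worm-like behaviour: one host touching 30 distinct hosts on 445 in under a minute.
    for i in range(1, 31):
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f"{ts} src=10.0.3.7 dst=10.0.1.{i} proto=tcp dport=445 action=deny")
    return lines


if __name__ == "__main__":
    for src, count in find_port445_scanners(sample_logs()).items():
        print(f"{src}: {count} distinct TCP/445 targets within the window")
```

The threshold and window are tuning knobs: on a segment where a backup or inventory system legitimately touches many hosts on 445, those sources would need an allow-list, while a lower threshold catches slower scanning at the cost of more false positives.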
Characteristics of the Rbot variants
The Rbot family of variants appeared in August 2005; their distinguishing feature is that they make affected computers restart repeatedly (soft reboot). The largest outbreak occurred on 16 August 2005 and disrupted the network systems of several multinational corporations, including the well-known news network CNN. Because of this incident, CNN covered the Rbot outbreak in its own news broadcast.
Timeline of events
August 9, 2005: Microsoft releases a security advisory
"On 9 August, Microsoft released critical security advisory MS05-039 which revealed a vulnerability in the Plug-and-Play component of Windows 2000. Code to patch the loophole was also made available." [1]
Writing the worm: investigators believe that, after following Microsoft's announcement, the author used the newly disclosed problem, together with the test program Microsoft provided, to retool the older Zobot. He had earlier modified and released SD-Bot and IRC-Bot before releasing the Rbot derived from Zobot. [2]
August 13, 2005: Emerged on Saturday
"The worms, called Zotob and Rbot, and variants of them, started emerging Saturday, computer security specialists said, and continued to propagate as corporate networks came to life at the beginning of the week." [3]
August 16, 2005: Took down CNN live
"Around 5 p.m. problems began at CNN facilities in New York and Atlanta before being cleared up about 90 minutes later." [4]
"CNN, breaking into regular programming, reported on air that personal computers running Windows 2000 at the cable news network were affected by a worm that caused them to restart repeatedly." [5]
"The Internet Storm Center, which tracks the worldwide impact of computer worms, indicated on its Web site that no major Internet attack was underway. Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point, the site read." [6]
August 17, 2005: CIBC and other banks, companies affected
"CIBC says the Zotob worm caused some isolated outages, but did not affect ATMs, Internet or phone banking. The virus also hit other Canadian businesses but has not caused widespread shutdowns." [7]