Zotob: A Malware Event in Warp Speed

September, 2005

Zotob was not the costliest malware attack on record; it wasn't even close. Love Bug owns that record, causing almost $8 billion in damage worldwide. Nor was Zotob anywhere near the most sophisticated attack; there have been several far more sophisticated attacks over the past two years. And Zotob wasn't even the fastest-spreading attack. That distinction still belongs to MyDoom, which is estimated to have infected one out of every twelve emails worldwide in less than twenty-four hours.

However, Zotob (sometimes referred to as Zobot) did set some speed records, with the entire episode driving forward at warp speed. Zotob.A and Zotob.B began exploiting a known Microsoft flaw within five days after the company announced the security vulnerability and its related patch. Whether this is the fastest such exploit ever recorded is a matter of some debate, but it is generally regarded as the fastest, especially among high-profile attacks. Additionally, the time between the release of the code and the capture of the suspected individuals involved was less than two weeks, a remarkable story in itself. Incidentally, the individuals captured by the Turkish and Moroccan authorities (with considerable assistance from the FBI) are also suspected of releasing the Mytob attack.

Targets of the Attack
For the most part, the Zotob attack affected organizations running Windows 2000 that were slow to apply Microsoft's patch. One of the reasons Zotob received so much press was that CNN and ABC were among the organizations hardest hit. I was interviewed by both CNN and ABC News, who asked for cost estimates on the damages. One of these reporters told me that many of their staff members had to hunt down IBM Selectric typewriters to write news copy, while their production personnel had to use stopwatches to time station breaks! Other major organizations hit hard by Zotob included the U.S. Congress, the New York Times, General Electric, Caterpillar Corporation, and the San Francisco International Airport.

Many of the major companies that were hit by Zotob have taken a lot of flak for not having patched a known vulnerability. However, it is not unusual for companies to delay applying the latest patch release. In a large organization, operating system patches need to be tested to ensure that they will work properly with the other software and drivers installed across the enterprise.

When an OS patch addresses a security threat, large companies are essentially gambling that it is safer to wait and make sure the new patch release is bug-free than it is to rush the patch into their production environment in response to a potential threat. Even companies that are diligent about applying patches often must find "safe" time periods in which to perform the tasks involved. In companies with thousands of desktops and hundreds of servers, this process can take quite a while, and the labor involved is not trivial.

Cost Estimates on Zotob
During my interview with CNN, the reporter stated that even though the Zotob attack had a significant impact on their organization, they were able to implement manual workarounds for their critical functions. So the general feeling was that the cost of the damage was low.

While implementing manual workarounds for critical functions does help limit the cost of the damage, many non-essential activities may be placed on hold, creating a backlog of work and slowing the overall functioning of the business. In the case of a news agency, this would only become costly if the agency were knocked off the air. However, in many organizations the cost of switching over to manual processes can be substantial, especially if there is a significant time lag. In fact, the cost associated with non-productive employees is now one of the most damaging aspects of a malware attack.

While Zotob will not rank with the all-time cost damage leaders, Computer Economics estimates that the dozen or so variants of Zotob that were released in the wild in August will account for approximately $500 million in worldwide damages when the final results are tallied.