Just five days after Microsoft divulged a critical vulnerability in Windows 2000, several bot worms began attacking unpatched systems using exploit code released by the same group responsible for the code used to construct the Sasser worm.
Although some analysts said that the sophisticated nature of the bots could cause problems, most didn't expect this attack to reach the "meta-event" level of Sasser or 2003's MSBlast.
"We reverse engineered one of the bots yesterday, found the IRC channel used by the bot masters to communicate with their bots, and idled there for a while," said David Maynor, a researcher with X-Force, the research arm of Internet Security Systems and the group credited with the original discovery of the Plug and Play vulnerability. "The count of infections wasn't all that high. A new system was infected about every 30 seconds. Sasser, in comparison, infected about 10 PCs every second."
Two of the bot worms, dubbed Zotob.a and Zotob.b by most anti-virus firms, are the most prominent, and were widely publicized by security vendors starting Sunday, August 14.
Zotob is technically a bot, which in simple terms is a combination of a self-propagating worm and a Trojan horse. The former spreads the malicious code, while the latter typically installs a backdoor through which the attacker can load additional code onto the compromised PC. Such infected and controlled machines are often used to send spam, conduct denial-of-service (DoS) attacks (or extort money under the threat of a DoS attack), and host phishing Web sites.