Zotob Worm Is Bad But It's Not Sasser or MSBlast

Don't panic. Take a breather. The Zotob bot attacks may be among the biggest of 2005, but they aren't anywhere near the level of last year's Sasser.

August 18, 2005


The Zotob bot attacks may be among the biggest of 2005, but they aren't anywhere near the level of last year's Sasser, security and Web performance monitoring companies said Wednesday.

While some reports have likened this week's bot outbreak -- which attacks unpatched Windows 2000 PCs -- to 2004's Sasser blitz or the even bigger MSBlast incident in 2003, experts are saying "hold the phone."

According to Moscow-based anti-virus vendor Kaspersky Labs, the attack that has affected nearly 200 enterprises was caused by the Bozori bot, which also goes by names such as Zotob.f and Tpbot.a. But there's no Internet-wide epidemic.

"There has not been any noticeable increase in network activity which could be ascribed to this worm," said Kaspersky in an e-mail alert.

"During the Sasser epidemic in May 2004, Sasser caused an increase in network traffic of approximately 20 to 40 percent. At the moment, there are no signs of a similar increase," the alert continued.

Kaspersky's perspective was in line with other security analysts on Wednesday.

Symantec's Oliver Friedrichs, senior manager of the company's security response team, said earlier that "the bots are not affecting the Internet at large, but they are affecting a number of the world's biggest businesses."

Two Web monitoring vendors confirmed that the Internet is up and running normally even though some enterprises may have suffered temporary outages.

"I don't have a scientific number to give you," said Ken Godskind, the vice president of Boca Raton, Fla.-based AlertSite.com. "But I will tell you, that if there was any performance difference yesterday compared to a week ago, it was very small."

A slow response time from one of AlertSite's benchmark sites hosted in Shanghai, due to more-aggressive-than-average Chinese government filtering, threw off Godskind's numbers enough that he couldn't make specific apples-to-apples comparisons between Tuesday's Net performance and that of a week ago.

U.K.-based Netcraft, however, didn't hesitate to say that it knew Sasser and Zotob was no Sasser.

The Zotob attack, it said on its Web site, "has had no visible impact upon major Web sites."

Any damage caused by Zotob and its ilk is limited to corporate internal networks, noted Netcraft, citing its Fortune 100 Web site numbers to prove that there are no unusual outages.

(The most significant outage as of mid-afternoon Wednesday, in fact, was Walgreens' walgreens.com, which is powered not by Microsoft Windows servers, but by systems running Sun's Solaris operating system.)

Netcraft's FTSE 100, a U.K.-specific list of top business Web sites, did show several sites powered by Windows Server 2003 with performance problems, including one -- the Gallaher Group -- with a three-and-a-half-hour-and-counting outage. According to Microsoft, while Windows Server 2003 is vulnerable to exploitation of the Plug and Play technology, an attacker must have a valid log-on, and cannot attack anonymously and remotely, as the Zotob bots do. It's unlikely, then, that these outages are associated with the bot worms on the loose.

"Since the [Microsoft] patch was issued, approximately 10 malicious programs which exploit this vulnerability have been detected," added Kaspersky. "The published information about these in our opinion is more likely speculation which was not supported by any factual evidence of an epidemic.

"None of these bots have caused any significant epidemic."
