Zotob is a 2005 Windows worm that exploited the Microsoft Windows Plug and Play buffer overflow vulnerability addressed by MS05-039. It primarily targeted unpatched Windows 2000 systems and spread over TCP port 445; some reporting also states it propagated via shared folders on networked computers. Multiple variants appeared rapidly after disclosure of the vulnerability, including W32.Zotob.A, B, C@mm, D, E, F, G, I, and J@mm, and related detections referenced in reporting include Rbot.cbq, SDBot.bzh, and Zotob.d. Security reporting described Zotob as derived from or related to the Rbot/Mytob ecosystem, with some analyses stating it was a Mytob variant or descendant that incorporated the Plug and Play exploit as an additional attack vector.
Reported behavior includes opening a backdoor that allowed remote control via IRC, creating botnet-capable infections, attempting to remove software including antivirus and other countermeasures, and causing infected systems to reboot repeatedly. One account states Zotob self-replicated across reboots, resulting in multiple copies on infected hosts. Symantec remediation guidance states that associated variants modified registry values and the Windows Shared Access service, and that the removal tool terminated malicious processes, deleted associated files and registry entries, and restored the Shared Access service to its default state.
Zotob caused operational disruption at multiple high-profile organizations in August 2005. Reported victims include CNN, ABC News, The Associated Press, The New York Times, the Financial Times, Caterpillar, Boeing, CIBC, and DaimlerChrysler, where 13 U.S. automobile manufacturing plants were reportedly forced offline for nearly an hour. Reporting also states that more than 100 companies were affected. The outbreak was widely publicized because infected Windows 2000 systems at CNN rebooted repeatedly on air, although SANS ISC and Microsoft assessed the incident as localized rather than a major Internet-wide event.
The malware was associated in reporting with Farid Essebar, also known as "Diabl0," who was arrested in Morocco in August 2005, and Atilla Ekici, arrested in Turkey. Investigators alleged Essebar created Zotob and that Ekici paid him to do so. Several sources note that the string "Diabl0" was embedded in Zotob-A and that the worm connected to IRC infrastructure also used by earlier Mytob activity. Some reporting further links the exploit component to code written by the Russian hacker known as "houseofdabus." At the same time, reporting indicates that multiple actors had access to related source code and continued producing variants after the arrests.
High-confidence indicators and technical references directly mentioned in the cited reporting include exploitation of MS05-039, use of TCP port 445 (Microsoft-ds), IRC-based command and control/backdoor functionality, the embedded handle "Diabl0," and the Zotob variant names listed above.
1 CVE has been correlated with this family across public research and vendor advisories.
Microsoft Plug and Play contains a flaw in the handling of message buffers that may result in local or remote arbitrary code execution or denial-of-service conditions... The Plug and Play service in Microsoft Windows contains a buffer overflow that may allow an attacker to execute arbitrary code or cause a denial-of-service condition... multiple variants of exploit code for this vulnerability are publicly available. In addition, reports indicate that this vulnerability is being actively exploited by malicious software including the Zotob worm. The exploit code seen in the wild includes but is not limited to functionality that attempts to remove software (including anti-virus applications and other countermeasures) and that opens a backdoor that allows the computer to be remotely controlled through mediums such as Internet Relay Chat (IRC), known as a "zombie".
1 distinct threat actor has been attributed by public researchers.
Farid Essebar, 18, a Russian-born Moroccan resident, was arrested by investigators last Thursday, less than two weeks after Zotob worms exploited recently-discovered Windows flaws to disrupt high-profile organisations around the world.
10 sources are tracked across advisories, community write-ups, and news.
2005-08-29 - Suspects in the creation of the Zotob worm arrested by the FBI
A Windows 2000 worm described as a variant of Mytob that incorporated exploit code written by houseofdabus. It spread to compromise PCs and turn them into zombie machines, and was allegedly created for financial gain.
A worm family that spreads via shared folders on networked computers, adds registry values, runs associated processes, and modifies the Shared Access service settings on Microsoft Windows systems.
A worm family that exploited recently discovered Windows flaws, particularly the Windows Plug-and-Play vulnerability, to spread and disrupt organizations. The article also indicates Zotob variants were used in competition for control of vulnerable Windows PCs.