Summer's Zotob Attack Cost Companies $100K Each In Cleanup

Virginia-based Cybertrust surveyed 700 enterprises on the impact of Zotob, a bot worm that exploited a vulnerability in Windows 2000 during August, 2005. Although Zotob wasn't as widespread as other notable malware, such as Sasser, MSBlast, or Slammer, it raised a ruckus in media companies and briefly slowed overall Internet traffic.

"Sasser had more impact," said Russ Cooper, Cybertrust's senior information security analyst. "Compared to earlier worm outbreaks, Zotob impacted significantly fewer organizations."

About 13 percent of the enterprises polled reported that they experienced at least some negative impact from Zotob, with a bit less than half of that, just 6 percent, classifying the damage as moderate or major, meaning that they suffered more than $10,000 in costs and had one or more business-critical systems affected.

By comparison, 2003's MSBlast rang in with five times the number of organizations in the moderate-to-major category. In 2004, nearly half of the companies surveyed (49 percent) by Cybertrust about Sasser said that they'd been affected to some degree, nearly four times the rate of Zotob.

"This worm and its impact complements Cybertrust&'s intelligence that illustrates the goal of hackers today is no longer widespread system shutdown, but rather more frequent, smaller attacks with specific targets powered by a drive for financial and information gain,” said Cooper.

Most security experts have been talking up that trend for some time, but Cybertrust's report is one of the first to put data on the prediction.

"Under-the-radar attacks are more likely today," noted Cooper, explaining that it is in attackers' interests to narrow the focus of their attacks; it allows them to operate with relative immunity.

"Look at the three Dutchmen who were just arrested for collecting hundreds of thousands of bots," Cooper said, referring to recent news from the Netherland about the arrest of three men charged with creating and using a botnet of as many as 1.5 million computers. The three reportedly used a bot worm dubbed Toxbot to compromise machines

"Toxbot wasn't on anyone's radar, it didn't make it into any media stories," said Cooper. "There is going to be a point where virtually everything falls under the radar, and then we'll have to revise the way we look at anti-virus defense."

Cooper's report laid out other details of the Zotob attack as well. Companies spent about $97,000 to clean up a Zotob infection, the report noted, and 61 percent said that it took 80 or more hours to put their networks back together.

And more than one in four impacted companies were hit by Zotob because no firewall was in place or firewall policies were incorrectly set.

That was one of the surprises to Cooper. "Companies need to review security basics, like firewalls," he said. "Schmancy fancy is wonderful, but if you're not doing the basics, who cares?"

Two men were arrested in Turkey and Morocco in late August, and charged with creating and distributing Zotob. Neither man has yet faced trial.