Virus writer Diabl0, author of some of the MyTob family of viruses, appears to be responsible for the current outbreak of Zotob variants that, over the last few days, has caught out many organisations, including several global media companies. It could spell the beginning of a period of intense malware activity similar to the Netsky-Bagle wars, according to security experts at MessageLabs, the leading provider of messaging security and management services to businesses.
While this latest Zotob variant is not email-borne, it does contain an apparently inactive copy of the email engine from MyDoom, and it is expected that future versions may therefore also spread by email. Research indicates that Diabl0 may be based in Turkey, although the availability of source code for various versions of MyDoom and MyTob does cloud the picture somewhat.
The new worm, which first hit late yesterday, is spreading via vulnerabilities in the Plug-and-Play functionality of Windows 2000. It is likely that it has most successfully infected organisations that do not have adequate protection from viruses penetrating the corporate network via remote workers operating in non-secure environments. However, MessageLabs believes that companies struck by the virus are merely collateral damage in the malware authors' attempts to compromise home computers to generate zombie armies.
Alex Shipp, Senior Anti-Virus Technologist at MessageLabs, comments:
"The fact that companies have been severely hit by Zotob indicates that lessons haven't been learnt from Blaster, which struck back in 2003. It again highlights the vital need for internal firewalls in addition to anti-virus software and regular patching and updating, so that road warriors cannot bring infection into the company.
"More importantly, however, we have discovered separate malware in the wild – one which is a similar worm identified as Bozori – that is designed to de-install Zotob. These competing factions are part of organised criminal gangs and seem to be duelling for control of the botnets of domestic PCs in order to perpetrate wider internet criminal activity. We may well now see a period of intense malware activity as these groups vie for pole position."