Zotob shows a dark future


Perhaps the year's most dangerous and certainly most headlined worm hit the internet in August, shutting down a number of high-profile organisations.

Stories of ABC reporters wheeling out typewriters after catching the Zotob worm were set against the backdrop of thousands of companies scrambling to patch Windows 2000 and XP SP1.

In late August, two virus writers were arrested in Morocco and Turkey, suspected of creating and propagating Zotob.

Despite the arrests, and the relative inactivity of network worms in early 2005, experts said the death of the network worm had been greatly exaggerated.

"I suspect people thought it went away because it's easier to record email-borne worms," said Graham Cluley, senior technology consultant at Sophos. "So Bagle and Netsky appear on charts, but network worms are ignored. Rbot and Poebot never registered on charts, but did cause damage earlier this year."

David Emm, his opposite number at Russian antivirus firm Kaspersky Labs, agreed.

"Despite the relative decline in the past six months, the threat has always been there," he said. "Look at the increased criminalisation of the virus-writing world. Things are more organised now, worms are flying under the radar."

Zotob surprised many with its speed, appearing within a week of the Microsoft vulnerability being revealed. But Emm explained this is a logical step in viral trends.

"Writers are looking for the first opportunity to exploit a vulnerability. We are not necessarily seeing any major technical innovation, but we are seeing viruses that are aimed at not spreading too far or too quickly," he said.

Zotob hit CNN, ABC, the New York Times, the FT and the University of Helsinki, swiftly taking down firms that had failed to patch themselves adequately.

In an era of improved firewalls, the suggestion is that some companies are being lax with their patch management.

"It's important to remember that the work of the truly skilled hacker goes completely undetected," said Chris Andrew, a VP at patch management company PatchLink.

"The reality is that most commercial businesses are at risk from worm attacks because of a systematic failure to deploy patches."

Copyright © SC Magazine, US edition
