Security threats Toolkit

Two arrested over Zotob worm

Tags:
Turkey,
Morrocco,
Zotob,
Arrests

Joris Evers CNET News

Published: 30 Aug 2005 08:50 BST

Law enforcement officials have arrested two men suspected of unleashing of a pair of computer worms, including last week's Zotob, which hit servers at American Express, The New York Times and elsewhere.

Farid Essebar, age 18, a Moroccan national born in Russia, was arrested in Morocco, and 21-year-old Atilla Ekici, a Turkish resident, was arrested in Turkey, Paul Bresson, a spokesman for the FBI, said Friday. Both suspects were detained towards the end of last week and will be prosecuted in the countries in which they were arrested, Bresson said.

Bresson said that Essebar, who went by the nickname "Diabl0", and Ekici, known as "Coder", are suspected of creating both the Mytob and Zotob worms.

The Zotob worm attacked computers running Microsoft's Windows 2000 operating system, and the worm and its offshoots last week hit PCs and servers worldwide, including machines at ABC, CNN and Daimler Chrysler.

Zotob included some of the code used in Mytob, an email worm that first started spreading in March. To date, more than 100 variants of Mytob have been spotted. The worm is distributed via spam campaigns and features so-called backdoor capabilities, allowing attackers to remotely control infected computers.

Both Mytob and Zotob attacked computers running Windows. Zotob and its variants exploited a security hole in the plug-and-play feature in the OS, for which Microsoft provided a fix earlier this month, as well as a free service to remove the worm from infected machines.

The FBI initiated the investigation into Mytob and Zotob, cooperating with Microsoft and others to trace the origins of the worms, Bresson said. Law enforcement agencies in Morocco and Turkey were instrumental in the investigation, he said.

The bureau alleges that Essebar wrote both the Mytob and Zotob worms and then sold them to Ekici. "We believe that there was financial gain on [Essebar's] part," Louis Reigel, assistant director of the FBI's Cyber Division, said in a conference call with the media. He did not provide further details.

The investigation started in late March, after the Mytob release, Reigel said.

The probe intensified when Zotob hit. Microsoft's Internet crime investigation team dissected the worm and found leads to the two suspects, Brad Smith, Microsoft's general counsel, said on the conference call.

"The trail that we ultimately were able to follow that led to these individuals is a trail that came to light in the last two weeks, after the launch of Zotob," Smith said.

Microsoft hails the arrests as an example of a successful partnership between the private sector and law enforcement. "Our entire industry, especially in partnership with law enforcement, is able to move much more quickly and in a more sophisticated way today than was the case, say, two years ago, and that is certainly part of what made it possible to get to this point within two weeks," Smith said.

The actual legal charges against the individuals are not yet known. Turkey and Morocco will charge the suspects, and the FBI will provide evidence for the prosecution, Reigel said.

The investigation into the Mytob and Zotob worms is ongoing and others may be arrested, Reigel said: "The Moroccan and Turkish authorities are doing a full investigation to determine if there were other individuals involved."