Security threats Toolkit

Police arrest suspected virus writers

Tags:
Trojan Horse,
Zotob

Tom Espiner ZDNet.co.uk

Published: 27 Jun 2006 16:45 BST

The Metropolitan Police, acting in conjunction with Finnish law-enforcement authorities, arrested three suspected virus writers on Tuesday.

A 63-year-old man in Suffolk, a 28-year-old man in Scotland, and a 19-year-old man in Finland were arrested for "an international conspiracy to infect computers using viruses attached to unsolicited commercial email (spam)", according to a Metropolitan Police spokeswoman.

The Metropolitan Computer Crime Unit, the Finnish National Bureau of Investigation (NBI Finland) and the Finnish Pori Police Department collaborated to arrest the men, who are all suspected of being members of the M00P (M - zero - zero - P) cybercriminal gang.

A number of computers have been seized at residential addresses in England, Scotland and Finland, in addition to the suspects' servers, the Met said.

"This highly organised group are suspected of writing new computer viruses in order to avoid detection by antivirus products. They have been primarily targeting UK businesses since at least 2005, and during this time thousands of computers are known to have been infected across the globe," the spokeswoman said.

Antivirus vendors McAfee and Sophos believe the suspects may have been involved in writing a Trojan variously known as Stinx, Breplibot, and Rykanos. The Trojan was spammed out to many thousands of businesses, in an attempt to infect computers and compromise them. Once the computers were compromised, they could be controlled using Internet Relay Chat (IRC), a protocol used in instant online communication.

The computer viruses ran in the background on an infected computer without the knowledge of the computer's owner, allowing the criminals behind the virus to access any private and commercial data stored on the computer, according to the police.

The Metropolitan Police spokeswoman told ZDNet UK that businesses that suspect they have been affected by viruses written by the gang should contact their local police station.

According to Graham Cluley, senior security consultant for Sophos, "Stinx had a UK bent. Some of the spam would pretend to come from a UK petrol prices site."

McAfee's UK security consultant Greg Day said that as well as installing a backdoor, the Trojan would also attempt to hide itself by exploiting the rootkit-like properties of any Sony BMG digital rights management software installed on a system.

Cluley said the group could also have been responsible for writing a worm Sophos called "Tibick", written in 2004. The worm spread via file-sharing networks, and again created a backdoor and connected the compromised machine to an IRC channel.

Cluley said the group may have been involved in writing software designed to exploit computers previously compromised by other cybercrime gangs.

"They may have been involved in trying to release bot worms that exploited machines previously infected by Zotob and RBot, to take over compromised computers," said Cluley. "Rival gangs fight for the ownership of zombies. They find other botnets and take them over because they're such a valuable commodity. The OX90 gang that created Zotob would be natural rivals to M00P," Cluley told ZDNet UK.

The Metropolitan Police said that the international co-operation between the specialist law-enforcement units had produced "this really significant result."

"These men appear to be connected via an online company," said detective constable Bob Burls of the Metropolitan Police Computer Crime Unit in a statement.

"We believe the suspects created and adapted viruses with the aim of causing massive infection by spamming. Today's arrests will send a clear worldwide signal to the authors of malicious software that national borders will not limit the ability and commitment of law-enforcement authorities to clamp down on this criminal activity," Burls added.