washingtonpost.com
Suspected Worm Creators Arrested
Hunt for Zotob Authors Leads To Turkey, Morocco

By Brian Krebs
Special to The Washington Post
Saturday, August 27, 2005

Officials in Turkey and Morocco have arrested two men thought to be responsible for creating computer worms that infected hundreds of thousands of computers worldwide this year, including the Zotob worm that crippled several high-profile companies this month, the FBI said yesterday.

Police in Morocco arrested Farid Essebar, 18, a Moroccan national born in Russia who used the online moniker "Diabl0." Authorities in Turkey arrested 21-year-old Atilla Ekici, known by the online alias "Coder."

Essebar and Ekici are suspected of releasing the Zotob and Mytob computer worms that were designed to take advantage of flaws in Microsoft's widely used Windows operating system. The suspects' nicknames can be found in the original computer programming code for Zotob, according to the FBI and Microsoft Corp., both of which worked with overseas officials on the case.

Authorities said the pair were using the worms in a money-making scheme and did not appear to have any terrorist connections.

Worms and viruses are malicious software that often are introduced when someone opens an infected computer file, such as an e-mail attachment. They can take over a computer hard drive, often making the contents available to hackers. Worms like Zotob are even more dangerous because they can seek out and infect computers on a network without any action on the part of users, exploiting weaknesses in the software that Windows uses to communicate online.

Mytob is an e-mail worm that emerged in late February and has since spawned dozens of variants. Hackers have used Mytob to steal personal information from infected computers and to make the computers automatically send out spam e-mail to others. Authorities also believe the two suspects authored a Mytob predecessor known as "Rbot," a prolific family of Trojan horse programs that allow attackers to maintain access to infected computers.

The Zotob worm first emerged on Aug. 14, just four days after Microsoft released a patch to fix a security flaw in Windows that the worm was designed to exploit. Two days later, several companies -- including CNN, the New York Times and ABC News -- reported that a variant of Zotob had infiltrated their computer networks. The worm also temporarily disabled the systems that the Department of Homeland Security uses to screen airline passengers entering the United States.

A spokesperson for Homeland Security praised the FBI and Microsoft yesterday for the swiftness of the investigation but declined to comment further.

Zotob and subsequent variants of the worm infected at least 255 companies around the world, said Oliver Friedrichs, a senior manager at Cupertino, Calif.-based Symantec Corp., a computer security company.

The spread of the Zotob worm was tempered both because it infected only computers running Windows 2000, an operating system primarily used by businesses, and because Internet service providers typically filter the type of Web traffic generated by the worm. As a result, most of the Zotob infections were limited to corporate networks.

Louis M. Reigel III, assistant director of the FBI's Cyber Division, said evidence indicates Ekici paid Essebar to develop the worms and that the two used them for financial gain. Reigel declined to say whether the men were connected to a larger criminal enterprise. But according to information released by the Moroccan government, the two men are alleged to have forwarded financial information stolen from victims' computers to a credit-card fraud ring.

Police who raided Essebar's home found a computer that contained the original programming instructions for the first version of the Zotob worm, according to a law enforcement source who was involved in the investigation but spoke on condition of anonymity because the information could affect legal proceedings in Turkey.

The United States has an extradition agreement with Turkey, but Reigel said the government would not seek to extradite either man. Rather, he said, both countries have specific laws against computer crimes that should allow local authorities to prosecute.

Krebs is a staff writer for washingtonpost.com.

© 2005 The Washington Post Company