Turk, Moroccan nabbed in huge worm case
Suspects allegedly created worm that disrupted computer networks of major U.S. news organizations.
August 26, 2005: 5:17 PM EDT

WASHINGTON (CNN) - An 18-year-old Moroccan national and a 21-year-old resident of Turkey have been arrested for creating and spreading computer worms that disrupted services on computer networks of major U.S. news organizations and other institutions earlier this month, the FBI announced Friday.

Farid Essebar, a Moroccan who used the screen name "Diabl0," and Atilla Ekici of Turkey, who used the moniker "Coder," were arrested in their home countries by authorities who cooperated with U.S. investigators in tracking the origins of the Mytob worm; a damaging variant, Zotob; and a third worm, RBot.

Assistant FBI Director Louis Reigel, who heads the Cyber Division, said investigators believe Essebar was the author of the codes and sold them to Ekici for financial gain. He said investigators had not determined what other financial crimes may be involved, but said there was not yet evidence of planned identity theft, bank fraud or forgery.

Authorities said they did not yet know how much Essebar had profited, nor did they yet have any estimate of financial damage caused by the attacks.

Officials said neither suspect was on any watch list, suggesting no political motivation for the computer attacks.

In a late afternoon conference call with reporters, Reigel did not rule out the involvement of others in the case and said he was confident that if others were involved in the cyber crimes, officials in Morocco and Turkey would find them.

Law enforcement authorities in the two countries are examining the suspects' relationships with other individuals to determine the nature of those links.

A second unidentified Moroccan who was initially suspected of involvement in writing the code was not arrested, Reigel said.

FBI officials said the two men are expected to be prosecuted by the governments of their home countries.

"Their cyber laws are not as advanced as those in America but the individuals will be charged, and the FBI will provide as much evidence as needed to prosecute," Reigel said.

Microsoft Senior Vice President and General Counsel Brad Smith said even if strong anti-hacking statutes aren't in place, Morocco and Turkey have consumer fraud statutes and consumer protection laws that could apply.

The FBI praised Microsoft for its cooperation in the investigation, and attributed the swift resolution of the case to strong international cooperation. Microsoft said the arrests demonstrated the value of public-private collaboration and returned praise for the FBI effort.

Smith told reporters his firm's Internet crimes unit, which actively participated in the investigation, had been able to monitor the Zotob attacks in "real time."

"We were able to derive technical information and used that to follow the electronic trail," Smith said. "We were able to dissect the worms and obtain information from that process."

Computer services of CNN, ABC News, The New York Times, the U.S. Senate, the Centers For Disease Control and Prevention, Daimler Chrysler and U.S. Immigration and Customs Enforcement were among those affected by the worm, officials said.

The FBI said the Zotob variant W32.Zotob, which caused nearly all of the damage, targeted Windows 2000 and some early XP-based computers by opening a back door that exploited the Microsoft Windows Plug and Play Buffer Overflow Vulnerability.

Smith credited improved security protections and consumer awareness for limiting the damage from attacks on Windows XP and 2000 systems.

The quick arrests of Zotob's suspected creators were cheered by industry experts.

"I'd like to see this as a trend, that legal action is taken while the event is still fresh in people's minds," said virus expert David Perry of the computer security company TrendMicro.

In the past, it has taken law enforcement months and sometimes longer to arrest and prosecute those who write and distribute Internet viruses, worms and other malicious software. And quite often, there's no arrest at all.

Part of the problem, Perry said, is that technology laws differ dramatically from country to country, and in some places laws don't even exist to make virus writing a crime.

"There's a big effort in NATO and the EC (European Commission) to promote better international cooperation," he said. "Laws are being discussed in international forums to try to normalize law, so suspects can be extradited."

The complexity of Internet exploits and the huge illicit rewards from stealing credit card numbers and other personal information make the apprehension of virus creators an ever-growing cat-and-mouse game. Security experts say there are vast criminal networks with specialists in every aspect of a virus or worm attack.

"It's a lot like the movie industry: You have producers, you have the actors and you have the distribution network," said David Maynor of Internet Security Systems. "This network is much the same way. You have people who decide what they want to get done, they pass it to the producers who will actually make it happen, get someone to package it up and make sure it works, then the distributors whose only job is to distribute it to other people."

While this worm was not as widespread as other Internet scourges, it got a lot of attention because of the high-profile places it hit.

Computer security companies encourage users of the Windows 2000 operating system to use anti-virus and anti-spyware programs to make sure the machine is not being used as part of a "zombie network," even if there are no signs of infection.

Zotob and its RBot variants can be used to remotely instruct computers to send e-mail spam, steal personal data or attack other computers without the user's knowledge.
