TechWeb

FBI: Suspected Zotob Makers Arrested

Aug 26, 2005 (12:08 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=170100954


Two men have been arrested by local authorities in Turkey and Morocco, and charged with creating and distributing the Zotob and Mytob worms, as well as Rbot bot worm, the FBI announced Friday in a conference call with news media.

Farid Essebar, 18, a Moroccan national born in Russia and known by the moniker "Diabl0," was arrested by Moroccan authorities, while Atilla Ekici, aka "Coder," a 21-year old resident of Turkey, was grabbed by Turkish police.

The two are believed to be behind the Zotob attacks that began last week, quickly infected thousands of machines worldwide, and brought down some corporate and media networks running vulnerable Windows 2000 PCs. They are also suspected of being behind Mytob, which harks back to February 2005, and Rbot, an IRC-controlled bot which debuted in August 2004.

The FBI's investigation doesn't go back that far, but it did begin long before the Zotob outbreak, said Louis Reigel, the assistant director of the FBI's Cyber Division.

"We started our initial investigation [of Mytob] in late March, but it became very aggressive in the last two weeks," Reigel said. "The arrests were made from a trail that came to light in the last two weeks [since Zotob]," confirmed Brad Smith, Microsoft's general counsel, who also participated in the call.

According to the FBI, Essebar was the one who wrote the worms and bots, and was then paid for his work by Ekici. "There was a financial relationship between Essebar and Ekici," said Reigel, "and we believe that there was financial gain on the part of the Moroccan, Mr. Essebar."

Microsoft, said both Reigel and Smith, was instrumental in tracking down the pair. Microsoft's Internet Crime Investigations Team began monitoring the first wave of Zotob attacks last week, and used that information, as well as technical analysis of the worm, to "follow the electronic trail back to the source, so to speak," Smith said.

Microsoft's Anti-Virus Reward program, which started in 2003 and offers bounties of $250,000 for information that leads to the arrests of some worm writers, didn't play a part here, said Smith. "The arrests were not made based on a tip-off; they were based on our Internet Crime Investigations Team."

Microsoft's reward program has had spotty success, although it contributed to the arrest last year of the Sasser worm writer, a German teenager who was convicted and sentenced in early July of this year.

Both Essebar and Ekici will face charges in their home countries, Reigel said, although he wasn't able to detail the exact charges which had been filed nor the possible penalties. There is no plan to extradite the two to the United States, he added, in part because there is no extradition treaty with Morocco.

Nor would either Reigel or Smith of Microsoft speculate as to the motive for writing and distributing the various worms. Although some media reports -- including one out of Morocco -- claimed that the two men were involved in bankcard fraud, Reigel said there was no evidence of that.

"We have no information that this case relates to identity theft or bank fraud," said Reigel.

Smith praised the FBI and the cooperating overseas law enforcement for jumping on the case so quickly. "I think that such fast law enforcement action spanning not only multiple countries but multiple continents speaks volumes about the progress law enforcement has made against cyber criminals," Smith said.

He also defended his company, which is frequently lambasted for its many security problems, by claiming, as have other officials, that the root cause for the attack isn't necessarily Microsoft's fault, but is due to the overwhelming popularity of its products.

"We have very popular products, and so we're put under this kind of pressure," said Smith. "But security remains our highest priority."