Law enforcement officials in Turkey and Morocco arrested two men in connection with the recent release of the Zotob worm, the FBI announced. Local authorities arrested 18-year-old Farid Essebar in Morocco and 21-year-old Atilla Ekici in Turkey on Thursday, according to the FBI. The U.S. law enforcement agency believes that Essebar coded the Zotob worm and the Mytob bot software, on which the worm was based, for Ekici, who allegedly paid the programmer.
"The Moroccan was responsible for writing the code," Louis M. Reigel III, assistant director of the FBI's Cyber Division, said during a Friday afternoon press conference. "He had a financial relationship with the Turkish man."
Essebar and Ekici used the online handles Diabl0 and Coder, respectively, Reigel said. Another Moroccan man was also initially suspected but has not been arrested, he added.
The Zotob worm started spreading on August 14, but mainly affected systems running Windows 2000, Microsoft's five-year-old operating system. Initially, the worm seemed to compromise few systems. However, two days later, computers at CNN and the New York Times became infected by one or more variants of the worm, and the public profile of the programs increased a notch.
The Zotob worm, and its later variants, are all based on versatile attack programs, known as bot software, to which the ability to spread via a flaw in Microsoft's Windows Plug-and-Play functionality had been added. Several bot programs had incorporated code to exploit the flaw as early as August 12, and, starting with the Zotob worm, gained the ability to automatically find and infect systems by the weekend. At least 12 versions of bot software used the exploit to spread, according to antivirus companies.
The Zotob worm compromises systems by sending data on port 445. Once a computer is infected with the program, the worm creates a file-transfer protocol (FTP) server on it and uses that server to upload the worm to other vulnerable systems.
The worm shows its pedigree by retaining some bot functionality. Computers infected with the worm will join an Internet relay chat (IRC) session at a predefined address. An attacker who knows the IRC channel password can command the bot to disconnect from or reconnect to the IRC channel, obtain system information, clean itself from the system, modify security settings, and download or execute files, according to an analysis of the Zotob.B worm.
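As an added example (not from the article or its sources): a small flow-log correlation that flags a host showing the propagation sequence just described, namely an inbound connection on port 445, followed by that host reaching out to other machines on 445 and checking in to IRC. The flow records are constructed, and 6667 as the IRC port is an assumption, since the article names no port.

```python
"""Flag hosts whose traffic matches the Zotob pattern: inbound TCP/445
(exploit delivery), then outbound TCP/445 to several peers and/or an
outbound IRC connection within a short window."""
from collections import defaultdict
from datetime import datetime

IRC_PORTS = {6667}       # assumption: common IRC port, not stated in the article
SCAN_THRESHOLD = 3       # distinct 445 peers before we call it propagation
WINDOW_SECONDS = 600     # correlation window after the inbound 445 hit

# Constructed sample flow log: "timestamp src dst dport"
FLOWS = """\
2005-08-16T10:00:01 10.0.0.7 10.0.0.20 445
2005-08-16T10:00:09 10.0.0.20 10.0.0.21 445
2005-08-16T10:00:10 10.0.0.20 10.0.0.22 445
2005-08-16T10:00:11 10.0.0.20 10.0.0.23 445
2005-08-16T10:00:15 10.0.0.20 203.0.113.5 6667
2005-08-16T10:01:00 10.0.0.30 10.0.0.40 445
2005-08-16T10:01:05 10.0.0.40 10.0.0.50 80
"""

def parse_flows(text):
    """Parse the simple whitespace format above into sorted tuples."""
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            out.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(out)

def find_zotob_like_hosts(flows):
    """Return {host: {"scan_targets": n, "irc": bool}} for matching hosts."""
    first_hit = {}                      # host -> time it first received 445
    targets = defaultdict(set)          # host -> peers it then hit on 445
    irc = set()                         # hosts that then connected to IRC
    for ts, src, dst, dport in flows:
        if dport == 445 and dst not in first_hit:
            first_hit[dst] = ts
        if src in first_hit and (ts - first_hit[src]).total_seconds() <= WINDOW_SECONDS:
            if dport == 445:
                targets[src].add(dst)
            elif dport in IRC_PORTS:
                irc.add(src)
    return {h: {"scan_targets": len(targets[h]), "irc": h in irc}
            for h in first_hit if len(targets[h]) >= SCAN_THRESHOLD or h in irc}

if __name__ == "__main__":
    for host, info in find_zotob_like_hosts(parse_flows(FLOWS)).items():
        print(host, info)
```

Only 10.0.0.20 is flagged: it was hit on 445, then touched three peers on 445 and connected to IRC; 10.0.0.40 received a 445 connection but did nothing else that matches.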
The worm, dubbed Botzor2005 by its creator Diabl0, contained both Diabl0's and Coder's handles. The worm acknowledged Coder as well as tried to connect to an IRC channel named diabl0.turkcoders.net.
A side effect of a worm infection is that the compromised systems, almost exclusively Windows 2000 computers, frequently hang or crash. Multiple postings to public security mailing lists described disruptions caused by the worm crashing computers.
The FBI cooperated with Moroccan authorities, the Turkish National Police of the Ministry of Interior, and Microsoft to track down and arrest the two men.
"This case happened very quickly and was successful because of our international relationships and because of the support from Microsoft," the FBI's Reigel said. "If we didn't have that cooperation, the investigation would still likely be going on to today."
Microsoft provided most of the technical assistance in tracking down the two suspects. While the Zotob worm was a public relations blow for the software giant, the worm left behind clues for the company's investigators to follow, said Brad Smith, senior vice president and general counsel for Microsoft.
"From the worm's real-time attack, (the investigators) could derive technical information about what was going on," he said. "We used that to follow the electronic trail back to the source. They were able to dissect the worm ... and by monitoring the worm, were able to discern where it was coming from."
While the FBI had had a case open since the Mytob bot software first appeared in March, it was the spread of the Zotob worm in the past two weeks that led back to the worm's programmer, the FBI's Reigel said.
The FBI has evidence that Ekici paid Essebar to create the original Mytob bot software and the Zotob worm based on that bot software, Reigel said. The agency did not yet know how much the programmer was paid for his efforts.
The arrests were not due to an informant, nor was a reward offered through the Anti-virus Reward Program, said Microsoft's Smith. That program had a recent success with the conviction of 19-year-old Sven Jaschan, the German teenager whose friends turned him in for the $250,000 bounty that Microsoft offered.
Virus and worm writers are likely becoming more careful about their identities, Smith said.
"People who brag to their friends give their friends various opportunities to turn them in," he said.
While the Moroccan and Turkish men were working together, they likely had not met face to face, the FBI's Reigel said.
The FBI is not currently seeking extradition of the two men, stating that they would be prosecuted locally. While Turkey has an extradition treaty with the United States, Morocco does not, Reigel stated.
Copyright © 2005, SecurityFocus