Authorities Arrest Zotob Suspects
The hackers believed responsible for the Zotob and Mytob worms were arrested in Turkey and Morocco less than 2 weeks after the viruses were unleashed on the Internet. The worms crashed federal govt. computers, including more than 1,000 Senate PCs, and wreaked havoc on systems at major U.S. news outlets including CNN, ABC and N.Y. Times (WID Aug 18 p1). The viruses and variants hit computers running Windows 2000 platforms by exploiting a security loophole in Microsoft’s software.
Moroccan national Farid Essebar, 18, and Turkish resident Atilla Ekici, 21, were arrested Thurs. and will be prosecuted in the countries where they were detained, the FBI said. While the nations’ cybercrime regulations aren’t as advanced as those in the U.S., they have consumer protection or fraud laws, FBI and Microsoft officials told reporters during a teleconference Fri. FBI Cyber Div. Assistant Dir. Louis Reigel indicated that Essebar, whose codename was “Diablo,” might have been paid to write the code by Ekici, whose online name was “Coder.”
Another Moroccan was initially flagged as a person of interest but wasn’t arrested.
Investigators are unsure whether the suspects ever met face-to-face, but they “certainly knew each other via the Internet,” Reigel said. While neither suspect had been prosecuted for cybercrimes or shown up on U.S. govt. watch lists, authorities think they may have ties to the spread of the RBot spyware worm.
Analysts were able to derive a substantial amount of technical information about the worm and its origins and used that to “follow the electronic trail” to the sources, Smith said. Reigel said authorities began tracking the case in March and intensified their investigation the past 2 weeks. It’s too early to get an accurate assessment of the total number of victims or the costs incurred from Zotob and Mytob attacks, they said. Zotob emerged Aug. 14, 4 days after Microsoft unveiled a patch to address the vulnerability the worm exploited.
Security analysts weighed in on the duo’s swift apprehension as well. Sophos technologist Graham Cluley noted it will be interesting to see how the case progresses given that the suspects will be prosecuted in their countries of origin, rather than where most of the attacks occurred. Although Microsoft said the Zotob and Mytob worms were less damaging than other network loopholes, it has become standard for many malicious code writers to include exploitation of the flaw in their work, Cluley warned. As the virus spread in recent weeks, Microsoft kept calling it a “low impact” threat while security firms like Trend Micro considered it a new, different kind of worm that was one of the fastest spreading PC threats in history.