Computer Crime Research Center

etc/map.jpg

Zotob author may be a mastermind of more than 20 viruses

Date: September 01, 2005
Source: Computer Crime Research Center
By: complied by CCRC staff

The teenager arrested on suspicion of writing and distributing the Zotob Windows 2000 worm may have authored more than 20 other viruses, it has emerged.

The claim was made by anti-virus company Sophos, which has analysed a number of viruses incorporating the Diabl0 "handle” or moniker used by the accused, 18-year-old Farid Essebar.

Other viruses and worms suspected of being his handiwork include the Mydoom variant, Mydoom-BG, and the Zotob-related Mytob worm that the company says currently accounts for over half of all virus traffic reported to it in August.

The Russian-born Moroccan resident was arrested last Thursday, after computer forensic work by the FBI traced him and his alleged accomplice, Atilla Ekici, to addresses in the country, and in Turkey.

Police have since widened their net in Turkey, arresting a further 16 people earlier this week on suspicion of distributing Zotob and Mytob, which caused widespread disruption to Windows 2000 systems around the world two weeks ago.

"It appears that whoever wrote Zotob had access to the Mytob source code, ripped out the email-spreading section, and plugged in the Microsoft exploit," said Graham Cluley of Sophos. The two used different methods to spread, but were otherwise closely related, he said. "It's possible that several people have access to the Mytob source code - so it may not be the last we see of this Internet scourge."

Turkish authorities have identified about a dozen individuals thought to be involved in credit card fraud. "It is believed that these individuals have links to Coder," the FBI representative said. "The investigation is still ongoing, but there is no indication these people actually wrote or distributed the Zotob worm."

Zotob attacked computers running Microsoft's Windows 2000 operating system. The worm and its offshoots hit PCs and servers worldwide two weeks ago, including machines at ABC, CNN and Daimler Chrysler.

Ekici along with Farid Essebar, an 18-year-old Moroccan national born in Russia, are believed to be responsible for Zotob and the earlier Mytob and Rbot worms. Essebar was arrested in Morocco on Thursday of last week, the same day authorities nabbed Ekici.

The suspected link to a credit card fraud ring expands the possible financial motivation for the Zotob and Mytob worm attacks. The FBI last week said that it believes Essebar wrote both worms and then sold them to Ekici.

Both Mytob and Zotob attack Windows computers and feature backdoor capabilities. Criminals could use this backdoor to install software that spies on users or to install "bot" programs that create "botnets," networks of hijacked PCs that are rented out to relay spam or attack other systems.

Meanwhile, experts at antivirus company Sophos say they believe Essebar may have had a hand in more than 20 computer pests. The teen's handle, "Diabl0," appears in more than 20 other viruses and worms, including Mydoom-BG and many versions of Mytob, which are currently dominating worldwide virus reports, according to Sophos.

Zotob and its variants exploited a security hole in the plug-and-play feature in the OS, for which Microsoft provided a fix earlier this month. Zotob included some of the code used in Mytob, an e-mail worm that first started spreading in March. To date, more than 100 variants of Mytob have been spotted. The worm is distributed via mass e-mail campaigns.

The investigation into the Mytob and Zotob worms is ongoing and other suspects may be arrested, according to the FBI.


Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo