Computer Crime Research Center


Zotob and Mytob were originated by Russian hacker

Date: August 30, 2005
Source: Computer Crime Research Center
By: compiled by CCRC

One of the two men arrested last week on charges of creating and mailing the Zotob bot worm also authored some, but not all, of the many Mytob worms in circulation, a security firm said Monday.

Finnish anti-virus vendor F-Secure identified Farid Essebar, 18, who was arrested by Moroccan authorities, as the author of some Mytobs.

"We know that [Essebar] had also authored several of the Mytob variants since February this year," F-Secure's Mikko Hypponen wrote on the company's blog. "However, he's not behind all of them."

Early analysis by others, including Ken Dunham, senior engineer with VeriSign iDefense, pegged Zotob and Mytob as close relations. "Hackers took the Mytob worm code and replaced the e-mail function in Mytob with the exploit of the MS05-039 vulnerability," said Dunham two weeks ago when the Zotob attack first began.

Farid Essebar, age 18, a Moroccan national born in Russia, was arrested in Morocco, and 21-year-old Atilla Ekici, a Turkish resident, was arrested in Turkey, Paul Bresson, a spokesman for the FBI, said on Friday. Both suspects were detained on Thursday and will be prosecuted in the countries in which they were arrested, Bresson said.

Bresson said that Essebar, who went by the nickname "Diabl0," and Ekici, known as "Coder," are suspected of creating both the Mytob and Zotob worms.

The Zotob worm attacked computers running Microsoft's Windows 2000 operating system, and the worm and its offshoots last week hit PCs and servers worldwide, including machines at ABC, CNN, Holden, Visa and DaimlerChrysler.

Zotob included some of the code used in Mytob, an e-mail worm that first started spreading in March. To date, more than 100 variants of Mytob have been spotted. The worm is distributed via mass e-mail campaigns and features so-called backdoor capabilities, allowing attackers to remotely control infected computers.

Both Mytob and Zotob attacked computers running Windows. Zotob and its variants exploited a security hole in the plug-and-play feature in the OS, for which Microsoft provided a fix earlier this month.

The FBI initiated the investigation into Mytob and Zotob, cooperating with Microsoft and others to trace the origins of the worms, Bresson said. Law enforcement agencies in Morocco and Turkey were instrumental in the investigation, he said.

The bureau alleges that Essebar wrote both the Mytob and Zotob worms and then sold them to Ekici. "We believe that there was financial gain on (Essebar's) part," Louis Reigel, assistant director of the FBI's Cyber Division, said in a conference call with the media. He did not provide further details.

The investigation started in late March, after the Mytob release, Reigel said.

The probe intensified when Zotob hit. Microsoft's Internet crime investigation team dissected the worm and found leads to the two suspects, Brad Smith, Microsoft's general counsel, said on the conference call.

"The trail that we ultimately were able to follow that led to these individuals is a trail that came to light in the last two weeks, after the launch of Zotob," Smith said.

Microsoft hails the arrests as an example of a successful partnership between the private sector and law enforcement. "Our entire industry, especially in partnership with law enforcement, is able to move much more quickly and in a more sophisticated way today than was the case, say, two years ago, and that is certainly part of what made it possible to get to this point within two weeks," Smith said.

The actual legal charges against the individuals are not yet known. Turkey and Morocco will charge the suspects, and the FBI will provide evidence for the prosecution, Reigel said.

The investigation into the Mytob and Zotob worms is ongoing and others may be arrested, Reigel said: "The Moroccan and Turkish authorities are doing a full investigation to determine if there were other individuals involved."

As such, the arrests in Morocco and Turkey will not make cyberspace more secure, and even the likelihood of the Zotob and Mytob worms being eradicated looks slim.

Microsoft stated that it will continue to ensure Internet safety, namely by investing in technology to improve security, by partnering with other private companies as well as governments and law-enforcement agencies to develop policies that can be enforced against cybercriminals, and by keeping customers aware of the potential hazards in cyberspace and encouraging them to keep their precautionary measures up to date to protect themselves from emerging threats.
