The 16 individuals are believed to be connected to a credit card theft and identity theft ring, but not directly involved with the creation or dissemination of Zotob, according to Paul Bresson, an FBI spokesperson.
The action followed the arrest of Atilla Ekici, 21, in Adana, Turkey on Aug. 26 in connection with the recent Zotob Internet worm and with Mytob, another wide-spreading worm that first appeared in February.
Little information was available on the arrests Tuesday, which was a holiday in Turkey. Officials contacted by eWEEK at the U.S. Consulate in Adana and at the U.S. Embassy in Ankara said they had no information on the additional arrests.
However, links between Ekici, who used the online handle "Coder," and co-conspirator Farid Essebar, an 18-year-old resident of Morocco who was known online as "Diabl0," would not be surprising, security experts said.
Both men are believed to have controlled large networks of compromised computers, or "botnets," according to Joe Stewart, a senior security researcher at managed security provider LURHQ Corp.
Bot networks are frequently used to harvest information or intellectual property from compromised machines, as well as for distributing spam, advertising and viruses.
Microsoft Corp. and the FBI were cooperating in an investigation of botnets before Zotob was released, said Tim Cranton, a senior attorney at Microsoft and director of the company's Internet Safety Enforcement team.
Cranton declined to comment on whether Microsoft's investigators were on to Diabl0 before Zotob, but said the company had "developed a lot of intelligence" about the botnets Diabl0 operated prior to Essebar's arrest and that the information "helped inform" the actions of law enforcement.
The 16 new suspects may be operating their own botnets using variants of Zotob or the earlier Mytob worms, which Essebar is believed to have created.
According to Stewart, each member of the group would probably be given a copy of the source code by Essebar and would compile it into a unique Mytob or Zotob variant, with its own IRC (Internet Relay Chat) server and channel details, then release the variant on the Internet and build a botnet out of hosts the worm compromises.
"There would be no reason for them not to have their own botnets," he said. In fact, a sizeable botnet is almost a requirement for those who move in the Internet underground, where the slightest online provocation can invoke a denial-of-service attack from another botnet operator.
While the other suspects in the case may be acquainted with Diabl0 and Coder, Stewart said it's wrong to think of the botnet operators as a tightly coordinated group.
"It's really just individuals and small groups of botnet owners who get together," he said.
While Diabl0 and Coder were not the largest botnet operators, they were very successful and their creations generated a lot of "noise" on the Internet, he said. Virus researchers at Sophos PLC's SophosLabs said that Diabl0 is believed to be behind about 20 other virus variants, including Mydoom-BG and versions of the Mytob worm.
Together, the variants accounted for six of the top 10 viruses and more than 54 percent of all viruses reported to Sophos in August, the company said.
"It will be good to see them go," Stewart said.