Two men in Turkey and Morocco have been arrested in connection with the creation and distribution of the malicious code that triggered the Zotob worm attacks.
The duo—Moroccan 18-year-old Farid Essebar and Turkish 21-year-old Atilla Ekici—will be charged and prosecuted in their respective homelands for their alleged roles in launching the worm that hammered Microsoft Corp.s Windows 2000 customers.
According to Louis Reigel, FBI Cyber Division Assistant Director, Essebar is believed to be responsible for writing the first iteration of the Zobot worm that attacked a remotely exploitable vulnerability in the Windows Plug and Play service.
Essebar, who uses the hacker handle “Diabl0,” is accused of selling the code to Ekici.
“He had a financial relationship with the Turkish,” Reigel said, hinting that the malicious code was purchased and released from that region.
“The two subjects were working together. Were not yet sure if they knew each other face to face. But they knew each other on the Internet, and we believe the worm was in fact written in part by each of them,” Reigel added.
The arrests come just two weeks after the Zobot worm and several variants hammered corporate networks globally through a flaw that had already been patched by Microsoft.
Sources tell Ziff Davis Internet News that the “Diabl0” signature was found in one Zotob variant and connected to an IRC (Internet Relay Chat) server that was used in previous worm attacks.
Microsoft general counsel Brad Smith said the two men may also be responsible for Rbot, a virulent family of backdoors that can be used to hijack sensitive data from an infected machine.
The men were arrested at the request of the FBI, and the plan is to file criminal complaints in both Turkey and Morocco.
“Authorities moved very quickly in this case, and it appears that Microsoft was also instrumental in the capture of those responsible for unleashing this computer worm that infected networks at U.S. companies and government agencies earlier this month,” said Gregg Mastoras, senior security analyst at Lynnfield, Mass.-based anti-virus vendor Sophos plc.
“Because these men will be prosecuted in their countries of origin, rather than the countries where businesses were hit, many will be interested to see how the investigations and cases brought against these men compare with incidents in other parts of the world,” he added.
The FBIs Reigel said the cyber-crime laws in both Turkey and Morocco were “not as advanced” as those in the United States.
“Both countries have consumer protection and consumer fraud statutes. We expect both those countries are going to charge these individuals to the fullest extent of the law.”
According to Microsofts Smith, the software makers Internet Crime Investigation Team played a key role in tracking down Essebar and Ekici.
“We were monitoring the worm attack in real time and, from that, we got a lot of technical information to pass along to law enforcement. That information was used to follow the electronic trail back to the source,” Smith said.
“We dissected the worms and monitored the way they went after computers. We were able to identify where they were coming from,” he added.
