FBI Nabs Worm Attackers

The FBI, working with Microsoft and with Turkish and Moroccan authorities, has swooped on two individuals whom the FBI claims were responsible for the recent Zotob worm attack.

The Cyber Division of the FBI, in cooperation with Microsoft and with Moroccan and Turkish authorities, has secured the arrest of two individuals in connection with the Zotob worm attack.

Moroccan authorities arrested Farid Essebar, age 18, and simultaneously Turkish officials arrested Atilla Ekici, age 21, both in connection with a global investigation into the outbreak of the Zotob network worm, discovered just over two weeks ago. Louis M. Reigel, FBI Assistant Director for the Cyber Division, told reporters this afternoon that Essebar is believed to have been the sole author of the Zotob strain.

“The Moroccan was responsible, [it is] our belief, at this point in the investigation, for writing the code,” A.D. Reigel stated. Referring to the suspect by his country of origin, he continued, “Moroccan has a financial relationship with the Turkish individual, Mr. Ekici. We believe that there was financial gain on the part of Moroccan in relationship to the writing of the code.” However, Reigel added, the FBI had not seen official charges against the two suspects from their respective governments.

Essebar is also suspected, the FBI confirmed, of either writing or co-writing two other major families of obtrusive and destructive code. The first is the Mytob mass-mail attachment worm, discovered last February, to which Essebar is believed to have contributed; it behaves much like Zotob once it is on a machine but spreads by a different route, as an e-mail attachment rather than over the network. Zotob itself spreads by exploiting a buffer overflow in the Windows Plug and Play service (the flaw Microsoft patched in security bulletin MS05-039), which it reaches over TCP port 445. On Windows 2000 that service accepts requests without any authentication, which is what allows the worm to propagate from machine to machine with no credentials and no user interaction.

Also attributed to Essebar is the Rbot family of worms, first detected in June 2004, for which anti-virus provider Sophos reports hundreds of known variants. Rbot spreads in a variety of ways, although it usually first attacks Windows computers over the open ports used for NetBIOS and Microsoft Directory Services traffic (TCP 139 and 445), logging in to network shares with an administrator account that has a weak or guessable password so that its activity looks like legitimate file-sharing. Like both Mytob and Zotob, once a system is infected Rbot adds Registry keys so that it runs automatically at system startup, then connects over the Internet Relay Chat (IRC) protocol to a server at an IP address with no registered hostname, from which it takes its commands.
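The propagation and command-and-control pattern described for Rbot and Zotob (probing the NetBIOS and Microsoft-DS ports on many neighbours, then opening an IRC session to a controller) is something a network defender can hunt for in perimeter logs. The Python below is an added example written for this page, not code from the article, from Microsoft or from the FBI; the firewall log format, the IP addresses, the IRC port list and the scan threshold are all constructed assumptions, and the sample log lines are made up for the demonstration.

```python
import re
from collections import defaultdict

# Assumed (hypothetical) firewall log format, one connection attempt per line:
#   "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <ALLOW|DENY>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>TCP|UDP) (?P<action>ALLOW|DENY)$"
)

# TCP 139 (NetBIOS session) and 445 (Microsoft-DS): the ports Rbot and Zotob attack.
SHARE_PORTS = {139, 445}
# Ports commonly used for IRC command-and-control; an assumption, a bot can use any port.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}
# Distinct hosts probed on the share ports before a source counts as scanning (assumption).
SCAN_THRESHOLD = 10


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_suspects(lines, scan_threshold=SCAN_THRESHOLD):
    """Correlate share-port sweeps with IRC connections per source host.

    A source that probes >= scan_threshold distinct hosts on 139/445 AND has an
    allowed outbound IRC connection is reported as "worm-like"; one that only
    sweeps is "scan-only". IRC use without scanning is not reported, since a chat
    client on its own is not evidence of infection.
    """
    probed = defaultdict(set)  # src -> set of hosts it tried on 139/445
    irc = defaultdict(set)     # src -> set of (dst, port) IRC connections allowed out
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dport"] in SHARE_PORTS:
            probed[rec["src"]].add(rec["dst"])
        elif rec["dport"] in IRC_PORTS and rec["action"] == "ALLOW":
            irc[rec["src"]].add((rec["dst"], rec["dport"]))

    findings = {}
    for src, hosts in probed.items():
        if len(hosts) < scan_threshold:
            continue
        peers = sorted(irc.get(src, set()))
        findings[src] = {
            "verdict": "worm-like" if peers else "scan-only",
            "distinct_targets": len(hosts),
            "irc_peers": peers,
        }
    return findings


def constructed_sample():
    """Constructed log lines (not a real capture) covering the cases described above."""
    lines = []
    # 10.0.0.5 sweeps 12 neighbours on 445 (all refused) and then joins an IRC server.
    for i in range(21, 33):
        lines.append(f"2005-08-16T10:00:{i:02d} 10.0.0.5:10{i} -> 10.0.0.{i}:445 TCP DENY")
    lines.append("2005-08-16T10:01:00 10.0.0.5:1050 -> 203.0.113.7:6667 TCP ALLOW")
    # 10.0.0.9 is ordinary file-share use: three sessions, all to the same server.
    for i in range(3):
        lines.append(f"2005-08-16T10:02:0{i} 10.0.0.9:200{i} -> 10.0.0.2:445 TCP ALLOW")
    # 10.0.0.12 uses IRC but never touches the share ports: a person chatting.
    lines.append("2005-08-16T10:03:00 10.0.0.12:3001 -> 198.51.100.4:6667 TCP ALLOW")
    # 10.0.0.20 sweeps 15 hosts on 139, but its IRC attempt is blocked at the firewall.
    for i in range(40, 55):
        lines.append(f"2005-08-16T10:04:{i:02d} 10.0.0.20:30{i} -> 10.0.0.{i}:139 TCP DENY")
    lines.append("2005-08-16T10:05:00 10.0.0.20:3100 -> 203.0.113.7:6667 TCP DENY")
    # A truncated line, as log rotation can leave behind; parse_line skips it.
    lines.append("2005-08-16T10:05:01 10.0.0.20:3101 -> 203.0.113.7")
    return lines


if __name__ == "__main__":
    for src, info in sorted(find_suspects(constructed_sample()).items()):
        print(src, info["verdict"], info["distinct_targets"], info["irc_peers"])
```

The threshold is deliberately a parameter: on a network where one host legitimately talks to many file servers it needs raising, and the IRC port set should be replaced by whatever the local egress policy actually permits. Feed the function real firewall output by adapting LINE_RE to that product's format.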

Although the FBI could not go into further detail about the nature of the charges against the suspects, the official Moroccan news agency Maghreb Arabe Presse reported this afternoon, US time, that local police told them Essebar may be connected with a bank card fraud investigation. Reigel was cautious not to advance those conclusions, saying, “At this point in time, we have no information that this case relates to identity theft or bank fraud, but anything other than the development of the malicious code. That doesn’t necessarily mean the investigation couldn’t lead to those different avenues.” He added he suspects that Turkish and Moroccan authorities are investigating other potential suspects, though FBI investigations into the possibility of others’ involvement have yet to conclude.

During the first week of Zotob attacks, speculation about their nature and intent had been fueled by a report from security vendor F-Secure — the same company associated with the misinterpreted “Vista virus” story — that later Zotob variants sought out and removed earlier ones, which F-Secure read as a sign of a sort of “hacker gang war” emerging in the Internet underground.

Though unaware of the technical specifics about worm variants, FBI Assistant Director Reigel told Tom’s Hardware Guide there was no indication at this time that anyone other than Essebar was principally responsible for all the strains of Zotob. At an early stage of the investigation, Reigel said, a second Moroccan was under investigation, though no evidence exists at this time for US federal or Moroccan federal officials to arrest this person.

Addressing our question, Microsoft general counsel Brad Smith added that malicious users are often associated with a variety of different social motivations. “Oftentimes, there’s an element of bragging rights with one’s friends or colleagues,” he said, “and I think that’s perhaps started to abate since we created the reward program a year and a half ago, with the FBI and Interpol, because people who brag to their friends risk giving their friends obvious opportunities to turn them in.” The Internet itself plays a social factor, he added, by giving individuals means to work together when they’re thousands of miles apart.

Reigel made certain to credit Microsoft for helping to expedite the Zotob investigation. “This case happened very quickly — one week into the investigation,” stated Reigel, “and was successful because of our international relationships, particularly in Turkey and Morocco, and because of the very significant support from Microsoft. Had we not had those entities involved in this investigation, I suspect it would still be ongoing today.”

Smith described his company’s Internet crimes investigations team as composed of 50 individuals committed to working with law enforcement to pursue perpetrators of network crimes. “We had our Internet Crimes Investigations team focus on two types of activities,” he explained. “The first was really to monitor the worms and the attacks in real-time, and from that, they were able to derive a lot of technical information, [which] we used to follow the electronic trail, so to speak, back to the source. They were able to dissect the worms, obtaining quite a bit of information from that process, and by monitoring the worms and the way they went after computers, identify where they were coming from.”

When asked by Hiawatha Bray of the Boston Globe why these things keep happening to Microsoft products, Smith responded, “I think the reality is that any company that has popular products has to recognize that it’s a fact of life that there are individuals around the world who will, from time to time, try to attack them. Obviously, we have popular products, but we’ve seen Apple, we’ve seen Linux, we’ve seen a whole variety of products put under this kind of pressure.”

Smith credited what he called a “three-pronged” approach to mitigating and managing the Zotob problem. The first prong, he said, is stronger software, indicated by the fact that Zotob affected an older version of Windows than XP. The second is more proactive involvement by consumers, who act more responsibly in installing firewalls and security patches and in keeping their anti-virus signatures up to date. “So I think we have important work ahead of us to strengthen computer security,” he concluded, “but we’ve also come a long way in a short time; and the fact that we were able to see these arrests in less than two weeks, halfway around the world, really drives that point home.”