09-05-2005, 09:30 PM
Mobo

Law enforcement officials in Turkey and Morocco arrested two men in connection
with the recent release of the Zotob worm, the FBI announced on Friday.

“This case happened very quickly and was successful because of our
international relationships and because of the support from Microsoft.
If we didn't have that cooperation, the investigation would still likely
be going on to today.”

Local authorities arrested 18-year-old Farid Essebar in Morocco and
21-year-old Atilla Ekici in Turkey on Thursday, according to the FBI. The U.S.
law enforcement agency believes that Essebar coded the Zotob worm and the Mytob
bot software, on which the worm was based, for Ekici, who allegedly paid the
programmer.

"The Moroccan was responsible for writing the code," Louis M. Reigel III,
assistant director of the FBI's Cyber Division, said during a Friday afternoon
press conference. "He had a financial relationship with the Turkish man."

Essebar and Ekici used the online handles Diabl0 and Coder, respectively,
Reigel said. Another Moroccan man was also initially suspected but has not been
arrested, he added.

The Zotob worm started spreading on August 14
(http://www.securityfocus.com/news/11281), but mainly affected systems running
Windows 2000, Microsoft's five-year-old operating system. Initially, the worm
seemed to compromise few systems. However, two days later, computers at CNN and
the New York Times became infected by one or more variants of the worm, and the
public profile of the programs increased a notch.

The Zotob worm, and later variants, are all based on versatile attack programs,
known as bot software, which had added the ability to spread via a flaw in
Microsoft's Windows Plug-and-Play functionality. Several bot programs had
incorporated the code to exploit the flaw as early as August 12, and starting
with the Zotob worm, began adding the ability to automatically find and infect
systems by the weekend. At least 12 versions of bot software used the exploit to
spread, according to antivirus companies.

The Zotob worm compromises systems by sending data on port 445. If a
computer is infected with the program, the worm creates a file-transfer protocol
(FTP) server and uses it to upload the worm to other vulnerable systems.

The worm shows its pedigree by retaining some bot functionality. Computers
infected with the worm will join an Internet relay chat (IRC) session at a
predefined address. An attacker who knows the IRC channel password can command
the bot to disconnect or reconnect to the IRC channel, obtain system
information, clean itself from the system, modify security settings, and
download or execute files, according to an analysis of the Zotob.B worm.

The worm, dubbed Botzor2005 by its creator Diabl0, contained both Diabl0's
and Coder's handles. The worm acknowledged Coder as well as tried to connect to
an IRC channel named diabl0.turkcoders.net.

A side effect of a worm infection is that the compromised systems, almost
exclusively Windows 2000 computers, frequently hang or crash. Multiple postings
to public security mailing lists described disruptions caused by the worm
crashing computers.

The FBI cooperated with Moroccan authorities, the Ministry of Interior
Turkish National Police, and Microsoft to track down and arrest the two men.