Moroccan, Turk arrested over worm outbreak

26.08.2005
By
Jaikumar Vijayan writes for, among others, our US sister publication CSO Online.

A Moroccan and a Turk were arrested in their home countries by local police Thursday in connection with the worm attacks that hit several large organizations last week.

Farid Essebar, 18, of Morocco, and Atilla Ekici, 21, from Turkey, are believed to have been responsible for the creation and the distribution of the Zotob, Rbot and Mytob worms, said Louis Reigel, assistant director of the FBI's Cyber Division in a press conference Friday.

The Zotob worm was targeted at Windows 2000 systems and affected many large companies, including The New York Times, CNN, ABC News, Caterpillar Inc. and General Electric Co. The mass-mailing Mytob worm meanwhile has been circulating on the Internet since February, affecting a wide range of Windows systems, including Windows 2000, Windows XP, Windows Server 2003 and Windows NT.

The arrests come just 12 days after the Zotob worm was released and are the result of extensive cooperation between Microsoft Corp., the FBI and Turkish and Moroccan authorities, said Brad Smith, senior vice president and general counsel at Microsoft.

"It is truly noteworthy to see such fast action spanning multiple countries and continents. It speaks volumes of the state of progress" being made in such investigations, he added.

Elaborating on the arrests, Reigel said that Essebar, who used the code name "Diablo," was responsible for writing the worm code, while Ekici, who went by the handle "Coder," financed the effort.

"The Moroccan had a financial relationship with the Turkish individual," Reigel said. "We believe that there was financial gain on the part of the Moroccan in relationship to writing the code."

No motives have been established, and it was unclear if other individuals or organizations were involved and, if so, to what extent, Reigel said. Both Turkish and Moroccan authorities have indicated that they are investigating other individuals, Reigel said. The FBI has people in both countries assisting in the investigations.

There are no plans to seek extradition of the two individuals to the U.S., Reigel said, adding that the U.S. does not have an extradition treaty with Morocco.

"Both of these countries' cybercrime laws are not as advanced as those in America. But both countries are going to charge these individuals, and the FBI will provide as much evidence as needed for both to be prosecuted within their own countries," he said.

He added that the FBI is unaware of the two individuals being involved with any other cybercrime, and neither are they on any watch list. He also dismissed as speculation that the arrested individuals may have been responsible for the creation of the prolific Mydoom worm of last February.

"Because these men will be prosecuted in their countries of origin, rather than the countries where businesses were hit, many will be interested to see how the investigations and cases brought against these men compare with incidents in other parts of the world," said Gregg Mastoras, senior security analyst at Lynnfield, Mass.-based Sophos Inc. in an e-mailed comment.

The arrests were made possible by the investigative work of Microsoft's 50-person Internet Crime Investigations Team, Smith said.

Microsoft has a $5 million antivirus reward program under which it pays informants for tips leading to the arrest and conviction of virus and worm writers. The program was responsible for the similarly quick arrest of Sven Jaschan, the 19-year-old German responsible for creating the Sasser worm and four variants last May.

In this case, the individuals were identified by following an electronic trail created by the worms back to their source, Smith said. Though he did not elaborate, Smith said that Microsoft was able to gather a lot of information by "monitoring the worms in real time."

"We were certainly gratified and pleased to help," Smith said.