Zotob arrests point to cybercrime nexus

The expanding investigation into this month’s Zotob worm outbreak is uncovering evidence of the growing nexus between worm writers and gangs looking to profit from cybercrime, according to security experts.

The FBI Tuesday confirmed that Turkish law enforcement officials are investigating 16 more suspects in connection with the Zotob worm and its variants.

This follows last Thursday’s arrests of Farid Essebar, an 18-year-old Moroccan believed to have been responsible for writing the Zotob and Mytob worms, and Atilla Ekici, a 21-year-old man from Turkey who apparently financed the effort.

According to an FBI spokesman, the 16 individuals now being investigated are not believed to have any direct links to the actual creation and dissemination of the worms that hit several large organizations two weeks ago. Rather, “it looks more like they are associated with a credit card theft ring” possibly linked to the worms, he said.

The news is further evidence of the growing alliance between hackers and those seeking to profit from cybercrime, said Graham Cluley, a senior technology consultant at antivirus firm Sophos PLC.

“It is certainly something that we thought has been happening for some time,” Cluley said. “What you are likely to see here over the next few days is the unravelling of an entire identity fraud gang.”

According to Cluley, Sophos researchers have discovered that at least 20 other worms and viruses — including multiple versions of Zotob and Mytob and a version of last year’s prolific Mydoom worm — were created by Essebar. All of these worms and viruses include the Diabl0 handle that Essebar used as a code name, he said.

Malware such as Zotob and Mytob are used by hackers to download so-called bot programs that allow remote servers to take control of compromised systems and steal information from them. The communication between an infected system and remote server is often done using the Internet Relay Chat (IRC) messaging protocol.

Mytob variants created by Diabl0 communicated with a server apparently owned by a group called the 0x90-team whose Web site discussed hacker exploits and credit card fraud, said Ken Dunham, a senior engineer at VeriSign iDefense Intelligence in Reston, Va. The site, which is registered to an individual in Paris, runs several online forums on how to make money by selling, buying and trading such information, he said.

Diabl0 had his own private directory on the Web server hosting the site, which he used to download the various variants of Mytob and other worms that he created, Dunham said.

According to one source who asked not to be named, the server belonging to the 0x90-team is located in the U.S. And, according to anti-virus firm F-Secure in Finland, the group’s Web site has been used as an underground gathering site for bot authors for quite a while.

A code analysis of the Zotob.A worm and a couple of other variants shows that it was controlled by an IRC server named diabl0.turkcoders.net, Cluley said. The code contained a personal greeting to a person called Coder, which was the handle used by Ekici, the Turk arrested last week.

“That points to the guy in Turkey, who is alleged to have paid the worm author for writing Zotob,” Cluley said.

Related Download
What is an Application Delivery Controller Sponsor: Softchoice
What is an Application Delivery Controller
Download this white paper to learn the core services ADCs provide and its benefit to both users and application administrators.
Register Now