By Susan B. Shor TechNewsWorld
08/29/05 11:45 AM PT
Although law enforcement officials have arrested two men they believe wrote the Mytob and Zotob worms, one security expert said there may not be much enterprises can do to stop such infections from striking again.
"There's little to learn," Mikko Hypponen, director of antivirus research, F-Secure, told TechNewsWorld about the lessons of the malware attacks. "This worm hit big companies. They already know the importance of timely security patches. The problem is that few large companies can test and deploy patches company-wide in just five days, which was the deadline in this case."
The worms, which infected servers and PCs running Windows 2000, struck at ABC, American Express (NYSE: AXP), CNN, Daimler-Chrysler, The New York Times (NYSE: NYT) and Visa, among others, beginning Aug. 14. The worm exploited a security hole that allowed remote control of the infected machine. Microsoft (Nasdaq: MSFT) had issued a plug days earlier.
Arrests in Turkey, Morocco
The FBI, which worked in conjunction with local authorities, announced the arrests Thursday. Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker "Diabl0," was captured by Moroccan law enforcement officials. Atilla Ekici, 21, who used the name "Coder," was taken into custody in Turkey.
The FBI said it believes Essebar wrote both Mytob and Zotob and sold them to Ekici. The pair will be prosecuted in the countries in which they were arrested, with help from the FBI. The United States has an extradition treaty with Turkey, but not Morocco, which could mean Ekici might be taken to the U.S. if the legal case against him in that country does not succeed.
Essebar's arrest is seen as a break for cyber crime-fighting.
"I really hope it will slow down activities of these botnet herders [hackers who control a series of infected machines]," Hypponen said. "They are a major problem already. There's a lot of this activity coming from Turkey, so we're hoping this arrest in Turkey would send a message," although the analyst added that the pair was not working alone. "They had associations to at least 0x90-Team and Turkcoders [groups of malware writers] ... probably others."
Network of Botnet Creators
In the F-Secure Weblog, Hypponen wrote that the Web site of the 0x90-Team functions as an underground meeting spot for bot authors.
"There's around 70 known variants of Mytob and practically all of them create botnets of the infected machines," he said. "Some of these botnets have been controlled by unrelated groups, such as Blackcarder. And we've found new Mytob variants just yesterday, which obviously are not written by Diabl0. So several people have access to Mytob source code and have been making their own variants."
The FBI said the investigation began in March, when the first variant was spotted, and escalated when Zotob hit two weeks ago. Microsoft said its Internet Crime Investigations Team aided the probe by providing technical information and analytical support.
"There's some talk that there might be a worm war among bot authors. It's too early to say for sure, but we do see a lot of bot activity," said Ken Dunham, director of malicious code research at iDefense. "It's almost like a race among different virus authors as to who can get to the vulnerability networks first."