Zotob Authors Jailed
Press reports this morning indicate that the two people arrested in the Zotob case have been jailed. According to Computerworld, "Farid Essebar, 19, of Morocco was sentenced to two years in prison on Tuesday by a Moroccan court, according to a report by Agence France-Presse. An accomplice, Achraf Bahloul, also of Morocco, received a one-year sentence, the report said." There's not much more to the story, it seems. You may recall that Zotob was used, in part, to fuel financial theft via the victims' computers. Zotob built a modestly sized botnet.
Shortly after the original Zotob worm came out last summer, these two guys were identified and arrested. I recall speaking at a local security group event that fall a few days after the arrests, and some federal law enforcement were in the room, as well as some corporate CSOs and such. I showed them some of the Zotob botnet data I had gathered for work, and mentioned that the two guys were apprehended a day or so earlier. They were all pleased, to say the least.
Still, botnet-related arrests are exceedingly rare, given the number of botnet operators out there.
September 14, 2006 in government, Zotob | Permalink | Comments (0)
UK hackers jailed for global computer worm plot (TK worm)
While getting caught up on the recent news I came across this. I have been swamped at work, especially as I dig out from the week I was away at HITB in Malaysia. (A special thanks to everyone there for everything, it's good to meet so many of you and see so many friends again.)
LONDON: Two British hackers were jailed on Friday for helping to spread a computer worm which affected thousands of machines around the world including some at the U.S. Department of Defense. Jordan Bradley, 22, and Andrew Harvey, 23, were part of an international hacking group called "TH34t Krew" which created the "TK worm", a so-called "Trojan" programme that surfaced on the Internet sometime before February 2003.
Source: UK hackers jailed for global computer worm plot, Reuters (in CIOL News).
Additional information:
- Owned by the THR34T Krew...Part II, from Air Scanner, a description of the TKBot traffic and how it was investigated.
- Hackers Jailed for Global Computer Virus in Red Nova.
- Bedroom IT Skills Were Designed to Create a Devastating Worm, also in Red Nova.
While nothing too major, it's good to see malware authors getting traced, caught, and sentenced.
October 12, 2005 in government, media | Permalink | Comments (1)
Morocco to try suspected computer worm author
It looks like the Zotob trial will be held overseas (at least for those of us not in Morocco), but more importantly it's happening swiftly. I wonder how much of a dent this will make, given the popularity of Zotob variants and the proliferation of credit card theft tools in the past year.
An 18-year-old math student will go on trial in Morocco this month for unleashing computer worms that disrupted the networks of major U.S. firms, a Justice Ministry official said today.
The FBI last week announced Moroccan Farid Essebar's arrest in Rabat as well as the arrest in Turkey of 21-year-old Attila Ekici. Both are suspected of releasing the Zotob worm that hit the Internet three weeks ago.
The official said Essebar's trial would start Sept. 13 and he would remain in custody near Rabat until then. "The hearing will specify charges against him for the trial," the ministry official told Reuters.
Source: Morocco to try suspected computer worm author, by Souhail Karam, posted September 2, 2005 (REUTERS).
September 10, 2005 in government, media, Zotob | Permalink | Comments (2)
16 more Zotob suspects
News reports this morning note that the FBI and Turkish authorities have announced that they have identified 16 more suspects in the Zotob case. There is no word yet on how the additional 16 suspects were identified; however, given the apparent financial motives behind the incident and the scale of the operation, it may have been classic detective work that led to this latest development.
The FBI said the Turkish authorities have identified 16 more individuals as suspects in the recent Zotob and the Mytob worm attacks. But Louis M. Reigel III, assistant director of the FBI’s cyber division, said no additional arrests had been made as of Monday.
Based on a code analysis of the worm and its variants, there are at least three gangs of hackers involved with the worm, believes Finnish anti-virus software maker F-secure, according to Mikko Hypponen, director of the company’s anti-virus research. If Turkish officials make the arrests, the action would represent the biggest roundup in the history of the information security business, said Mr. Hypponen.
Source: 16 Sought in Zotob Gang Dragnet, Red Herring online, August 30, 2005. Also see Cyber-cops arrest 16 more Zotob suspects, by Robert Jaques, posted to vnunet.com 31 Aug 2005.
August 31, 2005 in government, media, Zotob | Permalink | Comments (0)
A financial twist to the Zotob case
Some more information on the story around the arrest of two suspects in the Zotob and Mytob cases. A story in the Washington Post on Friday reports that there is a financial-information theft aspect to both the Zotob and Mytob worms. This perspective is also being reported by Maghreb Arabe Presse in Morocco.
Louis M. Reigel III, director of the FBI's Cyber Division, said evidence indicates Ekici paid Essebar to develop the worms, which the two used for financial gain. Reigel declined to say whether the men were connected to a larger criminal enterprise. But according to information released by the Moroccan government, the two men are alleged to have forwarded financial information stolen from victims' computers to a credit card fraud ring.
Source: Suspected Zotob Worm Authors Arrested, by Brian Krebs, posted on Washingtonpost.com on Friday, August 26, 2005.
And finally, eWeek has an interesting summary of the Zotob timeline from the Microsoft perspective.
So how did they break this case so quickly? According to the F-Secure antivirus weblog, the handles used by the men, "diabl0" and "coder", are apparent in the worm itself. This has shades of the Blaster.C variant and the "teekids" handle.
Both nicknames can be found in the code of Zotob.A: the worm connected to an IRC server named "diabl0.turkcoders.net" and contained the words "Greetz to good friend Coder".
Source: Breaking news: two arrests in the Zotob case, Friday, August 25, 2005.
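Finding those handles is a routine step in sample triage: dump the printable strings from the binary, then look for hard-coded infrastructure and greetz. The script below is an added example written for this post, not the blog's or F-Secure's code. Its SAMPLE is a constructed byte blob seeded with the two strings quoted above plus some filler; the hostname, greetz and IRC-verb patterns, the file-extension exclusion list and the handle heuristics are my assumptions. Bear in mind that an embedded nickname is a lead for investigators, not proof of authorship, since anyone can plant a handle in a binary.

```python
"""Triage the printable strings of a suspected bot binary for attribution leads.

Added example, not the blog's or F-Secure's code. SAMPLE is a constructed
stand-in for a worm binary, seeded with the two strings quoted from Zotob.A
plus filler; every pattern and exclusion list below is an assumption.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: printable strings buried in non-printable junk.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"diabl0.turkcoders.net\x00"        # hard-coded IRC C2 host
    + b"\x01\x02\xff" * 4
    + b"Greetz to good friend Coder\x00"  # shout-out naming an accomplice
    + b"PRIVMSG\x00NICK\x00"              # IRC protocol verbs
    + b"kernel32.dll\x00"                 # looks like a hostname, is not one
)

HOSTNAME_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
GREETZ_RE = re.compile(r"\bgree?tz?\b|\bshout[- ]?outz?\b", re.I)
HANDLE_RE = re.compile(r"\b[A-Z][A-Za-z0-9_]{2,}\b")  # capitalised words
IRC_VERBS = {"NICK", "USER", "JOIN", "PRIVMSG", "MODE", "PASS", "PONG"}
NOT_HOSTS = {"dll", "exe", "sys", "ocx", "ini"}        # PE file names, not C2


@dataclass
class Leads:
    hostnames: list = field(default_factory=list)
    greetz: list = field(default_factory=list)
    irc_verbs: list = field(default_factory=list)
    handles: set = field(default_factory=set)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of at least min_len printable ASCII bytes (like strings(1))."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def triage(strings) -> Leads:
    """Sort strings into C2 hostnames, greetz lines, IRC verbs and candidate handles."""
    leads = Leads()
    for s in strings:
        if HOSTNAME_RE.match(s) and s.rsplit(".", 1)[-1].lower() not in NOT_HOSTS:
            leads.hostnames.append(s)
            # bot herders often use their nick as the left-most label of the C2 host
            leads.handles.add(s.split(".", 1)[0].lower())
        if GREETZ_RE.search(s):
            leads.greetz.append(s)
            # capitalised words in a greetz line are usually other handles
            for word in HANDLE_RE.findall(s):
                if not GREETZ_RE.fullmatch(word):
                    leads.handles.add(word.lower())
        if s in IRC_VERBS:
            leads.irc_verbs.append(s)
    return leads


def leads_for(data: bytes) -> Leads:
    """Strings extraction plus triage in one call."""
    return triage(extract_strings(data))


if __name__ == "__main__":
    found = leads_for(SAMPLE)
    print("C2 hosts :", found.hostnames)
    print("greetz   :", found.greetz)
    print("IRC verbs:", found.irc_verbs)
    print("handles  :", sorted(found.handles))  # leads, not proof of authorship
```

Run against a real sample, the same two-pass approach (extract, then classify) surfaces the C2 hostname and the greetz line in seconds; the NOT_HOSTS filter is there because every imported DLL name otherwise looks like a domain, which is the most common false positive in this kind of triage.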
August 27, 2005 in government, media, Zotob | Permalink | Comments (1)
Turk, Moroccan nabbed in huge worm case
CNN is reporting that there has been a pair of arrests in the investigation into the Zotob and Mytob worm cases. The report says that a 21-year-old resident of Turkey and an 18-year-old Moroccan were arrested in their home countries in an international investigation.
Farid Essebar, a Moroccan who used the screen name "Diabl0," and Attilla Ekici of Turkey, who used the moniker "Coder," were arrested in their home countries by authorities who cooperated with U.S. investigators in tracking the origins of the Mytob worm and its damaging variant, Zotob.
FBI officials said the two men are expected to be prosecuted by the governments of their home countries.
Source: Turk, Moroccan nabbed in huge worm case, August 26, 2005.
Microsoft has a comment in a press release, as well, on the arrest. They reportedly participated in the investigation:
“We congratulate the Turkish and Moroccan authorities and the FBI for finding and apprehending the alleged authors and distributors of the Zotob and Mytob worms so quickly,” [Brad] Smith said. “This arrest demonstrates the value of public-private collaboration — the first-class investigative work by the authorities and round-the-clock technical and investigative support provided by our Internet Crime Investigations Team here at Microsoft. The results show clearly that cybercriminals will be identified, apprehended and held accountable for their actions.”
Source: Microsoft Commends Turkish and Moroccan Authorities and the FBI on the Arrest of the Alleged Authors of the Recent Zotob and Mytob Worms, Microsoft Press Release, August 26, 2005.
eWeek has a story on Microsoft's response to the Zotob worm and to the disclosure of an obviously wormable vulnerability, patched in MS05-039 on the August 2005 Patch Tuesday:
"This is something we had created an entire process around and we were much better prepared this time," he said. "Our process is working, and it's working very well."
That process, Toulouse explained, started long before Patch Tuesday. "Whenever we're dealing with critical updates, one of the things we do is really look very hard at the attack vectors. What are the ways people will try to exploit this? How easy is it to create and unleash a worm? We attack the flaw just like the attacker would, and we knew up front that this one would be trouble.
"We had three critical bulletins in August but, in the case of the Plug and Play vulnerability, we knew there was a remote, unauthenticated attack vector affecting Windows 2000. Whenever there's a remote, unauthenticated attack vector, it sends up major red flags," Toulouse said.
Source: Inside Microsoft's Zotob Situation Room, by Ryan Naraine for eWeek, posted August 26, 2005.
August 26, 2005 in government, Zotob | Permalink | Comments (0)
Worms do China's spying
An interesting article from an Australian IT publication recently conjectures that worms are being used in nation-state warfare. The article claims that industrial espionage is being facilitated by malware such as worms and Trojan horse programs, which can be used to access documents on remote systems.
Cyberspace is becoming a new battleground for the United States and China, amid growing concerns about Chinese industrial espionage through various types of computer worms, security experts say.
At least one "Trojan horse" program used to steal files from infected computers has been traced to servers in China, providing further evidence that US companies may be targets, say analysts.
Security firms have long been concerned about various types of malicious software used to steal files or passwords. But some newer programs seem designed as a more sophisticated and targeted effort.
Source: Worms do China's spying, July 25, 2005.
For some additional background, see this recent Forbes magazine piece which features the LURHQ analysis.
August 1, 2005 in government, media, new trends | Permalink | Comments (1)
Microsoft to Pay Reward to Sasser Worm Informants
Following the conviction of Sven Jaschan for writing and releasing the Sasser worm, Microsoft is living up to its promise of offering rewards for information leading to specific malware convictions.
Microsoft Corp. today announced that two individuals who helped identify the creator of the notorious Sasser worm in 2004 will share a reward of $250,000 (U.S.). The author of the worm, arrested in May 2004, was found guilty Friday by a court in Verden, Germany, and handed a sentence of one year and nine months on probation and 30 hours of community service.
Source: Microsoft to Pay Reward to Sasser Worm Informants, Microsoft Press Release, July 8, 2005.
...
“We’re pleased that the author of the Sasser worm has admitted responsibility for the damage he caused and is being held accountable,” said Nancy Anderson, vice president and deputy general counsel at Microsoft. “It has been important and gratifying to collaborate with and support law enforcement in this case, and we’re glad to provide a monetary reward to those individuals who provided credible information that helped the German police authorities solve this case.”
The reward will be paid from Microsoft’s anti-virus reward program, an initiative established by the company with Interpol, the Federal Bureau of Investigation and the United States Secret Service in November 2003 to provide an incentive for people to help identify those responsible for unleashing malicious viruses and worms on the Internet and deter cyber-criminals. The reward is paid to informants who are not involved in the criminal activity and provide credible information to law enforcement agencies that leads to an arrest and conviction.
July 10, 2005 in government, microsoft, sasser | Permalink | Comments (1)
German youth convicted for Sasser
Sven Jaschan, the German teenager on trial this week for the launch of the Sasser worm, has been convicted. This was expected after he confessed in court earlier this week to committing the crime. As was widely expected, he received a suspended sentence, in part because he was a minor at the time of the crime.
A German youth has been given a 21-month suspended sentence after being convicted of creating the Sasser worm which crippled computers worldwide.
Sven Jaschan was found guilty of computer sabotage and illegally altering data, said a court official.
He escaped a jail term as he was tried as a minor since he was 17 years old when he wrote the worm.
Source: German youth convicted for Sasser, BBC News Online, Friday, 8 July, 2005.
July 8, 2005 in government, media, sasser | Permalink | Comments (1)
Teenager admits to unleashing internet worm
In somewhat breaking news, The Mail and Guardian Online is reporting that Sven Jaschan, the alleged author of the Sasser worm, has confessed in court. Today is the first day of his trial in Germany for creating and releasing the Sasser worm, which was found spreading in the wild in May, 2004. Thanks in part to a large reward sum, he was implicated by an anonymous person and police then found enough evidence to bring charges:
A German teenager confessed on the first day of his trial on Tuesday to creating the internet Sasser worm that waylaid millions of computers around the globe last year, a court official said.
The spokesperson for the tribunal, Katharina Kruetzfeldt, said that Sven Jaschan, now 19, admitted during the closed-doors hearing in this northern city to unleashing the destructive program in the spring of 2004.
...
He is now facing charges including sabotage, data manipulation and disruption of public administration.
...
Jaschan, whose parents own a computer service company, now works for a German security software firm called Securepoint, which specialises in defences against viruses and worms.
A company representative said Jaschan will remain an employee regardless of the outcome of the trial.
Source: Teenager admits to unleashing internet worm, Julia Deppe. The article goes on to say that a verdict could come as early as Thursday, thanks to this confession.
UPDATE: The story has hit almost every major news outlet, and one of the better stories on the subject is from the Scotsman, entitled Boy who nearly crashed the world.
July 5, 2005 in government, media, sasser | Permalink | Comments (0)