Two men arrested in connection with Zotob attacks

By Steve Malone

Posted on 30 Aug 2005 at 11:18

Police in Morocco and Turkey have arrested two men in connection with the 'Mytob' and 'Zotob' worms which caused chaos in computer systems around the world earlier this month

The two men are Farid Essebar, 18, a Moroccan citizen originally from Russia who went by the screen name 'Diabl0' and 21 year old Atilla Ekici, who goes by the name of 'Coder,' from Turkey. The arrests follow co-operation between Microsoft, the FBI and local law enforcement agencies in Morocco and Turkey.

W32.Zotob is a worm that targets Windows 2000 and XP-based computers. The worm opens a back door and exploits the Windows Plug and Play Buffer Overflow Vulnerability that was announced in a Microsoft security bulletin MS05-039 on August 9th. The worm installs software on a target computer and then searches for other machines to infect.

When the worm hit the internet a few weeks ago, Microsoft played down the impact of Zotob at the time rating it at a 'low' severity level. However, the profile rose immeasurably after several high profile web sites from leading media organisations became infected including those of the Financial Times, CNN and the New York Times.

It was particularly embarrassing for these organisations as the worm could not affect machines issued with the security patch released by Microsoft at the time.

The FBI says that any prosecutions of the two men will take place under local law and it will not be starting extradition proceedings.

Microsoft Senior Vice President and General Counsel Brad Smith congratulated the law enforcement agencies on tracking down the two men and added, 'These arrests demonstrate the value of public-private collaboration - the first-class investigative work by the authorities and 'round-the-clock technical and investigative support provided by our Internet Crime Investigations Team here at Microsoft.'