Local police have arrested two people in Turkey and Morocco on suspicion of involvement in the Zotob, Rbot and Mytob Windows 2000 computer worms, according to Microsoft.
Microsoft worked in conjunction with the Turkish and Moroccan authorities and the U.S. FBI, according to a release from the company. The software vendor, through a division it created two years ago to investigate cybercrime, provided the FBI with technical information and analytical support that was then shared with Turkish and Moroccan police.
Law enforcement officers in Rabat, Morocco, and in Adana and Ankara in Turkey arrested the alleged distributors of the worms, Atilla Ekici, 21, of Turkey and Farid Essebar, 18, of Morocco, on Thursday, 12 days after the release of the first Zotob worm, Microsoft and FBI representatives said.
Ekici went under the code name of "Coder" and Essebar used the code name "Diabl0," said Louis M. Reigel III, assistant director of the FBI Cyber Division, in a conference call Friday.
Ekici apparently paid Essebar a sum of money to write the worms, but was not involved in their creation himself, Reigel said. "We believe that there was financial gain on the part of the Moroccan in the relationship," he said.
Originally investigators believed there might be two Moroccan individuals involved in the crime, but that proved not to be the case, he said. At this time, investigators do not think Ekici and Essebar were involved in creating any of the worms' variants, but the investigation is ongoing and further arrests or charges will be made if needed, he said.
The FBI is not currently seeking extradition of the suspects to the U.S., but is working with local authorities in Turkey and Morocco to prosecute the individuals, he said. Though the two countries' cybercrime laws are not as "advanced" as those in the U.S., the suspects will be charged with appropriate crimes in their home countries, Reigel said.
The suspects may be charged with violating consumer protection and antifraud laws, according to Microsoft Senior Vice President and General Counsel Brad Smith.
The investigation to apprehend the creator of the Mytob worm, which was released in February, began in late March, but the investigation that eventually led to the arrests of Ekici and Essebar began in earnest after the Zotob worm was released two weeks ago, Reigel said. Investigators received no major tip-off but used information from Microsoft that monitored the behavior of the worms to track them to their origin, he said.
The worms exploited vulnerabilities in the Windows 2000 operating system to infect computers running the software with malware that shifted complete control over the PCs to the hackers who launched the attacks.
Fortunately, the worms don't appear to have caused as much damage as previous hacker attacks. Microsoft has since issued security patches to fix the holes in its operating system.
Microsoft's Smith attributed the fact that relatively little damage was caused by the worms to two things: consumers are becoming more savvy to threats and taking more precautions to shield their software from viruses, and Microsoft is making good on its commitment to create more secure products.
Smith also lauded the swiftness with which Microsoft and the FBI identified the suspects, with the arrests coming less than two weeks after Zotob was released.
"Clearly I think this kind of public and private collaboration [to fight cybercrime] is a model that is successful here," he said.