Turkish authorities have linked one of the suspects in the Zotob worm case to individuals thought to be part of a credit card fraud ring, according to the FBI.
Atilla Ekici, a 21-year-old Turk who used the nickname "Coder", may be affiliated with people thought to be part of a credit card fraud ring in Turkey, an FBI representative said on Tuesday. Ekici was one of two men arrested last week for allegedly unleashing several computer worms, including the Zotob worm that disrupted businesses worldwide two weeks ago.
Turkish authorities have identified about a dozen individuals thought to be involved in credit card fraud. "It is believed that these individuals have links to Coder," the FBI representative said. "The investigation is still ongoing, but there is no indication these people actually wrote or distributed the Zotob worm."
Ekici along with Farid Essebar, an 18-year-old Moroccan national born in Russia, are believed to be responsible for Zotob and the earlier Mytob and Rbot worms. Essebar was arrested in Morocco on Thursday of last week, the same day authorities nabbed Ekici.
This is the second time in as many days that the Zotob outbreak has been linked to a larger network. As reported on Tuesday, security experts have suggested that Essebar had used an underground network called 0x90-team to expedite the creation of the worms.
Zotob attacked computers running Microsoft's Windows 2000 operating system. The worm and its offshoots hit PCs and servers worldwide two weeks ago, including machines at ABC, CNN and Daimler Chrysler.
The suspected link to a credit card fraud ring expands the possible financial motivation for the Zotob and Mytob worm attacks. The FBI last week said that it believes Essebar wrote both worms and then sold them to Ekici.
Both Mytob and Zotob attack Windows computers and feature backdoor capabilities. Criminals could use this backdoor to install software that spies on users or to install bot programs that create botnets — networks of hijacked PCs that are commonly rented out to relay spam or attack other systems.
Meanwhile, experts at antivirus company Sophos say they believe Essebar may have had a hand in more than 20 computer pests. The teen's handle, "Diabl0", appears in more than 20 other viruses and worms, including Mydoom-BG and many versions of Mytob, which are currently dominating worldwide virus reports, according to Sophos.
Zotob and its variants exploited a security hole in the plug-and-play feature in the OS, for which Microsoft provided a fix earlier this month, as well as a free tool to cure infected machines. Zotob included some of the code used in Mytob, an email worm that first started spreading in March. To date, more than 100 variants of Mytob have been spotted. The worm is distributed via mass email campaigns.
The investigation into the Mytob and Zotob worms is ongoing and other suspects may be arrested, according to the FBI.
