Zotob worm linked to credit card fraud ring

Authorities have linked one of the suspects in the Zotob investigation to individuals thought to be part of a credit card fraud ring.

Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

See full bio

Joris Evers

Aug. 31, 2005 6:14 a.m. PT

2 min read

Turkish authorities have linked one of the suspects in the Zotob worm case to individuals thought to be part of a credit card fraud ring, according to the FBI.

Atilla Ekici, a 21-year-old Turk who used the nickname "Coder," may be affiliated with people thought to be part of a credit card fraud ring in Turkey, an FBI representative said on Tuesday. Ekici was one of two men arrested last week for allegedly unleashing several computer worms, including the Zotob worm that disrupted businesses worldwide two weeks ago.

Turkish authorities have identified about a dozen individuals thought to be involved in credit card fraud. "It is believed that these individuals have links to Coder," the FBI representative said. "The investigation is still ongoing, but there is no indication these people actually wrote or distributed the Zotob worm."

Zotob attacked computers running Microsoft's Windows 2000 operating system. The worm and its offshoots hit PCs and servers worldwide two weeks ago, including machines at ABC, CNN and Daimler Chrysler.

Ekici along with Farid Essebar, an 18-year-old Moroccan national born in Russia, are believed to be responsible for Zotob and the earlier Mytob and Rbot worms. Essebar was arrested in Morocco on Thursday of last week, the same day authorities nabbed Ekici.

The suspected link to a credit card fraud ring expands the possible financial motivation for the Zotob and Mytob worm attacks. The FBI last week said that it believes Essebar wrote both worms and then sold them to Ekici.

Both Mytob and Zotob attack Windows computers and feature backdoor capabilities. Criminals could use this backdoor to install software that spies on users or to install "bot" programs that create "botnets," networks of hijacked PCs that are rented out to relay spam or attack other systems.

Meanwhile, experts at antivirus company Sophos say they believe Essebar may have had a hand in more than 20 computer pests. The teen's handle, "Diabl0," appears in more than 20 other viruses and worms, including Mydoom-BG and many versions of Mytob, which are currently dominating worldwide virus reports, according to Sophos.

Zotob and its variants exploited a security hole in the plug-and-play feature in the OS, for which Microsoft provided a fix earlier this month. Zotob included some of the code used in Mytob, an e-mail worm that first started spreading in March. To date, more than 100 variants of Mytob have been spotted. The worm is distributed via mass e-mail campaigns.

The investigation into the Mytob and Zotob worms is ongoing and other suspects may be arrested, according to the FBI.