[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Monday, 5 September 2005, 09:43 GMT 10:43 UK
Money motive drove virus suspects
By Mark Ward
Technology Correspondent, BBC News website

Attila Ekici being escorted to court, AFP/Getty
Mr Ekici is accused of paying someone to create the Zotob worm
The arrest of two men suspected of being behind the Zotob virus has give a rare insight into the lifestyle and motivations of criminal hackers.

On 25 August Farid Essebar was arrested in Morocco and Atilla Ekici was detained by police in Turkey following an international investigation into the Zotob outbreak earlier in the month.

More than 100 companies, including the Financial Times, ABCNews and CNN, were hit by the Zotob Windows 2000 worm.

For many one of the oddities of the case was the fact that one of the alleged virus writers was based in Morocco.

Although Turkey has long been a hotspot for virus writers that specialise in making malicious programs that take over PCs and turn them into so-called zombie machines, Morocco is a real surprise.

"It's the first time I've heard of any activity coming from there," said Mikko Hypponen, chief research officer at Finnish security firm F-Secure.

Significantly, said Mr Hypponen, Mr Essebar was originally from Russia where much malicious code is generated and many hi-tech crime groups operate.

According to anti-virus firm Sophos, the Zotob worm is a variant of the Mytob virus which had plugged in to it exploit code written by a Russian hacker called houseofdabus.

Exploit code produced by houseofdabus was also used by German teenager Sven Jaschan to create the Sasser worm which struck on 1 May 2004.

Code farm

Pete Simpson from mail-filtering firm Clearswift doubted that the pair were technically skilled because they used code snippets generated by others to make the variants.

[DiablO] that worm spread only for money
[Taylor] you should think about joining the other side of this...lots of fun fighting hackers...the thrill is even better
[DiablO] we dont care if user removed worm
[Taylor] oh, ok...that malware...toolbar thing!! i understand now
[DiablO] :)
[Taylor] so, do you get paid for the 'click'?
[DiablO] no
[Taylor] how you make money then? i am confused...curious
[DiablO] it low setting of ie
[DiablO] ratio of install is 1:1
[DiablO] :)
[Taylor] but you get paid for someone visiting a site
[Taylor] that is a good ratio
Evidence for this comes from the fact that Mr Essebar - who reportedly used the hacker handle Diabl0 - was also suspected of being behind 20 other viruses all of which are variants of the Mydoom, Mytob and Zotob programs.

"There was a lot of source code around for Mytob which produced a lot of variations," said Mr Simpson.

It is not just the how of the Zotob worm that anti-virus firms have a handle on, they also know why malicious hackers do it: money.

"This has changed who is our enemy," said Mr Hypponen. "We used to be fighting kids and teenagers writing viruses just for kicks."

Despite the change in motive, about 50% of all viruses still contain the names of hackers or the groups that are supposedly behind viruses.

"Now most of the big outbreaks are professional operations," he said. "They are done in an organised manner from start to finish."

Money was reportedly one motive for Mr Essebar who was allegedly paid by Mr Ekici to put the Zotob worm together.

Money talks

What the pair were probably taken aback by was the response that the worm generated.

Few virus writers now want to hit the front pages, said Mr Hypponen, most prefer to have their creations sneak under the radar, rack up a few thousand unwitting victims who are then milked for money or saleable data.

It appears that Mr Essebar was intending to make money several different ways from the people caught out by the Mytob and Zotob viruses he is alleged to have created.

Almost by accident David Taylor, a senior information security specialist at the University of Pennsylvania struck up an online conversation with a malicious hacker that went by the name of Diabl0.

Sven Jaschan, AFP/Getty
Virus writer Sven Jaschan also used code from Russian hackers
Mr Taylor told the BBC News website that the opportunity to chat arose when he investigated a suspected phishing e-mail sent to someone at the University.

When he had compromised a dummy computer with the malicious e-mail he noticed that the machine contacted an IRC chat server making him suspect that it was about to be turned into a zombie.

Once he had extracted the name of the chat server and the channel from the captured network traffic he logged in to try and spot if other university machines had fallen victim.

Mr Taylor noticed someone else in the channel and after a couple of tries had a short conversation with the administrator who went by the name Diabl0.

Although there is no direct evidence that this Diabl0 is the person arrested, Mr Taylor said whoever he talked to connected from a computer based in Morocco.

Mr Taylor has passed all the information he gathered to the FBI.

During the chat, Diabl0 revealed that the Mytob worm had a very sneaky purpose. One of its intentions was to lower security settings on Microsoft's Internet Explorer browser so certain pop-up adverts would not be blocked.

Diabl0 said he would be paid by the pop-up ad makers for every user hit. Even if the compromised users managed to remove the virus, bragged Diabl0, the settings would likely go unchanged and the stream of unwanted adverts would continue.

Every time an ad was sent to a user, Diabl0 would get credited with a click. With Zotob being one of the worst outbreaks of 2005, Diabl0 could have expected a bumper payday.

Windows 2000 worm hits US firms
17 Aug 05 |  Technology
Two detained for US computer worm
26 Aug 05 |  Technology
Windows 2000 bug starts virus war
18 Aug 05 |  Technology
German admits creating Sasser
05 Jul 05 |  Technology
Trench warfare against viruses
06 May 04 |  Technology
Closing the holes on hackers
03 May 03 |  Technology

The BBC is not responsible for the content of external internet sites


Americas Africa Europe Middle East South Asia Asia Pacific