Two men arrested in connection with worm which hit high profile media companies, Sophos reports

August 26, 2005 Sophos Press Release

[Image: Message on the Financial Times website. Caption: The Financial Times published a message on its website about the worm to its readers.]

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have welcomed news reports that authorities in Morocco and Turkey have arrested two men in connection with computer worm attacks that hit organizations such as CNN, ABC Television, The New York Times and the Financial Times last week.

According to media reports, the FBI has confirmed that police arrested 18-year-old Farid Essebar, a Russian-born resident of Morocco, and 21-year-old Atilla Ekici of Turkey on Thursday. The men are said to have gone by the handles "Diabl0" and "Coder", which are mentioned in the code of W32/Zotob-A.

The Zotob worms and related variants hit computers running Windows 2000 at a number of high-profile companies by exploiting a security loophole in Microsoft's software.

"It appears that the computer crime authorities have moved very quickly in this case, and it will be interesting to see how the case progresses," said Graham Cluley, senior technology consultant for Sophos. "Because these men will be prosecuted in their countries of origin, rather than necessarily in the countries where businesses were hit, many will be interested to see how the investigations and cases brought against these men compare with incidents in other parts of the world."

Since the first Zotob worm emerged on 14 August, a series of variants and other malware have taken advantage of a critical security hole in Microsoft's software: the MS05-039 Plug and Play vulnerability.

"Astonishingly, the time between virus outbreak and arrest is less than two weeks. The authorities were able to investigate quickly and co-ordinate internationally to effect arrests in Morocco and Turkey," continued Cluley. "Unfortunately, since the Microsoft security hole became public knowledge it has become a standard part of many virus writers' armory to include exploitation of the flaw in their malicious code. All companies need to defend themselves with security patches, up-to-date anti-virus software and firewalls for the highest level of protection."

Sophos continues to recommend that companies protect all tiers of their organization - their desktops, servers and email gateways - with automatically updated anti-virus software to reduce the risk of infection.