Press Releases

Browse our press release archive

27 Jun 2006

Police bust m00p international virus-writing gang

63-year-old man amongst those arrested for conspiring to infect internet users

The three men are alleged to have used malware to take remote control of zombie computers. Image copyright (c) Sophos
The three men are alleged to have used malware to take remote control of zombie computers

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have welcomed news that authorities in the UK and Finland have arrested three men in connection with computer worm attacks.

The British Metropolitan Police's Computer Crime Unit, the Finnish National Bureau of Investigation and the Finnish Pori Police Department, have arrested a 63-year-old man in Ipswich, a 28-year-old man in the Grampian region of Scotland, and a 19-year-old man in Helsinki, Finland. The men, who are all suspected of being members of the m00p virus-writing gang, have been arrested in connection with a conspiracy to infect computers with malware.

Police are now examining computer equipment seized at the residential addresses raided for evidence.

"The police in the UK and Finland should be congratulated for investigating this computer crime ring and breaking up the gang before it can do any more harm to innocent web surfers and businesses," said Graham Cluley, senior technology consultant for Sophos. "It's great to see one less virus writing gang, but the sad fact is, however, that this is probably just the tip of the iceberg. More and more criminals around the globe are being tempted by the anonymity the internet offers to commit their crimes online. A strong message needs to be sent out that those who engage in malicious computer attacks will receive severe punishment."

The m00p group are believed to have written malware in order to create a zombie network (or botnet) of compromised computers under their control. Analysis by Sophos experts have confirmed that there are many pieces of malware which include references to the m00p gang including the W32/Dogbot spyware worm, Troj/Hackarmy-C, Troj/Santabot-A, Troj/Shuckbot-A, W32/Rbot-BF, and W32/Tibick-A.

References to m00p are are also contained inside the Stinx Trojan horse, which was spammed out widely attached to emails with the subject line "Photo Approval Needed".

The Stinx Trojan horse contained a reference to the M00P gang inside its code

The Stinx Trojan horse contained a reference to the m00p gang inside its code.

"Zombie computers can be used by criminal hackers to launch distributed denial-of-service attacks, spread spam messages or to steal confidential information and commit identity theft," continued Cluley. "Every computer owner needs to take steps to reduce the chances of their computer being turned into a zombie under the control of hackers."

The men arrested in Suffolk and Scotland are not the first to have been arrested in the United Kingdom in connection with virus writing. In 2003 Welsh virus writer Simon Vallor was sentenced to two years in jail for malware he had created, and in 1995 Christopher Pile (also known as "The Black Baron") was jailed for 18 months for writing and distributing the SMEG viruses.

It is believed that the 28-year-old Scottish man arrested was already known to the police, and has been on bail since January charged with offences related to distributed denial-of-service (DDoS) attacks.

The Stinx Trojan horse hit the headlines in late 2005, when Sophos experts revealed that it was designed to exploit the controversial Sony DRM (Digital Rights Management) copy protection included on some of the music giant's CDs.

Why is the group called m00p?

There is some debate as to how the gang chose the name "m00p" according to experts at Sophos.

Some believe that the virus writing gang chose the name of their group after an episode of the South Park cartoon series where the characters formed a band called 'Moop'. The episode involved some non-too-subtle arguments about how filesharing affects the music industry.

Another theory which has been suggested is that the name is a reference to an episode of the Seinfeld comedy show where the 'Moops' are mentioned during a game of Trivial Pursuit against the Bubble Boy. Ironically, the character of the Bubble Boy was the inspiration for another virus in 1999.

However, a member of the m00p group has claimed that the name pre-dates these TV shows, and originates from an expression he used as a child.

Sophos continues to recommend that companies protect all tiers of their organization - their desktops, servers and email gateways - with automatically updated anti-virus software to reduce the risk of infection.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at