Arrested Zotob Worm Suspect Linked To Over 20 Other Viruses
Experts at SophosLabs, Sophos’s global network of virus, spyware and spam analysis centres, have discovered that one of the men arrested last week in connection with the Zotob worm outbreak which exploited a Microsoft security hole, appears to be linked to over 20 other viruses.
18-year-old Farid Essebar, a Russian-born resident of Morocco, was arrested by the authorities on Thursday 25 August – less than two weeks after worms disrupted high profile organisations around the world. Essebar is believed to go by the handle “Diabl0”, a phrase embedded inside the Zotob-A worm. It is not unusual for malware authors to leave handles inside their malicious code, sometimes alongside other messages. Essebar’s alleged associate, Atilla Ekici, was also detained in Turkey.
Sophos researchers have determined that over 20 other viruses include the Diablo handle, including Mydoom-BG and many versions of the Mytob worm, which are currently dominating worldwide virus reports – accounting for six of the top ten positions and over 54% of all viruses reported to Sophos so far this month.
“To the untrained eye the Mytob and Zotob worms can appear quite different: one group of viruses travels via email, the other primarily by exploiting a Microsoft security hole. However, when examined by an experienced virus analyst, the similarities become clear. It appears that whoever wrote Zotob had access to the Mytob source code, ripped out the email-spreading section, and plugged in the Microsoft exploit,” said Graham Cluley, senior technology consultant for Sophos. “The Mytob worms have made a significant impact on the virus outbreak charts this year, so anything which may prevent future variants from being developed and released must be welcomed. However, it’s possible that several people have access to the Mytob source code – so it may not be the last we see of this internet scourge.”
Sophos continues to recommend that companies protect all tiers of their organisation – their desktops, servers and email gateways – with automatically updated anti-virus software to reduce the risk of infection.
Further information can be found at: http://www.sophos.com/virusinfo/articles/diablo.html