International investigators looking to identify the virus writer responsible for the Zotob/Rbot worm outbreak two weeks ago have additionally stumbled onto three groups of virus writers, two groups of botnet creators, and an international stolen credit card network. FBI and other international authorities recently announced the arrests of two individuals, Farid Essebar, an 18-year-old Russian-born Moroccan, and Atilla Ekici, a 21-year-old Turkish man, in connection with authoring the recent worms. Authorities also hinted that additional arrests (though not necessarily for writing viruses but for stealing your personal information) may be announced shortly. Both Morocco and Turkey have cybercrime laws in place, and it is expected that both men will be tried within their respective countries, with help from the FBI. It looks like law enforcement might be getting the upper hand for once.
Mytob, Zotob--same thing
According to antivirus vendor F-Secure, Essebar authored some but not all of the Mytob viruses that have been active since early 2005, based on patterns within the code itself. For example, it appears that Essebar stripped out the e-mail functions within Mytob and replaced them with exploits for the Windows 2000 Plug-and-Play vulnerability to create Zotob. Authorities in Morocco are said to have found the source code for Mytob on Essebar's personal computer. There are also signatures embedded within the clear text of the virus and the worms themselves that contain his nickname, Diabl0, and that of Ekici, Coder; however, such identifiers could have been left by anyone. F-Secure suggests that as many as three different groups of virus writers, including the groups 0x90-Team, Blackcarder, and MetalHit, may have produced the more than 70 variations of Mytob now circulating on the Internet. Authorities began investigating the origins of the Mytob virus back in March 2005, which may explain the quick arrests following the release of Zotob.
Ongoing investigations in Morocco and Turkey suggest that Essebar sold these viruses and worms to Ekici. Ekici then either worked with or sold these viruses and worms to members of a group dealing in credit card theft.
Carder groups
So-called carder groups are not new. Earlier this year, the FBI and Secret Service busted U.S.-based ShadowCrew, operating out of a suburban home in New Jersey. Carder groups are structured much like traditional organized crime syndicates: new members must provide a certain number of fresh, new stolen credit card numbers before they are admitted; once inside, they must commit to providing a certain number of stolen credit card numbers each week. In the case of ShadowCrew, there were periodic threats of enforcement for not delivering the goods, delivering bad goods, or narcing to the authorities. However, there appears to be no follow-through on those threats, and at least one federal agent was able to infiltrate and therefore expose the group.
By hiring virus writers, carders can use the infected computers worldwide to harvest credit card information from that PC or from other computers on a network. I've written before about the suspected influence of money in the virus-writing community, but this appears to be the first tangible link.
Yet the disruption of one or more underground botnet communities may be an even bigger coup for authorities.
Botnets for the asking
F-Secure reports that Essebar has been linked to 0x90-Team, a gathering site for botnet advice, whose Web site was first defaced, then completely taken offline shortly after the arrests were made public. Mytob and Zotob race from infected PC to infected PC, opening back doors for remote operators to download spyware or other malicious software. Bragging rights for whoever had remote control of the most "zombie" computers used to be enough; now, such botnets fetch top dollar on underground Web sites. Spammers and identity thieves are thought to use botnets to conduct their businesses.
The Register, in the United Kingdom, reports scattered information that a second botnet group, m00p, may have released rival worms, IRCbot and Bozori, designed to remove infections caused by Zotob and Rbot. If the pending arrests are related to 0x90-Team and m00p, as some security researchers have speculated, then a major source of today's new viral activity should be eliminated--though future arrests won't necessarily mean the end of computer viruses and worms.
A silver lining, perhaps
Still, this is progress. Where we often don't understand the motivations of a single virus writer working alone, we do understand crime syndicates, and both the carder groups and the botnets function similarly. I remain hopeful that the infusion of money into the worm-writing, card-stealing, and botnet-creating community will start to expose and unravel these Internet crime syndicates. Large groups can be infiltrated, and money--even e-cash--can be traced. The relative inexperience of these new cybergangs may, in the end, be their own undoing.
Do these recent Zotob/Rbot arrests make you feel more or less confident that cybercriminals will be held accountable for their actions? Talk back to me.