boston.com Business your connection to The Boston Globe

Moroccan, Turk arrested in computer worm attack

Microsoft joined FBI in software sleuthing

Two men, one living in Turkey and the other in Morocco, have been arrested on suspicion of unleashing the Zotob and Mytob computer worms that wrought havoc on computer networks worldwide in the past two weeks.

Turkish police on Thursday arrested Atilla Ekici, 21, while Moroccan authorities apprehended 18-year-old Farid Essebar. They acted on information supplied by computer crime specialists at the FBI and Microsoft Corp., maker of the Windows 2000 software attacked by the worms.

Louis M. Reigel III, assistant director of the FBI's cybercrime division, said the investigations "were successful because of our international relationships, particularly with Turkey and Morocco, and because of significant assistance from Microsoft." Brad Smith, Microsoft's general counsel, said his company used a team of specialists to disassemble the worms, analyze their contents, then trace them to their source. "Our entire industry, especially in partnership with law enforcement, is able to move more quickly and in a more effective way than we were a few years ago," Smith said.

Reigel said the investigation began in March, when the Mytob worm was released, but progress was slow. "The investigation really took off when Zotob was released two weeks ago," he said.

Zotob exploited a security hole in Windows 2000. Infected machines automatically searched the Internet for other vulnerable machines, then infected them as well. That made Zotob much more virulent than Mytob, which is distributed through infected e-mail messages. The Zotob-infected machines' efforts to spread the worm caused computer system slowdowns and crashes at a host of major institutions in recent days, including the Massachusetts state government, CNN, and The New York Times.

Microsoft and FBI investigators found that Zotob contained much of the same underlying code as the Mytob worm. This helped them track it to its origin in Morocco. According to Reigel, Ekici, whose Internet nickname is Coder, hired Essebar -- code named Diabl0 -- to produce the worms. "The Moroccan was responsible . . . for writing the code," said Reigel. "The Moroccan has a financial relationship to the Turkish individual." Reigel said he didn't know whether Ekici and Essebar have ever met personally.

Machines infected by Zotob could be remotely controlled by criminals seeking to steal personal information or corporate secrets or to send out floods of junk e-mail. Reigel said he didn't know the motives of the two men, or whether they were part of a larger criminal conspiracy, but added that the investigation is ongoing.

Ekici and Essebar will be prosecuted in their home countries, but Reigel didn't know under what laws they'd be charged. "Both those countries' cybercrime laws are not as advanced as those in America," said Reigel. Microsoft's Smith said that if Turkish or Moroccan computer crime laws were inadequate, the men could probably be prosecuted under their countries' consumer protection statutes. Ekici could see the inside of a US jail, since America has an extradition treaty with Turkey, but no such treaty exists between the United States and Morocco.

Smith said that the quick arrest of the two suspects, and the worm's inability to infect the newer Windows XP software, prove that Microsoft is doing a better job of protecting its customers from rogue software. "The fact that this was able to have an impact on Windows 2000, but not Windows XP, shows the progress we've made in strengthening our software," Smith said.

But Gregg Mastoras, senior security analyst at antivirus software company Sophos Inc. in Lynnfield, said that the number of Windows viruses has increased by 50 percent over the past six months. Mastoras added that viruses and worms are becoming more dangerous, because today's virus writers are less likely to be mere vandals. Instead, many are professional criminals hoping to steal sensitive information or sell spam advertising. "Today's virus writer typically is part of organized crime," Mastoras said.

Hiawatha Bray can be reached at bray@globe.com.
