Conversation With a Worm Author
A couple of weeks ago, I wrote about an increasing number of hackers making money by using large groupings of hacked home computers -- or "bots" -- as massive install bases for spyware and adware, gleaning a commission for each piece of spyware planted on the infected computers.
Last week, with the arrest of two men thought to be responsible for unleashing the destructive Zotob, Mytob and Rbot family of computer worms, it came to light that investigators believe these guys were somehow making money off of their creations. Officials at the FBI and Microsoft said evidence indicates that Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker "Diabl0," developed the worms for sale to Atilla Ekici, aka "Coder," a 21-year-old citizen of Turkey.
The story I reported last week said Moroccan officials believe the two men are linked to a credit card fraud ring. Now another source claims to have had contact with Diabl0 a month before his arrest, and in their conversation Essebar claimed he was using the worm to infect computers with spyware and adware.
David Taylor, a senior information security specialist at the University of Pennsylvania in Philadelphia, said he received a version of the Mytob virus as an e-mail attachment in the first week of June. Mytob configures infected computers to connect to an Internet relay chat (IRC) server controlled by the author of its particular variant. Once an infected machine connects to the IRC channel, the hacker can update it with additional software, often spyware.
Taylor decided to infect one of his test computers with the worm so that he could follow the computer to the Internet server it was instructed to visit, with the hope of locating any other University of Pennsylvania computers that may have been infected and directed to connect to the same channel.
Finding none, Taylor invited the channel's controller to an online chat. To his surprise, a person using the online screen name "Diabl0" answered, and the two struck up a conversation. Below are a few snippets of that conversation, which Taylor said indicated to him that Diabl0 was making money off his creations.
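Taylor's approach, following the sandboxed bot to its IRC server and then looking for other campus hosts talking to the same server, can be automated against perimeter logs. The example below is added here and is not Taylor's or the article's code; it runs over a constructed firewall log in a hypothetical key=value format, uses documentation addresses (10.0.0.0/8 as the campus range, 203.0.113.45 as the observed IRC server) and takes port 6667 as an assumption since the article does not state the port. The second function generalises the idea: it flags any external endpoint on the IRC port that several internal hosts share, which surfaces a C&C server even before one bot has been followed to it.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample firewall log (hypothetical format, not a real product's output).
# 203.0.113.45:6667 stands in for the IRC server the sandboxed bot was seen connecting to;
# 10.20.1.23 is the test machine itself, so it shows up among the peers as well.
SAMPLE_LOG = """\
2005-06-07T09:12:01 src=10.20.1.23 dst=203.0.113.45 dport=6667 action=allow
2005-06-07T09:12:05 src=10.20.1.23 dst=203.0.113.45 dport=6667 action=allow
2005-06-07T09:13:44 src=10.20.4.8 dst=203.0.113.45 dport=6667 action=allow
2005-06-07T09:14:02 src=10.20.1.23 dst=198.51.100.80 dport=80 action=allow
2005-06-07T09:15:30 src=10.20.7.201 dst=203.0.113.45 dport=6667 action=allow
2005-06-07T09:16:11 src=10.20.4.8 dst=203.0.113.45 dport=6667 action=allow
2005-06-07T09:17:09 src=10.20.5.5 dst=198.51.100.7 dport=6667 action=allow
2005-06-07T09:18:40 src=10.20.9.9 dst=198.51.100.7 dport=6667 action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
INTERNAL = ip_network("10.0.0.0/8")  # constructed campus range for the example

def parse_log(text):
    """Yield (src, dst, dport) for each line that matches the expected fields; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def find_peers(text, c2_ip, c2_port):
    """Internal hosts that contacted the C&C endpoint the sandboxed bot was followed to."""
    peers = set()
    for src, dst, dport in parse_log(text):
        if dst == c2_ip and dport == c2_port and ip_address(src) in INTERNAL:
            peers.add(src)
    return sorted(peers, key=ip_address)

def fan_in_by_server(text, port, min_hosts=2):
    """Generalisation: every external endpoint on `port` shared by at least `min_hosts` internal hosts."""
    seen = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport == port and ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            seen[(dst, dport)].add(src)
    return {k: sorted(v, key=ip_address) for k, v in seen.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    print("hosts talking to the known C&C:", find_peers(SAMPLE_LOG, "203.0.113.45", 6667))
    print("shared IRC endpoints:", fan_in_by_server(SAMPLE_LOG, 6667))
```

Hosts returned by `find_peers` other than the test machine are the candidates Taylor was hoping to find; `fan_in_by_server` also surfaces the second endpoint (198.51.100.7) that no bot was followed to.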
The transcript of the conversation has been edited slightly for flow. Also, in the original chat, Taylor was referred to as "[msg(DiablO)]," but that has been changed below to "Taylor" to avoid confusion:
[DiablO(DiablO@elite)] wht u think about this new worm? :o
[Taylor] it is pretty good...the variables using the domain from email and then adding the 'www' in front is good. i would imagine you will get a lot of bots
[DiablO(DiablO@elite)] soon adding logo of domaine :p
[Taylor] really? how are you going to do that?
[Taylor] that would be interesting...just curious how you could do that...would be hard
[DiablO(DiablO@elite)] i got more than 200 complaints in last dedicated server :p. i guess u too sent complaints
[Taylor] they are probably not going to send you any christmas presents. it is hard work cleaning up after getting infected with a worm like this. it costs money
[DiablO(DiablO@elite)] no very easy. that worm spread only for money
[Taylor] you should think about joining the other side of this...lots of fun fighting hackers...the thrill is even better. so, do you get paid for the 'click'?
[Taylor] how you make money then? i am confused...curious
[DiablO(DiablO@elite)] it low setting of ie. so no need for click. ratio of install is 1:1. we dont care if user removed worm
[Taylor] oh, ok...that malware...toolbar thing!! i understand now
Taylor's reading of the last part of the conversation is that Diabl0's worm was lowering the security settings of Microsoft's Internet Explorer browser so that pop-up advertisements served by the adware and spyware planted on infected machines would not be blocked.
"He says it's all about making money, and that he doesn't care if people remove the worm because it's the spyware stuff that he installs that's making him the money," Taylor said in a conversation with me.
August 29, 2005; 12:20 PM ET