
Conversation With a Worm Author

A couple of weeks ago, I wrote about an increasing number of hackers making money by using large groupings of hacked home computers -- or "bots" -- as massive install bases for spyware and adware, gleaning a commission for each piece of spyware planted on the infected computers.

Last week, with the arrest of two men thought to be responsible for unleashing the destructive Zotob, Mytob and Rbot family of computer worms, it came to light that investigators believe these guys were somehow making money off of their creations. Officials at the FBI and Microsoft said evidence indicates that Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker "Diabl0," developed the worms for sale to Atilla Ekici, aka "Coder," a 21-year-old citizen of Turkey.

The story I reported last week said Moroccan officials believe the two men are linked to a credit card fraud ring. Now another source claims to have had contact with Diabl0 a month before his arrest, and in their conversation Essebar claimed he was using the worm to infect computers with spyware and adware.

David Taylor, a senior information security specialist at the University of Pennsylvania in Philadelphia, said he received a version of the Mytob virus as an e-mail attachment in the first week of June. Mytob configures infected computers to connect to an Internet relay chat (IRC) server controlled by the author of its particular variant. Once an infected machine connects to the IRC channel, the hacker can update it with additional software, often spyware.

Taylor decided to infect one of his test computers with the worm so that he could follow the computer to the Internet server it was instructed to visit, with the hope of locating any other University of Pennsylvania computers that may have been infected and directed to connect to the same channel.

Finding none, Taylor invited the channel's controller to an online chat. To his surprise, a person using the online screen name "Diabl0" answered, and the two struck up a conversation. Below are a few snippets of that conversation, which Taylor said indicated to him that Diabl0 was making money off his creations.
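Taylor's approach above, following a deliberately infected sentinel host to its IRC server and then looking for other campus machines that reach the same endpoint, is the kind of check that can be run over connection logs. The Python below is an added example, not code from the article or from Taylor; it works on constructed flow records (timestamp, source, destination, destination port, protocol) and assumes a sentinel address, a local address range, and the conventional IRC port range 6660-6669 as the filter for which of the sentinel's destinations count as the command channel.

```python
import ipaddress
from collections import defaultdict

# Constructed connection records (not from the article): "timestamp src dst dport proto".
# 10.20.1.15 is the deliberately infected sentinel; 198.51.100.7:6667 plays the IRC server.
SAMPLE_FLOWS = """\
2005-06-03T10:01:12 10.20.1.15 198.51.100.7 6667 tcp
2005-06-03T10:01:13 10.20.1.15 203.0.113.9 80 tcp
2005-06-03T10:02:40 10.20.7.33 198.51.100.7 6667 tcp
2005-06-03T10:02:41 10.20.7.33 203.0.113.9 80 tcp
2005-06-03T10:03:05 10.20.9.8 198.51.100.7 6667 tcp
2005-06-03T10:03:06 172.16.4.2 198.51.100.7 6667 tcp
2005-06-03T10:04:00 10.20.1.99 203.0.113.9 80 tcp
this line is malformed and must be skipped
"""

IRC_PORTS = range(6660, 6670)  # conventional IRC ports; an assumption, not from the article


def parse_flows(text):
    """Parse whitespace-separated flow lines into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip partial or malformed records instead of failing the whole run
        ts, src, dst, dport, proto = parts
        try:
            flows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(dport), proto.lower()))
        except ValueError:
            continue  # unparsable address or port
    return flows


def c2_endpoints_of(flows, sentinel, ports=IRC_PORTS):
    """Endpoints (dst, dport) the sentinel contacted; limited to `ports` unless ports is None."""
    sentinel_ip = ipaddress.ip_address(sentinel)
    return {
        (str(dst), dport)
        for _, src, dst, dport, proto in flows
        if src == sentinel_ip and proto == "tcp" and (ports is None or dport in ports)
    }


def find_peers(flows, sentinel, local_nets, ports=IRC_PORTS):
    """Map each endpoint learned from the sentinel to the other local hosts that reached it."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    sentinel_ip = ipaddress.ip_address(sentinel)
    endpoints = c2_endpoints_of(flows, sentinel, ports)
    peers = defaultdict(set)
    for _, src, dst, dport, _proto in flows:
        if (str(dst), dport) not in endpoints or src == sentinel_ip:
            continue
        if any(src in net for net in nets):  # only report hosts we are responsible for
            peers[f"{dst}:{dport}"].add(str(src))
    return {endpoint: sorted(hosts) for endpoint, hosts in peers.items()}


if __name__ == "__main__":
    results = find_peers(parse_flows(SAMPLE_FLOWS), "10.20.1.15", ["10.20.0.0/16"])
    for endpoint, hosts in results.items():
        print(f"{endpoint}: {', '.join(hosts)}")
```

Restricting the sentinel's destinations to IRC ports keeps the shared web server at 203.0.113.9 out of the result; a command channel on an unusual port would be missed that way, and passing `ports=None` instead reports every shared destination, which in practice then needs a known-good allow list subtracted from it.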

The transcript of the conversation has been edited slightly for flow. Also, in the original chat, Taylor was referred to as "[msg(DiablO)]," but that has been changed below to "Taylor" to avoid confusion:

[DiablO(DiablO@elite)] wht u think about this new worm? :o

[Taylor] it is pretty good...the variables using the domain from email and then adding the 'www' in front is good. i would imagine you will get a lot of bots

[DiablO(DiablO@elite)] soon adding logo of domaine :p

[Taylor] really? how are you going to do that?

[DiablO(DiablO@elite)] yes

[Taylor] that would be interesting...just curious how you could do that...would be hard

[DiablO(DiablO@elite)] i got more than 200 complaints in last dedicated server :p. i guess u too sent complaints

[Taylor] they are probably not going to send you any christmas presents. it is hard work cleaning up after getting infected with a worm like this. it costs money

[DiablO(DiablO@elite)] no very easy. that worm spread only for money

[Taylor] you should think about joining the other side of this...lots of fun fighting hackers...the thrill is even better. so, do you get paid for the 'click'?

[DiablO(DiablO@elite)] no

[Taylor] how you make money then? i am confused...curious

[DiablO(DiablO@elite)] it low setting of ie. so no need for click. ratio of install is 1:1. we dont care if user removed worm

[Taylor] oh, ok...that malware...toolbar thing!! i understand now

[DiablO(DiablO@elite)] ;)

Taylor's reading of the last part of the conversation is that Diabl0's worm was lowering the security settings of Microsoft's Internet Explorer browser so that pop-up advertisements served by the adware and spyware planted on infected machines would not be blocked.
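The "low setting of IE" that Diabl0 describes shows up on an infected machine as weakened values under the Internet Explorer Internet-zone registry key. The Python below is an added example, not code from the article or from Taylor: it audits an exported copy of that key against an expected baseline and reports every setting that is more permissive than policy. The registry path and the action ids (1001, 1004, 1201, 1400, 1809) are Microsoft's documented zone settings; the baseline values and the sample .reg export are constructed for the example.

```python
import re

# Registry key whose values define the Internet zone (zone 3) for the current user.
INTERNET_ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Action ids documented by Microsoft for IE security zones. Values: 0 = enable, 1 = prompt, 3 = disable.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
    "1809": "Use Pop-up Blocker",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3

# For most actions a lower value is more permissive; for these, "enable" is the protective setting.
PROTECTIVE_ACTIONS = {"1809"}

# Expected Internet-zone baseline (an assumed organizational policy, not from the article).
BASELINE = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE, "1400": ENABLE, "1809": ENABLE}

# Constructed .reg export of a loosened zone: ActiveX downloads allowed, pop-up blocker switched off.
SAMPLE_REG_EXPORT = f"""Windows Registry Editor Version 5.00

[{INTERNET_ZONE_KEY}]
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"1809"=dword:00000003
"""

_DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {value_name: int} for the DWORD values in a .reg export (other value types are ignored)."""
    values = {}
    for line in text.splitlines():
        m = _DWORD_LINE.match(line.strip())
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def is_weaker(action, actual, expected):
    """True when `actual` is more permissive than `expected` for this action id."""
    if action in PROTECTIVE_ACTIONS:
        return actual > expected   # e.g. pop-up blocker moved from enable (0) to disable (3)
    return actual < expected       # e.g. unsigned ActiveX moved from disable (3) to enable (0)


def audit_zone(values, baseline=BASELINE):
    """List every baseline action whose exported value is weaker than expected, sorted by action id."""
    findings = []
    for action in sorted(baseline):
        if action not in values:
            continue  # value not present in this export: nothing to compare
        actual, expected = values[action], baseline[action]
        if is_weaker(action, actual, expected):
            findings.append({
                "action": action,
                "setting": ACTIONS.get(action, "unknown action"),
                "expected": expected,
                "actual": actual,
            })
    return findings


if __name__ == "__main__":
    for f in audit_zone(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f'{f["action"]} {f["setting"]}: expected {f["expected"]}, found {f["actual"]}')
```

The comparison is deliberately directional rather than a plain equality check: a zone that is stricter than the baseline is not a finding, while the one setting whose "enable" value is protective (the pop-up blocker) is flagged when it has been turned off, which is exactly the change that lets the planted adware's pop-ups through.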

"He says it's all about making money, and that he doesn't care if people remove the worm because it's the spyware stuff that he installs that's making him the money," Taylor said in a conversation with me.

By Brian Krebs  |  August 29, 2005; 12:20 PM ET
Categories:  Fraud  

Comments

I'm a little bit surprised you chose to reveal the name and location of the person who provided the chat transcript. That seems to be inviting reprisals.

Posted by: aye non | August 29, 2005 12:58 PM | Report abuse

That is entirely up to the source in cases like this. In this particular case, the source said he had no problem with it.

Posted by: Brian Krebs | August 29, 2005 1:00 PM | Report abuse

Do you think people like him, who purposely infect their machine, care about reprisals? Bring it on people.

Posted by: JT | August 29, 2005 7:28 PM | Report abuse

well, he is a security specialist. ;) let him worry about possible reprisals...

Posted by: kl3rk | August 29, 2005 7:45 PM | Report abuse

I did give Brian permission to use my name and affiliation. Thanks Brian.

The machine that I intentionally infected was in a controlled environment: VMware with a Windows-based operating system as the guest. All traffic is fed through snort_inline and iptables to prevent the system from attacking other hosts. I was watching. :)

I have heard some feedback on reprisals for this action but I think it is important to take a stand on this issue. Part of what makes EDUs so attractive to hackers is the fact that most of them will simply clean the mess up and call it a day.

Posted by: David Taylor | August 29, 2005 8:28 PM | Report abuse

Hasn't he been indicted? If so there isn't much he can do.

Posted by: pielover87 | August 29, 2005 10:52 PM | Report abuse

Hackers should receive the same punishment that Singapore gives to drug traffickers.
At the very least those two should be given stiff prison sentences and large fines triple the damage their weapons caused. These are criminals, not misguided children. The sooner we stop coddling hackers with "probation and community service," the sooner we will send these electronic thugs a very simple message:
You hit us, we hit you harder.

If you think this sounds overly harsh, consider the recent "E-Queda" series by the Post. Al-Qaeda already makes full use of online tools to plan, coordinate, and carry out terrorist attacks. Will the next attack incorporate a massive worm or DDoS assault? How many hackers have been recruited by Osama?

First it was just boot viruses and dead C drives. Next, spam arrived. Now, spyware and malware aimed at stealing your money. What's next, a worm that cripples the local 911 dispatch center prior to a bombing?

Posted by: Ken | August 30, 2005 1:13 AM | Report abuse

What else would they do it for? To get laid?

Posted by: S.R. Prozak | August 30, 2005 1:26 AM | Report abuse

People (Internet Explorer users) should really wise up about which browser they use. Really, of all the browsers to go onto the internet with, so many people use the worst one out there. Anyone who gets any worms, viruses, etc., while using IE really deserves it.

Posted by: K.A. | August 30, 2005 2:50 AM | Report abuse

As an afterthought post, here is a much better alternative to Internet Explorer. Reliable, faster, customizable, and more resistant to what you might catch while browsing. Mozilla Firefox, in the opinion of thousands, as well as my own, makes Internet Explorer look like nothing.

http://www.mozilla.org/products/firefox/

Posted by: K.A. | August 30, 2005 2:57 AM | Report abuse

Using Windows over Linux to play around and get in touch with evil hackers is a good way to find new friends ;)
Just kidding. Anyway, I think that the Linux community could help more people to move from M$ solutions if everyone was contributing this way: just get a raw file containing a minimal and completely unpatched M$ operating system and let it run with VMware without any port filtering.
The problem is not hackers, it is the OS and its default permissive configuration. If you buy a house with no door, do not complain about being burgled all the time.

Posted by: Duke | August 30, 2005 4:05 AM | Report abuse

The law should be common to all. Criminals, regardless of color, creed and religion, should be punished by the same extents of the law. Criminality and stupidity have no affiliations; they are universal.

Posted by: Zameer | August 30, 2005 7:45 AM | Report abuse

David Taylor. This comment is for you. Have you ever stolen a few bucks from your kitchen counter? Taken something from a store? Downloaded an mp3 from a p2p service? I am sure you understand where I am going with this. These are all illegal. At the same time, though, they have not ended someone's life, or caused someone bodily harm in any way, shape or form. For you to try and portray the two as the same thing is just ridiculous. Now, all of that being said, what is being done by hackers is illegal and should be dealt with according to the law. I agree with a lot of these sentences because, let's be honest, these are non-violent crimes.
Now in all of this I am surprised about one huge thing. Whose responsibility is it to make the operating system of a computer secure...the end user's? Or the company who created it? This is a huge question, mainly because there will always be people in every area who do things of questionable legality. The huge kicker online is that you can lock down your system like no other, but if your OS has a gaping hole left open for 4 generations, YOU'RE TOAST.

Just my two cents

LIFELESS!

Posted by: Lifeless! | August 30, 2005 7:52 AM | Report abuse

"I'm a little bit surprised you chose to reveal the name and location of the person who provided the chat transcript. That seems to be inviting reprisals"

http://www.mosnews.com/news/2005/08/15/kushnirinquiry.shtml

Reprise away.

Posted by: Lol McRotflmao | August 30, 2005 8:53 AM | Report abuse

Does anyone else get a creepy feeling that these two are from Morocco and Turkey...two countries with large populations that are sympathetic to terrorists?

We already know that terrorist groups use the internet to communicate. How long before they start using it for other purposes? Who is to say that Al Qaeda doesn't already have their own hackers writing viruses to collect data for credit card fraud and raising money by deploying adware for slimy, unscrupulous marketers?

Call me crazy, but I am beginning to think that maybe our dependency on buggy MS software might be more of a danger than anyone wants to admit. Could we be supporting terrorism against our own citizens by using MS products?

Let's face it. Our shortsightedness is probably our worst enemy. We foolishly deny that our silly fascination with oversized, gas-hogging cars funds terrorism. Could our choice in computer software be doing the same thing?

Posted by: No Comment | August 30, 2005 8:53 AM | Report abuse

This is the new face of newspapers?

Posted by: Anonymous | August 30, 2005 9:11 AM | Report abuse

Can the poster of the last comment please justify his claim of Turkey being a "country with large population that are sympathetic to terrorists"? Turkey had itself suffered from Islamist Al-Qaeda terrorism and its population is staunchly against such radical movements. It's really interesting how the seeds of fear sown by the Bush administration are taking root.

Posted by: IA | August 30, 2005 9:45 AM | Report abuse

The Moroccan DiablO is a hero of all time...

Posted by: said agourame | September 8, 2005 6:41 PM | Report abuse

We're a group of many people from the "EL BITAT" quarter of the city of Temara, Rabat, Morocco. DiablO is our friend; we're like one family. Of course he made a mistake, but we should be helpful and interested in a person like him. The Moroccan officials didn't know how to use those intelligent minds; there are many here.

Posted by: Mohamed, Said, kamal.. | September 8, 2005 6:59 PM | Report abuse


© 2010 The Washington Post Company