To: ILCUL8R who wrote (47503)8/29/2005 1:47:26 PM
From: Hope Praytochange  Read Replies (1) of 110626
 
Brian Krebs on Computer Security
Posted at 12:20 PM ET, 08/29/2005
Conversation With a Worm Author
A couple of weeks ago, I wrote about an increasing number of hackers making money by using large groupings of hacked home computers -- or "bots" -- as massive install bases for spyware and adware, gleaning a commission for each piece of spyware planted on the infected computers.

Last week, with the arrest of two men thought to be responsible for unleashing the destructive Zotob, Mytob and Rbot families of computer worms, it came to light that investigators believe these guys were somehow making money off of their creations. Officials at the FBI and Microsoft said evidence indicates that Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker "Diabl0," developed the worms for sale to Atilla Ekici, aka "Coder," a 21-year-old citizen of Turkey.

The story I reported last week said Moroccan officials believe the two men are linked to a credit card fraud ring. Now another source claims to have had contact with Diabl0 a month before his arrest, and in their conversation Essebar claimed he was using the worm to infect computers with spyware and adware.

David Taylor, a senior information security specialist at the University of Pennsylvania in Philadelphia, said he received a version of the Mytob virus as an e-mail attachment in the first week of June. Mytob configures infected computers to connect to an Internet relay chat (IRC) server controlled by the author of its particular variant. Once an infected machine connects to the IRC channel, the hacker can update it with additional software, often spyware.

Taylor decided to infect one of his test computers with the worm so that he could follow the computer to the Internet server it was instructed to visit, with the hope of locating any other University of Pennsylvania computers that may have been infected and directed to connect to the same channel.

Finding none, Taylor invited the channel's controller to an online chat. To his surprise, a person using the online screen name "Diabl0" answered, and the two struck up a conversation. Below are a few snippets of that conversation, which Taylor said indicated to him that Diabl0 was making money off his creations.

The transcript of the conversation has been edited slightly for flow. Also, in the original chat, Taylor was referred to as "[msg(DiablO)]," but that has been changed below to "Taylor" to avoid confusion:

[DiablO(DiablO@elite)] wht u think about this new worm? :o

[Taylor] it is pretty good...the variables using the domain from email and then adding the 'www' in front is good. i would imagine you will get a lot of bots

[DiablO(DiablO@elite)] soon adding logo of domaine :p

[Taylor] really? how are you going to do that?

[DiablO(DiablO@elite)] yes

[Taylor] that would be interesting...just curious how you could do that...would be hard

[DiablO(DiablO@elite)] i got more than 200 complaints in last dedicated server :p. i guess u too sent complaints

[Taylor] they are probably not going to send you any christmas presents. it is hard work cleaning up after getting infected with a worm like this. it costs money

[DiablO(DiablO@elite)] no very easy. that worm spread only for money

[Taylor] you should think about joining the other side of this...lots of fun fighting hackers...the thrill is even better. so, do you get paid for the 'click'?

[DiablO(DiablO@elite)] no

[Taylor] how you make money then? i am confused...curious

[DiablO(DiablO@elite)] it low setting of ie. so no need for click. ratio of install is 1:1

Taylor said that what Diabl0 meant by the last part of the conversation is that his worm was lowering the security settings of Microsoft's Internet Explorer browser so that pop-up advertisements served by the adware and spyware planted on infected machines would not be blocked.

"He says it's all about making money, and that he doesn't care if people remove the worm because it's the spyware stuff that he installs that's making him the money," Taylor said in a conversation with me.
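As a worked illustration of the hunting step Taylor describes above, letting a test machine join the bot's IRC channel and then looking for other campus hosts that connect to the same place, here is an added Python example; it is not part of Krebs's post and not Taylor's tooling. It runs over constructed network-sensor log lines (the log format, the addresses, the server, the channel name and the machine-generated nick shape are all assumptions made for the example), reports the C2 server and channel the known-infected host JOINed, and lists every other internal host that JOINed it.

```python
"""Correlate IRC command-and-control traffic seen by a network sensor.

Added example (not from the original post). Given one host known to be
infected, find the IRC server and channel it reported to, then list every
other internal host that joined the same channel on the same server.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sensor log, not real traffic. Each line: timestamp, internal
# source, external destination, and the raw IRC command the client sent.
SAMPLE_LOG = """\
2005-06-02T10:01:03 10.20.4.17:1043 -> 203.0.113.9:6667 NICK [USA|XP|12345]
2005-06-02T10:01:03 10.20.4.17:1043 -> 203.0.113.9:6667 USER xp 0 * :xp
2005-06-02T10:01:04 10.20.4.17:1043 -> 203.0.113.9:6667 JOIN #elite secretkey
2005-06-02T10:02:11 10.20.7.88:2201 -> 198.51.100.5:6667 JOIN #linuxhelp
2005-06-02T10:03:40 10.20.9.5:1111 -> 203.0.113.9:6667 NICK [DEU|XP|98765]
2005-06-02T10:03:41 10.20.9.5:1111 -> 203.0.113.9:6667 JOIN #elite secretkey
2005-06-02T10:05:02 10.20.4.17:1043 -> 203.0.113.9:6667 PRIVMSG #elite :[DOWNLOAD]: Downloading URL
2005-06-02T10:07:19 10.20.12.40:3333 -> 203.0.113.9:6667 JOIN #elite secretkey
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<irc>.+)$"
)
# Assumed shape of a bot-generated nick, e.g. [USA|XP|12345]; a weak secondary signal only.
BOT_NICK_RE = re.compile(r"^\[[A-Z]{2,3}\|[A-Za-z0-9]+\|\d+\]$")

Event = Dict[str, object]
Channel = Tuple[str, int, str]  # (server ip, server port, channel name)


def _ip_key(ip: str) -> Tuple[int, ...]:
    """Sort key so 10.20.9.5 comes before 10.20.12.40."""
    return tuple(int(o) for o in ip.split("."))


def _first_param(params: str) -> str:
    """First IRC parameter (for JOIN: the channel, without any channel key)."""
    parts = params.split()
    return parts[0] if parts else ""


def parse_sensor_log(text: str) -> List[Event]:
    """Turn sensor lines into events; the IRC command is split into verb + params."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything not in the expected shape rather than crash
        verb, _, params = m.group("irc").partition(" ")
        events.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "verb": verb.upper(),
            "params": params,
        })
    return events


def find_c2_channel(events: List[Event], infected_host: str) -> Optional[Channel]:
    """Server and channel the known-infected host JOINed (first JOIN wins)."""
    for e in events:
        if e["src"] == infected_host and e["verb"] == "JOIN":
            return (str(e["dst"]), int(e["dport"]), _first_param(str(e["params"])))
    return None


def other_hosts_in_channel(events: List[Event], channel: Channel, exclude: str) -> List[str]:
    """Every other internal host that JOINed the same channel on the same server."""
    server, port, name = channel
    hosts = {
        str(e["src"]) for e in events
        if e["verb"] == "JOIN" and e["dst"] == server and e["dport"] == port
        and _first_param(str(e["params"])) == name and e["src"] != exclude
    }
    return sorted(hosts, key=_ip_key)


def bot_like_nicks(events: List[Event]) -> List[str]:
    """Hosts whose NICK matches the machine-generated pattern above."""
    hosts = {str(e["src"]) for e in events
             if e["verb"] == "NICK" and BOT_NICK_RE.match(str(e["params"]))}
    return sorted(hosts, key=_ip_key)


if __name__ == "__main__":
    ev = parse_sensor_log(SAMPLE_LOG)
    c2 = find_c2_channel(ev, "10.20.4.17")
    print("C2 server/channel of test host:", c2)
    if c2:
        print("other hosts in that channel:", other_hosts_in_channel(ev, c2, exclude="10.20.4.17"))
    print("hosts with bot-like nicks:", bot_like_nicks(ev))
```

The JOIN correlation is the strong signal: it ties hosts to the same server, port and channel the test machine was told to visit. The nick pattern is kept separate because it is only a heuristic and would miss a variant that changed its nick format.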
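The last exchange turns on the worm loosening Internet Explorer's security settings so the installed adware's pop-ups get through. The Python below is an added example, not code from the post, that checks an exported Internet-zone registry key (the text that `reg export` writes for `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`) against a hardened baseline and writes out a .reg file that restores it. The value names are Microsoft's documented URL-action identifiers for IE zones; the sample export, the baseline, and the choice of which actions to watch are assumptions made for this example.

```python
"""Find weakened Internet Explorer zone settings in a `reg export` file.

Added example (not from the original post). Works on the Internet zone
(Zones\\3). Value meaning for each URL action: 0 = enable, 1 = prompt,
3 = disable. For most actions "enable" is the permissive state; for the
pop-up blocker (1809) "enable" is the secure state, so it is compared the
other way round.
"""
import re
from typing import Dict, Tuple

ENABLE, PROMPT, DISABLE = 0, 1, 3

# Microsoft's documented URL-action identifiers for the zone keys.
ZONE_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
    "1809": "Use Pop-up Blocker",
}
# Actions where 0 (enable) is the SECURE state rather than the permissive one.
ENABLE_IS_SECURE = {"1809"}

# Assumed hardened baseline for the Internet zone (example policy, not Microsoft's default).
BASELINE = {
    "1001": PROMPT, "1004": DISABLE, "1200": ENABLE,
    "1201": DISABLE, "1400": ENABLE, "1809": ENABLE,
}

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Constructed export of a zone after its settings were loosened (pop-up blocker off,
# unsigned and unsafe ActiveX allowed). `reg export` writes UTF-16LE; decode before parsing.
WEAKENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00000000
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1400"=dword:00000000
"1809"=dword:00000003
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> Dict[str, int]:
    """Collect the DWORD values of the export as {name: int}; strings are ignored."""
    values: Dict[str, int] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def find_weakened(values: Dict[str, int], baseline: Dict[str, int] = BASELINE
                  ) -> Dict[str, Tuple[str, int, int]]:
    """Return {action: (description, actual, expected)} for every action more permissive than baseline."""
    findings = {}
    for name, expected in baseline.items():
        actual = values.get(name)
        if actual is None:
            continue  # absent value: the zone inherits its template; nothing to compare
        if name in ENABLE_IS_SECURE:
            weakened = actual > expected   # blocker disabled (3) when it should be enabled (0)
        else:
            weakened = actual < expected   # e.g. 0 (enable) where baseline says 3 (disable)
        if weakened:
            findings[name] = (ZONE_ACTIONS[name], actual, expected)
    return findings


def hardened_export(baseline: Dict[str, int] = BASELINE) -> str:
    """A .reg file that restores the baseline; import with `reg import` (or regedit)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for name in sorted(baseline):
        lines.append(f'"{name}"=dword:{baseline[name]:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for action, (desc, actual, expected) in find_weakened(parse_reg_export(WEAKENED_EXPORT)).items():
        print(f"{action} {desc}: is {actual}, baseline {expected}")
    print(hardened_export())
```

The reversed comparison for 1809 is the point worth remembering: a check that treats "0 is permissive" uniformly would report the disabled pop-up blocker as fine, which is exactly the setting the adware business model depends on.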