You got Rbot in Mytob, you Zlob
Perp
Farid "Diab10" Essebar
Status
Currently a guest of the Moroccan prison system. His prison sentence is scheduled to end later this year.
Dossier
In 2005, at the ripe old age of 18, Farid Essebar probably thought he was untouchable. Working with accomplices in his home country of Morocco and in Turkey, the Russian-born Essebar wrote and distributed the Mytob, Rbot, and Zotob bot malware. It infected thousands of computers at large corporations, U.S. government departments, and media companies, and it was built to log keystrokes and steal financial and personal data.
Among the targets reported to have major outbreaks on Aug. 15, 2005, were Daimler Chrysler, ABC News, CNN, The New York Times, the U.S. Senate, the Centers for Disease Control and Prevention, and Immigration and Customs Enforcement. Affected computers typically fell into a cycle: they rebooted constantly, spread the malware to other machines on the network, and handed remote control of themselves to a bot herder. The Zotob variant spread rapidly because it exploited unpatched Windows computers through a vulnerability Microsoft had disclosed and patched only days earlier (MS05-039, a buffer overflow in the Windows Plug and Play service).
Essebar also fell prey to the braggadocio bug, a common ailment. University of Pennsylvania security researcher David Taylor deliberately infected a computer with Zotob, followed it into one of Essebar's botnet IRC channels, and struck up a conversation with the operator. Surprisingly, Essebar responded, gloating that he earned substantial sums by using his bot to install adware on infected computers.
But within seven days, the FBI, working in concert with local law enforcement and Microsoft employees, sent teams of computer experts to Rabat, Morocco, and Ankara, Turkey. On Aug. 25, less than two weeks after the outbreak began, authorities arrested Essebar, as well as then-20-year-old Achraf Bahloul, in Rabat. The team in Ankara paid a visit to, and arrested, then-21-year-old Atilla "Coder" Ekici, alleging that he had paid Essebar to write the Zotob variant. A bit more than a year after the initial arrest, a Moroccan court convicted Essebar of illegal access to computer systems, theft, credit card fraud, and conspiracy, and sentenced him to two years in prison.
Authorities were able to identify Essebar as the author of the worm with little difficulty. Not only had he signed it with the words "by Diabl0" buried in the source code, but he'd built it with Microsoft's Visual Studio, whose linker, in a default build, writes the absolute path of the program's debug-symbol (.pdb) file into the compiled executable. That path begins with the build directory, which in turn sits under the builder's user profile -- in this case, "C:\Documents and Settings\Farid." D'oh!
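That leaked build path is not magic; it lives in a well-known structure that any analyst can pull out of a sample in seconds. The following scanner is an added example written for this article, not code from the original page or from the investigation: it walks a blob of bytes looking for the two CodeView debug-record layouts Visual Studio's linker emits (the older NB10 record and the RSDS record used from Visual Studio .NET onward), decodes the GUID or timestamp, the age, and the NUL-terminated .pdb path, and then pulls a pre-Vista account name out of the path. The sample bytes, the path, the GUID, and the function names are all constructed for the demonstration.

```python
"""Scan a binary blob for Microsoft CodeView debug records (NB10 / RSDS) and
recover the embedded .pdb path, which normally contains the absolute build
directory and therefore the builder's user profile folder.

Added example for this article, not code from the original page. The sample
bytes below are constructed; they are not taken from any real binary.
"""
import re
import struct
import uuid


def find_pdb_records(data: bytes):
    """Return a list of dicts, one per CodeView record found in data.

    Record layouts (all integers little-endian, paths NUL-terminated 8-bit):
      NB10: b"NB10" | offset(u32) | timestamp(u32) | age(u32) | path\\0   (VC6)
      RSDS: b"RSDS" | GUID(16)    | age(u32)       | path\\0            (VS .NET+)
    """
    records = []
    for m in re.finditer(rb"NB10|RSDS", data):
        start = m.start()
        sig = m.group()
        if sig == b"RSDS":
            path_at = start + 4 + 16 + 4
            if path_at > len(data):
                continue  # signature too close to the end to be a record
            guid = uuid.UUID(bytes_le=data[start + 4:start + 20])
            (age,) = struct.unpack_from("<I", data, start + 20)
            ident = str(guid)
        else:
            path_at = start + 4 + 4 + 4 + 4
            if path_at > len(data):
                continue
            _offset, timestamp, age = struct.unpack_from("<III", data, start + 4)
            ident = f"timestamp=0x{timestamp:08x}"
        end = data.find(b"\x00", path_at)
        if end == -1:
            continue
        path = data[path_at:end]
        # Reject chance 4-byte collisions: a genuine record carries a printable path.
        if not path or not all(0x20 <= b < 0x7F for b in path):
            continue
        records.append({
            "offset": start,
            "format": sig.decode(),
            "id": ident,
            "age": age,
            "pdb_path": path.decode("ascii"),
        })
    return records


def leaked_user(pdb_path: str):
    """Return the account name from a pre-Vista profile path, or None."""
    m = re.match(r"(?i)^[a-z]:\\Documents and Settings\\([^\\]+)\\", pdb_path)
    return m.group(1) if m else None


# Constructed sample: filler bytes around one RSDS record, roughly as a scanner
# would see it inside an unpacked PE image. The trailing "RSDS\x01\x02" is a
# truncated collision that the parser must ignore.
SAMPLE_PDB_PATH = rb"C:\Documents and Settings\builder\My Documents\bot\Release\bot.pdb"
SAMPLE_RSDS = (
    b"MZ" + b"\x90" * 60
    + b"RSDS"
    + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    + struct.pack("<I", 3)
    + SAMPLE_PDB_PATH + b"\x00"
    + b"\x00" * 40
    + b"RSDS\x01\x02"
)

# Constructed sample of the older VC6-era layout.
SAMPLE_NB10 = b"NB10" + struct.pack("<III", 0, 0x42E6A1B0, 1) + rb"C:\proj\x.pdb" + b"\x00"

if __name__ == "__main__":
    for blob in (SAMPLE_RSDS, SAMPLE_NB10):
        for rec in find_pdb_records(blob):
            print(rec, "->", leaked_user(rec["pdb_path"]))
```

Defenders use exactly this record (GUID plus age plus path) to cluster samples from the same build machine across a campaign; the same field is why responders treat the .pdb path as one of the first things to read in a fresh sample. It is also trivially avoidable: an executable linked without debug information carries no record at all.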
By the time Moroccan police seized his computer, Essebar had formatted the hard drive. That bought him little: a format rewrites the file-system structures but leaves most of the underlying data blocks in place, and forensic specialists recovered the source code from the drive. In contrast, Turkish authorities had a harder time establishing evidence against Ekici, because he had physically removed his hard drive and thrown it out days earlier.
Lessons learned
If you don't want to draw attention to yourself, avoid targeting major media organizations with your poorly designed malware attacks. Always throw out the hard drive that contains all the source code and evidence of your criminal malware creations before the cops arrive. Name your account on your malware creation computer something innocuous, like "user." Also, neither Turkish nor Moroccan prisons are places you want to be. Ever.
Andrew Brandt writes about computer security when he's not analyzing malware at his day job.