Among the targets reported to have major outbreaks on Aug. 15, 2005, were Daimler Chrysler, ABC News, CNN, The New York Times, the U.S. Senate, the Centers for Disease Control and Prevention, and Immigration and Customs Enforcement. Affected computers typically got into a cycle where they rebooted constantly, spread the malware to other computers on the network, then provided remote access to infected computers to a bot herder. The Zotob variant spread rapidly, taking advantage of unpatched Windows computers using a vulnerability disclosed only days earlier.
Essebar also fell prey to the braggadocio bug, a common ailment. When University of Pennsylvania security researcher David Taylor deliberately infected a computer with Zotob, and stumbled into one of Essebar's botnet IRC channels, he struck up a conversation with him. Surprisingly, Essebar responded, gloating that he earned substantial sums using his bot to install adware on infected computers.
But within seven days, the FBI, working in concert with local law enforcement and Microsoft employees, sent teams of computer experts to Rabat, Morocco, and Ankara, Turkey. On Aug. 25, less than two weeks after the outbreak began, authorities arrested Essebar, as well as then-20-year-old Achraf Bahloul in Rabat. The team in Ankara paid a visit to, and arrested, then-21-year-old Atilla "Coder" Ekici, alleging that he paid Essebar to write the Zotob variant. A bit more than a year after the initial arrest, Moroccan authorities convicted Essebar of illegal access to computer systems, theft, credit card fraud, and conspiracy, and sentenced him to two years in prison.
Authorities were able to clearly identify Essebar as the author of the worm; not only had he signed it with the words "by Diabl0" buried in the source code, but he'd written the worm using Microsoft's Visual Studio, which embeds information about the computer on which the code is written into the compiled program -- in this case, the directory path "C:\Documents and Settings\Farid." D'oh!
When Moroccan cops seized his computer, Essebar had formatted the hard drive. Forensic specialists helped recover the source code, which had not been completely wiped clean from the drive. In contrast, Turkish authorities had a more difficult time establishing evidence against Ekici because he'd physically removed and thrown out his hard drive days earlier.
If you don't want to draw attention to yourself, avoid targeting major media organizations with your poorly designed malware attacks. Always throw out your hard drive that contains all the source code and evidence of your criminal malware creations before the cops arrive. Name your account on your malware creation computer something innocuous, like "user." Also, neither Turkish nor Moroccan prisons are places you want to be. Ever.
[ Stupid juvy hacker home | Stupid juvy hacker trick No. 2: When the DDoS ain't stoppin' expect the cops to come knockin' ]
When the DDoS ain't stoppin' expect the cops to come knockin'
Ivan Maksakov, Alexander Petrov, and Denis Stepanov
All three are guests of the Russian penal system, sentenced to eight years at hard labor and a 100,000 ruble fine