Zotob accomplices identified, but arrests may yet be forthcoming
Monterey (CA) - In a keynote speech during a meeting of the International High Technology Crime Investigation Association on Monday, FBI assistant director for the cyber division, Louis Reigel, reportedly remarked to the 650 gathered members that the FBI, in cooperation with Turkish authorities, had identified 16 new suspects in connection with the Zotob worm investigation.
Since that time, sources have reported all 16 suspects were actually arrested in Ankara, Turkey, although information available to the FBI, as well as Turkish press reports from Ankara and Istanbul, appears to contradict those stories.
One Turkish press source used an American Web site as the source for its story stating that the suspects were arrested, but added that it could not confirm that information locally.
Reigel’s remarks regarding the Zotob investigation were apparently brief, set within an otherwise policy-oriented speech. The Montgomery County Herald - which actually attended the conference - quotes Reigel as saying that cyber crime has become a growth industry, forcing law enforcement officials to come together more often and more quickly to exchange information. "It’s absolutely critical for keeping ahead of criminal activity and technology," the Herald quotes him as saying. "It’s absolutely essential to develop these relationships with each other so they can pick up the phone and contact somebody when they need to."
The Herald did not quote Reigel with regard to the Ankara matter.
Yesterday, Sophos senior security analyst Graham Cluley released a statement praising Reigel’s announcement and accurately describing it as pertaining to the identification of suspects. "Increasingly worms and viruses are being written to steal confidential data from innocent people’s computers, hijack resources, or launch spam or denial-of-service attacks," Cluley’s statement reads. "As the authorities investigate more deeply into this case they are likely to uncover traces of communication and connections between different internet criminals. The arrests of two people last week could lead to the break-up of a much larger internet gang."
Cluley is referring to the arrests last Friday of one suspect in Rabat, Morocco, and another suspect in Ankara, Turkey, in connection with the Zotob affair.
But Cluley’s remarks were construed in the press later as praise for the arrests, as well as pointing to evidence that the Moroccan suspect, Farid Essebar, may be linked to at least 20 other virus strains. Indeed, based on forensic investigation, Sophos does suspect a link between Essebar and these other strains. But official evidence to that effect has not been made public by any US or international law enforcement sources.