By Cassell Bryan-Low
The Wall Street Journal
November 21, 2006
ANKARA, Turkey -- On Aug. 16, 2005, a CNN television news bulletin
alerted viewers that computers at the network's New York and Atlanta
offices were infected with a new virus called Zotob. Soon, U.S.
companies from coast to coast were hit.
Halfway around the world, two young computer hackers in Turkey and
Morocco got spooked by the ensuing media coverage, but mocked the
ability of authorities to track them down. "They can't find me," wrote
Atilla Ekici, a 23-year-old Turk, in an email to his accomplice, a
19-year-old Moroccan called Farid Essebar. "Ha, ha, ha," replied Mr.
The U.S. Federal Bureau of Investigation, however, was already hot on
their trail. The 98-year-old FBI, which has traditionally focused on
domestic crime, is extending its reach beyond U.S. borders and boosting
cooperation with other law-enforcement agencies in pursuit of
cybercriminals, much as the agency has done in tracking down terrorists
The shift reflects the global nature of computer crimes, which include
unleashing viruses, worms and other rogue programs onto victims'
computers to disrupt them or steal information. As electronic borders
between countries blur, hackers in one nation can easily commit crimes
against individuals, corporations and governments on the other side of
The FBI now ranks cybercrime as its third priority behind terrorism and
espionage. Computer-based crimes caused $14.2 billion in damages to
businesses around the globe in 2005, including the cost of repairing
systems and lost business, estimates Irvine, Calif., research firm
Building relationships with police in other countries is "the only way
we are going to effectively get a handle on the problem," says
Christopher Painter, deputy chief of the Justice Department's Computer
The FBI is running into limits fighting international computer crime.
Cybercrooks remain difficult to pinpoint in part because hackers can
hide their tracks by commandeering computers from afar and routing their
activities through machines dotted around the world.
Even when the agency does find suspects overseas, local authorities
sometimes lack the resources or laws to prosecute. In its pursuit of
LoveBug, one of the first big international computer viruses, which
spread around the world in 2000, the FBI located its creator in the
Philippines. But he was never charged because local laws didn't specify
the virus writer's activities as illegal at the time.
"The criminal community is winning," says Nicholas Ianelli, a security
analyst at the CERT Coordination Center at Carnegie Mellon University, a
federally funded group that coordinates responses to computer-security
But the agency is making some headway, thanks partly to a diplomatic
offensive to enlist help from foreign agencies. It now has about 150
agents deployed in some 56 offices around the world, including in Iraq
and China, which deal with computer intrusions, as well as terrorism and
other crimes. That has grown from about a dozen offices in the early
During the past two years or so, the FBI has also built up Cyber Action
Teams, or CATs -- a group of about 25 people that includes agents,
computer forensic experts and specialists in computer code, according to
David Thomas, the deputy assistant director of the FBI's science and
technology branch. Establishing the team has taken longer than expected,
in part because of the challenges of hiring people with the right
skills, Mr. Thomas says.
Earlier this month, the FBI announced the arrest of at least 16
individuals involved in a credit-card theft scam as part of an
investigation spanning the U.S., Poland and Romania. As part of the
probe, the FBI temporarily posted several agents with Polish and
Romanian police to assist with surveillance and information sharing.
Some overseas police agencies have noticed the change. The FBI is "much
more open to interaction" than it was even a few years ago, says Kevin
Zuccato, director of the Australian federal police's high-tech crime
center. One FBI agent is even embedded full-time with Australia's
high-tech crime center. Usually, FBI agents are posted within U.S.
embassies and consulates abroad.
Police in other countries can also get touchy about defending their turf
from outsiders, just as a local beat cop in the U.S. might resent
interference from the FBI on a murder case. In 2002, Russian police
accused an FBI agent with computer hacking after the agent seized
evidence against two Russian hackers by downloading data from their
computers in Russia without approval from local authorities. Russia
hasn't pursued the charges, however, and the agent is still at the FBI.
The two countries since then have worked on several cybercrime cases.
The FBI's overseas push is still a long way from winning the borderless
battle against cybercrime. But as the tale of the Zotob virus shows, the
agency is scoring some victories.
By Sunday Aug. 14, 2005, the FBI and antivirus software companies
noticed that a virus called Zotob had started to spread. The virus
infected computers by taking advantage of a weakness in some versions of
Microsoft Corp.'s popular Windows operating system, causing them to slow
or reboot repeatedly.
But that wasn't all: Zotob opened a door for other malicious software to
be installed, such as "key-logging" programs that record what a PC user
types into a keyboard -- a way to snatch credit-card numbers and other
information that is sold to criminal gangs. Zotob hit some 100,000
companies or more, some analysts estimate, including Time Warner Inc.'s
CNN division and New York Times Co.
Even before the virus became famous by attacking CNN's computers, FBI
Agent Erkan Chase and his colleagues were tracking the code. They
discovered that the Zotob computer program had a signature line "by
Diabl0". Mr. Chase, a 41-year-old former New York cop, recalled the
nickname from another virus that he had started monitoring earlier in
the year, called Mytob. That suggested the same person created both
Mr. Chase, who was overseeing the FBI's Cyber Action Teams at the time,
checked in with the FBI's U.S. field offices and found that agents in
Seattle had opened an investigation into Diabl0 after Mytob hit, linking
him to an email account at Microsoft in nearby Redmond, Wash. With
search warrants served on the software giant, Mr. Chase and his
colleagues obtained emails between Diabl0 and another suspect using the
nickname "Coder." They also received subscriber information and other
evidence indicating the two were using computers in Morocco and Turkey,
In their email traffic, the tone of the hackers became cautious after
media coverage of the virus, especially a local report in Turkey that
authorities believed one of the hackers might be living there. The two
suspects discussed whether to take precautions by getting rid of the
evidence, by wiping or ditching their computer hard drives.
That raised the pressure on Mr. Chase to act quickly and try to arrest
the two young men before it was too late. "We had to respond pretty
quickly because we didn't want to get out there and find there was no
evidence," he said.
Late afternoon on Aug. 18, 2005, just days after the virus hit, the head
of the Turkish national police's cybercrime unit, Omer Tekeli, received
a call from the U.S. Embassy in Ankara asking for help. The FBI teams
only travel overseas at the behest of local authorities and don't have
special powers to make arrests, but can offer technical and
Mr. Tekeli agreed, and later that same day, an FBI agent from the
Seattle office called to brief Turkish police on the details, including
information they had gathered on Coder, Mr. Tekeli says. Mr. Tekeli's
team soon identified Coder as Mr. Ekici, a farmer's son who had taught
himself about computers at Internet cafes. Turkish authorities already
knew of Mr. Ekici from an earlier investigation into a gang of
credit-card thieves. Among other details, the FBI provided an email
address for Coder that included part of Mr. Ekici's name as well as the
equivalent of digital fingerprints that linked Coder's computer with Mr.
Ekici's home address.
On Aug. 21, a week after noticing the virus, Mr. Chase left with a team
of about a dozen people for Morocco and Turkey, flying in an FBI
Learjet. The fact that Mr. Chase, whose mother is Turkish, spoke some of
the local language helped smooth the process. After dropping half the
group in the Moroccan capital of Rabat, Mr. Chase landed in Ankara,
At the sparsely furnished offices of Turkey's cybercrime police, the FBI
team handed over evidence they had obtained about the suspects from
Microsoft and about 25 pages of analysis of the malicious code. FBI
engineers gave a roughly hour-long presentation on how the code worked,
complete with slides. In Rabat, meanwhile, emails provided by the FBI
enabled Moroccan authorities to locate Diabl0 -- Mr. Essebar -- as well
as an accomplice. Emails typically carry a unique set of numbers, known
as an Internet protocol address, which identifies each computer
connected to the Internet. Moroccan police were able to obtain the name
and contact details associated with the Internet protocol addresses
received from the FBI from a local Internet service provider.
The FBI's documents also helped local authorities swiftly secure arrest
and search warrants. Concerned that the arrest of one suspect would tip
off the others, Mr. Chase helped the two countries coordinate the raids.
In the early hours of Aug. 25, Turkish police officers surrounded Mr.
Ekici's home and took him into custody. About 2,000 miles away in Rabat,
police moved in on Mr. Essebar and his accomplice. The FBI wasn't
invited to be present at either of the arrests. Turkish and Moroccan
authorities say that is because only local police are allowed to charge
suspects under the respective national laws.
Mr. Ekici in Turkey had disposed of his computer hard drive so Turkish
investigators weren't able to gather much evidence from his machine. But
Mr. Essebar in Morocco only reformatted his hard drive, which wipes out
files but let the Moroccan police's computer specialists recover most of
them because copies often still exist.
Among the finds were copies of the code itself and other information
identifying Mr. Essebar as Zotob's author. Police also found emails
between Diabl0 and Coder discussing Zotob as well as the numbers of
about 1,600 stolen credit cards.
In parallel, FBI specialists worked off a copy of the hard drive,
searching for relevant emails and writing a piece of computer code on
the fly to help them analyze the program. "We were able to use that
information from Morocco and give it to Turkish authorities to further
(their) investigation," says Mr. Chase.
In September of this year, a Rabat court sentenced Mr. Essebar, a
Russian-born Moroccan national, to two years in prison for
virus-writing, illegal access to computers and conspiracy to commit
credit-card fraud. The court also sentenced his 21-year-old accomplice
to one year in prison for conspiracy to commit fraud. A lawyer for Mr.
Essebar couldn't be reached. At the time of the sentencing, news service
Agence France Presse cited a lawyer for the defendants saying they
planned to appeal.
Authorities allege Mr. Ekici, whom they believe met Mr. Essebar at a Web
site for credit-card fraudsters, was responsible for disseminating the
Zotob worm and intended to use it to steal financial information. But
they say it is unclear whether he had time to swipe any information or
profit from it given the speed with which they were able to arrest him,
less than two weeks after the worm first spread.
The trial of Mr. Ekici, whom Turkish authorities have charged with
unauthorized access to computers and disseminating a virus, continues in
Turkey. He couldn't be reached for comment.
The Zotob case marked the first time foreign law enforcement has come to
Turkey to assist in a cybercrime investigation, says Mr. Tekeli, the
cybercrime unit chief in Turkey. Without the FBI's help, the
investigation "would have been more difficult and more time consuming,"
he says. Hakim Aarab, an engineer in the Moroccan police's computer
division, says because of the borderless nature of cybercrime,
"international collaboration is an obligation, it's not an option."
(Guy Chazan in Moscow contributed to this article.)
Subscribe to InfoSec News