NEWS FROM THE LAB - Monday, August 29, 2005

So who is Diabl0? Posted by Mikko @ 14:30 GMT

The big news of the weekend was the arrest of two guys related to the Zotob worms ("Diabl0" and "Coder").

But who are these guys really? And who's behind the other PnP worms that were found during the last two weeks?

Well, we know that "Diabl0" had also authored several of the Mytob variants since February this year. However, he's not behind all of them. There are around 70 known variants of Mytob, and practically all of them create botnets of the infected machines. Some of these botnets have been controlled by unrelated groups, such as Blackcarder. And we found new Mytob variants just yesterday, which obviously were not written by Diabl0. So several people have access to the Mytob source code and have been making their own variants.

However, we do know that Diabl0 aka Farid Essebar was associated with 0x90-Team. For example, some earlier Mytob variants downloaded additional components from www.0x90-team.com/~diablo/.

The website of 0x90-team has been operating as an underground gathering site for bot authors for quite a while:

0x90-team.com before defacement

Interestingly enough, right after Diabl0 and Coder were arrested, someone defaced the site with an educational message - and a threat: "If you continue to hold this place to train script kiddies, we will come back".

This is what the site looked like on Saturday:

0x90-team.com after defacement

And then again, there are the competing groups, such as m00p. They seem to be behind several of the IRCBot variants that were using the PnP vulnerability to spread. This group seems to be still active, although at least one of its members was arrested last year.