Zotob worm from Turkey?

MessageLabs says it has a lead on who might be responsible for the Zotob worm and some of its variants. The e-mail security company believes the same person who created some of the Mytob pests is behind Zotob. One problem is, it is unknown who that Mytob creator might be. There is no information beyond a nick name, "Diabl0," and that the individual speaks Turkish.

"A signature in the zotob worm code suggests it is written by somebody called Diabl0 and the IRC server it connects to is the same used in previous version of Mytob," said Alex Shipp, senior antivirus technologist at MessageLabs. " We have seen posting by Diabl0 on message boards in Turkish."

Diabl0 may be based in Turkey, Shipp said. Although the availability of source code for various versions of Mydoom and MyTob do cloud the picture somewhat, according to MessageLabs.

Mikko Hypponen, chief research officer at F-Secure, said there are no clear leads to who may be responsible for Zotob. "It is possible that the Mytob guy is behind Zotob, but we have no concrete information," he said.

For its part, F-Secure has some leads when it comes to the origins of pieces of the Zotob code. The actual exploit of the Microsoft vulnerability used by Zotob was written by a Russian individual who goes by the name "Houseofdabus," according to F-Secure. The same person also wrote the exploit code that was used in Sasser worm, which spread last year and infected many more machines than Zotob.

Microsoft has said it is working with law enforcement officials to help find those responsible for the many worms that hit Windows users--Windows 2000 users in particular--over the past days.