By Tom Espiner, ZDNet UK
Tuesday, July 04 2006 01:07 PM
URL: http://www.zdnetasia.com/techguide/security/0,39044901,39372312,00.htm

Police in London, acting in conjunction with Finnish law enforcement authorities, arrested three suspected virus writers last month.

A 63-year-old man in Suffolk, a 28-year-old man in Scotland, and a 19-year-old man in Finland were arrested in connection with "an international conspiracy to infect computers using viruses attached to unsolicited commercial e-mail," a representative for the Metropolitan Police said.

The Metropolitan Computer Crime Unit, the Finnish National Bureau of Investigation (NBI Finland) and the Finnish Pori Police Department collaborated to arrest the men, who are all suspected of being members of the M00P cybercriminal gang.

In addition to the suspects' servers, a number of computers have been seized at residential addresses in England, Scotland and Finland, the Metropolitan Police said.

"This highly organized group (is) suspected of writing new computer viruses in order to avoid detection by antivirus products. They have been primarily targeting U.K. businesses since at least 2005, and during this time, thousands of computers are known to have been infected across the globe," the Metropolitan Police representative said.

Antivirus vendors McAfee and Sophos said they believe that the suspects may have been involved in writing a Trojan horse variously known as Stinx, Breplibot and Rykanos. The Trojan was sent in spam to many thousands of businesses in an attempt to infect computers. Once compromised, the computers could be controlled using Internet Relay Chat (IRC), a protocol used for instant online communication.

The computer viruses ran in the background on an infected computer without the knowledge of the computer's owner, allowing the criminals behind the virus to access any private and commercial data stored on the computer, the Metropolitan Police said.

McAfee U.K. security consultant Greg Day said that in addition to installing a backdoor, the Trojan would attempt to hide itself by exploiting the rootkit-like properties of any Sony BMG digital rights management, or DRM, software installed on a system.

Graham Cluley, senior security consultant for Sophos, said the group could also have been responsible for writing a worm the security calls "Tibick," written in 2004. The worm spread via file-sharing networks and again created a backdoor that connected the compromised machine to an IRC channel.

Cluley added that the group may have written software designed to exploit computers previously compromised by other cybercrime gangs.

"They may have been involved in trying to release bot worms that exploited machines previously infected by Zotob and Rbot to take over compromised computers," he said. "Rival gangs fight for the ownership of zombies. They find other botnets and take them over because they're such a valuable commodity. The OX90 gang that created Zotob would be natural rivals to M00P."

The Metropolitan Police said international cooperation between the specialist law enforcement units had produced "this really significant result."

"These men appear to be connected via an online company," detective constable Bob Burls of the Metropolitan Police Computer Crime Unit said in a statement.

"We believe the suspects created and adapted viruses with the aim of causing massive infection by spamming. Today's arrests will send a clear worldwide signal to the authors of malicious software that national borders will not limit the ability and commitment of law enforcement authorities to clamp down on this criminal activity," Burls added.