Authorities said Tuesday they hope to arrest 16 more people in connection with the Zotob worm outbreak and may be working on the biggest virus bust in history. The announcement came four days after authorities arrested two men linked to the worm that crashed networks at major U.S. corporations earlier this month (see Two Arrested in Zotob Probe).
Word of the new suspects came as an FBI update on the case revealed that Internet gangs of virus and worm writers may be behind Zotob and other malicious software. These gangs are involved in an increasingly high-stakes game as a new breed of viruses attacks corporations to steal private data and trade secrets (see Zotob Heralds ‘Business Worm’).
The FBI said the Turkish authorities have identified 16 more individuals as suspects in the recent Zotob and Mytob worm attacks. But Louis M. Reigel III, assistant director of the FBI’s cyber division, said no additional arrests had been made as of Monday.
Based on a code analysis of the worm and its variants, Finnish anti-virus software maker F-Secure believes at least three gangs of hackers are involved with the worm, according to Mikko Hypponen, director of the company’s anti-virus research. If Turkish officials make the arrests, the action would represent the biggest roundup in the history of the information security business, said Mr. Hypponen.
“Worm writers tend to leave messages or patterns in their code that can be traced back to a group or a few individuals,” explained Mr. Hypponen.
On Friday, the FBI said an 18-year-old Moroccan man, Farid Essebar, and a 21-year-old Turkish resident, Attila Ekici, were arrested in connection with the Zotob worm. The arrest came less than two weeks after the Zotob worm, which attacks a vulnerability in Microsoft Windows’ plug-and-play feature for Windows 2000, was first detected on August 14 (see Zotob Virus Strikes Windows).
Financial Relationship
FBI officials said Mr. Essebar wrote the code for the worm and paid Mr. Ekici to distribute it. The two are also suspected of creating the Mytob worm, discovered in February.
“There was a financial relationship between the two individuals though we don’t know if they were working for a larger organization,” said Mr. Reigel after the news of their arrest.
According to F-Secure, Mr. Essebar, who used the screen name “Diabl0,” was part of a gang called 0x90-Team. The other two gangs, “BlackCarder” and “MetalHit,” are seen as responsible for some of the Zotob and the Mytob variants, said Mr. Hypponen.
The FBI’s disclosure of a financial relationship between the two hackers based in two different countries is the first official acknowledgment that malware writers may be making money off spreading worms. Until this news, profit motives in worm writing had only been the subject of much speculation. So far, it’s unclear whether hackers have made any money off Zotob.
“Increasingly, worms and viruses are being written to steal confidential data from innocent people’s computers, hijack resources, or launch spam or denial-of-service attacks,” said Graham Cluley, senior technology consultant for Sophos, a security consultancy company.
Security companies in the past have discussed the possible involvement of hacker gangs, but there has never been an official confirmation or a bust. Mr. Cluley said the recent arrests could conclusively prove the connections between different Internet criminals. But it is unlikely to stem the creation of new worms or viruses.
“There’s so much money to be made out there now that these gangs will have to be more professional and [act] with greater skill to avoid being caught,” he said. “Clearly these arrests are not the end of the virus problem but they will change the way the writers operate in the future.”
Arrest Fallout
Of course, the arrests are welcome news to Microsoft, businesses that were worm victims, and authorities. But they’re also likely to lead to the evolution of more sophisticated and less easy-to-trace groups of hackers, experts said.
For worm and virus writers, what was once a sport has now become a dangerous and increasingly lucrative game, said Pete Lindstrom, research director for Spire Security, an industry firm that focuses on information security issues.
“If you are creating a worm or a virus, you can’t really tell anyone about it now,” said Mr. Lindstrom. “So if you are not making money out of it, with the ego motive gone, it just does not make sense.”
However, the hotbeds of virus and worm creation—Turkey, Eastern Europe, and Taiwan—are unlikely to slow down despite the recent arrests.
“There are a lot of people with great computing skills but little opportunity to use them in a productive fashion in these regions,” said Mr. Hypponen. “Without the scope for bragging rights, sooner or later these writers are going to start selling their skills to the highest bidder.”
For software companies like Microsoft, the recent crackdown could mean they may have won the battle against Zotob but lost the war against hackers.
Microsoft, the biggest target of worm and virus attacks, has been aggressively working to trace the attacks on its software. Recently, the company awarded $250,000 as bounty to two informants who helped track down the creator of the Sasser worm (see Sasser Informants Get Reward).
The money came out of the company’s $5-million anti-virus reward fund. The worm writer, Sven Jaschan, was convicted by a German court last month.