Authorities were able to clearly identify Essebar as the author of the worm; not only had he signed it with the words "by Diabl0" buried in the source code, but he'd written the worm using Microsoft's Visual Studio, which embeds information about the computer on which the code is written into the compiled program -- in this case, the directory path "C:\Documents and Settings\Farid." D'oh!
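The build-path clue above is something an analyst can pull out of a recovered binary in seconds. The following is an added example, not code from the article or from any investigator involved in the case: it scans raw bytes for the CodeView "RSDS" debug record that Visual Studio writes (the magic, a 16-byte GUID, a 4-byte age, then the NUL-terminated PDB path), and then extracts the Windows profile name from that path. The byte blob it runs on is constructed here for illustration (the path reuses the directory the article quotes, extended with a made-up file name) and is not a real sample.

```python
import re
import struct
import uuid

# CodeView "RSDS" record layout written by Visual Studio for PDB 7.0 references:
#   b"RSDS" | 16-byte GUID (little-endian fields) | 4-byte age | NUL-terminated PDB path
RSDS_MAGIC = b"RSDS"


def find_pdb_paths(data: bytes):
    """Scan raw bytes for RSDS records and return (guid, age, path) tuples.

    This is a heuristic byte scan rather than a full PE debug-directory parse,
    so it also works on a damaged or partially recovered file.
    """
    results = []
    start = 0
    while True:
        idx = data.find(RSDS_MAGIC, start)
        if idx < 0:
            break
        header_end = idx + 4 + 16 + 4  # magic + GUID + age
        if header_end > len(data):
            break
        guid = uuid.UUID(bytes_le=data[idx + 4:idx + 20])
        (age,) = struct.unpack_from("<I", data, idx + 20)
        nul = data.find(b"\x00", header_end)
        if nul < 0:
            nul = len(data)
        raw_path = data[header_end:nul]
        # Only accept printable ASCII paths; stray "RSDS" bytes in code or data
        # will usually fail this filter.
        try:
            path = raw_path.decode("ascii")
        except UnicodeDecodeError:
            start = idx + 4
            continue
        if path and all(32 <= ord(c) < 127 for c in path):
            results.append((str(guid), age, path))
        start = nul + 1 if nul < len(data) else len(data)
    return results


def user_from_path(path: str):
    """Pull the Windows profile name out of a PDB path.

    Handles both the XP-era "Documents and Settings" and the newer "Users" layout.
    """
    m = re.search(r"(?i)(?:documents and settings|users)\\([^\\]+)", path)
    return m.group(1) if m else None


# Constructed sample blob (hypothetical, not a real binary): a stub header, an RSDS
# record, and some trailing bytes.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 64
    + RSDS_MAGIC + SAMPLE_GUID.bytes_le + struct.pack("<I", 1)
    + b"C:\\Documents and Settings\\Farid\\My Documents\\worm\\Release\\worm.pdb\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for guid, age, path in find_pdb_paths(SAMPLE_BLOB):
        print(f"GUID={guid} age={age} path={path} user={user_from_path(path)}")
```

Run it against a file by passing `open(name, "rb").read()` to `find_pdb_paths`. Because it does not walk the PE headers, it will also surface records in an unpacked memory dump or a carved fragment; the trade-off is that the printable-ASCII check, not the debug directory, is what keeps false positives down.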
When Moroccan cops seized his computer, Essebar had formatted the hard drive. Forensic specialists helped recover the source code, which had not been completely wiped clean from the drive. In contrast, Turkish authorities had a more difficult time establishing evidence against Ekici because he'd physically removed and thrown out his hard drive days earlier.
Lessons learned: If you don't want to draw attention to yourself, avoid targeting major media organizations with your poorly designed malware attacks. Always throw out your hard drive that contains all the source code and evidence of your criminal malware creations before the cops arrive. Name your account on your malware creation computer something innocuous, like "user." Also, neither Turkish nor Moroccan prisons are places you want to be. Ever.
When the DDoS ain't stoppin' expect the cops to come knockin'
Perps: Ivan Maksakov, Alexander Petrov, and Denis Stepanov
Status: All three are guests of the Russian penal system, sentenced to eight years at hard labor and a 100,000 ruble fine
Dossier: Looking to make a little extra money while at college in 2003, Ivan Maksakov, then 22, devised an inventive, entrepreneurial scheme that probably sounded good at the time: He created a botnet to engage in DDoS (distributed denial-of-service) attacks and then blackmailed online gambling sites based in the UK, threatening to take the sites down during major sporting events.
However, Maksakov -- a student at the Balakov Institute of Engineering, Technology, and Management -- couldn't anticipate that the Russian government, looking to demonstrate its resolve in dealing with cybercriminals, would make an example of him.
The botnet, based in Houston, was directed to launch DDoS attacks against the UK-based bookmaking Web sites and online casinos only if Maksakov's demands weren't met. According to Russian news reports, Maksakov, along with co-conspirators Alexander Petrov and Denis Stepanov, attacked nine Web sites from the autumn of 2003 until the spring of 2004. The sites were initially attacked for a short time, before a ransom demand was e-mailed.
In one example, the attacks crippled a site run by Canbet Sports Bookmakers during the Breeders' Cup horse races, costing the firm US$200,000 for each day it was offline. But even when the firm paid a US$40,000 ransom to a Western Union account in Riga, Latvia, the attacks continued.
Authorities allege that the attacks for which the trio were convicted cost the UK-based Web site operators upward of US$4 million, not including an additional US$80 million the companies paid out for additional bandwidth and security hardware designed to thwart DDoS attacks. Charges weren't filed for 54 similar attacks the group is alleged to have engaged in, affecting companies in 30 other countries.
Britain's intelligence services tracked the IP address used to send commands to the botnet to Maksakov's home computer. When the British government provided the information to the Russian Federation's Interior Ministry, the three were arrested. Authorities say at least 13 others who have not been arrested were involved in the scheme, including 10 people working as "money mules" in Riga, two other cyberattackers in Kazakhstan, and one more in Russia.