http://www.wired.com/news/technology/0,1282,55515,00.html

By Brian McWilliams
2:00 a.m. Oct. 4, 2002 PDT

When Scotland Yard jubilantly announced the arrest of a London-based malware author nicknamed Torner last month, most Internet users probably drew a blank.

After all, Torner's Linux-based Tornkit hacking program was hardly in the same league as Melissa or Love Bug, the mainstream Windows worms created by David Smith and Onel de Guzman, respectively.

But to Teresa Hall and a group of other system administrators and Internet users, Torner was public enemy No. 1.

"He was a cyberterrorist ... an abuser and a low human," said Hall, a Tennessee grandmother of three who volunteers as an operator for IRCnet, an Internet relay chat network where Torner and his crew ran wild for much of 2000 and 2001, according to Hall.

Hall and her fellow "IRCops" contend that Torner not only wrote Tornkit -- a "rootkit" program that lets a computer cracker take control of a compromised Linux computer without being detected -- but also that Torner and his cohorts were the program's most active users.

"Everybody knew that they were running a huge DDoSnet, built using Tornkit," said Tony den Haan, operator of an IRCnet chat channel devoted to Linux that den Haan said was repeatedly brought down by distributed denial-of-service (DDoS) attacks.

What's more, Torner's victims allege that the hacker headed up the X-Org Web defacement group and that he was one of the founders of Fluffy Bunny, a notorious hacking crew that vandalized numerous high-profile websites.

A Scotland Yard spokesman would not comment on the allegations against Torner. In fact, authorities have not yet identified or even charged the 21-year-old man arrested on Sept. 17 at his home in the swank Thames-side neighborhood of Surbiton.
But Hall said Torner essentially confessed to her and others, brazenly announcing when he was about to launch a DDoS attack, and even revealing his true identity and posting pictures of himself with other hackers on the Web.

As a result, Torner's trackers said they were able to deliver him to law enforcement last year on a platter -- actually on a CD-ROM containing chat log files, Web pages, photos and other evidence. Included among the files was a list of dozens of systems the group claims Torner and associates compromised.

But not everyone who has encountered Torner or his gang considers them worthy of the Internet's most-wanted list.

"The fact that some of them manage to root insecure boxes does not make them unique," said Johan Boger, an IRCnet coordinator. "There are far more organized hacker groups out there."

Indeed, news of the arrest of Tornkit's alleged author has caused some hand-wringing among security researchers. They fear police may have overreacted by hauling in a hacker on charges of merely writing a potentially malicious program.

A German security expert who uses the nickname Mixter, however, noted that Tornkit contained "back doors," so that whenever a cracker used it to "root" a computer, Torn and his friends secretly gained control of it.

"Torner has been a black hat all the way ... this is something that clearly should be prosecuted," said Mixter.

An analysis of Tornkit posted online in 2001 concurred. The author of the document, a hacker who uses the nickname Mostarac, said the program's secret back doors appear to send information back to Torn whenever Tornkit is installed on a compromised computer.

Detective Constable Andrew Crocker, head of the computer crime squad of the Surrey police, confirmed that the unit is investigating "numerous cases where the Torn rootkit has been used." But Crocker refused to comment specifically on the Torner case.
According to Hall, Surrey police have privately confirmed what the hacker revealed to her -- that Torner was the online handle used by Samir Rana, a London resident who is the grandson of Talat Mahmood, a popular singer from India.

Joshua Dodds, a Torner associate who uses the hacker alias AnnihilaT, and who is listed in Tornkit's Read Me file, confirmed in an online chat interview last week that Torner owned the pink stuffed toy depicted in website defacements by Fluffy Bunny.

And in its August 2001 defacement of CNN's N-tv.de site, Fluffy Bunny included a greeting to Richard Brownhall, a Surrey police agent who had previously led the investigation into X-Org.

The London man arrested for writing Tornkit is currently free on bail, which does not involve a financial commitment, according to Scotland Yard. The suspect is scheduled to return Oct. 29 for more police interviews and possible charges.