[ISN] Hackware Author Arrested -- Maybe

From: InfoSec News (isnat_private)
Date: Mon Oct 07 2002 - 01:38:11 PDT


    By Brian McWilliams
    2:00 a.m. Oct. 4, 2002 PDT

    When Scotland Yard jubilantly announced the arrest of a London-based
    malware author nicknamed Torner last month, most Internet users
    probably drew a blank.

    After all, Torner's Linux-based Tornkit hacking program was hardly in
    the same league as Melissa or Love Bug, the mainstream Windows worms
    created by David Smith and Onel de Guzman, respectively.

    But to Teresa Hall and a group of other system administrators and
    Internet users, Torner was public enemy No. 1.

    "He was a cyberterrorist ... an abuser and a low human," said Hall, a
    Tennessee grandmother of three who volunteers as an operator for
    IRCnet, an Internet relay chat network where Torner and his crew ran
    wild for much of 2000 and 2001, according to Hall.

    Hall and her fellow "IRCops" contend that Torner not only wrote
    Tornkit -- a "rootkit" program that lets a computer cracker take
    control of a compromised Linux computer without being detected -- but
    also that Torner and his cohorts were the program's most active users.

    "Everybody knew that they were running a huge DDoSnet, built using
    Tornkit," said Tony den Haan, operator of an IRCnet chat channel
    devoted to Linux that den Haan said was repeatedly brought down by
    distributed denial-of-service (DDoS) attacks.

    What's more, Torner's victims allege that the hacker headed up the
    X-Org Web defacement group and that he was one of the founders of
    Fluffy Bunny, a notorious hacking crew that vandalized numerous
    high-profile websites.

    A Scotland Yard spokesman would not comment on the allegations against
    Torner. In fact, authorities have not yet identified or even charged
    the 21-year-old man arrested on Sept. 17 at his home in the swank
    Thames-side neighborhood of Surbiton.

    But Hall said Torner essentially confessed to her and others, brazenly
    announcing when he was about to launch a DDoS attack, and even
    revealing his true identity and posting pictures of himself with other
    hackers on the Web.

    As a result, Torner's trackers said they were able to deliver him to
    law enforcement last year on a platter -- actually on a CD-ROM
    containing chat log files, Web pages, photos and other evidence.
    Included among the files was a list of dozens of systems the group
    claims Torner and associates compromised.

    But not everyone who has encountered Torner or his gang considers them
    worthy of the Internet's most-wanted list.

    "The fact that some of them manage to root insecure boxes does not
    make them unique," said Johan Boger, an IRCnet coordinator. "There are
    far more organized hacker groups out there."

    Indeed, news of the arrest of Tornkit's alleged author has caused some
    hand-wringing among security researchers. They fear police may have
    overreacted by hauling in a hacker on charges of merely writing a
    potentially malicious program.

    A German security expert who uses the nickname Mixter, however, noted
    that Tornkit contained "back doors," so that whenever a cracker used
    it to "root" a computer, Torn and his friends secretly gained control
    of it.

    "Torner has been a black hat all the way ... this is something that
    clearly should be prosecuted," said Mixter.

    An analysis of Tornkit posted online in 2001 concurred. The author of
    the document, a hacker who uses the nickname Mostarac, said the
    program's secret back doors appear to send information back to Torn
    whenever Tornkit is installed on a compromised computer.

    Detective Constable Andrew Crocker, head of the computer crime squad
    of the Surrey police, confirmed that the unit is investigating
    "numerous cases where the Torn rootkit has been used." But Crocker
    refused to comment specifically on the Torner case.

    According to Hall, Surrey police have privately confirmed what the
    hacker revealed to her -- that Torner was the online handle used by
    Samir Rana, a London resident who is the grandson of Talat Mahmood, a
    popular singer from India.

    Joshua Dodds, a Torner associate who uses the hacker alias AnnihilaT,
    and who is listed in Tornkit's Read Me file, confirmed in an online
    chat interview last week that Torner owned the pink stuffed toy
    depicted in website defacements by Fluffy Bunny.

    And in its August 2001 defacement of CNN's N-tv.de site, Fluffy Bunny
    included a greeting to Richard Brownhall, a Surrey police agent who
    had previously led the investigation into X-Org.

    The London man arrested for writing Tornkit is currently free on bail,
    which does not involve a financial commitment, according to Scotland
    Yard. The suspect is scheduled to return Oct. 29 for more police
    interviews and possible charges.

    ISN is currently hosted by Attrition.org
