[ISN] US and UK arrests in computer worm probe

From: InfoSec News (isnat_private)
Date: Mon Feb 10 2003 - 00:31:42 PST

    By John Leyden
    Posted: 06/02/2003

    Two UK men were arrested this morning following police raids in the UK
    and US aimed at dismantling an international hacker group believed to
    have created a virulent computer worm.

    Officers from the Durham Constabulary arrested a 19-year-old
    electrician and a 21-year-old unemployed man after seizing evidence
    related to computer and drugs offences during a raid on two addresses
    in County Durham this morning.

    The pair are being interviewed today by officers of the UK's National
    Hi-Tech Crime Unit (NHTCU).

    Police believe the two UK-based men are members of an international
    hacking group calling themselves the "THr34t-Krew".

    The group has created an Internet worm, called the TK worm, which
    infected approximately 18,000 computers around the world, according to
    a statement by the NHTCU.

    Investigators estimate the worm caused disruption and damage to
    computer systems in the UK and overseas estimated at 5.5 million.

    The operation against the THr34t-Krew group was jointly planned by
    officers from Durham Constabulary and the US multi-agency CATCH team
    (Computer and Technology Crime Hi-Tech Response Team).

    The California-based CATCH team consists of representatives from the
    United States Secret Service, Department of Justice, and the FBI among

    While UK police were searching homes in County Durham, a simultaneous
    search warrant was executed at an address in Illinois, USA, where
    additional evidence in the case was seized and one man arrested.

    None of the arrests are connected to the recent SQL Slammer Worm, the
    NHTCU states.

    What the heck is the TK worm?

    Antivirus experts we contacted were not immediately familiar with the
    TK worm, so (for now) we need to rely on a police description of the
    malicious code which first came to the attention of the NHTCU in mid-

    The worm known as the TK worm has been found to be present in a number
    of computers in the UK. The cost of the disruption is estimated at

    Once connected to the Internet, the infected computer connects to a
    number of computers under the control of the THr34t-Krew, who are able
    to send commands to the infected hosts. These commands could range
    from scanning other computers for vulnerabilities to starting
    Distributed Denial of Service attacks on other computers and web
    sites. The TK worm is self-replicating and is able to spread itself
    across the Internet, distributing itself to other computers.

    A search on Google for THr34t-Krew reveals one user's experiences of
    dealing with this worm but not much else.