Information Security News mailing list archives

Hackware Author Arrested -- Maybe


From: InfoSec News <isn () c4i org>
Date: Mon, 7 Oct 2002 03:38:11 -0500 (CDT)

http://www.wired.com/news/technology/0,1282,55515,00.html

By Brian McWilliams 
2:00 a.m. Oct. 4, 2002 PDT 

When Scotland Yard jubilantly announced the arrest of a London-based
malware author nicknamed Torner last month, most Internet users
probably drew a blank.

After all, Torner's Linux-based Tornkit hacking program was hardly in
the same league as Melissa or Love Bug, the mainstream Windows worms
created by David Smith and Onel de Guzman, respectively.

But to Teresa Hall and a group of other system administrators and
Internet users, Torner was public enemy No. 1.

"He was a cyberterrorist ... an abuser and a low human," said Hall, a
Tennessee grandmother of three who volunteers as an operator for
IRCnet, an Internet relay chat network where Torner and his crew ran
wild for much of 2000 and 2001, according to Hall.

Hall and her fellow "IRCops" contend that Torner not only wrote
Tornkit -- a "rootkit" program that lets a computer cracker take
control of a compromised Linux computer without being detected -- but
also that Torner and his cohorts were the program's most active users.

"Everybody knew that they were running a huge DDoSnet, built using
Tornkit," said Tony den Haan, operator of an IRCnet chat channel
devoted to Linux that den Haan said was repeatedly brought down by
distributed denial-of-service (DDoS) attacks.

What's more, Torner's victims allege that the hacker headed up the
X-Org Web defacement group and that he was one of the founders of
Fluffy Bunny, a notorious hacking crew that vandalized numerous
high-profile websites.

A Scotland Yard spokesman would not comment on the allegations against
Torner. In fact, authorities have not yet identified or even charged
the 21-year-old man arrested on Sept. 17 at his home in the swank
Thames-side neighborhood of Surbiton.

But Hall said Torner essentially confessed to her and others, brazenly
announcing when he was about to launch a DDoS attack, and even
revealing his true identity and posting pictures of himself with other
hackers on the Web.

As a result, Torner's trackers said they were able to deliver him to
law enforcement last year on a platter -- actually on a CD-ROM
containing chat log files, Web pages, photos and other evidence.  
Included among the files was a list of dozens of systems the group
claims Torner and associates compromised.

But not everyone who has encountered Torner or his gang considers them
worthy of the Internet's most-wanted list.

"The fact that some of them manage to root insecure boxes does not
make them unique," said Johan Boger, an IRCnet coordinator. "There are
far more organized hacker groups out there."

Indeed, news of the arrest of Tornkit's alleged author has caused some
hand-wringing among security researchers. They fear police may have
overreacted by hauling in a hacker on charges of merely writing a
potentially malicious program.

A German security expert who uses the nickname Mixter, however, noted
that Tornkit contained "back doors," so that whenever a cracker used
it to "root" a computer, Torn and his friends secretly gained control
of it.

"Torner has been a black hat all the way ... this is something that
clearly should be prosecuted," said Mixter.

An analysis of Tornkit posted online in 2001 concurred. The author of
the document, a hacker who uses the nickname Mostarac, said the
program's secret back doors appear to send information back to Torn
whenever Tornkit is installed on a compromised computer.

Detective Constable Andrew Crocker, head of the computer crime squad
of the Surrey police, confirmed that the unit is investigating
"numerous cases where the Torn rootkit has been used." But Crocker
refused to comment specifically on the Torner case.

According to Hall, Surrey police have privately confirmed what the
hacker revealed to her -- that Torner was the online handle used by
Samir Rana, a London resident who is the grandson of Talat Mahmood, a
popular singer from India.

Joshua Dodds, a Torner associate who uses the hacker alias AnnihilaT,
and who is listed in Tornkit's Read Me file, confirmed in an online
chat interview last week that Torner owned the pink stuffed toy
depicted in website defacements by Fluffy Bunny.

And in its August 2001 defacement of CNN's N-tv.de site, Fluffy Bunny
included a greeting to Richard Brownhall, a Surrey police agent who
had previously led the investigation into X-Org.

The London man arrested for writing Tornkit is currently free on bail,
which does not involve a financial commitment, according to Scotland
Yard. The suspect is scheduled to return Oct. 29 for more police
interviews and possible charges.



