AnchorDesk

Robert Vamosi
Child's play: The 'kiddies' behind latest e-mail assault

Senior Editor, Reviews
Wednesday, December 12, 2001
It appears that a childish rivalry between gangs of script kiddies (youths who cut-and-paste existing code to create malicious programs) led to the creation of last week's Goner worm, which has caused an estimated $5 million in damage worldwide. Over the weekend, four Israeli youths aged 15 to 16 were charged with authoring Goner. Under Israeli law, the alleged virus writers could each face sentences of three to five years in prison.

The Israeli newspaper Ha'aretz Daily reports that the teenage authors of Goner, also known as Pentagone, were embroiled in a turf battle over Internet communications. One of Goner's payloads was to launch a denial-of-service attack against a rival gang of script kiddies over Internet Relay Chat (IRC). According to the London-based The Register, security experts at the DALnet IRC Network were able to trace the origin of the IRC channel #pentagonex back to the alleged teen creators.

GONER'S CREATORS first gave themselves away by signing the worm with "greetz," simple messages from one group to another that are akin to spray-painting graffiti on city walls. For years, script kiddies have passively defaced commercial, government, and educational Web sites by substituting real Web pages with their own creations, or just their greetz. But Web sites are static, and defacements can be removed. Mobile code such as viruses and worms, however, tends to leave a more lasting impression.

Where virus writing was once seen as beneath the typical script kiddie, it's now apparently the cool thing to do. It made Goner's authors famous overnight. According to e-mail screening service MessageLabs, Goner, at its peak, spread at the rate of 1 in every 30 e-mails. By comparison, the ILOVEYOU virus spread at the rate of 1 in every 28 e-mails.

On infected systems, Goner displays the typical script-kiddie greetz. One of the messages takes credit for the worm. It reads: "Pentagone coded by: suid, tested by: ThE_SkuLL and Isatanl." The other is a more traditional message: "Greetings to TraceWar, k9unit, stef16, ^Reno. Greetings also to nonick2 out there where ever you are." Displaying these messages, the worm spread across the world via e-mail and the ICQ instant-messaging service, and deleted antivirus and firewall products from the infected systems.

I OBTAINED SEVERAL IRC transcripts recorded between a curious IRC user and an Israeli youth who uses the handle TraceWar. In one IRC transcript, translated from Hebrew, TraceWar boasts that the Goner worm is "very sophisticated code." When asked if he created Goner, TraceWar replied, "Yes." Apparently, the code's success came as a surprise to him. He wrote, "I can't believe it; the worm that we have built has [be]come that popular?"

News reports suggest the youths wanted to author code similar to the Melissa virus, which could evade antivirus and firewall detection. But it seems they actually manipulated existing viral code available from shadowy Web sites. These so-called "haxor" sites host crude programs to construct generic VBS-based viruses, or provide ready-made Trojan horses, such as SubSeven or BackOrifice. A few contain keystroke-logging programs like those used in the recent Internet worm Badtrans.B. These haxor sites tend to exist only until their ISPs discover their content and shut them down.

TRACEWAR INSISTED in the IRC transcript that he wrote the code that "disables firewalls/antiviruses," and that another script kiddie, suid, wrote the main code for Goner. When asked if he and suid may have stolen existing code off a haxor site, TraceWar responded, "I swear to God I didn't. People also said that suid took stolen [source code] and modified [it]. It's a lie." He then boasted: "What is [it] to code a small program that erases some files[?]." When asked if he would forward a copy of the worm, TraceWar replied, "I don't have it. I formatted my computer."

While Goner did succeed in spreading itself across the Net in a short amount of time, tagging the worm wasn't very bright. Since TraceWar's nickname appeared within the Goner worm, he was relatively easy to find. The IRC user who contacted him asked, "Are you an idiot?" He replied, "nachon," which means "yeah." Now the internationally famous TraceWar and his friends will have their day in court.

What can be done to stop the spread of worms and viruses? TalkBack to me!
