Goner's tell-tale clues led to arrests

By Will Knight

11 December 2001

The “Goner” computer worm contained tell-tale clues that helped lead police to its suspected authors, according to independent experts who helped with an international investigation.

Four Israeli college students were arrested on 7 December on suspicion of creating the worm after being traced through an Internet Relay Chat (IRC) channel. They are reported to have confessed to creating the worm.

The worm’s malicious activity provided some vital clues. Once an unwitting recipient had activated the worm, the program would attempt to de-activate anti-virus tools and delete files used by this software.

But the worm also attempted to connect a host computer to an IRC channel named “Pentagonex”. This was registered with a volunteer-run service provider called DALnet.

DALnet system administrators were alerted to the worm’s IRC functionality and helped identify its alleged creators. They found an Internet Protocol (IP) address and email address, logged during registration of the channel, that led to an internet service provider based in Israel, which enabled individuals to be identified.

Naming names

Anti-virus companies first issued alerts about Goner on 4 December. The worm spread via email to many thousands of computers worldwide over the next few days.

When activated, the worm displays a number of online pseudonyms, or handles, including “suid”, “ThE_SKuLL” and “|satan|”. By monitoring the IRC channel, DALnet experts were able to track down further IP addresses.

“For computer crime authorities these can be vital clues,” says Graham Cluley, a consultant with Sophos Anti-Virus, based in the UK. “Handles act as virtual fingerprints: if the author uses the nickname elsewhere links can be made and the authorities can investigate.”

Zombie computers

DALnet administrators contacted the FBI as well as the US government’s Computer Emergency Response Team (CERT), who in turn informed Israeli investigators.

The worm was designed to automatically connect personal computers to the IRC channel so that they could be used to attack other, more prominent, targets.

Using a string of such “zombie” computers it is possible to overload other computer systems with false traffic. DALnet experts prevented the IRC channel from providing this functionality.
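The artefacts the article describes (a fixed rendezvous channel and embedded handles) are exactly what a network defender can look for. The following is an added example, not code from the article or from the investigators: it parses constructed IRC-activity log lines from a hypothetical network sensor and flags internal hosts that join the worm's channel in numbers, or that use one of its handles.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article). One IRC command per line:
# "<timestamp> <src_ip> <nick> <command> <argument>"
SAMPLE_LOG = """\
2001-12-05T09:12:01 10.0.0.21 ThE_SKuLL JOIN #Pentagonex
2001-12-05T09:12:04 10.0.0.33 suid JOIN #Pentagonex
2001-12-05T09:12:09 10.0.0.45 |satan| JOIN #Pentagonex
2001-12-05T09:13:00 10.0.0.7 alice JOIN #linux
2001-12-05T09:13:21 10.0.0.58 suid JOIN #Pentagonex
"""

# Handles and channel name quoted in the article; treated here as indicators.
GONER_HANDLES = {"suid", "ThE_SKuLL", "|satan|"}
GONER_CHANNEL = "#pentagonex"

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+) (\S+)$")


def parse_irc_log(text):
    """Yield (timestamp, src_ip, nick, command, argument) for well-formed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def flag_suspect_hosts(text, channel=GONER_CHANNEL, handles=GONER_HANDLES, min_hosts=3):
    """Return (suspect_ips, handle_hits).

    A host is suspect if it joined `channel` and at least `min_hosts` distinct
    hosts did so (one human joining a channel is not evidence of infection),
    or if it used one of the worm's embedded handles as its nickname.
    """
    hosts_by_channel = defaultdict(set)
    handle_hits = defaultdict(set)
    for _, src_ip, nick, cmd, arg in parse_irc_log(text):
        if cmd == "JOIN":
            hosts_by_channel[arg.lower()].add(src_ip)
        if nick in handles:
            handle_hits[nick].add(src_ip)
    suspects = set()
    if len(hosts_by_channel[channel.lower()]) >= min_hosts:
        suspects |= hosts_by_channel[channel.lower()]
    for ips in handle_hits.values():
        suspects |= ips
    return suspects, dict(handle_hits)
```

The handle match works the way Cluley describes: the same nickname turning up on other hosts or channels lets an analyst link otherwise unrelated activity.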
