Israeli Teens Held in Goner Virus Probe

By Dennis Fisher | Posted 2001-12-09

Four Israeli teens are in police custody after admitting Saturday to writing and then distributing the Goner virus, which tore through corporate networks worldwide last week, according to officials at Israel's national police headquarters in Tel Aviv.

The youths, aged 15 and 16, are high school students from Nahariya, in the northern part of Israel, according to a police statement. Under Israeli law, the suspects could face between three and five years in jail if convicted, officials said.

The English-language daily newspaper Haaretz in Tel Aviv reported that the initial police investigation, which began nearly a week ago, indicated that the four teens built and spread Goner as part of a fight with another group of boys over control of communications networks.

The Jerusalem Post newspaper quoted Meir Zohar, the head of the Israeli police computer crime squad, as saying the teens modeled Goner after the Melissa virus.

Goner is simply one more bit of evidence that virus writers and crackers -- even young ones -- are growing ever more skillful and adept at their crafts, security experts said.

While its infection method is unremarkable and reminiscent of numerous previous mass-mailing worms, Goner carries a destructive payload that not only deletes anti-virus files but also installs a DDoS client on infected machines. Such blended threats, as they're called, are the unfortunate result of the ready availability of malware programs on the Internet and will become more and more prevalent in the future.

"This is one more step in the evolution of viruses," said Steve Trilling, director of research at Symantec Corp.'s Security Response center in Cupertino, Calif. "We're going to see more and more blended threats."

Goner began showing up in the United States last Tuesday and spread rapidly for the next several days. By the end of the week, MessageLabs Ltd., a U.K.-based virus-tracking firm, reported stopping more than 100,000 copies of the worm.

Known as W32/Goner.A, the virus spreads via Microsoft Corp.'s Outlook e-mail client and is also showing some indications of propagating through the popular ICQ chat network, according to anti-virus officials at Computer Associates International Inc.

The worm also tries to install a DDoS client on infected machines via IRC (Internet relay chat). IRC is a popular IM-type program used extensively by hackers, especially DDoS attackers, who use it to control their zombies.

The virus arrives with a subject line of "Hi" and an attachment labeled Gone.scr. The body of the message reads: "How are you? When I saw this screen saver, I immediately thought about you I am in a harry [sic], I promise you will love it!"

CA officials say more than 20 of their customers reported seeing the virus, which was first spotted by the staff of their German lab.

The worm spread rapidly in the United States, with dozens of companies reporting infections. McAfee.com reported that when executed, the worm's attachment copies itself to the machine's registry so it will start on bootup. Also, the worm attempts to delete a number of files, including anti-virus and firewall programs and several security tools. McAfee has given the worm its highest risk rating.

Because the worm deletes anti-virus files, some users found themselves powerless against Goner.

"Goner is one of the most incredibly fast-moving and potentially dangerous e-mail viruses we've seen," said Mark Sunner, CTO of MessageLabs. "From what we've observed, Goner tries to disable the local AV/firewall settings, so anyone using traditional desktop gateway solutions who attempts to download the signature patch, may find that their software has been shut down. In order to get it back again, it will need to be reinstalled."

"It's still amazing to see environments are allowing in things that have no business value like screen savers," said Ian Hameroff, business manager for security solutions at CA, based in Islandia, N.Y.
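The gateway control Hameroff's remark points to, sketched as an added example that is not part of the original article: a mail-filter check that flags attachments by their final extension, so a file such as Gone.scr is stopped before it reaches a desktop. Only the .scr extension comes from the article; the other blocked extensions, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# ".scr" is the extension the article reports; the rest are an assumed
# policy covering other file types Windows runs directly.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".vbs"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments whose final extension is blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and multipart containers carry no filename
        # Compare case-insensitively and drop trailing dots/spaces, which
        # Windows ignores when it resolves the file type.
        cleaned = name.strip().rstrip(". ").lower()
        # suffix is the *last* extension, so "holiday.jpg.scr" is still caught.
        if PurePosixPath(cleaned).suffix in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Constructed test message; the attachment body is inert placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Hi"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("How are you?")
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in ("Gone.scr", "holiday.jpg.SCR", "report.pdf"):
        verdict = "quarantine" if blocked_attachments(build_sample(sample)) else "deliver"
        print(f"{sample}: {verdict}")
```

Matching on the extension rather than on the "Hi" subject line or the Gone.scr name keeps the rule effective when a variant changes its wording or filename.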
