MSNBC
Hacker plan: take down the Net
Associates tell feds Coolio started last month’s Web attacks; teen’s New England home searched, computers confiscated
By Bob Sullivan
© MSNBC
March 1 — He took down Yahoo, the world’s most popular Web site, and started a rash of attacks on the Internet’s biggest companies. Authorities still don’t know for sure who’s responsible. But investigators have been told that “he” is “Coolio.” And according to one associate, he wanted to use the power he’d amassed — over 1,000 so-called “zombie” computers — to cripple the entire Internet.

     
     
       
   
 

 


       SEVERAL SOURCES HAVE come forward to tell MSNBC — and say they’ve told the FBI — that Coolio (a 17-year-old New England high school dropout who regularly gets high by drinking cough syrup) attacked Yahoo and several other Web sites last month. Furthermore, they say, Coolio was seeking to bring down the entire Internet.
       Why the accusations? In part, they say, because Coolio had much more ominous plans.
       The FBI has not made any arrests in connection with the Web outages that hit Yahoo, Amazon, eBay, CNN, Buy.com and several other sites beginning Feb. 7. And the FBI won’t offer any details about its investigation other than to say it is “ongoing.”
       
       But MSNBC has learned that several of Coolio’s associates are cooperating with federal authorities and have named the teen-ager as the culprit in the original attacks. MSNBC has also learned that the FBI executed a search warrant at Coolio’s New England home and has confiscated all of his home computers in connection with their investigation of the Web attacks.
       Coolio is not the only suspect; investigators believe there were at least one and perhaps several copycats involved in the flurry of attacks.
       Someone using the name Coolio took credit for defacing RSA.com and Dare.org in recent months. There is much evidence that that Coolio is in fact the 17-year-old identified by MSNBC’s sources.
       Despite the accusations by associates, MSNBC has not obtained evidence directly tying Coolio to the February attacks.
       And a school-aged friend of Coolio’s interviewed by MSNBC said the teen-ager has denied any involvement in the attacks — both to the FBI and in private conversations. During that interview, the source claimed Coolio was in the room. Someone in the room could be heard saying, “I didn’t do it.” But MSNBC could not positively identify the speaker as Coolio.
       Still, several friends and associates from the Internet chat room #goonies have told MSNBC they believe Coolio is responsible.
       “He did it,” said one. “He talked about doing it before the fact, he named Web sites that would go down before they were mentioned on the news, and he left, in his own estimation, no trail of his doing it.
       “I seriously doubt if there will ever be enough hard evidence to obtain a conviction for this, as he is rather good at what he does.”

       Through intermediaries, Coolio has not responded to requests for an interview, and people who answer the telephone at his house have repeatedly told MSNBC, “No one by that name lives here any more” and have immediately hung up.
       MSNBC has decided to withhold his name and any other uniquely identifying information. The sources quoted in this story have all requested anonymity, but each has been positively identified by MSNBC.
       
WHO IS COOLIO?
       Friends described Coolio as a 17-year-old from a poor family in a small New England town. They said he is a smart young programmer with the skills and the disposition to have attacked the Net’s biggest sites. A high school friend said he dropped out last year and now “never leaves his house other than to get the mail or cough syrup.”
       “The night after it happened, he told me he did it. I believed it because that kid’s crazy and he’d do anything,” the source said.
       The source also said he came forward because he wants Coolio to get fair treatment from the justice system and believes the more people know about the crime, the better Coolio’s chances are.
       “Whenever I used to go over to his house, he was always hacking boxes. I used to say, ‘Why? You hack one, you hack them all.’ Now I know why,” the source said.
       But another former Coolio schoolmate interviewed by MSNBC said he didn’t think the teen-ager was responsible for the attacks.
       “He told me he didn’t do it, and I believe him,” the source said. “It doesn’t seem like he would do something like that.”
       Several Coolio associates said he not only bragged about the Web attacks before and after they happened, but he has continued to brag about the FBI’s inability to arrest him. He believes the kind of attack used against Yahoo leaves no traces. In a so-called smurf attack, like the one used on Yahoo, the originating address is falsified, making it hard to determine where the attacking computer is.

       Another Coolio associate said the teen-ager had spent at least several weeks amassing an army of over 1,000 “zombie” computers — PCs infected with a special program giving a hacker remote control. But in the Yahoo attack, he simply loaded up compromised machines with a basic “smurf” attack.
       “He was plotting it for around two weeks, jokingly, saying he was going to extort money from these companies. Then all of a sudden he got dared to do it, and 10 minutes later Yahoo was down. He never made extortion demands,” the source said.
       The source, one of Coolio’s associates from the #goonies group, which meets regularly on the Internet, painted an alarming picture of what Coolio’s grand plan was.
       “We should all be thankful he got scared and didn’t carry out his next idea, and that no one else feels the need to do this either,” the source wrote. “He had a DDoS (distributed denial of service) tool that he wrote installed on all of his hacked boxes. He was planning on using all 1,000 machines in a combined attack on the Root Nameservers, flooding the Nameservice ports with UDP packets.”
       

       Such an attack could render the Internet useless for most users. All Internet sites have a numerical IP address and a common English-language name. Nameservers map the common name to the numerical address; were they overwhelmed in an attack, name resolution would not take place. The only way to access a site like MSNBC.com would then be to type in the numerical address.
       “That’s a real possibility,” said Joel de la Garza, a security expert at Securify.com. He provided the FBI with a file on Coolio last month. “If an individual were to have enough compromised hosts, it would be possible.”
       
FINGER POINTING
       Several sources have given MSNBC Coolio’s real name, hometown and telephone number. For confirmation, MSNBC was pointed to a Web site registration bearing Coolio’s name. The site is not functioning but is registered to Coolio’s family.
       The hosting company that registered the name told MSNBC that Coolio’s father removed his Web site two years ago. The spokesperson also remembers Coolio.
       “He was a smart kid. He liked to brag about his escapades, about being able to build a Web site at 15,” he said. He described the Web site as a typical vanity site.
       


       Another source, a university student who said he’d known Coolio for three years, said he had no evidence Coolio attacked Yahoo, but that is “the kind of thing he has the resources to do, and ... the kind of thing he might do for ‘prestige’ or ‘fame’ or whatever motivates him.”
       
LOGS TELL A STORY
       
Almost immediately after the first attack, MSNBC was alerted to the #goonies chat room and told that Coolio was responsible. “I think it’s childish and I think he should be stopped,” the anonymous writer said.
       MSNBC entered the chat anonymously. Coolio, unaware he was being observed by a journalist, made several comments suggesting he had special knowledge of the attacks.


       In the first excerpt of the chat reproduced below, participants are watching CNN’s coverage of the hacker attacks, often commenting on the report’s accuracy and inaccuracy. When discussing the attack, far from the false boasts typical of hackers trying to take credit for attacks they did not perform, Coolio is deliberately coy. He takes pains, for example, to refer to the attackers in the third person.
       In the log excerpts that follow, all nicknames other than Coolio’s have been altered, but the rest of the statements, including typos, are published as they appeared:
       
       [17:33] <Coolio> i don’t think the same hackers that did yahoo had anything to do with cnn
       [17:33] <person2> they heard what happened to yahoo yesterday
       [17:33] <person2> so they decided to copy it
       [17:34] <person3> did they have anything to do with amazon.com?
       [17:34] <Coolio> person3, yes they did
       [17:34] <Coolio> since 45 minutes ago
       [17:34] <person3> alright.
       [17:34] <Coolio> tehye switched from ebay to amazon.

       
       But there are several references to Coolio “making the news,” even though that nickname didn’t appear in news reports until one week later.
       
       [18:24] <person1> hahaha, coolio made ABC world news tonight, jesus f*ing christ.
       [18:24] <person1> how the f...
       [18:24] <Dr_Coolio> person1, what’s ABC world news tonight?
       {excerpt removed}
       [18:24] <person1> Dr_Coolio, ABC’s world news television show, every night.
       [18:24] <person3> haha its their network news show coolio
       [18:24] <Dr_Coolio> cool what’d they say
       [18:24] <person2> Coolio what did you do that is getting so much attention
       [18:24] <Dr_Coolio> and did they only talk about yahoo, or buy.com and ebay and amazon too?
       {excerpt deleted}
       [18:29] <person3> haha the zdtv just acknowledged that amazon was down
       [18:29] <Dr_Coolio> on TV?
       [18:29] <Dr_Coolio> awesome!

       
       In this segment, one of Coolio’s associates begins to cross the line, suggesting directly that Coolio is responsible. Coolio reacts sharply:
       
       [18:32] <person1> oh, my god, coolio is way famous.
       [18:33] <person1> dude, coolio, sitting at his computer ... disabled yahoo, and fooled people thinking he was a group of f*ing hackers
       [18:33] <person2> ya no sH**..don’t
       [18:33] <person2> heh..
       {excerpt removed}
       [18:33] <person1> how the f... coolio shouldn’t be allowed to have this kind of power.
       [18:33] <Dr_Coolio> SHUT THE F*** UP PERSON1
       [18:33] <Dr_Coolio> SHUT THE F*** UP PERSON1
       [18:33] <person1> hahahahah

       
       The next day, Coolio was still fielding questions in #goonies about what he did and didn’t do:
       
       [11:58] <person1> did you do all the other ones or were they copycats?
       [11:58] <person2> neck hurts bad
       [11:58] <Dr_Coolio> cnn znd zdnet were copycats

       
       And in this passage, the goonies chuckle about what seems to be an accidentally accurate description of Coolio. No reason for real alarm, though, they indicate — the newscaster is wrong when he describes the suspect as a current student:
       
       [12:15] <person1> ahahhahahaha he said “17 year old kid”
       [12:15] <Dr_Coolio> person1, WHO DID?
       [12:15] <person2> HAHAHA “i wouldn’t be suprised if it was a 17 year old kid”
       [12:15] <person1> this guy on cnn
       [12:16] <Dr_Coolio> f***
       [12:16] <person3> Dr_Coolio: TURN ON CNN
       [12:16] <Dr_Coolio> kill him
       [12:16] <Dr_Coolio> shut his face up
       [12:16] <person3> a former hacker guy who now works in security
       [12:16] <person2> he said that he goes to school, though

       
       And finally, Coolio corrects the goonies when one slips up and forgets to use the third person when referring to the hackers as he discusses a television program describing the denial of service attacks as a trivial programming feat:
       
       [12:18] <person1> ahahah this guy on cnn..
       [12:19] <person2> man these dudes are sayin you got no skillz
       [12:19] <Dr_Coolio> not me, you mean the hackers
       

       
PERHAPS, NEVER AN ARREST
       Despite the tips from Coolio’s friends and the raid on his home, investigators haven’t arrested him or anyone else in connection with the attacks. An FBI spokesperson declined to say when or if an arrest would be made.

       Several of Coolio’s associates are convinced there is no way to gather the evidence needed for an arrest. Further, they say, Coolio will not crack under questioning. Because he had a tough upbringing that included being “forced to live in a tent homeless for a stretch ... [it] made him a very strong person, if a little overconfident as well,” one said.
       “He is safe and he knows it, he deleted all evidence off his machine. ...He is very well aware that there isn’t any way to prove a smurf attack after the fact.”
       
       
Got a tip about this story? Write to tipoff@msnbc.com
       
       
   