Clue May Lead to Hacker Arrest, Consultant Says

TIMES STAFF WRITER

A security consultant working with Stanford University said Monday that he believes he has identified the screen name of the computer hacker involved in last week’s attacks on Yahoo and Amazon.com and believes that an arrest in the case may occur within a week.

The hacker was identified in Internet chat groups frequented by computer hackers, said the consultant, Joel de la Garza, of Securify.com in Palo Alto. That hacker, using the name “Coolio,” also claimed responsibility for defacing a Web site of the security firm RSA Data Security on Sunday.

“There is pretty convincing evidence in some of the [chat] logs I have. They express knowledge of the attacks that no one else [but the attacker] could know,” said de la Garza, who joined the chat rooms and created the logs as a record.

Other participants in the hacker chat area identified Coolio as responsible for the Yahoo attack, de la Garza added. He believes that another hacker, identified in the attack on the RSA site as “Aforce,” may be working with Coolio.

De la Garza, who is working with Stanford officials on the chat lead and on research about the unwitting role of university computer equipment in last week’s barrage, turned over his evidence to the FBI.

The FBI declined to comment on this or other leads in the case.

If an arrest results from the chat room trail, as de la Garza predicts, it would validate those who believe that the best chance of catching the saboteurs will be from the tendency of successful hackers to boast about their exploits to peers.

But bragging may be deceiving. De la Garza discounted reports suggesting that a third hacker, “Mafiaboy,” may be responsible for last week’s attacks after making provocative comments in online chat groups. Comments by Mafiaboy show insufficient technical sophistication for attacks on the scale seen last week, de la Garza said.

Another expert who has conversed with Mafiaboy online disagreed. Michael Lyle, chief technology officer of the security firm Recourse Technologies, Inc., in Palo Alto, said that Mafiaboy may be involved in copycat attacks that followed the initial strike on Yahoo on Feb. 7.

These comments follow a flurry of efforts to find the perpetrators of one of the most disruptive cases of Internet sabotage. Last week some of the most popular Web sites, including Yahoo, EBay, Buy.com and Amazon.com, were hit with a massive “distributed denial of service attack” that cut access to millions of users.

Hackers turned as many as several hundred machines into the computer equivalent of zombies by directing them to unleash an avalanche of bogus requests for service to the targeted Web sites, overwhelming those sites’ computers and blocking out legitimate users.

Computers at Stanford, UCLA and UC Santa Barbara have been implicated as unwitting tools in the attacks.

On the UCSB machine, some critical identifying signs were left behind--the equivalent of computer fingerprints that could help investigators trace the attack on CNN.com, another Internet site that was attacked.

After the first Yahoo attack, even inexperienced hackers could have used specialized software to locate previously established zombie networks and directed them to attack other sites in a copycat fashion, Lyle said.

Network Associates, a Santa Clara, Calif.-based security firm that offers free security scans to check for tools that could be involved in efforts to shut down Web sites, has identified 10 computers--one in Canada, one in Europe and eight in the United States--that were infected with one of the three zombie programs capable of launching such attacks.

This represents about one infection per 1,000 machines tested, said Zach Nelson, chief executive of Mycio.com, the division of Network Associates offering the testing, implying there could be thousands of computers tarnished with the programs. The presence of the software does not necessarily mean that the machines are implicated in an attack, but Nelson has put the FBI in touch with the companies involved.

“I would not be surprised if search warrants against some individuals were out soon,” given the combination of evidence now in hand, Lyle said.
