To get a better handle on the identity of the attacker, I took a closer look at the network data I had recorded. Interestingly, the attacks tended to start after 3pm and had stopped by 1am at the latest. I figured this must mean that the attacker was still of school age and was firing up his computer on getting home from school. This gave me an idea. What if he had a forum account? This would at the very least give me the email address he had registered under. Maybe he was even a player who... but one step at a time.
I opened up one of the trace files just before an attack and isolated all the attacker's connections. He was easy to identify through the attack pattern and the AOL IP address. I found some HTTP queries about 46 seconds before the start of the attack wave and set about extracting the HTML page content from the packets.
My first attempt to view the complete HTTP session using Wireshark's 'Follow TCP stream' function came up short as a result of the fact that the server had sent the data in compressed form and I don't speak gzip. So I activated the 'Allow subdissectors to reassemble TCP streams' option from the TCP protocol options. And there it was right in front of me, served up on a platter. The protocol analyser was showing me the web traffic. The attacker had been rummaging through a thread on the DoS attack – clearly basking in the success of his attacks. But in doing so he had slipped up. In addition to forum postings, the top right corner of the extracted web page contained a message generated by the server:
"Welcome, Blackhat6200". Bingo! This was something I could work with. I logged onto the forum as an administrator, tracked down the user account and in no time at all I had the email address used to register the account. I did an online search for matches for this address and came across several postings in wannabe hacking forums, some of them asking for information on attacking forum servers from exactly our forum server software vendor. This I recorded, just as I had the results of the trace file analysis.
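The extraction step described above, as an added Python example that is not code from the article: given a raw HTTP response captured from a TCP stream, it undoes the encoding the server applied and pulls out the server-generated "Welcome, &lt;name&gt;" banner. The response, page HTML and user name are constructed here, and the example goes slightly beyond the article by also handling chunked transfer encoding and deflate compression.

```python
import gzip
import re
import zlib

# Constructed fixture: a forum page like the one the attacker was reading.
# The HTML and the user name are made up for this example.
PAGE_HTML = (
    b"<html><body><div id='header'>Welcome, Blackhat6200</div>"
    b"<h1>Thread: DoS attack on the game servers</h1></body></html>"
)

def build_response(body: bytes) -> bytes:
    """Build a chunked, gzip-encoded HTTP/1.1 response (test fixture only)."""
    gz = gzip.compress(body)
    half = len(gz) // 2
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in (gz[:half], gz[half:]))
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
            + chunks + b"0\r\n\r\n")

def dechunk(raw: bytes) -> bytes:
    """Reassemble a chunked body: <hex size>\\r\\n<data>\\r\\n ... 0\\r\\n\\r\\n."""
    out, pos = [], 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)  # drop any chunk extension
        if size == 0:
            return b"".join(out)
        out.append(raw[end + 2:end + 2 + size])
        pos = end + 2 + size + 2  # skip the data and its trailing CRLF

def extract_body(response: bytes) -> bytes:
    """Split headers from body, then undo chunking and gzip/deflate encoding."""
    head, _, body = response.partition(b"\r\n\r\n")
    headers = {k.strip().lower(): v.strip().lower()
               for k, _, v in (l.partition(b":") for l in head.split(b"\r\n")[1:])}
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = dechunk(body)
    enc = headers.get(b"content-encoding", b"")
    if enc == b"gzip":
        body = gzip.decompress(body)
    elif enc == b"deflate":
        try:
            body = zlib.decompress(body)                   # zlib-wrapped deflate
        except zlib.error:
            body = zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate
    return body

def logged_in_user(response: bytes):
    """Return the name in the server's 'Welcome, <name>' banner, or None."""
    m = re.search(rb"Welcome,\s*([A-Za-z0-9_]+)", extract_body(response))
    return m.group(1).decode() if m else None
```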
Now I had to hope that the interest in this specific forum was not just a matter of chance and that I was dealing with a disenchanted gamer. And, just as I suspected, searching for the email address in the payments system led me to a subscription with the user's address, which was indeed, as expected, in the UK, and payment details. I had now gathered all the information I was going to be able to gather.
I arranged a meeting with the publisher. They decided that the matter had cost them sufficient time, effort and money that they were going to pass my records on to the police and file a complaint. The case was now in the hands of our attorneys and my involvement in it was finished.
But a few weeks later, out of the blue, I received an email from Scotland Yard. The case had landed on the desk of a constable there, who asked me to forward him my records. The police in Berlin had obviously forwarded the case to England and then washed their hands of it.
I had the records translated and sent to London. A few weeks later, I received another message from Scotland Yard. They had arrested a suspect, confiscated and forensically examined his computer and questioned him. He admitted to everything right from the off and told the police that he had done what he had done because he was angry at being thrown out of the game by one of the gamesmasters. He was released and so, eventually, I suppose, was his computer. And here's hoping that our wannabe black hat got some serious grief from his parents. (ju)
In our "Crime Scene Investigation: Internet" series, experts examine suspicious files using every trick in the book. Watch over their shoulders as they track down malware – because all this really could have happened. All the malware samples shown in CSI:Internet have been used in real attacks and have been analysed using methods including those described. The accompanying narratives are inspired by real incidents.
Jasper Bongertz, our expert for series two episode one, works as a senior consultant at the Fast Lane Institute for Knowledge Transfer in Düsseldorf, Germany. He has worked in IT security since 1992 and specialises in network security. His preferred bedtime reading consists of interesting looking trace files and packet dumps.