Poor old Stephen Dendtler — aka the Optus hacker — is being held up as an example of the government's tough new computer crime laws.
When he isn't battling DPP appeals against his original sentence, Dendtler is being used as a case study by the NSW Police or scorned by IT security vendors who want blood from those who dare compromise corporate information systems.
Speaking at the AusCert conference last week, Detective Inspector Bruce Van Der Graaf of the NSW Commercial Crime Agency gave a detailed presentation of how Dendtler was able to compromise 435,000 usernames and passwords utilising machines in Sydney, Japan, the US and Germany, which provided multiple points of entry.
Van Der Graaf said Optus administrators first became aware of suspicious activity on December 18, 2001, and checked SSH records only to find a trojan, and so began a reconstruction of the network compromise.
The attacker was observed listing files in a directory which contained the rootkit that was captured by Optus staff, burned to CD and passed on to Police as evidence.
Van Der Graaf said the most important pieces of evidence were traces of the rootkit and files containing the letters SeN.
He said the trojan was identified as a program activated by a particular ping packet 240 bytes in length, which opened a back door on port 23282.
This port is associated with a DVP protocol, and Van Der Graaf said it was selected as a means of passing through firewalls.
Known as the mingetty back door, it attracted the attention of a honeypot project. A paper containing detailed analysis can be found at http://project.honeynet.org/reverse/results/sol/sol-21/analysis.html.
The honeypot analysis showed that the password SeNiF was used to open the back door, another interesting string of letters from the author, which proved critical in the latter part of the investigation.
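The trigger sequence described above can be written as a detection rule: a 240-byte ICMP echo request to a host, followed shortly by a TCP connection to port 23282 on the same host. This is an added example and not code from the article or the investigation; the packet records, the field names and the 300-second window are constructed assumptions, and since the article does not say whether "240 bytes" means the IP total length or the ICMP payload, the length field is treated as the IP total length.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Pkt:
    """One packet summary (constructed fields, not a real capture format)."""
    ts: float            # seconds since start of capture
    proto: str           # "icmp" or "tcp"
    src: str
    dst: str
    length: int          # assumed: IP total length in bytes
    dport: int = 0       # TCP destination port (0 for ICMP)
    icmp_type: int = -1  # 8 = echo request ("ping"), -1 for non-ICMP

TRIGGER_LEN = 240      # ping size reported in the AusCert presentation
BACKDOOR_PORT = 23282  # back door port reported in the presentation
WINDOW = 300.0         # assumption: max seconds between trigger and connect

def find_trigger_sequences(pkts: List[Pkt]) -> List[Tuple[Pkt, Pkt]]:
    """Return (trigger, connect) pairs where a 240-byte echo request to a host
    is followed within WINDOW seconds by a TCP connection to that host on 23282.
    A lone 240-byte ping or a lone port-23282 connection is not reported."""
    hits = []
    triggers = [p for p in pkts
                if p.proto == "icmp" and p.icmp_type == 8 and p.length == TRIGGER_LEN]
    for t in triggers:
        for c in pkts:
            if (c.proto == "tcp" and c.dst == t.dst and c.dport == BACKDOOR_PORT
                    and t.ts <= c.ts <= t.ts + WINDOW):
                hits.append((t, c))
                break  # one match per trigger is enough to raise an alert
    return hits

# Constructed sample traffic: an ordinary ping, a trigger followed by a
# back-door connect, and a trigger whose follow-up falls outside the window.
SAMPLE = [
    Pkt(0.0,   "icmp", "10.0.0.5",     "192.0.2.10", 84, icmp_type=8),
    Pkt(1.0,   "tcp",  "10.0.0.5",     "192.0.2.10", 60, dport=22),
    Pkt(10.0,  "icmp", "198.51.100.7", "192.0.2.10", 240, icmp_type=8),
    Pkt(12.5,  "tcp",  "198.51.100.7", "192.0.2.10", 60, dport=BACKDOOR_PORT),
    Pkt(20.0,  "icmp", "198.51.100.7", "192.0.2.11", 240, icmp_type=8),
    Pkt(900.0, "tcp",  "198.51.100.7", "192.0.2.11", 60, dport=BACKDOOR_PORT),
]

if __name__ == "__main__":
    for trig, conn in find_trigger_sequences(SAMPLE):
        print(f"ALERT {trig.dst}: {TRIGGER_LEN}-byte ping from {trig.src} at "
              f"t={trig.ts}, port {BACKDOOR_PORT} connect at t={conn.ts}")
```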
Another program found in the rootkit was called Ozidler, which joined a cyberchat channel and contained IP addresses for the servers hosting the channel.
Using the Ozidler program, police then engaged an independent consultant to make contact with the attacker, locating a user with the handle SeN. By entering the IP address in a browser, police found a Web page and links with pictures of young people which identified the attacker and his friends. This was open source information published on the Internet.
Van Der Graaf said police then had a name and address for their person of interest who was identified on the Internet as FiNest.
Reversing the letters of FiNeSt and removing the "t" reads SeNiF, which was the password for the trojan. It also contains SeN, the name found in some of the rootkit files.
Police then executed a search warrant, entering Dendtler's home in Bankstown and finding two computers which were seized for examination.
A software engineer accompanied police to ensure machines were shut down in a forensically sound manner.
"We had to consider if there was a hidden script running that might cause damage or shutdown or whether data was encrypted; neither was encrypted," he said.
Van Der Graaf said a bit stream image was made using the Linux dd command, and some interesting evidence was found, including a partial list of usernames and passwords copied from the Optus server and a list of IP addresses with comments beside them such as "worm", "wiped", "ripped", "slow", "can spoof but very unresponsive" and "no spoof".
The toughest challenge when trying to prosecute, he said, is taking technical evidence in statement form that can be understood by a layman jury.