The Real THR34T KR3W: The Story of Hacker Connor Hansen
- Nov 5, 2004
Seth Fogie's commentary:
During the months of fall 2002, I stumbled into an IRC botnet run by a group called the THR34T KR3W (Threat Crew). After poking around for a bit, I figured it would make an interesting story and posted a two-part InformIT article ("Close Encounters of the Hacker Kind: A Story from the Front Line") that described my discovery and my interaction with various THR34T KR3W members. The second part of the article was published on January 7, 2003, and I pretty much forgot about the whole incident. However, about one month later headlines started to appear about the arrest of a hacker group called the THR34T KR3W. I heard tidbits about the members here and there, but one member, who was not part of the initial bust, contacted me and told me more about the details of THR34T. Eventually the authorities did catch up to him, and the conversation stopped. That was the last I heard...until recently.
Somewhere in the middle of August 2004, Connor contacted me once again, except this time there were no handles or attempts at hiding his identity. According to our conversations, Connor had turned a new leaf and wanted to tell his side of the storyand possibly write about other security-related subjects. I thought this was a great idea, so we set the ball in motion. As a result, let me present you with an insider's account of The Real THR34T KR3W.
Everyone has heard about computer groups whose sole purpose is to cause mayhem. They're generally associated with releasing spam and mail viruses. Our group was one of the groups that you only hear about when something goes wrong. Many groups exist and most are never heard of; our group, the THR34T KR3W, was caught.
Our group started as a simple gathering of friends, all interested in computers and security, willing to learn about anything, and talking for days on end. I joined the group in June 2002, and immediately loved it.
Around September 2002, a new idea was thrown around after one of the members found that many machines were still vulnerable to an old exploit. Unicode on IIS 4/5 was over a year old when the discussions started. After doing some research, we found that a self-replicating system to infect vulnerable Unicode machines could be made relatively easily, and we created a bot pack.