Mac worm hacker vanishes from blogosphere

Just days after claiming to have written a worm that could be used to attack Mac OS X systems, the anonymous blogger known as Infosecsellout has gone quiet.

His (or her or their) blog has been renamed. Old posts have been removed, the blog has been renamed “Security Information,” and Infosecsellout says the blog is finished. Mysteriously, however, there are two new posts on the blog, one of which provides a link to information on the alleged worm.

But they are fake posts, according to Infosecsellout, who said the blog was hacked on Tuesday night and will not be revived.

“Infosecsellout is now dead,” the anonymous blogger said in an e-mail message. “It was a great experiment to see how the industry could handle some honesty, which they can’t. They are quick to attack the credibility of others in order to hide their own flaws.”

Since he started blogging last year, Infosecsellout made his share of enemies, offering uncensored and occasionally amusing observations on computer security research and its practitioners. (He once called this reporter a “ mindless hack ” for reporting flaws in the beta version of Safari 3.0.)

The blogger said he needed to remain anonymous because of his unpopular opinions. “The last thing I want is some cry baby to involve my employer in things that I say on this blog,” he wrote in January.

On Sunday, however, he may have crossed a line, in reporting that he had been “compensated” for writing a worm that could exploit a variation of a bug in Apple’s Bonjour automatic network configuration service that was initially patched in May. The flaw lies in Bonjour’s mDNSResponder, which is used to do things like discover printers or share iTunes files on a local area network, he wrote.

Though Infosecsellout provided nothing to back up his claim, the story was widely reported and security researchers began to investigate who may have been behind the blog.

Metasploit developer HD Moore said that he’s “70 percent” sure he knows Infosecsellout’s identity, based on a study of his posts and of e-mail messages from known people performed using a writing analysis tool called Unmask.

Moore wouldn’t say whom he suspected, but he noted that Infosecsellout’s blog vanished soon after he contacted his suspect. Like every other security researcher contacted Wednesday, he didn’t buy Infosecsellout’s story that the blog had been hacked.

“It seems like someone’s getting worried that their cover is getting blown and they’re doing cover-up,” Moore said. “There’s been a lot more attention from folks trying to unmask [Infosecsellout] in the past day or two.”

A blogger going by the name of Cutaway, suggested that a hacker known as LMH could be behind the blog, but Moore said that this argument did not seem credible.

Thomas Ptacek, a researcher at Matasano Security LLC, agreed that the blogger was probably not LMH. “My theory right now is that it’s more than one person,” he said.

In an e-mail message Infosecsellout said that the blog was written by a group of self-employed authors, but that appeared to contradict the blog’s January post claiming that the author was worried about his employer being approached.

When asked to explain the apparent contradiction, the blogger said, “Even the self employed have employers that are subject to crybabies.”

Subscribe to the Best of Macworld Newsletter

Comments