Have you ever chatted with a hacker within a virus? (avg.com)
312 points by jhchabran 1529 days ago | 99 comments



Well, back in my pre-teen script kiddie days of using BO2K/Netbus and early Sub7 builds I was on the other side of the screen. Sub7 I recall distinctly had all the listed features and a lot more - keylogging, chat client, webcam viewing, screen capture, open/closing CD tray, etc. There was a GUI interface that would let you select any of the above features that would create a payload that could be injected into any .exe file. You could also provide an ICQ account number that would get a message any time the client comes online, with the relevant IP:port to connect to. These were in the days before anti-virus or firewalls were prevalent, so it was pretty easy to trick people into opening an infected .exe.

I think I ended up having around 80 people infected, so there was always someone online. I never did anything malicious with it, just chatting and opening/closing CD-ROM drives mostly (and juvenile things like sending my friend's browser to bigboobs.com ... unfortunately his dad was standing behind him at the time). I had dial-up so the webcam viewing wasn't feasible. If someone was freaked out and wanted me to go away I could remotely destroy the trojan. Come to think of it, most people were just curious about what was going on and didn't seem to mind the chat very much (but obviously they usually wanted me to remove it / delete it afterward). Then again, I infected people by random selection on ICQ, so maybe they were just chatty people.


I used to do the same stuff, we didn't even see it as malicious back then, just a "prank" really. Most of the people we "infected" were via IRC and ICQ, embedding the exe client into a JPG (or just changing the exe icon to a JPG one) and DCC'ing it to them.

Once infected, we'd screw around, make errors pop up on their screen like "Computer Is Low On Coffee, Please Insert Coffee Cup" then make CD tray eject, etc. Then we'd chat to them, and they usually had a good laugh, and we'd tell them how to not get infected in the future, then self-destruct the client.

We didn't really investigate it much or ponder the deeper implications behind it, so it took us a fair while to realise the level of maliciousness that was possible, which scared us off, so we stopped messing with it (we'd already been in trouble for other stuff so didn't want to push it!)


How did you embed the exe client into a jpg (rather than just changing the icon)?


IIRC, Sub7 had a tool which did this. You could also 'pack' the executable.

My infection vector of choice was embedding it into fake resumes and sending it to job ads...ahh, the memories...


The fake resume idea is brilliant. How could I have overlooked that back in the days. All I did as a script kiddie was scanning IP ranges and playing with infected accounts. Good times.


You can add the contents of the .exe to the JPG but when the computer opens it then it isn't going to try and execute the code (it will try and render it as a graphic and probably fail) unless there is some unpatched exploit in the image viewer.


It would create a .exe file that was a simple image viewer and give it the standard .jpg icon. You would name it something like picture003.jpg.exe and most people's computer would conveniently hide the true file extension.
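The naming trick described in this comment is something mail gateways and file-share scanners can check for. The following is an added example, not part of the original thread; the extension lists, the padding threshold and the sample names are assumptions, and the whitespace-padding and bidi-override checks go beyond the single `picture003.jpg.exe` case mentioned above.

```python
# Flag filenames whose visible part suggests a document or picture while the
# real (final) extension is one Windows will execute.

# Extensions that run when double-clicked (assumed, non-exhaustive).
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
# Extensions a user reads as harmless content (assumed, non-exhaustive).
DECOY = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".txt", ".pdf", ".doc", ".docx"}
# Unicode controls that change the displayed order of characters in a name.
BIDI_OVERRIDES = {"\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}
# Run of spaces before the real extension that pushes it out of view (assumed threshold).
MIN_PADDING = 3


def classify(filename):
    """Return the list of reasons a filename looks deceptive (empty if none)."""
    reasons = []
    if any(ch in BIDI_OVERRIDES for ch in filename):
        reasons.append("bidi-override")

    # Keep only the last path component, then drop trailing dots and spaces,
    # which Windows path normalisation ignores.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    parts = base.split(".")
    if len(parts) < 2 or "." + parts[-1].strip().lower() not in EXECUTABLE:
        return reasons

    before = parts[-2]  # text between the previous dot and the real extension
    if len(parts) >= 3 and "." + before.strip().lower() in DECOY:
        reasons.append("decoy-extension")
    if len(before) - len(before.rstrip()) >= MIN_PADDING:
        reasons.append("whitespace-padding")
    return reasons


def scan(names):
    """Map each flagged name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := classify(n))}


# Constructed sample names for illustration.
SAMPLE_NAMES = [
    "picture003.jpg.exe",
    "PICTURE003.JPG.EXE",
    "holiday.jpg",
    "setup.exe",
    "report.v2.pdf",
    "photo.jpg" + " " * 40 + ".scr",
    "photo\u202egpj.exe",  # displays with the extension visually reversed
    "C:\\Users\\a\\Downloads\\resume.doc.pif",
]

if __name__ == "__main__":
    for name, why in scan(SAMPLE_NAMES).items():
        print(repr(name), why)
```
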


I was reading that article thinking "I remember all of those features (and more) being in Sub7 about 12-13 years ago". Not so advanced, really.


Did BO2K/Sub7 allow being notified when being debugged? Maybe it's an easy 'plugin' to write when you have a flexible payload generator, I guess.


> so it was pretty easy to trick people into opening an infected .exe.

I remember telling this guy it was a fake virus (the jokes you could download on the internet before) and that he had to turn off his antivirus to launch it. It worked.


I remember the joys of LAN gaming with friends. "Oi, who rotated my screen!"


Ahhh, so you were the guy that used to keep sending me messages on ICQ that just contained random URLs pointing to .exe files..

I should have probably turned my auto discoverable options off but it was actually a good way to meet chicks.


Does anyone know if all webcams have the activity light hardwired in-line with the webcam itself? I have always wondered if the light is a definitive indicator whether the cam is on, or if the light can be deactivated. Sorry, I guess this only applies to non-Mac, mostly Win, machines as something so plebeian as an indicator light would never make it into a Mac.


Nice try with the jab at Apple—MacBook Pros have a small green light to indicate whether the camera is in use or not.


Yeah, you can just take a quick pic using the camera; the light flashes for barely a second and you won't notice. Metasploit has a stager for exactly this purpose: http://www.metasploit.com/modules/payload/osx/x86/isight/rev...


There's always a bit of black cardboard and tape. Try to take a picture now. :)


Lol, I actually have a bit of duct tape over my eeePC web cam.


The idea is for the light to be definitive, but I am not sure how secure they are. Also, as far as I can tell/remember all Macs have indicator lights on their cameras.


A GUI interface, eh? :P


Not the same, but similar story... 6-8 years ago, I chatted directly with the person responsible for breaking into a web server on the server itself. It's a strange feeling to ssh in and watch someone browsing through files. I did an 'echo "hello?" | wall', showed the guy how to answer me back, and we eventually moved the conversation to IRC. I was using some website to convert English to Portuguese.

Turns out it was a (young) teenager from Brazil. His compromise was that he wouldn't touch our files or deface our websites so long as he could remain in control of the server. I carelessly tried to kick him off, uninstall the rootkit and restart the server only to find out that he could continue to use the same exploit to get access. Then we just called our host and asked them to take down the box. Lost a whole day to it, but I walked away understanding a little bit more about motivation, and learned about an exploit that I hadn't known about previously.


Steve Gibson (grc.com) famously used chatroom credentials in a trojan he reverse-engineered to get in and chat with the bot maker.

And, infamously, got DDOSed for it.

Can't find the transcript now, which is a shame; I think he took it offline to let the intertubes cool down.


http://www.crime-research.org/library/grcdos.pdf I think this is what you are talking about, really interesting read if I remember correctly.


>When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before.

He was right, too.

EDIT: That was an absolutely fascinating read. Thank you.


Very nice read, thanks for sharing


The Steve Gibson story was really interesting. He's a really cool guy, too. My botnet adventures happened around the same time as his, and I too was DDoS'd. We even exchanged a few e-mails about botnets and the script kiddie culture. Those were fun times.


Except when he went on record opposing the addition of raw-sockets to Windows XP saying it would help hackers and spell the end of the world. I remember clutching my Redhat CD, just in case raw sockets were banned ;-)

http://www.theregister.co.uk/2001/06/25/steve_gibson_really_...


And then you know they banned them with a nonremovable patch, right? http://seclists.org/nmap-hackers/2005/4


Who cares about XP? I was fearing legislation because his cry of wolf was heard far and wide.


Ah, yeah, I remember that too now :)


Back in 2000, when I was in high school, I developed a trojan similar to netbus and sub7, but just to use it in the school comp labs. The objective was only to have fun. Telling my friends their login passwords, controlling their PCs (screen streaming, key logging, file management, mouse and kb control, some nice screen effects like making the screen move like ocean waves, launch programs, it was fun, lol). There were like 200 machines connected. The infection was simple (auto-installed in services/run) and later it was even network-automated (when I got the admin pass). Then, I handed the commanding program to some friends who used it a little bit too much. We even had the net admins' credentials, so we started to get some extra benefits (like internet outside the internet lab, etc). The admins realized what was happening, and started to use Norton Ghost on every PC, first once a week (before it was once every 2 weeks), then, as the infections didn't stop and they started to get very paranoid, they ran Norton Ghost every single day. It all ended when they discovered a copy of the source code I had given to a friend of mine. They confronted him, but luckily he took the blame (as he later told me, it was very dumb of him to have saved a copy in his own account). But he managed to convince them that it was just a learning project that went a little bit too far. They reprimanded him, but nothing serious happened to him. So, he is still one of my closest friends =)


Most of the time those moments of getting caught turn into great opportunities to get out of trouble by going white hat for them. I figure if they threatened him with any real punishment, just offer some free security consulting.


In a perfect world that might happen. Sadly, people are not happy if you point out their mistakes to them, and they can get very aggressive against you, especially when their job or their public reputation might be at stake. Add some age difference of over 20 years and an IT education that started with punching holes into cards and you are fd. Then going to offer them your assistance wouldn't be the smart thing to do, don't you think?


It really would make great sense to create a 'report exploits' link on your site/software so that people know they can freely contact you about this kind of thing without repercussions. I actually got one about 2 days ago for a forum I coded because of such a link I put there.

It might be interesting to even make a whole website dedicated to exploit hunting and allow companies to register themselves.


Well, we were kids back then, and I think they took it as one of the risks involved in teaching programming. They surely threatened him, but they just wanted us to stop. So, as we knew that if we kept on infecting the PCs, they would punish my friend, we had to stop. But at least we kept some of our benefits (internet access, etc.)


Back a bit (yes, I am dating myself here), I worked for a floppy disk duplicating company that was hired by a certain software company to attempt to duplicate the disks with built-in copy protection. The customer provided a routine where they would have the end-users' disk controllers read a hidden half sector at the end of a half-sized normal ninth sector, I think was the gist of that particular scheme.

If I remember correctly, they had typed some example code in plain ASCII, so we obliged with the typical "help, I'm being held captive in a Chinese disk duplication company." Which was almost true, as the owners of our company were of Chinese descent. And in my defense, we did have a number of all-nighters (with Pizza) when another software company would call us with a sudden "we've changed the masters - erase and re-dupe whatever you have." I was younger, then...

Anyway, a few messages were passed back and forth this way, before we got back to serious business and implemented the copy protection scheme. Not really a virus, but still geeky fun.

Did you know that 8" floppy disks had excellent aerobatic qualities when flung from the top of a building? The trick was holding them by the corner during the wind-up...


Sorry for the tangent, but did the author really have to assert his or her endorsement of Chinese nationalist politics and write "Taiwan, China" instead of the neutral "Taiwan"? Taiwan is not currently controlled by the PRC, regardless of whether or not one believes it "should" be. Taiwan's acting government, the ROC, believes it shouldn't be, and China's government, the PRC, believes it should be. Most Taiwanese people seem to agree with the ROC, but I've met some who identify as Chinese and would be fine being governed by the PRC. To refer to a disputed land as objectively part of a specific country, one that doesn't even currently govern it no less, really bothers me.


Fellow web developers, I can tell you from experience that you must edit this list before deploying it in an application:

http://www.iso.org/iso/country_codes/iso_3166_code_lists/cou...

My understanding is that we have the UN to thank:

http://www.iso.org/iso/country_codes/background_on_iso_3166/...


I can confirm, if you don't you will receive angry emails.


Is it just Taiwan, or are there other countries in similar situations?


The ISO list shows Occupied Palestine in its preferred UN nomenclature, PALESTINIAN TERRITORY, OCCUPIED. This is a politically controversial area as well. How you should choose to identify the area depends in part on which region you're targeting your site/app to.


That's sad considering that Taiwan isn't even in the UN.


Both the PRC and ROC lay claim to the whole of China, with Taiwan as a part of it. It's absurd, but they both agree that Taiwan is part of China, they simply disagree on who should be ruling that greater part.


That's partly true. The PRC and the Guomindang (the Nationalist Party) of the ROC both officially claim that they should be ruling all of China, but the Minzhujinbudang (the Democratic Progressive Party) of the ROC views Taiwan as having developed its own culture and identity that's distinct from Chinese, and they don't try to claim ownership of or any relation to the mainland. And in English the phrase "Taiwan, China" really means 中国台湾 and not 中华台湾, i.e. "China" there refers to the PRC rather than the land of the Chinese people. So both parties in the ROC reject the phrase "Taiwan, China."


They are most likely Chinese and consider Taiwan part of China, without thinking about it.


I noticed that too. There's no reason to not write simply "Taiwan," since that won't offend anyone's sensibilities.


I've told this story once or twice on HN before so apologies for anyone re-reading it, but it seems relevant: I was doing some IPTV stuff in China a couple of years ago and we were warned that, among the things the government would be watching our streams for, was use of the word "Taiwan". We absolutely weren't allowed to use it, instead using "Chinese Taipei".

So I'd suggest it could offend some people :)


I spent half a year in China, and I didn't find the word Taiwan as a location offensive to anyone. Could it have been the case that you weren't allowed to say Taiwan specifically when referring to it as a political entity? I was under the impression that Chinese Taipei is the compromise name the two governments agreed on using when referring to Taiwan as an independent entity in sporting events, since having an independent team called Taiwan would not be compatible with China's position that Taiwan belongs to China. However, when referring to Taiwan geographically as the author of this article did, I never once heard Chinese people say Chinese Taipei (neither 中华台北 nor 中国台北). I think in general when people refer to a country by its capital (e.g. Washington or Beijing) they're specifically referring to the country's government. So it makes sense that people wouldn't use Chinese Taipei to mean the whole island of Taiwan if they're not talking about the ROC but rather just the region. I found that people just referred to the island of Taiwan as 台湾 (Taiwan), but certain Chinese government propaganda did the Taiwan, China thing like the author of this article. A video they showed us on an Air China flight showed a photograph of Taipei and labeled it as 中国台湾省台北市 (Taipei, Taiwan Province, China).


Sounds like you know a lot more about it than me, and certainly makes sense - I was at an esports tournament (so would likely follow the rules of sports events), the 2002 World Cyber Games Grand Final. We weren't given any background, just a list of words not to use on air.


You probably used English as a lingua franca, what happens is that whoever watches you doesn't understand 99% of what you're saying except for a few keywords. This has caused a lot of diplomatic grief even between allied countries, because without context the worst is always assumed (cognitive bias, I guess). It seems to me a similar situation applies here so a list of words to avoid or replace would be a sensible thing to use.


Sounds reasonable, but we weren't given it as "the Chinese might make a mistake, be careful" it was "here's a list from the people who will be watching, they say you can't use these words".


"The island formerly known as Formosa"


Recently a friend of mine sent me a piece of obfuscated JS that was in a phishing page that was being posted around his large gaming related website. Threw the JS into closure compiler with advanced optimisations and pretty print and out comes relatively unobfuscated code- it cleared up the series of horrible regexes anyway. The code injected a Java applet that downloaded a botnet virus. Decompiling the Java applet revealed the steamid of the guy orchestrating this. Added him on steam and had a great conversation in which he accidentally indirectly admitted the botnet was under his control. A fun use of a Sunday. The evidence was never sent to anyone, thinking nothing would come of it.


> Threw the JS into closure compiler with advanced optimisations and pretty print and out comes relatively unobfuscated code...

Boss hack. That strategy would have never occurred to me. Thanks!


Any idea why would he put his Steam ID in the applet?


It was on a website for trading items on steam. Perhaps he wanted to force them to trade items, then sell the items on for real life money.


To answer the title: yes.

It was my freshman year of college and my first introduction to broadband in 1998. I discovered IRC via mIRC and somehow somebody put something on my computer where they could control the mouse/keyboard.

I watched the guy move the cursor around for a while then began to type to him. He was cool, and told me how to prevent it from happening again.


This happened to a lot of people when they started out using IRC. I remember chatting with someone using mIRC and they started opening and closing my CD-ROM. I got duped into running a Sub7 client script or something.


How did he do it?


I have no idea. I wish I did though


When I was a teenager I found it fun to intentionally infect myself with malware and try to study it. I now realize this wasn't the most responsible thing to do, as I wasn't in a sandboxed environment, but it was a great learning experience and taught me a lot about networking and security.

One of the biggest malwares I ever managed to infect myself with was a bot, which caused my computer to become a zombie on a ~10K botnet. I spent hours running a packet sniffer and seeing how the client interacted with the IRC network it called home to. Upon connecting to the privately run IRC network, the bot would authenticate with a user and pass. I assume it created one upon connecting the first time to the network. My best guess as to why this is, is so that the bot master could track the total number of zombies and compare it to how many were actively connected to the botnet. Kind of a clever way to get metrics, now that I think about it.

When I temporarily stopped the bot from connecting to IRC, I decided it might be fun to login as the bot and join the channel I saw it connecting to. Upon joining the channel, I saw thousands of other users on the channel. I spent a couple of days sitting there, masquerading myself as a bot, and watching the botmaster interact with the bots. The botmaster would issue commands that I can't really recall anymore, but I do remember seeing a lot of commands that I assumed told the bots to download extra malware from a remote host. I remember seeing URLs for zip and exe files.

Eventually I got a little bored of this, so I decided to message the botmaster. It was easy to spot him; out of the three ops on the channel, he was the only full op. I tried a "hello" and waited. And waited. And then I was k-lined from the IRC network.

The next day when I logged onto my computer, I found my Internet connectivity was being overwhelmed with bogus TCP requests. I had pissed off the botmaster by snooping, and now I was getting DDoS'd. I imagine he/she commandeered a small number of the bots to do this. It wouldn't take many... I imagine back then, given my bandwidth, 10-15 would have done it.

Fun times. I remember posting about my botnet adventures to Security Focus way back when. Some people got really interested and followed my posts, while other professionals asked me to stop because I wasn't running a sandbox.

IMO, those were different times. I'm not sure I'd recommend something like this these days. After hearing about certain botnets being tied to various mafias and gangs around the world (which is probably more common than you think. See http://www.ibtimes.co.uk/articles/321149/20120329/mafia-cont...), I'm not sure I'd really want to risk interfering with their activities.


It's funny you should say this. I practically did the same thing, from a different perspective.

I ran my own little IRC server when I was a teenager, and one day I noticed a lot of my friends were being disconnected from the server. After some more investigation, it seemed like they were actually being disconnected completely from the Internet. Bit odd.

Upon more investigation, I found an acquaintance had something like 10,000 bots (spybot/rxbot) going through my server (yes, a simple /list could have sufficed...) and when I looked at the topic of his channels, I noticed they consisted primarily of commands to control the botnet. "startkeylogger" sort of thing.

A few more pokes, I realised it was Norton Antivirus that was listening to port 6667 for any "bad" commands, and then disconnecting the user from the internet. I thought this was hilarious, and went to Efnet, tried it in a large channel and watched 400 people disconnect. Then I felt quite bad, so I emailed Norton, and received no reply.

Something like two years later, I noticed the same exploit on the main page of Slashdot, and chaos ensued. It did make me feel pretty cool, "ha! I knew something before all you big uber leet haxxors!" :]

Sadly, my acquaintance didn't mature like the rest of us and decided to use his knowledge and skills to do naughty things, and the FBI got him. Good riddance.


That's a neat variation on the old PING +++ATH0 trick.


NO CARRIER


If you can and want to, would you mind elaborating on your acquaintance? I'm intrigued by what he did and how he got caught :-)


> I tried a "hello" and waited. And waited. And then I was k-lined from the IRC network. The next day when I logged onto my computer, I found my Internet connectivity was being overwhelmed with bogus TCP requests.

I'd probably do the same, upon discovering that one of my bots had become sentient.


Exactly what I would have done. DC'ed and headed for the closest bunker.


I do think the appropriate course of action is to /nick SkyNet and start shouting killAllHumans


I'm sure. I'm not exactly surprised that it happened now ;)


This is fantastic. I did the same with a very similar botnet way back when, except my "hello" in IRC wasn't as friendly. Left to eat for an hour, then came back to my hard drive erased. Live and learn...


Thanks! I agree that things like this are pretty fantastic. Part of me misses those days of being so experimental and new to tech. Sorry to hear about your hard drive, though :)


Perhaps a rather naive question, but: were the username and pw transferred in plaintext?


Think of the username and password as a tracking cookie, more than actual authentication.


Yep, I remember both being sent via plaintext.


RFC 1459 Internet Relay Chat[1] clearly shows in its example that it uses plaintext passwords:

  Example:
    PASS secretpasswordhere

It also explains how the server password can be set either globally or per client.

[1] http://tools.ietf.org/html/rfc1459#section-4.1.1
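What the plaintext `PASS` exchange discussed in this sub-thread means for anyone monitoring the wire, as an added example that is not part of the original thread: it parses RFC 1459 messages from a reassembled TCP payload and reports which lines carry a secret, redacted to a short hash. The sample capture, host names and field names are constructed; covering `OPER` passwords and `JOIN` channel keys in addition to `PASS` goes beyond the comment above.

```python
import hashlib

# Index of the parameter that carries a secret, per RFC 1459:
#   PASS <password> | OPER <user> <password> | JOIN <channel> [<key>]
SECRET_PARAM = {"PASS": 0, "OPER": 1, "JOIN": 1}


def parse_irc_line(raw):
    """Split one RFC 1459 message into (prefix, command, params)."""
    line = raw.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        # Leading ":" marks the optional origin prefix.
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        # " :" introduces the trailing parameter, which may contain spaces.
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if trailing is not None:
        parts.append(trailing)
    if not parts:
        return prefix, "", []
    return prefix, parts[0].upper(), parts[1:]


def fingerprint(secret):
    """Short hash so reuse can be correlated without storing the secret."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def find_cleartext_secrets(payload):
    """Return one redacted finding per line that sends a secret in the clear."""
    findings = []
    for lineno, raw in enumerate(payload.splitlines(), 1):
        _, command, params = parse_irc_line(raw)
        idx = SECRET_PARAM.get(command)
        if idx is None or len(params) <= idx or not params[idx]:
            continue
        findings.append({
            "line": lineno,
            "command": command,
            "secret_length": len(params[idx]),
            "secret_sha256_12": fingerprint(params[idx]),
        })
    return findings


# Constructed client-to-server capture; the PASS value is the RFC's own example.
SAMPLE_CAPTURE = (
    "PASS secretpasswordhere\r\n"
    "NICK bot-0042\r\n"
    "USER bot 0 * :constructed sample\r\n"
    ":irc.example.invalid 001 bot-0042 :Welcome\r\n"
    "JOIN #lobby\r\n"
    "JOIN #ops chankey\r\n"
    "PRIVMSG #ops :pass the salt\r\n"
)

if __name__ == "__main__":
    for finding in find_cleartext_secrets(SAMPLE_CAPTURE):
        print(finding)
```
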


Interesting, but when I ran into a similar backdoor on a client's server, it had been infected through a phpbb upload script, I found the password to the IRC server in clear text by using either hexdump or string. Not sure which of the tools but I also tried connecting and found a channel with just around 20-30 bots at the most. Fun experience just like yours.


Reminds me of those good times when we discovered Trojans, me and my friends. We kept infecting people, until they found out about it and started doing it as well. It became a war between us. Almost everyone got infected in our class.

I remember the pranks we used to pull, like printing "Help me I'm trapped inside the printer!", changing the wallpaper for a porn one, typing messages instead of the person on MSN.

Once we infected some random guy we didn't know, and popped up a black chat screen (like the one in matrix) and before we could write "Hi Neo" the guy was already writing to us "hey what's up?". The guy was so stupid he chatted with us like it was a normal thing.

Then we all grew up and we felt a bit bad for finding stuff we shouldn't have found, so we stopped.


"I am sorry but AVG blogs are currently undergoing essential maintenance.

Normal service will be resumed shortly, in the meantime go to AVG.com for more information about AVG products or go to our Facebook page to join our thriving online community.

We apologise for any disruption this may have caused."


http://webcache.googleusercontent.com/search?q=cache:blogs.a...

No screen shots or links in this, obviously.


Site seems to be going up and down. Just keep refreshing, and you should get the site again. With images.


Is it just me or do the "features" of this trojan resemble a late 90's Netbus?


Back in the days I used to do this. I would stay up better part of the night adding random people to MSN or ICQ and sending the Trojan saying it was my picture. So before sending it I would describe myself as someone they'd want to see, to drive up their curiosity, basically I'll be what they'd want me to be. This was very successful. I never maintained a big list of zombied boxes, I'd infect and remove on a per night basis depending on how bored I was.

I also saw the progression of hiding IPs in MSN connections. At first they would make a direct connection, later they only made a direct connection while transferring files bigger than a certain size. They completely removed it after some point, don't remember very well.

After I got to know more about networking and how things are connected, I realized that my ISP allowed initiating NULL sessions to other customers. I remember how excited I was to find this. I would place the RATs everywhere with curious names in hopes for them to click or just test exploits on them.

Another interesting thing I found was I was able to invite anyone, even random emails (Hotmail) while having a group chat. I had so much fun doing that back then.

After infection it was basically just chatting, messing with the LEDs, CD-ROMs.. people were more interested in finding out how I did it and just chat rather than being mad. I remember one time when I did this to a friend he got scared and ripped off the cable breaking the wall socket.

It was really easy to evade anti-virus programs at the time. I usually just split the file in half, run the scanner on it, split again until I narrowed down to the signature and would just change a value or two.

It was interesting to see how many times people change the text before hitting send while chatting. Obviously I was too naive to know and respect privacy back then.


Yeah, when I was at boarding school (high school), we had a LAN in the dorms full of everybody's shiny new Windows 95 desktops. So everybody just had SMB shares, and nobody was careful about what they clicked on. I put a trojan exe with the icon made to look like a text file in mine. Someone clicked on it, and then I popped up a dialog box that said "Hello! You've got a trojan. Open notepad and let's talk about it" and he typed into notepad and I watched with the keyboard sniffer and answered back by injecting keypresses. (I couldn't see video of the screen - I think I could take screenshots, though) I learned a lot about networking that year.


A long time ago (windows 98 I believe) my screen went blank and green text appeared saying "Hello, how are you?" I was about 12 at the time so I had no idea what was going on. I don't recall my response, but I remember the "person" on the other side saying "You left a back door open. Would you like me to close it?" I restarted my computer and I still have no idea what it was.

Was this a virus, a hacker, something else? I completely forgot about it until this thread.


Probably a worm.


I am the creator of the PTN FUN TROJAN from 2003. I was just starting to learn coding and created this simple server/client program using visual basic and numerous VB code snippets I found online. I was able to open/close CD trays, turn off monitors, disable CTRL+ALT+DEL, send screenshots, hide the mouse pointer and other stuff. I created an autostart CD with the title "CS MAPS" and handed it around on private LANs infecting all my friends' computers. I had quite a few computers depending on my mercy. On one occasion, one of my friends realized he wasn't in full control of his computer. He opened notepad and tried to communicate with me, the hacker, by typing messages. I could read his messages from the screenshots and found it pretty hilarious at that time. I responded by turning his screen upside down.


Reminds me of all the fun I had playing with malware on my own computer during the mid-to-late 90's. Being quite ignorant about the whole thing allowed me to look and find things that would not be considered safe. Hacker websites (like the old Cult of the Dead Cow folks), exploits, etc. I remember downloading the LOIC and wondering what the hell it was.

Of course, I wanted to be a "hacker". You know, make ATMs spit out cash so my brother could buy a more powerful engine for his mustang. That kind of thing. Never really meant or even did harm, because my limited knowledge back then kept me out of trouble.

I did however get to do something very important while looking for people to "hack" (not really) on ICQ. I met my wife. Wonderful things happen by serendipity.


How about recommending movies to the person who hacked your Netflix account?

http://www.reddit.com/r/AskReddit/comments/v0z53/for_the_pas...


When I was about 11 or 12 years old, I was chatting with a friend on AOL Instant Messenger and suddenly was forced into a black screen with green text where I communicated briefly to someone who was forcing this new chat session onto me. The crack scared the absolute crap out of me. It ended once I told the person that I was irritated and that I was going to contact the police (I didn't and I doubt there was anything that really could have been done). Once the fear subsided I became more interested in how this person did what they did. It's one of those weird technology-related moments that sticks out in my mind to this day more than 10 years later.


Just as a side note, the post was made in Taiwan's D3 forum, but from the use of simplified Chinese, it seems the hacker was from China.


I am a convicted malware coder (Agobot/Gaobot/Phatbot/etc...) and it all started because of a chat I had with a botmaster.

Back then I needed a key for Warcraft III, which just came out, so I tried some keygen I found on the net, without any antivirus. When the keygen did not work I knew something was wrong, so I checked for suspicious network traffic and saw some IRC connection, quickly found the process responsible for causing the traffic and fired up a disassembler. After UPX unpacking I had the assembler code to the program and was able to determine the IRC server, the bot password (they didn't use password hashes or hostmasks back then) and I got a command reference for the specific bot (SDBOT). I joined the channel disguised as one of the bots, logged in and sent the remove command. This kills the botnet. The bot herder was pissed, but I started talking to him and I got interested in malware to get CD keys, which I couldn't afford at the time.

I started modifying SDBOT for my usage, writing scanners and fixing bugs in the IRC connection code. After a while I felt limited by the codebase and started my own called Agobot. Agobot quickly grew into one of the most capable trojans at the time, with thousands of variants. I also quickly got a team of at peak ~15 people together who helped with testing and coding. Coding was mostly done by me and at most 3 other coders. We were having really cool stuff, like wormride which was a tool to make other malware/worms spread Agobot instead of itself. It also contained an exploit that I wrote for the LSASS hole that Sasser used only a few days after the advisory. My LSASS exploit did not crash the target, which let it spread a few days without being noticed. ISC noticed it after a while and raised the threat level to orange.

There was also a variant of the bot that used the waste network to communicate and the gnutella network to find themselves. It made the DHS shit their pants and release an advisory :)

First I hosted the bots on public IRC, but after being detected very quickly I got to talk with some IRC opers that offered me a private server to run the botnet in exchange for usage rights. These were powerful servers, holding around 50k bots at peak. Basically this all got busted by the FBI, which caused the Foonet/CIT shutdown. For more info, check these URLs:

http://www.theregister.co.uk/2004/08/27/ddos_mafia_busted/

http://regmedia.co.uk/2008/10/03/03116720232.pdf

http://www.securityfocus.com/news/9411

http://newssocket.com/foonet/

http://www.techimo.com/forum/imo-community/100728-your-isp-n...

Anyway, they caught me because I accidentally let a bot start a short scan from the Linux host where we hosted the SVN repository and IRC. The company running the datacenter detected the scan and decided to investigate the server (illegally) and found all the stuff (I didn't even think about encrypting all that). I got 2 years probation for this as well as hacking Valve Software.

Here's some more info:

http://en.wikipedia.org/wiki/Agobot

http://www.honeynet.org/node/55

http://www.infectionvectors.com/vectors/kitchensink.htm

http://web.archive.org/web/20070423182932/http://www.lurhq.c...


Alternative title: Amateur virus analyst does not take necessary precautions, gets pwned by virus author.


Not all of us are professional virus analysts. No need to mock him, his post is worth reading for mere amateurs like myself.


True. Just find it odd that this gets posted on the official blog. Interesting indeed, but a bit careless.


How did he get pwned or not take necessary precautions? He could have re-imaged it after running the virus to prevent something like this from happening (assuming that's how it did), but it was all in a virtual machine, so there wasn't much risk to not doing it.

Disclaimer: I'm not a professional virus analyst.


Why amateur? He was running it in virtual machine to see what the virus is actually doing.


This article REALLY makes me wish I could turn on my Mac laptop's built-in camera and microphone.


You can't? Here's a MacRuby script that can take a photo with your webcam: https://github.com/pioz/snappy.


Now, given the content of the article a moment ago, the question becomes: "Should I trust science_robot? Or is this a trojan?"


Well, just learn Ruby and read the source code of snappy, then write your own camera activation code -> no problem. If you don't trust your link, go to the well-known GitHub website and search for the project yourself.

"With growing wish for self responsibility comes growing need for power."



