I think I ended up having around 80 people infected, so there was always someone online. I never did anything malicious with it, just chatting and opening/closing CD-ROM drives mostly (and juvenile things like sending my friend's browser to bigboobs.com ... unfortunately his dad was standing behind him at the time). I had dial-up so the webcam viewing wasn't feasible. If someone was freaked out and wanted me to go away I could remotely destroy the trojan. Come to think of it, most people were just curious about what was going on and didn't seem to mind the chat very much (but obviously they usually wanted me to remove it / delete it afterward). Then again, I infected people by random selection on ICQ, so maybe they were just chatty people.
Once infected, we'd screw around, make errors pop up on their screen like "Computer Is Low On Coffee, Please Insert Coffee Cup" then make CD tray eject, etc. Then we'd chat to them, and they usually had a good laugh, and we'd tell them how to not get infected in the future, then self-destruct the client.
We didn't really investigate it much or ponder the deeper implications behind it, so it took us a fair while to realise the level of maliciousness that was possible, which scared us off, so we stopped messing with it (we'd already been in trouble for other stuff so didn't want to push it!)
My infection vector of choice was embedding it into fake resumes and sending it to job ads...ahh, the memories...
I remember telling this guy it was a fake virus (the jokes you could download on internet before) and that he had to turn off his anti virus to launch it. It worked.
I should have probably turned my auto discoverable options off but it was actually a good way to meet chicks.
Turns out it was a (young) teenager from Brazil. His compromise was that he wouldn't touch our files or deface our websites so long as he could remain in control of the server. I carelessly tried to kick him off, uninstall the rootkit and restart the server only to find out that he could continue to use the same exploit to get access. Then we just called our host and asked them to take down the box. Lost a whole day to it, but I walked away understanding a little bit more about motivation, and learned about an exploit that I hadn't known about previously.
And, infamously, got DDOSed for it.
Can't find the transcript now, which is a shame; I think he took it offline to let the intertubes cool down.
He was right, too.
EDIT: That was an absolutely fascinating read. Thank you.
It might be interesting to even make a whole website dedicated to exploit hunting and allow companies to register themselves.
If I remember correctly, they had typed some example code in plain ascii, so we obliged with the typical "help, I'm being held captive in a Chinese disk duplication company." Which was almost true, as the owners of our company were of Chinese decent. And in my defense, we did have a number of all-nighters (with Pizza) when another software company would call us with a sudden "we've changed the masters - erase and re-dupe whatever you have)." I was younger, then...
Anyway, a few messages were passed back and forth this way, before we got back to serious business and implemented the copy protection scheme. Not really a virus, but still geeky fun.
Did you know that 8" floppy disks had excellent aerobatic qualities when flung from the top of a building? The trick was holding them by the corner during the wind-up...
My understanding is that we have the UN to thank:
So I'd suggest it could offend some people :)
Boss hack. That strategy would have never occurred to me. Thanks!
It was my freshman year of college and my first introduction to broadband in 1998. I discovered irc via mIrc and somehow somebody put something on my computer where they could control the mouse/keyboard.
I watched the guy move the cursor around for a while then begin to type to him. He was cool, and told me how to prevent it from happening again.
One of the biggest malwares I ever managed to infect myself with was a bot, which caused my computer to become a zombie on a ~10K botnet. I spent hours running a packet sniffer and seeing how the client interacted with the IRC network it called home to. Upon connecting to the privately run IRC network, the bot would authenticate with a user and pass. I assume it created one upon connecting the first time to the network. My best guess as to why this is is so that the bot master could track the total number of zombies and compare it to how many were actively connected to the botnet. Kind of a cleaver way to get metrics, now that I think about it.
When I temporarily stopped the bot from connecting to IRC, I decided it might be fun to login as the bot and join the channel I saw it connecting to. Upon joining the channel, I saw thousands of other users on the channel. I spent a couple of days sitting there, masquerading myself as a bot, and watching the botmaster interact with the bots. The botmaster would issue commands that I can't really recall anymore, but I do remember seeing a lot of commands that I assumed told the bots to download extra malware from a remote host. I remember seeing URLs for zip and exe files.
Eventually I got a little bored of this, so I decided to message the botmaster. It was easy to spot him; out of the three ops on the channel, he was the only full op. I tried a "hello" and waited. And waited. And then I was k-lined from the IRC network.
The next day when I logged onto my computer, I found my Internet connectivity was being overwhelmed with bogus TCP requests. I had pissed off the botmaster by snooping, and now I was getting DDoS'd. I imagine he/she commandeered a small number of the bots to do this. It wouldn't take many... I imagine back then, given my bandwidth, 10-15 would have done it.
Fun times. I remember posting about my botnet adventures to Security Focus way back when. Some people got really interested and followed my posts, while other professionals asked me to stop because I wasn't running a sandbox.
IMO, those were different times. I'm not sure I'd recommend something like this these days. After hearing about certain botnets being tied to various mafias and gangs around the world (which is probably more common than you think. See http://www.ibtimes.co.uk/articles/321149/20120329/mafia-cont...), I'm not sure I'd really want to risk interfering with their activities.
I ran my own little IRC server when I was a teenager, and one day I noticed a lot of my friends were being disconnected from the server. After some more investigation, it seemed like they were actually being disconnected completely from the Internet. Bit odd.
Upon more investigation, I found an acquaintance had something like 10,000 bots (spybot/rxbot) going through my server (yes, a simple /list could have sufficed...) and when I looked at the topic of his channels, and noticed they consisted primarily of commands to control to the botnet. "startkeylogger" sort of thing.
A few more pokes, I realised it was Norton Antivirus that was listening to port 6667 for any "bad" commands, and then disconnecting the user from the internet. I thought this was hilarious, and went to Efnet, tried it in a large channel and watched 400 people disconnect. Then I felt quite bad, so I emailed Norton, and received no reply.
Something like two years later, I notice the same exploit on the main page of Slashdot, and chaos ensured. It did make me feel pretty cool, "ha! I knew something before all you big uber leet haxxors!" :]
Sadly, my acquaintance didn't mature like the rest of us and decided to use his knowledge and skills to do naughty things, and the FBI got him. Good riddance.
I'd probably do the same, upon discovering that one of my bots had become sentient.
I remember the pranks we used to pull, like printing "Help me I'm trapped inside the printer!", changing the wallpaper for a porn one, typing messages instead of the person on MSN.
Once we infected some random guy we didn't know, and popped up a black chat screen (like the one in matrix) and before we could write "Hi Neo" the guy was already writing to us "hey what's up?".
The guy was so stupid he chatted with us like it was a normal thing.
Then we all grew up and we fell a bit bad for finding stuff we shouldn't have found, so we stopped.
Normal service will be resumed shortly, in the meantime go to AVG.com for more information about AVG products or go to our Facebook page to join our thriving online community.
We apologise for any disruption this may have caused."
No screen shots or links in this, obviously.
I also saw the progression of hiding IP's in MSN connections. At first they would make a direct connection, later they only made a direct connection while transferring files bigger than a certain size. They completely removed it after some point, don't remember very well.
After I got to know more about networking how things are connected, I realized that my ISP allowed to initiate NULL sessions to other customers. I remember how excited I was to find this. I would place the RATs everywhere with curious names in hopes for them to click or just test exploits on them.
Another interesting thing I found was I was able to invite anyone, even random emails (Hotmail) while having a group chat. I had so much fun doing that back then.
After infection it was basically just chatting, messing with the LED's, CD-ROM's.. people were more interested in finding out how I did it and just chat rather than being mad. I remember one time when I did this to a friend he got scared and ripped of the cable breaking the wall socket.
It was really easy to evade anti-virus programs at the time. I usually just split the file into half, run the scanner on it, split again until I narrowed down to the signature and would just change a value or two.
It was interesting to see how many times people change the text before hitting send while chatting. Obviously I was too naive to know and respect privacy back then.
Was this a virus, a hacker, something else? I completely forgot about it until this thread.
Of course, I wanted to be a "hacker". You know, make ATM's spit out cash so my brother could buy a more powerful engine for his mustang. That kind of thing. Never really meant or even did harm, because my limited knowledge back then kept me out of trouble.
I did however get to do something very important while looking for people to "hack" (not really) on ICQ. I met my wife. Wonderful things happen by serendipity.
Back then I needed a key for Warcraft III, which just came out, so I tried some keygen I found on the net, without any antivirus. When the keygen did not work I knew something was wrong, so I checked for suspicious network traffic and saw some IRC connection, quickly found the process responsible for causing the traffic and fired up a disassembler. After UPX unpacking I had the assembler code to the program and was able to determine the IRC server, the bot password (they didn't use password hashes or hostmasks back then) and I got a command reference for the specific bot (SDBOT). I joined the channel disguised as one of the bots, logged in and sent the remove command. This kills the botnet. The bot herder was pissed, but I started talking to him and I got interested in malware to get CD keys, which I couldn't afford at the time.
I started modifying SDBOT for my usage, writing scanners and fixing bugs in the IRC connection code. After I while I felt limited by the codebase and started my own called Agobot. Agobot quickly grew into one of the most capable trojans at the time, with thousands of variants. I also quickly got a team of at peak ~15 people together who helped with testing and coding. Coding was mostly done by me and at most 3 other coders. We were having really cool stuff, like wormride which was a tool to make other malware/worms spread Agobot instead of itself. It also contained an exploit that I wrote for the LSASS hole that Sasser used only a few days after the advisory. My LSASS exploit did not crash the target, which let it spread a few days without being noticed. ISC noticed it after a while and raised the threat level to orange.
There was also a variant of the bot that used the waste network to communicate and the gnutella network to find themselves. It made the DHS shit their pants and release an advisory :)
First I hosted the bots on public IRC, but after being detected very quickly I got to talk with some IRC opers that offered me a private server to run the botnet in exchange for usage rights. These were powerful servers, holding around 50k bots at peak. Basically this all got busted by the FBI, which caused the Foonet/CIT shutdown. For more infos, check these URLs:
Anyway, they caught me because I accidentally let a bot start a short scan from the linux host where we hosted the SVN repository and IRC. The company running the datacenter detected the scan and decided to investigate the server (illegaly) and found all the stuff (I didn't even think about encrypting all that). I got 2 years probation for this as well as hacking Valve Software.
Hers some more info:
Disclaimer: I'm not a professional virus analyst.
"With growing wish for self responsibility comes growing need for power."