Well, back in my pre-teen script kiddie days of using BO2K/Netbus and early Sub7 builds, I was on the other side of the screen. Sub7 I recall distinctly had all the listed features and a lot more - keylogging, chat client, webcam viewing, screen capture, opening/closing the CD tray, etc. There was a GUI interface that would let you select any of the above features and would create a payload that could be injected into any .exe file. You could also provide an ICQ account number that would get a message any time the client came online, with the relevant IP:port to connect to. These were in the days before anti-virus or firewalls were prevalent, so it was pretty easy to trick people into opening an infected .exe.
I think I ended up having around 80 people infected, so there was always someone online. I never did anything malicious with it, just chatting and opening/closing CD-ROM drives mostly (and juvenile things like sending my friend's browser to bigboobs.com ... unfortunately his dad was standing behind him at the time). I had dial-up so the webcam viewing wasn't feasible. If someone was freaked out and wanted me to go away I could remotely destroy the trojan. Come to think of it, most people were just curious about what was going on and didn't seem to mind the chat very much (but obviously they usually wanted me to remove it / delete it afterward). Then again, I infected people by random selection on ICQ, so maybe they were just chatty people.
I used to do the same stuff; we didn't even see it as malicious back then, just a "prank" really. Most of the people we "infected" were via IRC and ICQ, embedding the exe client into a JPG (or just changing the exe icon to a JPG one) and DCC'ing it to them.
Once infected, we'd screw around, make errors pop up on their screen like "Computer Is Low On Coffee, Please Insert Coffee Cup", then make the CD tray eject, etc. Then we'd chat to them, and they usually had a good laugh, and we'd tell them how to not get infected in the future, then self-destruct the client.
We didn't really investigate it much or ponder the deeper implications behind it, so it took us a fair while to realise the level of maliciousness that was possible, which scared us off, so we stopped messing with it (we'd already been in trouble for other stuff so didn't want to push it!).
The fake resume idea is brilliant. How could I have overlooked that back in the day? All I did as a script kiddie was scanning IP ranges and playing with infected accounts. Good times.
You can add the contents of the .exe to the JPG but when the computer opens it then it isn't going to try and execute the code (it will try and render it as a graphic and probably fail) unless there is some unpatched exploit in the image viewer.
It would create a .exe file that was a simple image viewer and give it the standard .jpg icon. You would name it something like picture003.jpg.exe and most people's computers would conveniently hide the true file extension.
> so it was pretty easy to trick people into opening an infected .exe.
I remember telling this guy it was a fake virus (the joke programs you could download on the internet back then) and that he had to turn off his antivirus to launch it. It worked.
Does anyone know if all webcams have the activity light hardwired in-line with the webcam itself? I have always wondered if the light is a definitive indicator of whether the cam is on, or if the light can be deactivated. Sorry, I guess this only applies to non-Mac, mostly Win, machines, as something so plebeian as an indicator light would never make it into a Mac.
The idea is for the light to be definitive, but I am not sure how secure they are. Also, as far as I can tell/remember all Macs have indicator lights on their cameras.
Not the same, but similar story... 6-8 years ago, I chatted directly with the person responsible for breaking into a web server on the server itself. It's a strange feeling to ssh in and watch someone browsing through files. I did an 'echo "hello?" | wall', showed the guy how to answer me back, and we eventually moved the conversation to IRC. I was using some website to convert English to Portuguese.
Turns out it was a (young) teenager from Brazil. His compromise was that he wouldn't touch our files or deface our websites so long as he could remain in control of the server. I carelessly tried to kick him off, uninstall the rootkit and restart the server only to find out that he could continue to use the same exploit to get access. Then we just called our host and asked them to take down the box. Lost a whole day to it, but I walked away understanding a little bit more about motivation, and learned about an exploit that I hadn't known about previously.
> When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before.
He was right, too.
EDIT: That was an absolutely fascinating read. Thank you.
The Steve Gibson story was really interesting. He's a really cool guy, too. My botnet adventures happened around the same time as his, and I too was DDoS'd. We even exchanged a few e-mails about botnets and the script kiddie culture. Those were fun times.
Except when he went on record opposing the addition of raw sockets to Windows XP, saying it would help hackers and spell the end of the world. I remember clutching my Redhat CD, just in case raw sockets were banned ;-)
Back in 2000, when I was in high school, I developed a trojan similar to Netbus and Sub7, but just to use it in the school computer labs. The objective was only to have fun. Telling my friends their login passwords, controlling their PCs (screen streaming, key logging, file management, mouse and keyboard control, some nice screen effects like making the screen move like ocean waves, launching programs; it was fun, lol). There were like 200 machines connected. The infection was simple (auto-installed in services/run) and later it was even network-automated (when I got the admin password). Then I handed the commanding program to some friends who used it a little bit too much. We even had the net admin's credentials, so we started to get some extra benefits (like internet outside the internet lab, etc.). The admins realized what was happening and started to use Norton Ghost on every PC, first once a week (before it was once every 2 weeks); then, as the infections didn't stop and they started to get very paranoid, they ran Norton Ghost every single day. It all ended when they discovered a copy of the source code I had given to a friend of mine. They confronted him, but luckily he took the blame (as he later told me, it was very dumb of him to have saved a copy in his own account). But he managed to convince them that it was just a learning project that went a little bit too far. They reprimanded him, but nothing serious happened to him. So, he is still one of my closest friends =)
Most of the time those moments of getting caught turn into great opportunities to get out of trouble by going white hat for them. I figure if they threatened him with any real punishment, just offer some free security consulting.
In a perfect world that might happen. Sadly people are not happy if you point out their mistakes to them, and they can get very aggressive against you, especially when their job or their public reputation might be at stake. Add some age difference of over 20 years and an IT education that started with punching holes into cards and you are fd. Then going to offer them your assistance wouldn't be the smart thing to do, don't you think?
It really would make great sense to create a 'report exploits' link on your site/software so that people know they can freely contact you about this kind of thing without repercussions. I actually got one about 2 days ago for a forum I coded because of such a link I put there.
It might be interesting to even make a whole website dedicated to exploit hunting and allow companies to register themselves.
Well, we were kids back then, and I think they took it as one of the risks involved in teaching programming. They surely threatened him, but they just wanted us to stop. So, as we knew that if we kept on infecting the PCs they would punish my friend, we had to stop. But at least we kept some of our benefits (internet access, etc.).
Back a bit (yes, I am dating myself here), I worked for a floppy disk duplicating company that was hired by a certain software company to attempt to duplicate the disks with built-in copy protection. The customer provided a routine where they would have the end-users' disk controllers read a hidden half sector at the end of a half-sized normal ninth sector, I think was the gist of that particular scheme.
If I remember correctly, they had typed some example code in plain ASCII, so we obliged with the typical "help, I'm being held captive in a Chinese disk duplication company." Which was almost true, as the owners of our company were of Chinese descent. And in my defense, we did have a number of all-nighters (with pizza) when another software company would call us with a sudden "we've changed the masters - erase and re-dupe whatever you have." I was younger then...
Anyway, a few messages were passed back and forth this way, before we got back to serious business and implemented the copy protection scheme. Not really a virus, but still geeky fun.
Did you know that 8" floppy disks had excellent aerobatic qualities when flung from the top of a building? The trick was holding them by the corner during the wind-up...
Sorry for the tangent, but did the author really have to assert his or her endorsement of Chinese nationalist politics and write "Taiwan, China" instead of the neutral "Taiwan"? Taiwan is not currently controlled by the PRC, regardless of whether or not one believes it "should" be. Taiwan's acting government, the ROC, believes it shouldn't be, and China's government, the PRC, believes it should be. Most Taiwanese people seem to agree with the ROC, but I've met some who identify as Chinese and would be fine being governed by the PRC. To refer to a disputed land as objectively part of a specific country, one that doesn't even currently govern it no less, really bothers me.
The ISO list shows Occupied Palestine in its preferred UN nomenclature, PALESTINIAN TERRITORY, OCCUPIED. This is a politically controversial area as well. How you should choose to identify the area depends in part on to which region you're targeting your site/app.
Both the PRC and ROC lay claim to the whole of China, with Taiwan as a part of it. It's absurd, but they both agree that Taiwan is part of China, they simply disagree on who should be ruling that greater part.
That's partly true. The PRC and the Guomindang (the Nationalist Party) of the ROC both officially claim that they should be ruling all of China, but the Minzhujinbudang (the Democratic Progressive Party) of the ROC views Taiwan as having developed its own culture and identity that's distinct from Chinese, and they don't try to claim ownership of or any relation to the mainland. And in English the phrase "Taiwan, China" really means 中国台湾 and not 中华台湾, i.e. "China" there refers to the PRC rather than the land of the Chinese people. So both parties in the ROC reject the phrase "Taiwan, China."
I've told this story once or twice on HN before so apologies for anyone re-reading it, but it seems relevant: I was doing some IPTV stuff in China a couple of years ago and we were warned that, among the things the government would be watching our streams for, was use of the word "Taiwan". We absolutely weren't allowed to use it, instead using "Chinese Taipei".
I spent half a year in China, and I didn't find the word Taiwan as a location offensive to anyone. Could it have been the case that you weren't allowed to say Taiwan specifically when referring to it as a political entity? I was under the impression that Chinese Taipei is the compromise name the two governments agreed on using when referring to Taiwan as an independent entity in sporting events, since having an independent team called Taiwan would not be compatible with China's position that Taiwan belongs to China. However, when referring to Taiwan geographically as the author of this article did, I never once heard Chinese people say Chinese Taipei (neither 中华台北 nor 中国台北). I think in general when people refer to a country by its capital (e.g. Washington or Beijing) they're specifically referring to the country's government. So it makes sense that people wouldn't use Chinese Taipei to mean the whole island of Taiwan if they're not talking about the ROC but rather just the region. I found that people just referred to the island of Taiwan as 台湾 (Taiwan), but certain Chinese government propaganda did the Taiwan, China thing like the author of this article. A video they showed us on an Air China flight showed a photograph of Taipei and labeled it as 中国台湾省台北市 (Taipei, Taiwan Province, China).
Sounds like you know a lot more about it than me, and certainly makes sense - I was at an esports tournament (so would likely follow the rules of sports events), the 2002 World Cyber Games Grand Final. We weren't given any background, just a list of words not to use on air.
You probably used English as a lingua franca. What happens is that whoever watches you doesn't understand 99% of what you're saying except for a few keywords. This has caused a lot of diplomatic grief even between allied countries, because without context the worst is always assumed (cognitive bias, I guess). It seems to me a similar situation applies here, so a list of words to avoid or replace would be a sensible thing to use.
Sounds reasonable, but we weren't given it as "the Chinese might make a mistake, be careful" it was "here's a list from the people who will be watching, they say you can't use these words".
Recently a friend of mine sent me a piece of obfuscated JS that was in a phishing page that was being posted around his large gaming-related website. Threw the JS into Closure Compiler with advanced optimisations and pretty print, and out comes relatively unobfuscated code - it cleared up the series of horrible regexes anyway.
The code injected a Java applet that downloaded a botnet virus. Decompiling the Java applet revealed the Steam ID of the guy orchestrating this. Added him on Steam and had a great conversation in which he accidentally indirectly admitted the botnet was under his control.
A fun use of a Sunday.
The evidence was never sent to anyone, thinking nothing would come of it.
It was my freshman year of college and my first introduction to broadband in 1998. I discovered IRC via mIRC and somehow somebody put something on my computer where they could control the mouse/keyboard.
I watched the guy move the cursor around for a while then begin to type to him. He was cool, and told me how to prevent it from happening again.
This happened to a lot of people when they started out using IRC. I remember chatting with someone using mIRC and they started opening and closing my CD-ROM. I got duped into running a Sub7 client script or something.
When I was a teenager I found it fun to intentionally infect myself with malware and try to study it. I now realize this wasn't the most responsible thing to do, as I wasn't in a sandboxed environment, but it was a great learning experience and taught me a lot about networking and security.
One of the biggest malwares I ever managed to infect myself with was a bot, which caused my computer to become a zombie on a ~10K botnet. I spent hours running a packet sniffer and seeing how the client interacted with the IRC network it called home to. Upon connecting to the privately run IRC network, the bot would authenticate with a user and pass. I assume it created one upon connecting the first time to the network. My best guess as to why is so that the bot master could track the total number of zombies and compare it to how many were actively connected to the botnet. Kind of a clever way to get metrics, now that I think about it.
When I temporarily stopped the bot from connecting to IRC, I decided it might be fun to login as the bot and join the channel I saw it connecting to. Upon joining the channel, I saw thousands of other users on the channel. I spent a couple of days sitting there, masquerading myself as a bot, and watching the botmaster interact with the bots. The botmaster would issue commands that I can't really recall anymore, but I do remember seeing a lot of commands that I assumed told the bots to download extra malware from a remote host. I remember seeing URLs for zip and exe files.
Eventually I got a little bored of this, so I decided to message the botmaster. It was easy to spot him; out of the three ops on the channel, he was the only full op. I tried a "hello" and waited. And waited. And then I was k-lined from the IRC network.
The next day when I logged onto my computer, I found my Internet connectivity was being overwhelmed with bogus TCP requests. I had pissed off the botmaster by snooping, and now I was getting DDoS'd. I imagine he/she commandeered a small number of the bots to do this. It wouldn't take many... I imagine back then, given my bandwidth, 10-15 would have done it.
Fun times. I remember posting about my botnet adventures to Security Focus way back when. Some people got really interested and followed my posts, while other professionals asked me to stop because I wasn't running a sandbox.
IMO, those were different times. I'm not sure I'd recommend something like this these days. After hearing about certain botnets being tied to various mafias and gangs around the world (which is probably more common than you think. See http://www.ibtimes.co.uk/articles/321149/20120329/mafia-cont...), I'm not sure I'd really want to risk interfering with their activities.
It's funny you should say this. I practically did the same thing, from a different perspective.
I ran my own little IRC server when I was a teenager, and one day I noticed a lot of my friends were being disconnected from the server. After some more investigation, it seemed like they were actually being disconnected completely from the Internet. Bit odd.
Upon more investigation, I found an acquaintance had something like 10,000 bots (spybot/rxbot) going through my server (yes, a simple /list could have sufficed...), and when I looked at the topic of his channels, I noticed they consisted primarily of commands to control the botnet. "startkeylogger" sort of thing.
A few more pokes and I realised it was Norton Antivirus that was listening on port 6667 for any "bad" commands, and then disconnecting the user from the internet. I thought this was hilarious, and went to EFnet, tried it in a large channel and watched 400 people disconnect. Then I felt quite bad, so I emailed Norton, and received no reply.
Something like two years later, I noticed the same exploit on the main page of Slashdot, and chaos ensued. It did make me feel pretty cool, "ha! I knew something before all you big uber leet haxxors!" :]
Sadly, my acquaintance didn't mature like the rest of us and decided to use his knowledge and skills to do naughty things, and the FBI got him. Good riddance.
> I tried a "hello" and waited. And waited. And then I was k-lined from the IRC network. The next day when I logged onto my computer, I found my Internet connectivity was being overwhelmed with bogus TCP requests.
I'd probably do the same, upon discovering that one of my bots had become sentient.
This is fantastic. I did the same with a very similar botnet way back when, except my "hello" in IRC wasn't as friendly. Left to eat for an hour, then came back to my hard drive erased. Live and learn...
Thanks! I agree that things like this are pretty fantastic. Part of me misses those days of being so experimental and new to tech. Sorry to hear about your hard drive, though :)
Interesting, but when I ran into a similar backdoor on a client's server (it had been infected through a phpBB upload script), I found the password to the IRC server in clear text by using either hexdump or strings. Not sure which of the tools, but I also tried connecting and found a channel with just around 20-30 bots at the most. Fun experience just like yours.
Reminds me of those good times when my friends and I discovered trojans. We kept infecting people, until they found out about it and started doing it as well. It became a war between us. Almost everyone got infected in our class.
I remember the pranks we used to pull, like printing "Help me I'm trapped inside the printer!", changing the wallpaper for a porn one, typing messages instead of the person on MSN.
Once we infected some random guy we didn't know, and popped up a black chat screen (like the one in matrix) and before we could write "Hi Neo" the guy was already writing to us "hey what's up?".
The guy was so stupid he chatted with us like it was a normal thing.
Then we all grew up and we felt a bit bad for finding stuff we shouldn't have found, so we stopped.
"I am sorry but AVG blogs are currently undergoing essential maintenance.
Normal service will be resumed shortly, in the meantime go to AVG.com for more information about AVG products or go to our Facebook page to join our thriving online community.
We apologise for any disruption this may have caused."
Back in the day I used to do this. I would stay up the better part of the night adding random people on MSN or ICQ and sending the trojan, saying it was my picture. So before sending it I would describe myself as someone they'd want to see, to drive up their curiosity; basically I'd be what they'd want me to be. This was very successful. I never maintained a big list of zombied boxes; I'd infect and remove on a per-night basis depending on how bored I was.
I also saw the progression of hiding IPs in MSN connections. At first they would make a direct connection; later they only made a direct connection while transferring files bigger than a certain size. They completely removed it after some point, don't remember very well.
After I got to know more about networking and how things are connected, I realized that my ISP allowed initiating NULL sessions to other customers. I remember how excited I was to find this. I would place the RATs everywhere with curious names in hopes of them clicking, or just test exploits on them.
Another interesting thing I found was I was able to invite anyone, even random emails (Hotmail) while having a group chat. I had so much fun doing that back then.
After infection it was basically just chatting, messing with the LEDs, CD-ROMs... people were more interested in finding out how I did it and just chatting rather than being mad. I remember one time when I did this to a friend he got scared and ripped off the cable, breaking the wall socket.
It was really easy to evade anti-virus programs at the time. I usually just split the file in half, ran the scanner on it, split again until I narrowed down to the signature, and would just change a value or two.
It was interesting to see how many times people changed the text before hitting send while chatting. Obviously I was too naive to know about and respect privacy back then.
Yeah, when I was at boarding school (high school), we had a LAN in the dorms full of everybody's shiny new Windows 95 desktops. So everybody just had SMB shares, and nobody was careful about what they clicked on.
I put a trojan exe with the icon made to look like a text file in mine. Someone clicked on it, and then I popped up a dialog box that said "Hello! You've got a trojan. Open notepad and let's talk about it", and he typed into notepad and I watched with the keyboard sniffer and answered back by injecting keypresses. (I couldn't see video of the screen - I think I could take screenshots, though.)
I learned a lot about networking that year.
A long time ago (windows 98 I believe) my screen went blank and green text appeared saying "Hello, how are you?" I was about 12 at the time so I had no idea what was going on. I don't recall my response, but I remember the "person" on the other side saying "You left a back door open. Would you like me to close it?" I restarted my computer and I still have no idea what it was.
Was this a virus, a hacker, something else? I completely forgot about it until this thread.
I am the creator of the PTN FUN TROJAN from 2003. I was just starting to learn coding and created this simple server/client program using Visual Basic and numerous VB code snippets I found online. I was able to open/close CD trays, turn off monitors, disable CTRL+ALT+DEL, send screenshots, hide the mouse pointer and other stuff. I created an autostart CD with the title "CS MAPS" and handed it around on private LANs, infecting all my friends' computers. I had quite a few computers depending on my mercy.
On one occasion, one of my friends realized he wasn't in full control of his computer. He opened notepad and tried to communicate with me, the hacker, by typing messages. I could read his messages from the screenshots and found it pretty hilarious at that time. I responded by turning his screen upside down.
Reminds me of all the fun I had playing with malware on my own computer during the mid-to-late 90s. Being quite ignorant about the whole thing allowed me to look for and find things that would not be considered safe. Hacker websites (like the old Cult of the Dead Cow folks), exploits, etc. I remember downloading the LOIC and wondering what the hell it was.
Of course, I wanted to be a "hacker". You know, make ATMs spit out cash so my brother could buy a more powerful engine for his Mustang. That kind of thing. Never really meant or even did harm, because my limited knowledge back then kept me out of trouble.
I did however get to do something very important while looking for people to "hack" (not really) on ICQ. I met my wife. Wonderful things happen by serendipity.
When I was about 11 or 12 years old, I was chatting with a friend on AOL Instant Messenger and suddenly was forced into a black screen with green text where I communicated briefly to someone who was forcing this new chat session onto me. The crack scared the absolute crap out of me. It ended once I told the person that I was irritated and that I was going to contact the police (I didn't and I doubt there was anything that really could have been done). Once the fear subsided I became more interested in how this person did what they did. It's one of those weird technology-related moments that sticks out in my mind to this day more than 10 years later.
I am a convicted malware coder (Agobot/Gaobot/Phatbot/etc...) and it all started because of a chat I had with a botmaster.
Back then I needed a key for Warcraft III, which just came out, so I tried some keygen I found on the net, without any antivirus. When the keygen did not work I knew something was wrong, so I checked for suspicious network traffic and saw some IRC connection, quickly found the process responsible for causing the traffic and fired up a disassembler. After UPX unpacking I had the assembler code to the program and was able to determine the IRC server, the bot password (they didn't use password hashes or hostmasks back then) and I got a command reference for the specific bot (SDBOT). I joined the channel disguised as one of the bots, logged in and sent the remove command. This kills the botnet. The bot herder was pissed, but I started talking to him and I got interested in malware to get CD keys, which I couldn't afford at the time.
I started modifying SDBOT for my usage, writing scanners and fixing bugs in the IRC connection code. After a while I felt limited by the codebase and started my own, called Agobot. Agobot quickly grew into one of the most capable trojans at the time, with thousands of variants. I also quickly got a team of at peak ~15 people together who helped with testing and coding. Coding was mostly done by me and at most 3 other coders. We had really cool stuff, like wormride, which was a tool to make other malware/worms spread Agobot instead of itself. It also contained an exploit that I wrote for the LSASS hole that Sasser used, only a few days after the advisory. My LSASS exploit did not crash the target, which let it spread a few days without being noticed. ISC noticed it after a while and raised the threat level to orange.
There was also a variant of the bot that used the waste network to communicate and the gnutella network to find themselves. It made the DHS shit their pants and release an advisory :)
First I hosted the bots on public IRC, but after being detected very quickly I got to talk with some IRC opers who offered me a private server to run the botnet on in exchange for usage rights. These were powerful servers, holding around 50k bots at peak. Basically this all got busted by the FBI, which caused the Foonet/CIT shutdown. For more info, check these URLs:
Anyway, they caught me because I accidentally let a bot start a short scan from the Linux host where we hosted the SVN repository and IRC. The company running the datacenter detected the scan and decided to investigate the server (illegally) and found all the stuff (I didn't even think about encrypting all that). I got 2 years probation for this as well as for hacking Valve Software.
How did he get pwned or not take necessary precautions? He could have re-imaged it after running the virus to prevent something like this from happening (assuming that's how it did), but it was all in a virtual machine, so there wasn't much risk to not doing it.
Well, just learn ruby and read the source code of snappy, then write your own camera activation code -> no problem.
If you don't trust your link, go to the well known github website and search for the project yourself.
"With growing wish for self responsibility comes growing need for power."