Rocketman | Posted on Wednesday, March 03, 2004 - 05:57 pm:
The enemy within

He's 21, he's got dreadlocks, likes punk bands... and his hobby could wreck your computer in seconds. Clive Thompson infiltrates the secret world of the virus writers who see their work as art - while others fear that it is cyber-terrorism

Clive Thompson, Saturday February 21 2004, The Guardian

Mario stubs out his cigarette and sits down at the desk in his bedroom. He pops into his laptop the CD of Iron Maiden's Number of the Beast, his latest favourite album. 'I really like it,' he says. 'My girlfriend bought it for me.' He gestures to the 15-year-old girl with straight dark hair lounging on his bed and she throws back a shy smile.

Mario, 16, is a secondary-school student in a small town in the foothills of southern Austria. (He didn't want me to use his last name.) His shiny shoulder-length hair covers half his face and his sleepy green eyes, making him look like a very young, languid Mick Jagger. On his wall, he has an enormous poster of Anna Kournikova which, he admits sheepishly, his girlfriend is not thrilled about.

Downstairs, his mother is cleaning up after dinner. She isn't thrilled these days, either. But what bothers her isn't Mario's poster. It's his hobby.

When Mario is bored, he likes to sit at his laptop and create computer viruses and worms. Online, he goes by the name Second Part to Hell, and he has written more than 150 examples of what computer experts call 'malware': tiny programs that exist solely to self-replicate, infecting computers hooked up to the internet. Sometimes, these programs cause damage and sometimes they don't. Mario says he prefers to create viruses that don't intentionally wreck data, because simple destruction is too easy. 'Anyone can rewrite a hard drive with one or two lines of code,' he says. 'It makes no sense. It's really lame.' Besides which, it's mean, he says, and he likes to be friendly.
But still - just to see if he could do it - a year ago he created a rather dangerous tool: a program that autogenerates viruses. It's called a Batch Trojan Generator and anyone can download it freely from Mario's website. With a few simple mouse clicks, you can use the tool to create your own malicious 'Trojan horse'. Like its ancient namesake, a Trojan virus arrives in someone's e-mail looking like a gift, a jpeg picture or a video, for example, but actually bearing dangerous cargo.

Mario starts up the tool to show me how it works. A little box appears on his laptop screen, politely asking me to name my Trojan. I call it the 'Clive' virus. Then it asks me what I'd like the virus to do. Shall the Trojan horse format drive C? Yes, I click. Shall the Trojan horse overwrite every file? Yes. It asks me if I'd like to have the virus activate the next time the computer is restarted and I say yes again. Then it's done. The generator spits out the virus on to Mario's hard drive, a tiny 3k file.

Mario's generator also displays a stern notice warning that spreading your creation is illegal. The generator, he says, is just for educational purposes, a way to help curious programmers learn how Trojans work. But I could ignore that advice. I could give this virus an enticing name, like 'britney-spears-wedding-clip.mpeg' to fool people into thinking it's a video. If I were to email it to a victim and if he clicked on it and didn't have up-to-date anti-virus software, then disaster would strike his computer. The virus would activate. It would quietly reach into the victim's Microsoft Windows operating system and insert new commands telling the computer to erase its own hard drive. The next time the victim started up his computer, the machine would find those new commands, assume they were part of the normal Windows operating system and guilelessly follow them. Everything on his hard drive would vanish - emails, pictures, documents, games.
Mario drags the virus over to the trash bin on his computer's desktop and discards it. 'I don't think we should touch that,' he says hastily.

Computer experts called 2003 'the Year of the Worm'. For 12 months, digital infections swarmed across the internet with the intensity of a biblical plague. It began in January, when the Slammer worm infected nearly 75,000 servers in 10 minutes, clogging cashpoint networks and causing sporadic flight delays. In the summer, the Blaster worm struck, spreading by exploiting a flaw in Windows; it carried taunting messages directed at Bill Gates, infected hundreds of thousands of computers and tried to use them to bombard a Microsoft website with data. Then in August, a worm called Sobig.F exploded with even more force, spreading via email that it generated by stealing addresses from victims' computers. It propagated so rapidly that at one point, one out of every 17 email messages travelling through the internet was a copy of Sobig.F.

The computer security firm mi2g estimated that the worldwide cost of these attacks in 2003, including clean-up and lost productivity, was at least $82 billion (though such estimates have been criticised for being inflated).

The pace of contagion seems to be escalating. When the Mydoom.A email virus struck in late January, it spread even faster than Sobig.F; at its peak, experts estimated, one out of every five email messages was a copy of Mydoom.A. It also carried a nasty payload: it reprogrammed victim computers to attack the website of SCO, a software firm vilified by geeks in the 'open source' software community.

You might assume that the blame - and the legal repercussions - for the destruction would land directly at the feet of people like Mario. But as the police around the globe have cracked down on cybercrime in the past few years, virus writers have become more cautious, or at least more crafty. These days, many elite writers do not spread their works at all.
Instead, they 'publish' them, posting their code on web sites, often with detailed descriptions of how the program works. Essentially, they leave their viruses lying around for anyone to use. Invariably, someone does.

The people who release the viruses are often anonymous mischief-makers, or 'script kiddies'. That's a derisive term for aspiring young hackers, usually teenagers or students, who don't yet have the skill to program computers but like to pretend they do. They download the viruses, claim to have written them themselves and then set them free in an attempt to assume the role of a fearsome digital menace. Script kiddies often have only a dim idea of how the code works and little concern for how a digital plague can rage out of control.

Our modern virus epidemic is thus born of a symbiotic relationship between the people smart enough to write a virus and the people dumb enough - or malicious enough - to spread it. This development worries security experts, because it means that virus writing is no longer exclusively a high-skill profession. By so freely sharing their work, the elite virus writers have made it easy for almost anyone to wreak havoc online.

When the damage occurs, as it inevitably does, the original authors just shrug. We may have created the monster, they'll say, but we didn't set it loose. This dodge infuriates security professionals and the police, who say it is legally precise but morally corrupt. Like a collection of young Dr. Frankensteins, the virus writers are increasingly creating forces they cannot control and for which they explicitly refuse to take responsibility.

'Where's the beer?' Philet0ast3r wondered. An hour earlier, he had dispatched three friends to pick up another case, but they were nowhere in sight. He looked out over the controlled chaos of his one-bedroom apartment in small-town Bavaria.
(Most of the virus writers I visited live in Europe; there have been very few active in the United States since 9/11, because of fears of prosecution.) Philet0ast3r's party was crammed with 20 friends who were blasting out punk band Deftones, playing cards, smoking furiously and arguing about politics. It was a Saturday night.

Philet0ast3r, a 21-year-old with a small silver hoop piercing his lower lip, wears his brown hair in thick dreads. (Philet0ast3r is an online handle; he didn't want me to use his name.) His friends finally arrived with a fresh case of beer and his blue eyes lit up. He flicked open a bottle using the edge of his cigarette lighter and toasted the others. A tall blond friend in a jacket festooned with anti-Nike logos put his arm around Philet0ast3r and beamed. 'This guy,' he proclaimed, 'is the best at Visual Basic.' In the virus underground, that's love.

Visual Basic is a computer language popular among malware authors for its simplicity; Philet0ast3r has used it to create several of the two dozen viruses he's written. From this tiny tourist town, he works as an assistant in a home for the mentally disabled and in his spare time runs an international virus-writers' group called the 'Ready Rangers Liberation Front'. I met him, like everyone profiled in this article, online, first emailing him, then chatting in an internet relay chat channel where virus writers meet and trade tips and war stories.

Philet0ast3r got interested in malware the same way most virus authors do: his own computer was hit by a virus. He wanted to know how it worked and began hunting down virus-writers' websites. He discovered years' worth of viruses online, all easily downloadable, as well as primers full of coding tricks. He spent long evenings hanging out in online chat rooms, asking questions, and soon began writing his own worms.
One might assume Philet0ast3r would favour destructive viruses, given the fact that his apartment is decorated top to bottom with anti-corporate stickers. But his viruses, like those of many malware writers, are often surprisingly mild things carrying goofy payloads. One he is developing will install two artificial intelligence chat-agents on your computer; they appear in a pop-up window, talking to each other nervously about whether your antivirus software is going to catch and delete them.

Philet0ast3r said he was also working on something sneakier - a 'keylogger'. It's a Trojan virus that monitors every keystroke its victim types, including passwords and confidential email messages, then secretly mails out copies to whoever planted the virus. Anyone who spreads this Trojan would be able to quickly harvest huge amounts of sensitive personal information.

Technically, 'viruses' and 'worms' are slightly different things. When a virus arrives on your computer, it disguises itself. It might look like an OutKast song ('hey_ya.mp3'), but if you look more closely, you'll see it has an unusual suffix, like 'hey_ya.mp3.exe'. That's because it isn't an MP3 file at all. It's a tiny program and when you click on it, it will reprogram parts of your computer to do something new, like display a message. A virus cannot kick-start itself; a human needs to be fooled into clicking on it. This turns virus writers into armchair psychologists, hunting for new tricks to dupe someone into activating a virus. ('All virus-spreading,' one virus writer said caustically, 'is based on the idiotic behaviour of the users.')

Worms, in contrast, usually do not require any human intervention to spread. That means they can travel at the breakneck pace of computers themselves. A worm's danger lies in its speed: when it multiplies, it often generates enough traffic to crash internet servers.
The most popular worms today are 'mass mailers' which attack a victim's computer, swipe the addresses out of Microsoft Outlook (the world's most common email program) and send a copy of the worm to everyone in the victim's address book. These days, the distinction between worm and virus is breaking down. A worm will carry a virus with it, dropping it on to the victim's hard drive to do its work, then emailing itself off to a new target.

The most ferocious threats today are 'network worms', which exploit a particular flaw in a software product (often one by Microsoft). The author of Slammer, for example, noticed a flaw in Microsoft's SQL Server, an online database commonly used by businesses and governments. The Slammer worm would find an unprotected SQL server, then would fire bursts of information at it, flooding the server's data 'buffer', like a cup filled to the brim with water. Once its buffer was full, the server could be tricked into sending out thousands of new copies of the worm to other servers. Normally, a server should not allow an outside agent to control it that way, but Microsoft had neglected to defend against such an attack.

Using that flaw, Slammer flooded the net with 55 million blasts of data per second and in only 10 minutes colonised almost all vulnerable machines. Computer-science experts have a phrase for this type of fast-spreading epidemic, 'a Warhol worm' in honour of Andy Warhol's prediction that everyone would be famous for 15 minutes. 'In computer terms, 15 minutes is a really long time,' says Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, who coined the Warhol term. 'The worm moves faster than humans can respond.' He suspects that even more damaging worms are on the way. All a worm writer needs to do is find a significant new flaw in a Microsoft product, then write some code that exploits it. Even Microsoft admits that there are flaws the company doesn't yet know about.
Virus writers are especially hostile toward Microsoft, the perennial whipping boy of the geek world. From their (somewhat self-serving) point of view, Microsoft is to blame for the worm epidemic, because the company frequently leaves flaws in its products that allow malware to spread. Microsoft markets its products to less expert computer users, cultivating the sort of gullible victims who click on disguised virus attachments. But it is Microsoft's success that really makes it such an attractive target: since more than 90 per cent of desktop computers run Windows, worm writers target Microsoft in order to hit the largest possible number of victims. (By relying so exclusively on Microsoft products, virus authors say, we have created a digital monoculture, a dangerous thinning of the internet's gene pool.)

Microsoft is now so angry that it has launched a counterattack. Last autumn, it set up a $5 million fund to pay for information leading to the capture of writers who target Windows machines. So far, it has announced $250,000 bounties for the creators of Blaster, Sobig.F and Mydoom.B.

The motivations of the top virus writers can often seem paradoxical. They spend hours dreaming up new strategies to infect computers, then hours more bringing them to reality. Yet when they're done, most of them say they have little interest in turning their creations free. Though Philet0ast3r is proud of his keylogger, he said he does not intend to release it into the wild. His reason is partly one of self-protection; he wouldn't want the police to trace it back to him. But he also said he does not ethically believe in damaging someone else's computer. So why write a worm, if you're not going to spread it? For the sheer challenge, Philet0ast3r replied, the fun of producing something 'really cool'. For the top worm writers, the goal is to make something that's brand new. A truly innovative worm, Philet0ast3r said, 'is like art'.
To allow his malware to travel swiftly online, the virus writer must keep its code short and efficient. 'One condition of art,' he noted, 'is doing good things with less.'

M1combat | Posted on Wednesday, March 03, 2004 - 06:14 pm:
Nice. Anyone here familiar with the Hacker's Manifesto?

Seanp | Posted on Wednesday, March 03, 2004 - 10:28 pm:
I am a signal officer in the Army, and I tell you what, I would like to get my hands on some of these people... They've caused me more stress than the freaking mortars and RPG's have around here. If I were Bill Gates I'd hire hitmen to start taking these guys out - not permanently, but just enough to send them a message. If they get on their internet chat boards and start talking about how hacker#1 just got the crap beat out of him, and so did hacker#2, 3, and 4... Then they might start thinking. But hey, I'm not Bill Gates. And I only have about 120 computers to worry about. So hey, no big deal. But sometime...

M1combat | Posted on Wednesday, March 03, 2004 - 10:49 pm:
Any idea what region targets you?

Blake | Posted on Thursday, March 04, 2004 - 12:17 am:
"A virus cannot kick-start itself; a human needs to be fooled into clicking on it...." "If I were to email (a virus) to a victim and if he clicked on it and didn't have up-to-date anti-virus software..."

Run current anti-virus software, don't open executable attachments; in short, don't be a fool.
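The disguise the article describes ('hey_ya.mp3.exe', or a video-looking name on an executable) and Blake's advice about executable attachments come down to two checks a mail gateway or desktop tool can make before a user ever sees the file: does the outermost extension run when double-clicked, and do the file's leading bytes match what the name claims? The following is an added example, not code from the thread or from the Guardian piece. The extension sets, the magic-byte table and the sample attachments are constructed for illustration; a real filter would carry a far longer policy list.

```python
import os
from dataclasses import dataclass, field

# Extensions Windows runs when double-clicked. Constructed, partial list for
# this example; a production filter would use its own broader policy.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf"}

# Extensions users read as harmless media or documents. The decoy names in the
# article ('hey_ya.mp3.exe', a '.mpeg' video) rely on exactly these.
DECOY_EXTS = {".mp3", ".mpeg", ".mpg", ".avi", ".jpg", ".jpeg", ".gif",
              ".png", ".doc", ".pdf", ".txt"}

# Leading bytes of a Windows PE executable ("MZ") and of a few of the formats
# the decoy extensions claim to be. Enough to demonstrate the mismatch check.
MAGIC = {
    b"MZ": "windows executable",
    b"\xff\xd8\xff": "jpeg image",
    b"\x89PNG": "png image",
    b"ID3": "mp3 audio",
    b"%PDF": "pdf document",
}


@dataclass
class Verdict:
    name: str
    block: bool
    reasons: list = field(default_factory=list)


def split_extensions(name):
    """All dotted suffixes of a filename, lower-cased, outermost last.
    'hey_ya.mp3.exe' -> ['.mp3', '.exe']. Trailing spaces and dots, which
    Windows strips before resolving the real extension, are removed first."""
    base = os.path.basename(name).rstrip(" .")
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def sniff(data):
    """Identify the file type from its leading bytes, ignoring the name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_attachment(name, data):
    """Decide whether an attachment should be blocked and record why."""
    v = Verdict(name=name, block=False)
    exts = split_extensions(name)
    outer = exts[-1] if exts else ""

    # Check 1: the extension that actually decides how Windows opens the file.
    if outer in EXECUTABLE_EXTS:
        v.block = True
        v.reasons.append(f"executable extension {outer}")
        # The 'looks like media, runs as a program' double-extension trick.
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            v.reasons.append(f"double extension: looks like {exts[-2]} but runs as {outer}")

    # Check 2: content that contradicts the name, e.g. a PE file called '.mpeg'.
    kind = sniff(data)
    if kind == "windows executable" and outer not in EXECUTABLE_EXTS:
        v.block = True
        v.reasons.append(f"content is a {kind} but name claims {outer or 'no extension'}")
    return v


# Constructed sample attachments: name -> first bytes of the file.
SAMPLES = {
    "hey_ya.mp3.exe": b"MZ\x90\x00" + b"\x00" * 60,                  # PE with decoy inner extension
    "britney-spears-wedding-clip.mpeg": b"MZ\x90\x00" + b"\x00" * 60, # PE hiding behind a video name
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,               # genuine JPEG header
    "README.TXT ": b"Plain text, nothing to see.",                    # trailing space, harmless
}


def scan_samples():
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for v in scan_samples().values():
        print("BLOCK" if v.block else "allow", v.name, "; ".join(v.reasons))
```

The second check is the one that matters for the '.mpeg' case: the name alone passes, and only the "MZ" header gives the file away, which is why filtering on extension lists by themselves is not enough.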

Seanp | Posted on Thursday, March 04, 2004 - 12:43 am:
No, we get hit by the same general stuff as everyone that's connected to the internet. We haven't had any problems with targeted attacks, which is good. But even the random worms, like SoBig and the latest NetSky, force us to do wonderful things to people's computers like reformat their hard drives. It's hard telling the old man that I have to erase everything on his computer. Lucky I'm wicked anal about having backups...

I'd love to get into information security stuff a lot more than I get into it now. I can definitely picture a time in the future when much of a "war" is done virtually, months before the actual ground combat starts. But then again, as I mentioned, I'm a signal officer. So maybe I'm just hoping that sometime in the future I'll have good job security... I'd love to attack the bank accounts, electronic infrastructure, and military networks of an enemy. That would be fun. And maybe attack a hacker or two along the way, for good measure. Targets of opportunity.

And Blake, that's all well and good, and I tell my folks that all the time, but it's kind of tough for me, a CPT, to chew a LTC's ass for opening an attachment that he shouldn't have...

edited by seanp on March 04, 2004

Paulinoz | Posted on Thursday, March 04, 2004 - 12:46 am:
Run Netscape on a Mac, best insurance money can buy

Darthane | Posted on Thursday, March 04, 2004 - 01:39 am:
-=eagerly awaiting his new iBook since Microsoft's latest "Oh, we f#@%ed up and left a massive hole in our software" announcement=-

My computer here now will not recognize my internet connection without me opening the properties, changing nothing, closing it, and logging off/in. WTF?

I agree with SeanP, though. I'd love to get my hands on these asses, even the ones that 'don't propagate their work', and wring their pale, scrawny little necks. That whole 'just to see if I can' line is such a load. Yeah, and the Manhattan Project was 'just because' as well.

Bryan

Seanp | Posted on Thursday, March 04, 2004 - 03:23 am:
Yeah, I'm waiting for a new 12" Powerbook. I'm hoping it will run Opera, which is my current browser of choice on Windows. I haven't used Internet Exploder in a while. And I don't miss it one bit... Now all I need to do is become a multi-billionaire so I can find those hackers. Yeah...

Reepicheep | Posted on Thursday, March 04, 2004 - 08:57 am:
People always ask me about running unsecured wireless access points in their home. Hee Hee Hee... after the time and energy these bozos have cost me, I would LOVE to have one of them line of sight....

M1combat | Posted on Thursday, March 04, 2004 - 11:38 am:
"Run Netscape on a Mac best insurance money can buy"

Run Mozilla on a Linux box... Best insurance money doesn't need to buy and yes, it IS better than MACOS and Windoze. You can upgrade the Kernel w/o rebooting... how cool is that? That's akin to upgrading from WinNT to WinXP w/o a reboot. Nothing is perfectly secure, but if one were to run a cheap Linux firewall box (my county govt. organization is auctioning about 150 such PC's in a little more than a month) it does indeed make it pretty difficult to get in. The other bonus is that because these hacker/cracker types are almost always anti-corporate they don't generally target Linux... They love Linux. Linux is mostly secure as opposed to Windoze which is almost somewhat partially kind-of secure (relatively) on a good day after two hours (on a FAST connection) of Windows updates. The learning curve on a Linux box is a LOT flatter than most expect and it comes with all sorts of neat software (most of it you don't need) including a COMPLETE and FULLY FUNCTIONAL replacement for Microsoft's Office that's FULLY FILE COMPATIBLE with Office. Go figure. Oh, did I mention it's free? Anyway, I digress.

M1combat | Posted on Thursday, March 04, 2004 - 12:57 pm:
LOL, Just got this from my GF and thought it was pertinent...

BUENOS DIAS!! JOU HAVE YUST RECEIVE A MEHICAN BIRUS!!!!! SINCE WE NOT SO TECHNOLOGICALLY ADBANCED IN MEHICO, DIS IS A MANUAL BIRUS. PLEASE DELETE ALL DE FILES ON JOUR HARD DRIVE JOURSELF AND SEND DIS E-MAIL TO EBERYONE JOU KNOW. TAN JOU POR YELPING ME. JULIO MANUEL JOSE RODIRGUEZ GARCIA MEXICAN HACKER

Blake | Posted on Thursday, March 04, 2004 - 01:16 pm:
Yeah, good one. I bet all the BadWebers with Mexican heritage are loving that. I have some problem denigrating those who can speak more languages than I. And besides, now all the Aggies reading it will be complaining about having to reload all their lost files.

Bluzm2 | Posted on Thursday, March 04, 2004 - 06:18 pm:
Sean, Be careful what you wish for. You just might get it! I'm up to my eyeballs all day long doing the internet security thing. It makes your head hurt after a while. Staying current or slightly ahead of the bad guys is quite a challenge. We have network sensors inside and outside our network, you would not believe the stuff I see. Not only probes, attacks and the like but IM traffic with content that is unbelievable. You can't make some of this stuff up! Reality TV and the like have nothing on real life folks that don't know they are being monitored. We don't do anything with that stuff, just watch for malicious attacks and probes. In order to do that you have to analyze ALL traffic.

Bill, You want long range 802.11? Try building a Pringles can antenna. I can pick up stuff from over 2 blocks away with NO problems. It's amazing how many folks install a home wireless network without encryption. Do a war drive with your laptop and Stumbler sometime. The first time I did it I didn't even use an external antenna. In a 5 block radius I found 10 networks, 6 were wide open. Sounds like a good sideline job for parts money!

Brad

M1combat | Posted on Thursday, March 04, 2004 - 06:46 pm:
"Yeah, good one. I bet all the BadWebers with Mexican heritage are loving that. I've have some problem denigrating those who can speak more languages than I."

Hey now... I didn't mean to denigrate anyone... My GF is Indonesian and her son is half Mexican. I just thought it was funny...

Seanp | Posted on Thursday, March 04, 2004 - 10:53 pm:
Brad - I'd love to do something like that. I'm not allowed to do anything like that because we have a Department of Information Technology (DOIM) that is supposed to do things like that. They don't, (at least not that I know of). So instead, everything goes unmonitored, which I vehemently disagree with. I am in a business which requires extreme operational security. And with instant messengers and the like, and no ability to see what sort of traffic is being passed, it just burns my ass. I know there's people passing dates, times, summaries of missions we've been on, and all sorts of other stuff over email, IM, and whatever else they can get their hands on...

And now with all these viruses out, and my users stupidly opening whatever damn attachment comes in their email, I don't know if the contents of their computers are going to be sent to some hacker somewhere, or erased, or posted on the internet. Hell, we even get the same viruses on the secret internet within hours of the virus appearing on the non-secure network. That means that some dumbass is moving information back and forth from the unclass to the classified side, and maybe vice versa. Joy... Oh well, it's just national security.

Phillyblast | Posted on Thursday, March 04, 2004 - 11:24 pm:
Looks like we might all be in luck - the authors of the latest 3 big worms might take each other out for us. Of course, slavish dependence on MS products and an unwillingness to consider alternatives is one reason I'm leaving my current job. Personal desktop, sure. Internet connected server? Fuggedaboutit. (see no inappropriate content in that one)

Rocketman | Posted on Thursday, March 04, 2004 - 11:51 pm:
Philly, Blake doesn't like cinnamon rings

Rocket