Have you ever chatted with a hacker within a virus? (opens in new tab)

When I was a teenager I found it fun to intentionally infect myself with malware and try to study it. I know realize this wasn't the most responsible thing to do, as I wasn't in a sandboxed environment, but it was a great learning experience and taught me a lot about networking and security.

One of the biggest malwares I ever managed to infect myself with was a bot, which caused my computer to become a zombie on a ~10K botnet. I spent hours running a packet sniffer and seeing how the client interacted with the IRC network it called home to. Upon connecting to the privately run IRC network, the bot would authenticate with a user and pass. I assume it created one upon connecting the first time to the network. My best guess as to why this is is so that the bot master could track the total number of zombies and compare it to how many were actively connected to the botnet. Kind of a cleaver way to get metrics, now that I think about it.

When I temporarily stopped the bot from connecting to IRC, I decided it might be fun to login as the bot and join the channel I saw it connecting to. Upon joining the channel, I saw thousands of other users on the channel. I spent a couple of days sitting there, masquerading myself as a bot, and watching the botmaster interact with the bots. The botmaster would issue commands that I can't really recall anymore, but I do remember seeing a lot of commands that I assumed told the bots to download extra malware from a remote host. I remember seeing URLs for zip and exe files.

Eventually I got a little bored of this, so I decided to message the botmaster. It was easy to spot him; out of the three ops on the channel, he was the only full op. I tried a "hello" and waited. And waited. And then I was k-lined from the IRC network.

The next day when I logged onto my computer, I found my Internet connectivity was being overwhelmed with bogus TCP requests. I had pissed off the botmaster by snooping, and now I was getting DDoS'd. I imagine he/she commandeered a small number of the bots to do this. It wouldn't take many... I imagine back then, given my bandwidth, 10-15 would have done it.

Fun times. I remember posting about my botnet adventures to Security Focus way back when. Some people got really interested and followed my posts, while other professionals asked me to stop because I wasn't running a sandbox.

IMO, those were different times. I'm not sure I'd recommend something like this these days. After hearing about certain botnets being tied to various mafias and gangs around the world (which is probably more common than you think. See http://www.ibtimes.co.uk/articles/321149/20120329/mafia-cont...), I'm not sure I'd really want to risk interfering with their activities.

Well, back in my pre-teen script kiddie days of using BO2K/Netbus and early Sub7 builds I was on the other side of the screen. Sub7 I recall distinctly had all the listed features and a lot more - keylogging, chat client, webcam viewing, screen capture, open/closing CD tray, etc. There was a GUI interface that would let you select any of the above features that would create a payload that could be injected into any .exe file. You could also provide an ICQ account number that would get a message any time the client comes online, with the relevant IP:port to connect to. These were in the days before anti-virus or firewalls were prevalent, so it was pretty easy to trick people into opening an infected .exe.

I think I ended up having around 80 people infected, so there was always someone online. I never did anything malicious with it, just chatting and opening/closing CD-ROM drives mostly (and juvenile things like sending my friend's browser to bigboobs.com ... unfortunately his dad was standing behind him at the time). I had dial-up so the webcam viewing wasn't feasible. If someone was freaked out and wanted me to go away I could remotely destroy the trojan. Come to think of it, most people were just curious about what was going on and didn't seem to mind the chat very much (but obviously they usually wanted me to remove it / delete it afterward). Then again, I infected people by random selection on ICQ, so maybe they were just chatty people.

Sorry for the tangent, but did the author really have to assert his or her endorsement of Chinese nationalist politics and write "Taiwan, China" instead of the neutral "Taiwan"? Taiwan is not currently controlled by the PRC, regardless of whether or not one believes it "should" be. Taiwan's acting government, the ROC, believes it shouldn't be, and China's government, the PRC, believes it should be. Most Taiwanese people seem to agree with the ROC, but I've met some who identify as Chinese and would be fine being governed by the PRC. To refer to a disputed land as objectively part of a specific country, one that doesn't even currently govern it no less, really bothers me.

Steve Gibson (grc.com) famously used chatroom credentials in a trojan he reverse-engineered to get in and chat with the bot maker.

And, infamously, got DDOSed for it.

Can't find the transcript now, which is a shame; I think he took it offline to let the intertubes cool down.

Alternative title: Amateur virus analyst does not take necessary precautions, gets pwned by virus author.

Back in 2000, when I was in high school, I developed a trojan similar to netbus and sub7, but just to use it in the school comp labs. The objective was only to have fun. Telling my friends their login passwords, controling their pcs, (screen streaming, key logging, file management, mouse and kb control, some nice screen effects like making the screen move like ocean waves, launch programs, it was fun, lol). There were like 200 machines connected. The infection was simple (auto-installed in services/run) and later it was even network-automated (when I got the admin pass). Then, I handed the commanding program to some friends who used it a little bit too uch. We even had the net admins credentials, so we started to get some extra benefits (like internet outside the internet lab, etc). The admins realized what was happening, and started to use Norton ghost in every pc, first once a week (before it was once every 2 weeks), then, as the infections didnt stop and they started to get very paranoid, they run Norton ghost every single day. It all ended when they discovered a copy of the the source code I had given to a friend of mine. They confronted him, but luckly he took the blame (as he later told me, it was very dumb of him to have saved a copy in his own account. But he managed to convince them that it was just a learning project that went little bit too far. They reprimanded but nothing serious happened to him. So, he is still one of my closest friends,=)

Recently a friend of mine sent me a piece of obfuscated JS that was in a phishing page that was being posted around his large gaming related website. Threw the JS into closure compiler with advanced optimisations and pretty print and out comes relatively unobfuscated code- it cleared up the series of horrible regexes anyway. The code injected a Java applet that downloaded a botnet virus. Decompiling the Java applet revealed the steamid of the guy orchestrating this. Added him on steam and had a great conversation in which he accidentally indirectly admitted the botnet was under his control. A fun use of a Sunday. The evidence was never sent to anyone, thinking nothing would come of it.

To answer the title: yes.

It was my freshman year of college and my first introduction to broadband in 1998. I discovered irc via mIrc and somehow somebody put something on my computer where they could control the mouse/keyboard.

I watched the guy move the cursor around for a while then begin to type to him. He was cool, and told me how to prevent it from happening again.

"I am sorry but AVG blogs are currently undergoing essential maintenance.

Normal service will be resumed shortly, in the meantime go to AVG.com for more information about AVG products or go to our Facebook page to join our thriving online community.

We apologise for any disruption this may have caused."

This article REALLY makes me wish I could turn on my Mac laptops built in camera and microphone.

A long time ago (windows 98 I believe) my screen went blank and green text appeared saying "Hello, how are you?" I was about 12 at the time so I had no idea what was going on. I don't recall my response, but I remember the "person" on the other side saying "You left a back door open. Would you like me to close it?" I restarted my computer and I still have no idea what it was.

Was this a virus, a hacker, something else? I completely forgot about it until this thread.

Not the same, but similar story... 6-8 years ago, I chatted directly with the person responsible for breaking into a web server on the server itself. It's a strange feeling to ssh in and watch someone browsing through files. I did a 'echo "hello?" | wall', showed the guy how to answer me back, and we eventually moved the conversation to IRC. I was using some website to convert English to Portuguese.

Turns out it was a (young) teenager from Brazil. His compromise was that he wouldn't touch our files or deface our websites so long as he could remain in control of the server. I carelessly tried to kick him off, uninstall the rootkit and restart the server only to find out that he could continue to use the same exploit to get access. Then we just called our host and asked them to take down the box. Lost a whole day to it, but I walked away understanding a little bit more about motivation, and learned about an exploit that I hadn't known about previously.

Back a bit (yes, I am dating myself here), I worked for a floppy disk duplicating company that was hired by a certain software company to attempt to duplicate the disks with built-in copy protection. The customer provided a routine where they would have the end-users' disk controllers read a hidden half sector at the end of a half-sized normal ninth sector, I think was the gist of that particular scheme.

If I remember correctly, they had typed some example code in plain ascii, so we obliged with the typical "help, I'm being held captive in a Chinese disk duplication company." Which was almost true, as the owners of our company were of Chinese decent. And in my defense, we did have a number of all-nighters (with Pizza) when another software company would call us with a sudden "we've changed the masters - erase and re-dupe whatever you have)." I was younger, then...

Anyway, a few messages were passed back and forth this way, before we got back to serious business and implemented the copy protection scheme. Not really a virus, but still geeky fun.

Did you know that 8" floppy disks had excellent aerobatic qualities when flung from the top of a building? The trick was holding them by the corner during the wind-up...

Reminds me of those good times when we discovered Trojan me and my friends. We kept infecting people, until they found out about it and started doing it as well. It became a war between us. Almost everyone got infected in our class.

I remember the pranks we used to pull, like printing "Help me I'm trapped inside the printer!", changing the wallpaper for a porn one, typing messages instead of the person on MSN.

Once we infected some random guy we didn't know, and popped up a black chat screen (like the one in matrix) and before we could write "Hi Neo" the guy was already writing to us "hey what's up?". The guy was so stupid he chatted with us like it was a normal thing.

Then we all grew up and we fell a bit bad for finding stuff we shouldn't have found, so we stopped.

Is it just me or do the "features" of this trojan resemble a late 90's Netbus

Back in the days I used to do this. I would stay up better part of the night adding random people to MSN or ICQ and sending the Trojan saying it was my picture. So before sending it I would describe myself as someone they'd want to see, to drive up their curiosity, basically I'll be what they'd want me to be. This was very successful. I never maintained a big list of zombied boxes, I'd infect remove on a per night basis depending on how bored I was.

I also saw the progression of hiding IP's in MSN connections. At first they would make a direct connection, later they only made a direct connection while transferring files bigger than a certain size. They completely removed it after some point, don't remember very well.

After I got to know more about networking how things are connected, I realized that my ISP allowed to initiate NULL sessions to other customers. I remember how excited I was to find this. I would place the RATs everywhere with curious names in hopes for them to click or just test exploits on them.

Another interesting thing I found was I was able to invite anyone, even random emails (Hotmail) while having a group chat. I had so much fun doing that back then.

After infection it was basically just chatting, messing with the LED's, CD-ROM's.. people were more interested in finding out how I did it and just chat rather than being mad. I remember one time when I did this to a friend he got scared and ripped of the cable breaking the wall socket.

It was really easy to evade anti-virus programs at the time. I usually just split the file into half, run the scanner on it, split again until I narrowed down to the signature and would just change a value or two.

It was interesting to see how many times people change the text before hitting send while chatting. Obviously I was too naive to know and respect privacy back then.

Yeah, when I was at boarding school (high school), we had a LAN in the dorms full of everybody's shiny new Windows 95 desktops. So everybody just had SMB shares, and nobody was careful about what they clicked on. I put a trojan exe with the icon made to look like a text file in mine. Someone clicked on it, and then I popped up a dialog box that said "Hello! You've got a trojan. Open notepad and let's talk about it" and he typed into notepad and I watched with the keyboard sniffer and answered back by injecting keypresses. (I couldn't see video of the screen - I think I could take screenshots, though) I learned a lot about networking that year.

I am the creator of the PTN FUN TROJAN from 2003. I was just starting to learn coding and created this simple server/client program using visual basic and numerous code VB snippets I found online. I was able to open/close CD trays, turn off monitors, disable CRTL+ALT+DEL, send screenshots, hide the mouse pointer and other stuff. I created an autostart CD with the title "CS MAPS" and handed it around on private LANs infecting all my friends computers. I had quite a few computers depending on my mercy. On one occasion, one of my friends realized, he wasn't in full control of his computer. He opened notepad and tried to communicate with me, the hacker, by typing messages. I could read his messages from the screenshots and found it pretty hilarious at that time. I responded by turning his screen up-side-down.

Reminds me of all the fun I had playing with malware on my own computer during the mid-to-late 90's. Being quite ignorant about the whole thing allowed me to look and find things that would not be considered safe. Hacker websites (like the old cult of the dead cow folks), exploits, etc. I remember downloading the LOIC and wondering what the hell it was.

Of course, I wanted to be a "hacker". You know, make ATM's spit out cash so my brother could buy a more powerful engine for his mustang. That kind of thing. Never really meant or even did harm, because my limited knowledge back then kept me out of trouble.

I did however get to do something very important while looking for people to "hack" (not really) on ICQ. I met my wife. Wonderful things happen by serendipity.

How about recommending movies to the person who hacked your Netflix account?

http://www.reddit.com/r/AskReddit/comments/v0z53/for_the_pas...

When I was about 11 or 12 years old, I was chatting with a friend on AOL Instant Messenger and suddenly was forced into a black screen with green text where I communicated briefly to someone who was forcing this new chat session onto me. The crack scared the absolute crap out of me. It ended once I told the person that I was irritated and that I was going to contact the police (I didn't and I doubt there was anything that really could have been done). Once the fear subsided I became more interested in how this person did what they did. It's one of those weird technology-related moments that sticks out in my mind to this day more than 10 years later.

Just as a side note, the post was made in Taiwan's D3 forum, but from the use of simplified Chinese, it seems the hacker was from China.

I am a convicted malware coder (Agobot/Gaobot/Phatbot/etc...) and it all started because of a chat I had with a botmaster.

Back then I needed a key for Warcraft III, which just came out, so I tried some keygen I found on the net, without any antivirus. When the keygen did not work I knew something was wrong, so I checked for suspicious network traffic and saw some IRC connection, quickly found the process responsible for causing the traffic and fired up a disassembler. After UPX unpacking I had the assembler code to the program and was able to determine the IRC server, the bot password (they didn't use password hashes or hostmasks back then) and I got a command reference for the specific bot (SDBOT). I joined the channel disguised as one of the bots, logged in and sent the remove command. This kills the botnet. The bot herder was pissed, but I started talking to him and I got interested in malware to get CD keys, which I couldn't afford at the time.

I started modifying SDBOT for my usage, writing scanners and fixing bugs in the IRC connection code. After I while I felt limited by the codebase and started my own called Agobot. Agobot quickly grew into one of the most capable trojans at the time, with thousands of variants. I also quickly got a team of at peak ~15 people together who helped with testing and coding. Coding was mostly done by me and at most 3 other coders. We were having really cool stuff, like wormride which was a tool to make other malware/worms spread Agobot instead of itself. It also contained an exploit that I wrote for the LSASS hole that Sasser used only a few days after the advisory. My LSASS exploit did not crash the target, which let it spread a few days without being noticed. ISC noticed it after a while and raised the threat level to orange.

There was also a variant of the bot that used the waste network to communicate and the gnutella network to find themselves. It made the DHS shit their pants and release an advisory :)

First I hosted the bots on public IRC, but after being detected very quickly I got to talk with some IRC opers that offered me a private server to run the botnet in exchange for usage rights. These were powerful servers, holding around 50k bots at peak. Basically this all got busted by the FBI, which caused the Foonet/CIT shutdown. For more infos, check these URLs:

http://www.theregister.co.uk/2004/08/27/ddos_mafia_busted/

http://regmedia.co.uk/2008/10/03/03116720232.pdf

http://www.securityfocus.com/news/9411

http://newssocket.com/foonet/

http://www.techimo.com/forum/imo-community/100728-your-isp-n...

Anyway, they caught me because I accidentally let a bot start a short scan from the linux host where we hosted the SVN repository and IRC. The company running the datacenter detected the scan and decided to investigate the server (illegaly) and found all the stuff (I didn't even think about encrypting all that). I got 2 years probation for this as well as hacking Valve Software.

Hers some more info:

http://en.wikipedia.org/wiki/Agobot

http://www.honeynet.org/node/55

http://www.infectionvectors.com/vectors/kitchensink.htm

http://web.archive.org/web/20070423182932/http://www.lurhq.c...