The end of hacking’s age of innocence

By Byron V. Acohido

Book Excerpt
Chapter 3
Pages 38-45
Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity. 2008 by Byron Acohido and Jon Swartz, Union Square Press, Sterling Publishing Co.

ISBN-13: 978-1-4027-5695-5

“billy gates . . . fix your software!!”

Precocious teenagers, disaffected computer geeks, egotistical virus researchers, determined spammers, all sharing varying degrees of disdain for Microsoft, most coveting each other’s respect and admiration: these were the enemies Bill Gates rallied his troops to repel in early 2002.

Gates had no way of knowing it at the time, but a cataclysmic shift in the attacker community was under way. A dozen years had slipped by since the Berlin Wall came tumbling down. Eastern Europe was crawling with educated, tech-savvy young men who were left to scratch for menial work in a perennially depressed economy. In North America, the dot-com bubble had burst, wiping out thousands of cushy tech jobs. With all this technical skill running around, the purist hacker’s mind-set was ripe for corruption. Hacking for profit was on the verge of becoming the new imperative.

The earliest manifestation of this change would surface on the Internet, in the private chat channels, where spammers began to communicate with virus writers, and on security bulletin boards, where researchers and virus hunters dissected obscure malware. This is where Joe Stewart, senior security researcher at SecureWorks, hung out.

Stewart never planned on becoming a virus hunter. Born in Athens, Ohio, he split time growing up between his mom’s home in Florida and his dad’s place in Arizona. An inveterate tinkerer, he and a sixth-grade buddy fiddled endlessly with a Radio Shack TRS-80 color desktop computer, staying after school every day to figure it out and teaching themselves how to program in BASIC. This was in the mid-1980s. Shortly thereafter, Stewart convinced his dad to buy a then-state-of-the-art Commodore VIC-20 desktop computer and progressed even further, sometimes running up $300 in long-distance phone charges to log on to the early techie bulletin boards.

By the time Stewart turned sixteen in the late 1980s, he considered himself fairly computer savvy. But he dropped out of computing for several years to dabble in becoming a rock musician, until one day in 1996 when his mom gave him her worn-out desktop computer. It had an outdated 386 microprocessor; Mom had purchased an upgraded 486 for herself.

“The motivation of being broke and having a wife and baby to support really kicked my learning back into high gear,” says Stewart. Four years later, Stewart found himself part of a select group of perhaps 200 virus hunters, the vast majority young males. These Internet sleuths worked at tech-security companies such as Symantec, McAfee, Trend Micro, Computer Associates, Sophos, F-Secure, MessageLabs, Postini, and several dozen smaller niche players. They had in common with mainstream software programmers a high aptitude for math and problem solving, but they also brought something extra to the table: a healthy sense of injustice.

“I’ve always admired a good hack, but modern viruses are not displays of skill; they are simple brutes that are polluting and pillaging the Internet landscape,” says Stewart. “It’s the powerful taking advantage of the weak. I’m disgusted at how they [criminal hackers] are so ready and willing to destroy what I view as one of mankind’s greatest developments, all for their own selfish greed.”

Stewart rose rapidly in his chosen field and landed the position of lead network intrusion analyst at LURHQ, a Myrtle Beach, South Carolina, tech-security firm that would later merge with SecureWorks. In August 2002, Stewart caught wind of a mysterious new type of proxy server that could be installed on compromised PCs in stages. This allowed the virus writer to send parts of the malware from different Web sites, the better to elude the virus hunters.

“The complete installation would happen in stages, sometimes over several days,” says Stewart. “The subsequent stages completely replace the first stage. Once the second stage takes over, the virus is removed and no longer spreads from that host.”

Once fully installed, this new type of proxy server could be used to relay spam or participate in DDoS attacks. It was ominous for another reason: because standard proxy servers relayed data over “well-known ports,” they were easy to blacklist. But this new type could use any port.

Internet port numbers are categorized in three ranges: ports 0 through 1,023 are the so-called well-known ports, assigned to very specific purposes; ports 1,024 through 49,151 are available for general use; and ports 49,152 through 65,535 are for private communications. With this new proxy server, the entire range of ports was now in play for hackers.

On January 9, 2003, virus hunters took note of an obscure little e-mail virus, which they came to refer to as SoBig.A, launched from a spoofed e-mail address. SoBig.A used a variety of enticing subject descriptions to get victims to click on a tainted attachment.

Once activated, it launched into two tasks: spreading itself to every e-mail address it could find, and visiting a designated Web site, hosted at Geocities, for further instructions. When Stewart visited the Geocities Web site, he found a Web-page link that led nowhere. Stewart had a hunch. He repeatedly checked the Web site over a period of several hours, and, sure enough, caught the virus writer periodically dropping in the real link.

“He was trying to protect the progression from analysis,” Stewart says.

The real link directed the infected PC to another Web page to download stage two of the malicious program, and then to yet another Web page to download stage three. “It was quite successful at this,” says Stewart. “Thousands of proxy servers were surreptitiously installed on computers worldwide.”

SoBig.A got choked off when Internet service providers (AOL, MSN, EarthLink, and others) began to block all e-mail from the spoofed address, and Web site host Geocities cut off the designated Web site.

But SoBig.A’s author wouldn’t be discouraged so easily. On May 19, SoBig.B began spreading. It purported to come from a spoofed e-mail address and contained several improvements. For instance, it ran every time the user turned on his or her computer, and it sought to spread itself to any corporate servers that happened to be sharing a data-exchange link with the infected PC. By far, SoBig.B’s most distinctive new feature was this: the virus turned itself off after two weeks.

The day SoBig.B expired, SoBig.C appeared with more improvements. It, too, turned off after two weeks. SoBig.D followed, then SoBig.E. Like infectious bacteria mutating in response to antibiotics, each variant tried different ways to counter Geocities, which moved quickly to shut down the Web sites the infected PCs were instructed to report to.

“All the versions were very similar; they just kept improving, version after version, like a software development project,” says Mikko Hyppönen, chief research officer at F-Secure. “It was done professionally. Someone was investing money.”

After SoBig.E went mute in mid-July, no more variants followed, leaving Stewart, Hyppönen, and their fellow virus detectives to believe the SoBig virus family had run its course. They were wrong. But before anyone could contemplate the deeper significance of a virus strain that steadily improved with each iteration, MSBlast stormed the Internet.

MSBlast took absolutely no one in the close-knit community of vulnerability researchers and virus sleuths by surprise; quite the opposite. Something like MSBlast had been widely predicted early in the summer of 2003 after a Polish group of white hats, calling themselves the Last Stage of Delirium, notified Microsoft about a gaping hole in a Windows component called remote procedure call, or RPC, which allowed PCs to share files and use the same printer.

The Polish researchers had discovered that it was possible to overwhelm RPC by sending it too much data. Once overwhelmed, RPC would let the attacker have full access to the computer. This flaw existed on PCs running Windows XP, Windows 2000, Windows NT, and Windows Server 2003 (hundreds of millions of machines worldwide). Any Windows computer connected to the Internet with RPC enabled was a ripe target.

On July 16, Microsoft issued a patch for the RPC hole and gave the Last Stage of Delirium credit for flushing it out. Nine days later, a group of Chinese researchers calling themselves Chinese X Focus posted a “proof of concept” RPC exploit on several security bulletin boards. The exploit showed how to overwhelm RPC and take control of the machine. It was only a matter of time before a black hat stepped forward to copy or improve upon the Chinese exploit and release it on the Internet. The glory was there for the taking.

The inevitable occurred on August 11, just twenty-six days after Microsoft issued the RPC patch. Hardly anyone had installed the patch. A self-propagating worm, christened MSBlast, began searching out unpatched PCs and infecting them at an incredible rate. In contrast to the SoBig e-mail viruses, which had been handled like a series of carefully controlled pilot tests, MSBlast raced out of the starting blocks and cried out for attention.

Stewart was among the first virus hunters to reverse engineer MSBlast. He found this cryptic message buried inside the code:
billy gates why do you make this possible? Stop making money and fix your software!!

That brash admonishment told the virus hunters that MSBlast’s author almost certainly came from the subculture of braggarts who get a charge out of wreaking havoc on the Internet to make a name for themselves. By contrast, SoBig’s creator was a model of discreetness, clearly cut from different cloth.

“When it came to the motive behind a particular piece of malware, we were starting to see it separate into two groups: profit versus nonprofit,” says Stewart. “The nonprofit virus author wants to raise public awareness of viruses, but the for-profit virus author does not. Ideally, the for-profit author wants to use your computer for as long as possible without being discovered.”

MSBlast was anything but quiet. Within twenty-four hours, MSBlast breached 120,000 computers around the world; each infected computer, in turn, scoured the Internet for more vulnerable targets to infect. At its peak, MSBlast infected 4,000 PCs an hour. Corporate systems crashed under the surge of traffic.

A number of tech-security experts remain convinced to this day that the intense spreading of MSBlast contributed to a major power blackout that darkened New York, Toronto, and Detroit on August 14; while the fast-spreading worm may not have directly caused the outage, it very well could have crippled computer systems that could have kept the outage from spreading.

MSBlast did more than spread like wildfire. To add insult to injury, it implanted a bot instructed to stand by for an August 15 DDoS attack on the Web site where Microsoft distributed security patches. Microsoft went into crisis mode to blunt the impending assault, and managed to do so at the eleventh hour. The software giant narrowly escaped infamy. Imagine the irony of a Windows virus spread via an unpatched security hole knocking out the Web site that distributed Windows patches.

The full scope of how invasive MSBlast turned out to be wouldn’t be known until Microsoft assigned an anti-malware program manager named Matthew Braverman to analyze the effectiveness of the MSBlast cleanup tool. Braverman found that within six months of making the removal tool publicly available, “Microsoft recorded approximately 25 million downloads and 12 million executions. In other words, over 25 million unique computers were identified as being infected by MSBlast,” Braverman wrote in his report.

MSBlast also left behind an easy-to-find back door. During the time those 25 million PCs were infected with MSBlast, any novice hacker could have skipped along and slipped in bots of his or her own, or any spamming group could have implanted proxy servers.

MSBlast’s creator was never caught. However, on August 29 FBI and Secret Service agents stormed an apartment in Hopkins, Minnesota, and arrested Jeffrey Lee Parson, eighteen, a senior at Hopkins High School. They were led to the apartment Parson shared with his parents by a clue buried in the coding of a variant of MSBlast. The clue was the address for a Web site belonging to Parson where he stored a stash of viruses alongside lyrics to songs from Judas Priest, “Weird Al” Yankovic, and Megadeth.

It turned out that the six-foot-four, 320-pound Parson was responsible only for a copycat variant of MSBlast that infected 48,000 PCs and caused an estimated $1.2 million in damage, prosecutors said. U.S. District Court judge Marsha Pechman described Parson as a lonely teenager who created his “own reality,” rarely leaving his bedroom. He served an eighteen-month jail sentence.

“Jeffrey Lee Parson foolishly considered himself an untouchable,” says Ken Dunham, director of the rapid response team at iDefense, a VeriSign company. “His arrest proved how overconfident some adolescents can become in the security of their own online worlds.”

The tumult over MSBlast must have struck SoBig’s profit-minded author as a golden opportunity. What better time to release the ultimate SoBig e-mail virus than when MSBlast’s braggart author commanded the full attention of virus hunters, law enforcement, and the media?

On August 18, an e-mail luring recipients to open an attachment containing pornographic images began circulating all across the Internet. SoBig.F was now on the loose. It fired off copies of itself to every e-mail address it could find on the hard drive, using a technique called “multithreading” for faster spreading.

Borrowing a refinement from SoBig.E, the attachment came in the form of a zip file so as to pass through e-mail systems that had begun to deny executable (.exe) attachments. Borrowing from SoBig.D, it implanted a bot tasked to report to not one, but twenty different Web servers around the world: PCs compromised by earlier SoBig variants, now standing at the ready to release the second and third stages of the attack.

“The worm writer learned two lessons from the endless cycle of Geocities closing the sites: stealth and redundancy,” says Stewart.

But the SoBig.F bots never downloaded stages two and three. The virus hunters and law enforcement agencies collaborated to get Internet service providers to take nineteen of the twenty Web servers off line. Seeing the good guys closing in, SoBig’s backers held off sending further commands through the one Web server left standing on August 22.

Chalk one up for the good guys. Yet an ominous unease lingered in the aftermath of MSBlast and SoBig. Defending the Internet had become orders of magnitude more complex. It was one thing to repel immature braggarts out to bedevil giant corporations and make political statements; it was quite another to also have to deter well-funded criminal elements methodically refining tried-and-true hacking techniques to make a profit.

The MSBlast worm appeared to be the work of a vigilante looking to chastise Microsoft, much like Onel de Guzman, the author of the ILOVEYOU virus, had done. By contrast, whoever was behind the SoBig family of viruses did not want attention of any kind. The incremental improvements in each version, from SoBig.A in January to SoBig.F in August, progressed exactly like a professional software development project. SoBig’s creators appeared to be dead serious about perfecting a virus that could infect a large number of computers for the express purpose of turning them into spamming machines and making a ton of money.

“The proof point is simply in the design of the virus,” says Stewart. “The typical moneymaking virus installs spam proxies or tries to steal passwords. We saw these activities with SoBig, but not with MSBlast.”

Hacking’s age of innocence was fast coming to a close.
