Interview with an anonymous hacker
Many of you have heard about Russian hackers and their “accomplishments.” We could provide any number of examples of these, from the huge cyber-heist from Citibank in 1994 masterminded by Russian programmer Vladimir Levin to the recent hijacking of Sweden’s Nordea Bank PIN codes. The cost of these cybercrimes can run into the millions of dollars.
As a Russian publisher of security software, we are certainly not bragging about our compatriots; however intellectual and talented the perpetrator, a crime is still a crime. Nor are we making excuses for these activities - Russia is hardly the only country in the world with a technically educated population and domestic financial instability. Instead, we decided to take a look at the motivations that are common to all international cyber fraudsters – including the Russians.
We live next door to hackers and we know their habits well. So we did some research amongst the local hackers’ community and managed to set up an interview with a former cyber gangster, who claims to have now joined the “white hats” and was prepared to share his experience anonymously.
His first name is Victor, but his last name will be kept secret. He is 30 years old and a resident of St. Petersburg, Russia. Since he gave up hacking, he’s found a legitimate job in a domestic software development company and seems to be enjoying it. He wouldn’t tell us a lot about his transformation into a “good” guy, but he did want to talk about his skills. When he heard that Agnitum was looking to get some first-hand information about cybersecurity issues, Victor came forward to talk with us about the so-called “custom-built malware” and the tools of its compilation.
Q. How long have you been hacking and writing malware?
A. Hacking, huh, well, I’m not sure. It’s like ten years or so. It all started back when I was a college student. I remember one day needing access to the server, so I booted my PC from a Linux floppy and reset all the Windows passwords with it. I can still recall the admin’s frustration. That’s how it was, funny, I guess.
In the early days, I did other bad stuff too, like writing custom viruses and sending phishing emails to test how easily I could get people to give up information and money.
Q. If it was so profitable, why did you decide to quit?
A. Well, maybe because I grew up a bit and decided that the long-term career prospects in looking for bugs in software for legitimate pay were a little better than hacking. Maybe because I finally figured out that just writing exploits simply was no fun any more. I do find I am enjoying making legitimate contributions to the open source movement.
Q. How hard is it to create your own malware?
A. There are tools available online on the underground (if you know where to look) that can easily generate a new version of, say, a Trojan from the original binary. Although it’s a primitive deviation, chances are it will still get past some security products that aren’t updated as often as they should be. All you need is a little C++ programming expertise - I used to do it in a matter of minutes.
Q. Can you name any examples of such malware-generating tools?
A. Sure, although I don’t want to encourage people to go look for them. Most of them are in the public domain anyway.
Pinch Builder is a “popular” Assembler-based Trojan. Anyone can download the sample (about 20 Kb in size) and customize it to his/her own taste. The original binary purports to access an area known as Windows Protected Storage – the repository of “safe” user passwords – and extract the information. The outcome is straightforward – compromise of user data. It can even be extended to make it function as a keylogger or spam robot, even act as host to additional malware. The original Pinch is designed to replicate while the computer initiates shutdown, bypassing security systems because they’re generally shut down by that point.
Q. Sounds like a big help for the bad guys. Does it cost anything?
A. Well, I haven’t checked it out for some time and don’t know the exact information, but I think it’s around $30 - quite affordable for an experiment like this. It’s probably quite easy to find a couple of similar tools on the Net for free, as well.
Q. Can the average security product effectively challenge Pinch and the like?
A. If you mean signature-based products, the answer is: it’s tricky to find a consistent, bulletproof solution. These chameleon-like threats are hard to detect - sometimes they are visible, other times and with different Pinch variations (never mind other types of malware) they’ll be completely hidden. Pinch can be very evasive. It’s possible that some proactive defense tools that monitor the system and program interactions may provide better detection, but nothing is 100 percent guaranteed.
Q. So there’s no magic bullet?
A. Well, System Safety Monitor – the program that tracks Windows activity in real-time – is as good a place to start as any for combating Pinch-like malware. And, yes, you’ll be pleased to hear that Outpost is likely to do a decent job too.
Q. So, next question. What do you think about custom-built malware that targets specific activity or types of user?
A. There is already a well-defined market for custom viruses, exploits and unreported vulnerabilities. But given the pace and sophistication of today’s malware developers, who knows whether the vendors or the hackers will win the game. Having worked both sides of the fence, I’d say hackers are enjoying a healthy head start. The emergence of technologies like rootkits and Internet-based services represents a huge potential for exploitation.
Q. Who’s going to win in the end?
A. No-one really knows for sure. But there’s one thing I can say: security solution providers will always fall behind as long as they operate reactively – either in their strategic decisions or product methodology. And ordinary users will always get their PCs infected while they continue to ignore basic security measures. The winner will be the guy who works smartest - whether that be on the attack or the defense. I guess you could say I came over to the side of the white hats because, on the whole, I’d like to see the good guys win.