PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Analysis

Hack the hackers

Posted on 27 Jan 2005 at 14:43

Attack a hacker

Rather than wait to find out, concerned, knowledgeable individuals are forming disciplined groups that claim to patrol cyberspace on our behalf. Those with the money can now even buy advanced tools designed specifically to identify and frustrate the ambitions of hackers.

In 2002, three Illinois-based academics, Vikas Jayaswal, David Doss and William Yurcik, co-wrote a paper describing the newly discovered phenomenon of hacking the hackers. The authors concluded that victims had three choices. First, they could simply clear up the mess and strengthen their defences. Second, victims could track the source of an attack and report the offender's details to the relevant authorities. Third, and a legal grey area, victims might indulge in a little hacking of their own.

Several groups of programmers have been writing code to target the machines carrying out DDoS attacks. In 2002, Tim Mullen of AnchorIS (www.anchoris.com), frustrated by the response he received from owners of unpatched machines infected with the Nimda worm, decided that if they wouldn't disinfect their machines then he would. Nimda runs by inserting a piece of software called a Mutex into Windows' startup queue. Once rebooted, the worm begins searching for other machines to infect. Mullen's software fought back by using the same vulnerability as Nimda to insert its own Mutex ahead of the worm, but with the same name, in the infected machine's startup queue. Windows cannot run two Mutexes with the same name, so it prevented the real Nimda from running. Mullen's utility also generated a pop-up box on the infected machine explaining what had been done and why.

Around the same time, Jonathan Morton of UK-based Chromatix wrote a program called Fizzer Killer that scanned Internet Relay Chat networks for instances of the Fizzer virus. Fizzer has an Achilles heel in that it contains a back door allowing its writer to take control at will, and Morton managed to exploit this by issuing uninstall commands.

But others have decided to attack Fizzer's supporting infrastructure instead. In 2003, an online group calling itself the Fizzer Task Force noticed that the virus contacted a particular Geocities server for updates on a regular basis. They hacked into the server in question and overwrote the expected update with a program that would uninstall the virus instead, in the hope it would slowly kill off infections as systems around the world gradually called home. The experiment failed, but in trying, the team not only gained illegal access to a system but made unauthorised changes to it without the knowledge of its owners. These were actions that, while performed out of concern for the common good, are still as illegal as writing the virus in the first place. Should they have instead simply reported the location of the update server and hoped the law would find and prosecute the original virus writer? By the letter of the law, yes, but the Internet has become akin to the lawless Wild West. Some have even started to develop tools to interfere with DDoS software.

DDoS zombies are useless other than for a specific attack if targeting and attack commands are stripped from them, and security firm BindView of Houston, Texas (www.bindview.com), has written software to do just that. The aim is to discover zombies, then instruct them to halt an attack and even to uninstall the DDoS system where possible.

Another group waging its own war on hackers is CyberArmy (www.cyberarmy.net), which first found fame hacking and destroying child-porn sites in the late 1990s. Its mission statement argues that the best people to police the Internet are its law-abiding users, and the group claims to train individuals to do this responsibly within a structure of discipline and accountability. Members have organised themselves into brigades and even given themselves ranks denoting seniority.
