Igor Chudov @ home wrote:

> some of the best hacks that I heard was to install a trojan instead of, say, cat, that would randomly change one byte in a randomly chosen file.
Igor, I am currently monitoring a friend's system in order to analyze the source and methodologies of various attacks on it and I spend my spare time reading his email, databases, private diaries, etc. (I am blessed with breasts which allow me to set a man's car on fire and know he will just smile, and say, "That's OK, I'll get another one.") His comments regarding "Igor" imply that you have a diabolical mind and a good nose for nasty business. I can tell from your comments above that he judged you fairly well. Most hackers tend to be one-time Charlies who pop into a low security system to mark their territory by pissing on a directory tree, so to speak, or adding their own personal form of graffiti and then returning home to pat themselves on the back for their great genius. In many cases the admin of a good system will have everything back to normal before the hacker has finished congratulating himself. The system intruder I am currently dealing with has a long history of success in his nefarious activities and one of the main reasons for this is his patience and his subtlety. Once he gains entry to a system he generally sets up an obscure back door for himself, pulls a directory tree, finds out the backup schedule, and then exits. He then lays out a plan of attack which is geared toward allowing him to roam the system at will without being observed. Usually, he will start by replacing such things as the system 'ps' command with one that keeps certain processes hidden from the prying eyes of sysadmins. He also substitutes his own programs for system files which are rarely installed and/or used. He is one of a rare breed of pure hackers whose main focus is system penetration and information access, with control issues being secondary. This requires a level of patience that allows him to observe the system for months, if necessary, before moving to secure his long-term ability to penetrate the system and roam at will.
Once an intruder has his handiwork on the previous few months of system backups, then you might say that he has become a "tenured" member of your organization. I have had previous experience with the individual involved in the compromise of my friend's system (and ISP) and I am well aware of the fact that much of his power comes from the fact that he tends not to interfere with the functioning of one's system unless he is attacked. (In which case he generally fires a shot over the sysadmin's bow, indicating that the choices are "peaceful coexistence" or "explaining to management that their system is 'toast' because you chose to cop an attitude.") The only way, to my knowledge, that anyone has ever forced his exit from a system he has penetrated has been by ferreting out enough of the substructure of his intrusion that he fears his latest methodologies being discovered and exposed to scrutiny. (In which case he quietly packs up and leaves. {In my case, he sent me flowers, as well.}) On rare occasions he will intervene to fix system problems that are beyond the resident sysadmin, perhaps because the problems are affecting his own activities. When macro capabilities were added to spreadsheet programs, he had a trojan written for them before the shrink-wrap on the new release hit the floor. (He recognized macros as a close cousin to the Unix daemons, which he considers God's gift to pure hackers.) He was lurking on my friend's system in Austin, at the time, and he dropped my friend a polite note that advised him it would be unwise to mess with the files until the hacker had debugged them sufficiently that they would not cause inadvertent problems. His current work-in-progress is a Trojan which is frightening in its scope if it turns out to operate in the manner that I and others now suspect. It may represent a quantum leap in Trojan Horse technology (kind of an Equestrian Trojan Horse).
{Its existence was "discovered" by a cypherpunk, by the way.} While I am not at liberty to reveal the as yet sketchy details of how the Trojan operates, I can give you a small glimpse into the mind of its creator by providing an example of another Trojan that was previously discovered with his signature on it. The Trojan works through a word processor's spell checking and automatic correction system. Nonsensical character sequences are added to the spell checker, in the form of 'xytrz-->delete', 'xribpt-->format', etc. A .doc file is placed on the system which, when spell-corrected, will then become "format c:" or whatever its creator desires. A variety of triggers were discovered for the Trojan, and they encompassed a variety of approaches. (The triggers were indicative of a benign series of probing experiments designed to lead to a finished product versatile enough to bypass any attempt to guard against the Trojan's execution.) A simple trigger would run a .bat file which loaded the file into the word processor, auto-corrected the spelling, saved the file as a .exe file of the creator's choosing, then exited. More complicated triggers involved such things as (in Win 95) giving the file a unique extension (such as .xyz), using the "open with" option to point to a hidden copy of a word processor executable which has no macro-virus protection, etc., and which will run the macros in place in the file when it is opened. (A variation on this trigger takes advantage of the fact that many systems keep outdated versions of word processing software on the system in order to be able to work with older files {which often turn to crap when loaded into the latest-greatest version, despite manufacturers' claims of compatibility}. Users and admins generally don't stop to realize that the "protection" they install is often applied only to the newest version of their software.)
As you pointed out, Igor, the more subtle a program's operation and effects, the longer it can work undiscovered and the greater the range of the time/space continuum it can encompass. Virus/Trojan checkers generally guard only against system damage and/or loss of data. It is infinitely more difficult to guard against a system intruder who has other goals in mind and has the patience to remain unobtrusive. Even most security-conscious system administrators don't take much note of minor glitches as long as they appear to be benign problems inherent in the implementation of the software. The Trojan that I and others are currently working with was only perceived as a potential problem after the person who discovered it had spent months cursing the software manufacturer for not including an obviously needed capability in the product. It was a very minor but frustrating problem, leading the user to make inquiries as to how to "work around" the product's lack of providing this function. Upon discovery that the product was supposed to provide the function, his research quickly indicated that there was a "fly in the ointment." Most users probably would have just shrugged and lived with the problem, since it was relatively minor. Instead, he brought the small anomaly he discovered to the attention of myself and others and it has opened up a Pandora's box that appears to have the potential for a new breed of Trojan Horses.
> basically, install lots of backdoors and then play with their minds.
Actually, Igor, I'm beginning to wonder if perhaps you are the hacker I've been trying to ferret out? I think I'll keep an eye on you.
> some ppl would steal CC# of their customers and publish them, but I would not do it.
The hacker I've been discussing has infiltrated a variety of Pac Bell sites, and the like, over the years. A regional administrator, upon being informed of the presence of an intruder on the system, immediately called in a team of Bay Area security consultants to deal with the problem. By the time they arrived the hacker had sent a small mountain of email to various management personnel which contained precious company secrets and had Pac Bell's competition listed as a cc: (in the body of the message, as a warning). When the group from Berkeley arrived they consulted with the admin about the potential seriousness of the veiled threat, did a quick check of the system, realized who the hacker was that they were dealing with, shrugged, and said, "He's on our system too. We'd advise just leaving him alone." When the administrator questioned the wisdom of their suggestion the consultants advised him that they would be more than happy to proceed as long as the overruling of their opinion was put in writing. The admin agreed, whereupon he was presented with the consultants' standard "reality check" authorization form, whose letterhead reads:

    AUTHORIZATION TO PROCEED CONTRARY TO ADVISED COURSE OF PROCEDURE
    "Last One Seen Fixing It Gets The Blame"

The administrator decided in favor of job security, and the security consultants were paid generously to provide a generic report for his superiors which indicated that the admin's prompt action resulted in the problem coming to a quick resolution. Personally, I've seen more than a few sysadmins who declare war on a minor hacker instead of just fixing the problem so that it won't occur again and moving on. (Much like some of the hilarious posts in the cypherpunks archives in which a list member responds to a Vulis post by saying, "Just ignore him and he'll go away." and then proceeds to take two or three pot-shots at him.)

(.)(.)Monger