
Kevin Poulsen, an editor at WIRED magazine and, in his youth, the black-hat hacker Dark Dante, wrote a book about "one of his acquaintances".
The book traces the path from a teenage geek (though also a jock) to a seasoned cyber-kingpin, and shows some of the methods the security services use to catch hackers and carders.
The beginning and the translation plan are here: "Shkvoren: schoolchildren translate a book about hackers".
Prologue
Chapter 1. "The Key"
Chapter 3. "The Hungry Programmers"
Chapter 5. "Cyberwar!"
Chapter 6. "I Miss Crime"
Chapter 8. "Welcome to America"
Chapter 34. "DarkMarket"
(we publish the chapters as the translations are ready)
The reasoning behind choosing this book for working with schoolchildren is as follows:
- there are few books about hackers in Russian (one and a half)
- there are no books about carding in Russian at all (UPD: it turns out there was one)
- Kevin Poulsen is an editor at WIRED, no fool, and an authority
- to introduce young people to translation and writing on Habr and get feedback from their elders
- working with schoolchildren, students and specialists together is very efficient for learning and shows that the work matters
- the text is not very hardcore and is accessible to a wide audience, but it touches on information security, vulnerabilities of payment systems, the structure of the carding underground and basic concepts of Internet infrastructure
- the book illustrates that making a living on underground forums ends badly
Anyone who wants to help translate the other chapters, send a private message to magisterludi.
Chapter 5. Cyber War!
(Thanks to Habr user ShiawasenaHoshi for the translation.)
On returning home to San Francisco, Max was tempted by the following line of code:
bcopy(fname, anbuf, alen = (char *)*cpp - fname);
It was one of nine thousand lines in the source code of the Berkeley Internet Name Domain (BIND) server, an old beam in the structure of the Internet, as important as any router or fibre-optic cable. Developed in the early 1980s under a DARPA (Defense Advanced Research Projects Agency) grant, BIND implemented a scalable Domain Name System (DNS), which, like a distributed telephone directory, translates human-readable names such as Yahoo.com into the numeric addresses the network actually works with. Without BIND or its equivalents we would read the news at 157.166.226.25 instead of CNN.com and go to 74.125.67.100 to search Google.
(Habr post about BIND)
BIND was one of the innovations that made the Internet's explosive growth possible: it replaced a crude mechanism that would never have let the network scale. But by the 1990s BIND was one of the legacy programs causing the Internet's biggest security problems. Its code came from an honest, simpler time, when the network was a backwater and threats were few. Now hackers had worked through every nuance and depth of it and come back with a seemingly endless list of security holes.

The high priests of the network, an organisation called the Internet Software Consortium (ISC), had appointed themselves guardians of the code and were frantically rewriting it. Meanwhile most of the world's modern, complex networks, with their gleaming new servers and workstations, were running a leaky program from a bygone era.
In 1998 security experts found the latest vulnerability in the code, and it came down to that single line at the start of the chapter. It took a request arriving from the Internet and, as intended, copied it byte by byte into a temporary buffer called anbuf in the server's memory. But it did not properly check the size of the incoming data. So an attacker could deliberately send an over-long request to a BIND server, overflowing the buffer and spilling data into the rest of memory like oil from the Exxon Valdez (see the Wikipedia article on the Exxon Valdez oil spill).
Done carelessly, that simply crashes the program. But a careful hacker can do something far nastier: load a piece of his own executable code into the buffer and then, without crashing anything, climb further up the program's memory to a short-term storage area called the stack.
The stack is where the processor keeps track of what it is doing: every time the program sends the computer off into a subroutine, the processor "pushes" the current address onto the stack as a bookmark, so that it knows where to return when the subroutine is done.
Once the hacker reaches the stack, he can overwrite that return address with the address of his malicious code. When the computer finishes the current subroutine it returns not to where it came from but to the hacker's instructions, and because BIND ran with administrator (root) privileges, the hacker's code runs as root too. The computer now belongs to the hacker.
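The overflow described above, as an added example that is not from the book or from BIND's source. It is a constructed model: a fixed-size buffer with a stand-in saved return address laid out directly above it (the layout the stack explanation assumes), a 32-byte anbuf instead of BIND's real size, and a request whose name ends at the first zero byte. It shows the unchecked copy, a length check in the spirit of the one the CERT fix added, and a constructed over-long request that overwrites the saved return slot in the first case and is rejected in the second:

```c
#include <stdint.h>
#include <string.h>

#define ANBUF_SIZE 32                            /* assumed; BIND's was larger */
#define ORIGINAL_RETURN ((uintptr_t)0x40001234u) /* arbitrary stand-in address */

/* The part of the stack frame that matters: the fixed-size buffer and,
 * directly above it, the saved return address the function jumps to when
 * it finishes (the "bookmark" the processor pushed). */
struct frame {
    unsigned char anbuf[ANBUF_SIZE];
    uintptr_t saved_return;
};

static void frame_init(struct frame *f) {
    memset(f->anbuf, 0, sizeof f->anbuf);
    f->saved_return = ORIGINAL_RETURN;
}

/* Name length. In BIND this was alen = (char *)*cpp - fname, the distance
 * between two pointers into the packet, so the sender controls it. Here the
 * name simply ends at the first zero byte. */
static size_t name_length(const unsigned char *fname, size_t req_len) {
    size_t n = 0;
    while (n < req_len && fname[n] != 0)
        n++;
    return n;
}

/* Vulnerable (1998 code path): alen is never compared with sizeof anbuf.
 * The copy targets the frame as bytes so the excess lands in saved_return,
 * as it would on a real stack. The clamp to sizeof *f only keeps this
 * model in bounds; it is not something BIND did. */
int copy_name_vulnerable(struct frame *f, const unsigned char *req, size_t req_len) {
    size_t alen = name_length(req, req_len);
    if (alen > sizeof *f)
        alen = sizeof *f;
    memcpy((unsigned char *)f, req, alen);   /* anbuf sits at offset 0 */
    return (int)alen;
}

/* Patched: the length check the CERT fix added before the copy. */
int copy_name_fixed(struct frame *f, const unsigned char *req, size_t req_len) {
    size_t alen = name_length(req, req_len);
    if (alen > sizeof f->anbuf)
        return -1;                           /* drop the over-long query */
    memcpy(f->anbuf, req, alen);
    return (int)alen;
}

/* Has the copy changed where the function will return to? */
int return_hijacked(const struct frame *f) {
    return f->saved_return != ORIGINAL_RETURN;
}

/* Constructed over-long request: ANBUF_SIZE filler bytes, four 'B's that
 * land on the low bytes of saved_return, then the terminating zero. A real
 * exploit puts code in the filler and that code's address in place of 'B'. */
static size_t build_overflow_request(unsigned char *out, size_t out_len) {
    size_t n = ANBUF_SIZE + 4 + 1;
    if (out_len < n)
        return 0;
    memset(out, 'A', ANBUF_SIZE);
    memset(out + ANBUF_SIZE, 'B', 4);
    out[ANBUF_SIZE + 4] = 0;
    return n;
}

/* Over-long request against the unchecked copy: the return address is taken. */
int demo_vulnerable_hijacks(void) {
    struct frame f;
    unsigned char req[64];
    size_t len = build_overflow_request(req, sizeof req);
    frame_init(&f);
    copy_name_vulnerable(&f, req, len);
    return return_hijacked(&f) && memcmp(&f.saved_return, "BBBB", 4) == 0;
}

/* Same request against the patched copy: rejected, frame untouched. */
int demo_fixed_rejects(void) {
    struct frame f;
    unsigned char req[64];
    size_t len = build_overflow_request(req, sizeof req);
    frame_init(&f);
    return copy_name_fixed(&f, req, len) == -1 && !return_hijacked(&f);
}

/* An ordinary short name is handled identically by both versions. */
int demo_normal_query_ok(void) {
    static const unsigned char req[] = "www.example.com";
    struct frame a, b;
    frame_init(&a);
    frame_init(&b);
    return copy_name_vulnerable(&a, req, sizeof req) == 15 &&
           copy_name_fixed(&b, req, sizeof req) == 15 &&
           memcmp(a.anbuf, b.anbuf, 15) == 0 &&
           !return_hijacked(&a) && !return_hijacked(&b);
}
```

The point of the two-line fix is visible in copy_name_fixed: the copy length is compared with the size of the destination before the copy, and an over-long query is dropped rather than allowed to run past the buffer into the return address slot.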
Two weeks after Max and Kimi's wedding, the government-funded Computer Emergency Response Team (CERT) at Carnegie Mellon University issued an advisory about the BIND vulnerability, with a link to a simple fix: two extra lines of code that filtered out over-long queries. But the CERT advisory also described two other, less serious vulnerabilities, which diluted the message and understated the importance of the hole. So not everyone appreciated the seriousness of the situation.
Max knew it well.
He read the CERT advisory with amazement. BIND came preinstalled with Linux and ran on servers in corporate, non-profit, educational and military networks and at ISPs. It was everywhere, with that defective line of code. The only thing holding back a wave of attacks was that nobody had yet written an exploit (a program that exploits the vulnerability) for the hole. That was only a matter of time.
Sure enough, on May 18 an exploit appeared on Rootshell.com, a computer-security news site run by enthusiasts. Max picked up the phone and called Chris Beeson, his contact at the FBI. The situation is serious, he explained: anyone who had not patched BIND could be hacked by any script kiddie capable of downloading the exploit and typing one command.
History suggested that government computers were especially vulnerable. Just a month earlier a less serious bug in Sun's Solaris had led to break-ins at dozens of US military bases, which the deputy secretary of defense called "the most organized and systematic attack to date" on the Pentagon's systems. Those attacks set off a full-scale cyberwar alarm: the Pentagon code-named them Solar Sunrise and considered Saddam Hussein the prime suspect, until investigators landed on a young Israeli hacker who was just playing around.
The next day Max called Beeson again: the hacker group ADM had released a ready-to-use version of the BIND exploit that scanned the Internet for unpatched servers, broke in, installed itself and used the infected machine for further scanning and hacking. Now somebody could definitely take over the whole Internet. The only question was who.
He hung up and thought about it. Somebody was going to do it...
In excited, boyish terms Max laid out his plan to his bride. He could write his own attack on BIND, and his version would close the vulnerability wherever it found it, the way fruit flies fill everything with their larvae. He would limit his attack to the targets most in need of a security upgrade: the US military and government.
"Don't get caught," Kimi said. She had learned not to argue with Max once he was in the grip of an idea.
Max wrestled with the two sides of his personality: the married professional facing a global threat and the impulsive kid who loved to fool around. The kid won. He sat down at the keyboard and began to code furiously.
His code worked in three short steps. First, the program threw a virtual grappling hook through the hole in BIND and executed a command that made the machine reach out to the Internet and fetch a 230-byte script. That script in turn connected to an already infected host and downloaded a larger malicious package called a rootkit.
A rootkit is a set of standard system programs modified to serve the hacker: the modified login program works just like the original but now includes a backdoor through which the intruder can get back onto the machine. The passwd program still lets users change their passwords, but now also records them somewhere they can be collected later. The new ls lists a directory's contents as usual, except that it hides the files belonging to the rootkit.
Once the rootkit was installed, Max's code did what the government could not: it updated BIND on the hacked machine and closed the hole it had come in through. The computer was now safe, but as a friendly intruder Max could still log back in whenever he wanted. He fixed the problem and exploited it at the same time. He was black hat and white hat at once.
The whole attack took only a couple of minutes. One moment the computer belonged to its system administrators; the next, the hook was thrown, the script downloaded, the rootkit installed, and the computer belonged to Max.
Max was still coding when the FBI called to ask about his report on the BIND hole. But the feds had blown their chance; now Max's code would do the talking. It took him little time to hack a couple of college machines to use as a springboard, and then, on May 21, he went onto the Internet through a stolen Verio account and... launched the code.
The results were immediate and spectacular. Max's grappling-hook code reported each success back to his computer over the Verio dial-up so that he could watch the attack spread. Hacked machines reported in through an xterm window that popped up on his screen. Brooks Air Force Base now belonged to Max Vision... McChord, Tinker, Offutt, Scott, Maxwell, Kirtland, Keesler, Robins... His code penetrated Air Force servers, Army computers, a machine in the secretary's office. Each of them now had a backdoor Max could use whenever he wished.
Max tallied his conquests like checkpoints in a computer game. When his code reached the Navy's network space it found so many unpatched BIND servers that the steady stream of pop-up windows became a roaring mountain torrent. Trying to keep up with it, Max's computer crashed.
After a little tuning the code was relaunched. For five days Max was absorbed in his growing power over cyberspace. He ignored the e-mails from the FBI, which was still waiting for his report.
"Where is the report?" Agent Beeson wrote. "Call."
With that kind of power he could do almost anything and break into nearly any network he pleased. Max ran his exploit against the servers of id Software in Mesquite, Texas, the company that was developing the third instalment of the world-famous first-person shooter Quake.
Max loved those shooters. He was inside the company's network in an instant and, after a brief search, left with a trophy. He told Kimi he had got the source code, the virtual blueprints, of Quake III, the most anticipated game of the year.
Kimi was adamant: "Can you put it back?"
Soon Max realised his attacks were attracting attention. Vern Paxson, a researcher at Lawrence Berkeley National Laboratory, had noticed the network scanning with his Bro system (the name is a nod to Big Brother). Bro was an experimental intrusion-detection system with a single job: it sat quietly on the network, sifting traffic for suspicious activity, and if it found any, told the administrators that something was wrong.
Paxson wrote up a full report of the attack for CERT. Max intercepted it and was amazed. The researcher had not only spotted the attack but compiled a list of the servers attacked through the Lawrence Berkeley network, which Max had been using as a second launch point. He sent Paxson an anonymous message from the lab's own root account:
Vern, I apologise for the inconvenience, but I alone am fixing the HUGE SECURITY HOLES in many of your systems. I admit that new holes have appeared, but they are all password-protected and would never harm anybody's computer.
If I hadn't done it, someone else would have, and they could have done damage. For example, kids dropping warez, running IRC bots and quietly wiping files with /bin/rm when they're in a bad mood. Pathetic.
You may not appreciate what I did, but it is for the greater good. I have dropped all the hosts on the list you compiled. I'm not touching them, since I know you passed the list to CERT. CERT should hire people at my skill level. With decent pay I would, of course, never leave rootkits or anything like that behind.
Pretty clever, huh? Heh. This is a bombshell. Owners of hundreds, even thousands of systems, and knowing that their systems have been patched in the meantime... Hmm, I won't do this shit any more. Now you have all my tools. It drives me mad...
Hm. Anyway, I don't want this to happen again. I'm going to leave it at that.
"Cracker"
So ended Max's five-day attack on the government, with more hacked systems than he could count. He was pleased to have made the Internet safer than before: thousands of computers that had been vulnerable to any hacker were now vulnerable to only one, Max Vision.
Max immediately plunged into a new, more socially acceptable project: he wrote a web application that let anyone on the Internet scan their network for the BIND vulnerability. He also devised a better version of the siege he had just finished. As before, he scanned government and military networks, but instead of breaking into vulnerable computers he automatically e-mailed a warning to their administrators. There was no need to hide behind a hacked dial-up. Both services now lived on a new site, WhiteHats.com.
After two days and nights of work, Max was knee-deep in his new legal hacking project when Beeson wrote again. "What's going on? I thought you were going to send me an e-mail."
Max could hardly tell his friend at the FBI that he had been busy with one of the biggest security holes in computer history. So he concentrated on his new project. "I've almost finished building a public vulnerability scanner and patch site, but there are still a few loose ends," Max wrote back.
"Oh, and there's also this ADM worm," he added. "I don't think it will spread much."
For further reading:
A Brief Analysis of the ADM Internet Worm, Max Vision <vision@whitehats.com>
Net-Worm.Linux.Adm
The book is available for free on the publisher's site.