Malware author taunts security researchers with built-in chat

Cory Doctorow at 3:19 pm Thu, Jun 21, 2012

Security researchers from AVG were decompiling a trojan -- it had been originally posted to a Diablo III forum, masquerading as a how-to video -- when the malware's author popped up in a window on their screen. It turned out that the trojan had a built-in chat, as well as a screen-capture facility. The hacker who wrote the malware saw them working on defeating her or his virus and decided to tell them off for their audacity. Franklin Zhao and Jason Zhou, the AVG researchers, wrote up their experience:

The dialog is not from any software installed in our virtual machine. On the contrary, it’s an integrated function of the backdoor and the message is sent from the hacker who wrote the Trojan. Amazing, isn’t it? It seems that the hacker was online and he realized that we were debugging his baby...

We felt interested and continued to chat with him. He was really arrogant.

Chicken: I didn’t know you can see my screen.

Hacker: I would like to see your face, but what a pity you don’t have a camera.

He is telling the truth. This backdoor has powerful functions like monitoring the victim’s screen, controlling the mouse, viewing processes and modules, and even controlling the camera.

We then chatted with the hacker for some time, pretending that we were green hands and would like to buy some Trojans from him. But this hacker was not so foolish as to tell us all the truth. He then shut down our system remotely.

Have you ever chatted with a Hacker within a virus? (via JWZ)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.


  • corydodt

    Did they ask him how many proxies he was behind?

    We’d all like to know the correct number.

  • Palomino

    I purchased Diablo 2. When I was having video problems I requested information via a chat forum link. I instantly received bizarre emails, rude and very dismissive, explaining that my ticket was closed because they were spending all their time with Diablo 3 customers. I reopened the ticket multiple times and received the same nastily surreal responses. I deleted the game last night, I’ll take the $9.99 loss, the download affected the viewability of my screen, whether the game was active or not.

    • Tyler Pieper

      I know for at least the original Starcraft to display right in Windows Vista/7, you need to open up the Screen Resolution control panel window. You don’t actually need to change any settings, the window just needs to be open when you start the game.

      This is assuming you’re getting weird colors and funky resolution. Outside of that, I can’t help you. :/

      • Jason Baker

        Similarly, I’ve been playing a lot of Diablo (I) lately… and discovered in Windows 7, you need to kill explorer.exe for it to not have a completely wacky palette.  Something with color cycling, I guess. I just run a batch file to kill it for me when I launch the game, and relaunch explorer when Diablo exits. YMMV. Not sure what this has much to do with chatting with virus makers, but I’m happy to do what I can to enable to continued play of old Blizzard games, because I’d like to think that when I’m old and gray there might still be someone (and some machine) alive to play them with me still.

        • http://robcypher.blogspot.com/ Rob Cypher

          There’s some sort of patch out there for 32-bit and 64-bit computers with Win7 to play Diablo properly without having to kill explorer.exe.

          Also, sometimes if you alt-tab onto the desktop after the game boots, then alt-tab back to the game, the colors correct themselves. I’ve been running Diablo on my 64-bit Win7 computer and that’s how I’ve gotten it to work without screwing around with explorer.exe.

          YMMV, of course.

  • Bodhipaksa

    That’s like something from a Vernor Vinge novel. Amazing!

    • niktemadur

      Yeah, one side of my brain is going “Bad Ass!”, but the other half is appalled.

  • http://www.coolgizmotoys.com/ Jack Kieffer

    1. This is awesome. 2. It sounds like the people trying to decompile the virus got destroyed and humiliated. Remotely shut down and insulted via chat? Embarrassing.

    • http://twitter.com/text_quest DildOverlord.exe

      AVG aren’t amateurs, duder. I’m sure they were working under conditions that left them pretty well protected.

      • ocker3

        Yeah, if they left a machine connected to the open ‘net, they were probably looking at the command/control interface and/or communications, be somewhat surprised if they didn’t have a sandboxed network with a dedicated outside line they were using, to avoid any cross-contamination with their actual systems (or something even cooler, since they’re the ones who do this for a living)

        • Peter Yard

          Next time they try something like that they might even have the virus in some kind of honeypot environment to lure the hacker to stay longer. In that industry it pays to be devious and deceptive, and I’m not talking about the bad guys.

        • http://www.nathanhornby.com/ Nathan Hornby

          I always imagine antivirus companies spending most of their time creating and distributing viruses, rather than thwarting them.

          From a business perspective it makes a lot more sense.

          • HahTse

            http://www.reddit.com/r/IAmA/comments/sq7cy/iama_a_malware_coder_and_botnet_operator_ama/

            They just don’t try too hard. Much easier.

    • http://www.facebook.com/profile.php?id=536832843 Bob Bryla

      Really, Jack, I’m sure the AVG guys know how to go off the grid and continue to reverse engineer the trojan, and have long since been able to detect and quarantine it with the latest AVG engine.

    • Jonathan Lydall

      The article stated they were using a VM (Virtual Machine), which I gather is pretty standard practice and would have meant all activity on it would have been completely isolated from the machine hosting the VM. Other advantages about VMs is that you can analyse all changes to the virtual hard disk in a very straight forward manner, making it easier to spot any changes caused by the malware.
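      Lydall’s point about comparing the virtual disk before and after a run, as an added example that is not part of the post or of AVG’s own tooling: hash every file in a tree, run the sample, hash again, and report what was added, removed or modified. The directory contents here are constructed for the demo.

```python
"""Snapshot-and-diff of a file tree, the basic check behind "what did the
sample change on disk".  Added example; not AVG's tooling or the post's code."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    digests = {}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(before, after):
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, modified


def demo():
    """Constructed scenario in a temporary directory: a clean tree, then the
    kind of changes a backdoor leaves (persistence file dropped, a binary
    patched, a log removed).  No real sample is involved."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "system").mkdir()
        (r / "system" / "svchost.exe").write_bytes(b"original binary")
        (r / "logs.txt").write_text("boot ok\n")
        clean = snapshot(root)
        # simulated effects of running the sample (constructed)
        (r / "system" / "svchost.exe").write_bytes(b"patched binary")
        (r / "logs.txt").unlink()
        (r / "startup.lnk").write_bytes(b"constructed persistence entry")
        dirty = snapshot(root)
        return diff_snapshots(clean, dirty)


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```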

  • Cowicide

    http://i.imgur.com/MN0r8.jpg

  • Ty_MY

    for those curious, translation of the two lines of chat:

    Hacker:
    Why are you researching/analyzing my trojan?

    Hacker:
    What are you hoping to find? 

  • nox

    Has happened to me. After refusing their strange declaration of love, they started to threaten me with all the damage they could cause my PC, (e.g. “I AM GOD!!!”)  so I told them off and pulled the Ethernet cord. Idiot.

    • bcsizemo

      Totally agree. Not that I’ve had any experience quite like that, but I have caught something that toasted the OS once. Unless they are going to start writing malicious firmware updaters I’m not really worried about what they are going to do to my software.

  • Vengefultacos

    Uhm… how does a malware writer magically know you’re decompiling his code and open a chat window with you, unless you were stupid enough to run the thing in the first place? That’s sorta like someone on the bomb squad saying “hey! a booby-trap! Let’s set it off to see how it works!”

    If they did run it, it should have been in a virtual machine. Preferably on a fake network so any attempts to call home or take part in a DDOS spam spewing wouldn’t impact third parties. So the best Mr. Malware could have done was shut down a virtual machine, not an actual system.

    • wrybread

      From the first line of the quoted article:

      “The dialog is not from any software installed in our virtual machine.”

      AVG is an antivirus software company, so they’d need to install these beasties all the time so they can recognize them.

      On another note, what an awesome encounter, I wish they’d posted the entire discussion. But this line makes me a bit suspicious:

      “What it [the virus] really wants to steal is dial up connection’s username and password.”

      Was this in 1995?

    • Shashwath T.R.

      Reading the linked articles is sooo last week!

      From the article you didn’t read:

      The dialog is not from any software installed in our virtual machine.

      They ran it on a throwaway VM to see what it does, the dialog popped up, they chatted with the guy, played dumb for a while…

  • Pedantic Douchebag

    “He then shut down our system remotely” is the “and then we noticed he had a hook for a hand” of any spooky IT campfire story.

    • malindrome

      … and they never found the body.

      • http://www.disoriented.net/ angusm

        And the shutdown command came from … inside the LAN!

  • gregarious

    It would be interesting to simply use this chat function + built in camera to screw with some security researchers, Real Genius style:

    http://www.youtube.com/watch?v=sf-5RaFnh2U

    The author blew a chance at an epic prank.

  • http://twitter.com/metal_max Max Allan

    OK, I call shenanigans on this one.
    They RUN the malware on the same box they’re decompiling it on? So all their clever tools have now been downloaded by the malware author. I think not. No one is that stupid.
    They might run it in a VM with some monitor on the VM but the guest shouldn’t be able to spot that, so how would the malware author know what was going on?

    You don’t run a threat and push it through a disassembler on the same box. How can you believe anything the disassembler tells you. It’s been poisoned already. If this is AVG standard practice, I now believe that there are probably viruses inside AVG code.

    The malware was designed to steal dialup usernames. WTF? As @wrybread:twitter said, were they in 1995? I mean really, these days who even needs dialup accounts, let alone has a modem. Just walk to your nearest internet cafe and get a bajillion times more bandwidth and almost complete anonymity, unlike a dial up phone call with caller ID etc…

    I think BB has just been trolled. (and a whole load of other news outlets that picked up on the story.)

    • http://twitter.com/tadasyoyolt Tadas Jelinek

      While a VM should not break regular software, it doesn’t mean that it’s impossible to detect that it’s being executed in a VM.

    • dragonfrog

      Max, decompilers and debuggers are not some powerful secret weapons.  You buy them with money, online or in shops, no questions asked.  The hacker could go fork over a few hundred bucks for the exact same tools AVG’s engineers would have been using, to the extent they weren’t using free open source tools.

      And as to why you would run the tool on the same box – if the software uses a complex packer / encrypter to hide what it does, you could either spend days picking it apart, or you could hook it to a debugger and run it.

      Finally, RasDefaultCredentials is used for dialup as well as VPN credentials.  Who would want that?  Someone who doesn’t live near an internet cafe, or who wants to look at things he might be embarrassed to watch in public…

    • http://www.xradiograph.com/ OtherMichael

      While the percentage of internet users on dial-up is low, those low percentages still represent millions of users in America alone, many of whom are potentially less tech-savvy than non-dial-up users.

      As such, that is millions of potential targets, with a possibly higher rate of return than other targets.

      I had dial-up internet until 2007; my parents had it up until 2010.

    • Adela Doiron

       My in-laws still have dial up because no one is going to spend the money building a tower to get wireless to the other side of the ridge for only a dozen customers. No way are they spending the time or gas to drive into town for the library wireless.