Slashdot Mirror

← Back to Stories (view on slashdot.org)

Students Learn To Write Viruses

Posted by samzenpus on from the mischief-101 dept.

snocrossgjd writes "In a windowless underground computer lab in California, young men are busy cooking up viruses, spam and other plagues of the computer age. Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers. Thomas Fynan floods a bulletin board with huge messages from fake users. Yet Joy and Fynan aren't hackers — they're students in a computer-security class at Sonoma State University. Their professor, George Ledin, has showed them how to penetrate even the best antivirus software."

28 of 276 comments (clear)

  1. Penetrate even the best antivirus software? by ohcrapitssteve · · Score: 5, Interesting

    Why bother trying to "penetrate antivirus software?" Just tell the user to kindly disable it else they'll be denied their dopey smiley emoticon pack or the privilege of having the Taco Bell dog read them their email or some shit.

    Why bother working to evade potentially sophisticated technological security when you can go after the very very weakest link... the user?

    1. Re:Penetrate even the best antivirus software? by SoapBox17 · · Score: 5, Insightful

      In case that wasn't a rhetorical question, the answer is:
      Because it is a computer class (probably part of a CompSci degree), not sociology/psychology. While targeting the user is a perfectly good way to go about breaking in to something, that topic area isn't very practical for computer science. I think the point of TFA is that the class teaches a lot more than "this is how to kill McAfee, now go run amok!" It is a good opportunity to think outside the box, and targeting the user is very much inside the box, and very low tech.

      I'd be kind of pissed if I took a computer security class and it was all about social engineering.

    2. Re:Penetrate even the best antivirus software? by Beryllium+Sphere(tm) · · Score: 5, Insightful

      In the old days, the author of a high-speed worm would have wanted to avoid user interaction, because human beings slow things down. Slammer doubled the number of infections every 8.5 seconds when it took off: hard to do that when you have to wait for a user to figure out how to turn off their antivirus software.

      Someone who is targeting corporate systems today, for espionage or to recruit well-connected botnet hosts, is attacking an environment where the users may not be able to turn off their antivirus software.

      A pure social engineering attack, with no code obfuscation, would have to work in two stages. The actual payload would have to be delivered after the antivirus got turned off, not before, so there would have to be a first stage containing the UI to persuade the user to disable anti-virus. Hardly impossible, but a nuisance.

      Those are a few of the reasons, though your point stands unchallenged: humans are the weakest link, and security people who develop tunnel vision about technical protections and countermeasures are crippling themselves.

  2. Oh Joy more spam by WiiVault · · Score: 4, Funny

    Sweet, another person spamming my boards! And no education isn't an excuse.

  3. Re:zomg zomg first prost! by Anonymous Coward · · Score: 5, Funny

    I love the smell of burning karma in the morning.

    Smells like... victory.

  4. Not Hackers? by mordors9 · · Score: 4, Insightful

    Not sure why the author phrased it that way. It should have read they are not criminals. They very well may be hackers. There is a difference.

    1. Re:Not Hackers? by fm6 · · Score: 5, Informative

      In ordinary English, a hacker is somebody who hacks into a computer system. That's not the way you and I use the word, but we're not most people. "Hacker" is one many words that means different things depending on who uses it and in one context. Language is not a map.

      Hackers (in the senses of "improvisational programmer" or "ethical student of security technology") often don't grasp this, and insist that the common usage of "hacker" is "incorrect" — even though the people who use it that way are in the majority. They've tried to get people to say "cracker" instead, ignoring the very small role Nabisco plays in computer security issues.

  5. Good by Safiire+Arrowny · · Score: 5, Insightful

    Sounds like these students might actually learn something about computer security from this class.

  6. No great accomplishment by John+Hasler · · Score: 4, Funny

    > Their professor, George Ledin, has showed them how to penetrate even the best antivirus
    > software.

    That and $.10 will get you a year's supply of fake Viagra.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  7. So what? by x_MeRLiN_x · · Score: 5, Insightful

    I was under the impression that all security courses worth their salt taught skills that could potentially be used maliciously. How does one learn how to be a penetration tester? What makes this case different?

    Polymorphism is at least an option in most Computer Science courses. Does one really need to sit down and be taught "how to write viruses" specifically? Or can a huge amount of people who write code use their initiative and learn how to write any kind of application?

    Managers at some computer-security companies have even vowed not to hire Ledin's students.

    What companies? Would they want to work there anyway?

    1. Re:So what? by Opportunist · · Score: 5, Insightful

      Uh... ethics?

      I know a few people, amongst them me, who could come up with malware that no AV kit can easily defeat, mostly because we know how AV kits work. We write them.

      But there is a reason why you don't hear about AV writers making malware (despite the rumors. Let me put something straight: WE DO NOT NEED TO WRITE IT! Why bother doing something for your job security if it's done for you?). The AV biz is a very geeky one. I don't know a single person who's in it because of the money (well, we of course don't hate the money, but you could make a shitload more by switching sides...). We're here because we like what we do. We like the 'net. And despite not really liking the idiots who click on every crap they get sent, we want to protect. No, not them. The net FROM them.

      More and more malware is actually an attack on the 'net in general rather than a specific person. And as stated above, we like our net clean. If you, as a researcher, become known as someone who actually writes the crap, you're done for. Nobody will talk with you anymore. Worse, the whole industry will want your head. You piss in our pool, you better get out before we give you the wedgy of doom.

      This is mostly why nobody with the skills writes malware. That it's illegal to distribute a malicious program in most countries is just a minor annoyance compared with that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Old News by dcollins · · Score: 4, Interesting

    Virus writing was part of my assembly & architecture class circa 1990.

    --
    We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
    1. Re:Old News by devonbowen · · Score: 5, Interesting

      Back when the Morris worm hit in '88, I was teaching assembly language. We'd spent the whole day on the worm (making sure it hadn't planted or destroyed any files on our machines) and I didn't have a lecture prepared by class time. So I told them I'd explain the worm instead but that they could leave if they wanted since it wouldn't be on the exam. Our topic the week before was how the stack was changed during function calls so they already had the background. No one left and I got the pleasure of watching faces light up around the room as it dawned on people where my explanation was going. Ah, those were the days...

      Devon

  9. "We've Changed this Game" by KnowledgeEngine · · Score: 4, Insightful

    In response to AV vendors reply "We've changed the game, and viruses have changed in recent years because of the protection we're putting into place,"
    Normally if something is going to succeed, it evolves to overcome natural or manmade barriers to its existence.
    In a way, the fact that the malware and viruses evolve within days of AV updates says that the AV companies are nothing but an annoyance to the writers of the malware.

    1. Re:"We've Changed this Game" by Anonymous Coward · · Score: 5, Interesting

      I used to write viruses. Evading anti-virus software was sort of like the testing//tweaking phase of software development -- "oops, mcafee flagged it as suspicious, let me modify this line of code here, this one here... ahah, fixed".

      The truth is, anti-virus technology hasn't significantly changed since the DOS days. It's all about heuristics, pattern-matching, and behavior-preventing. It's trivial to evade these technologies.

    2. Re:"We've Changed this Game" by Opportunist · · Score: 5, Insightful

      You become better, we become better. It's a race, nothing more, nothing less. And I think both sides know that neither side will eventually win.

      The question today isn't whether AV kits can catch every virus out there. The question today is, can we make development of malware so expensive that it doesn't pay anymore? Malware development isn't the pastime of some pimple-faced teen with too much time and no girlfriend on his hands. Malware is, simply and plainly, a business. And like every business, it aims at profit.

      The goal of AV kits today is just to minimize that profit the malware distributors can gain. We know that we can't find every virus some teen hacks out to prove that we can't find his trojan. Ok, we can't. Mission accomplished. But your trojan doesn't bother us or anyone, unless it becomes the next Sasser. You are no threat. What does your trojan do? Hijack your friend's WoW password? Get offa my lawn and come back when you've become more than an annoyance.

      Today, malware has to be "important" to be hunted by AV companies. I.e. it has to cost more than a handful of people money. It has to spread wide, has to hijack EBay and PayPal accounts (and bank accounts if possible), be a spambot or something else that actually has some impact. And those packages are invariably developed and employed by organisations who aim at making money.

      So the goal today has changed, from protecting you to stifling their income (which also serves to protect you, in a way). Yes, we're trying to keep back the ocean that comes with a tsunami with a broom. Our back is against the wall. The best we can do today is to limit their income in an attempt to show them it's more profitable to go back to good ol' burglary.

      When you, as a private person, write some malware and release it into the world, you'll eventually be detected, too. But you're not important. The damage you do, the footprint you leave on the international detection grid, is so insignificant that, sorry if I'm so blunt, you don't count.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Social Engineering VS Computer Sci by PC+and+Sony+Fanboy · · Score: 4, Insightful
    I agree with soapbox, with

    I'd be kind of pissed if I took a computer security class and it was all about social engineering.

    but if it was a course on penetration and end user abuse, then it would be completely relevant.

    I think teaching the tools of the black arts are useful - you never know when you need to hack into a satellite system and broadcast the evil that it does around the world.

    1. Re:Social Engineering VS Computer Sci by MindlessAutomata · · Score: 5, Funny

      I'd like to take a course on penetration. I might actually learn something.

    2. Re:Social Engineering VS Computer Sci by TubeSteak · · Score: 5, Funny

      I'd like to take a course on penetration. I might actually learn something.

      Unlike college courses, those 'teachers' charge by the hour.

      Though if you are in college, you could take it as an... extracurricular.

      --
      [Fuck Beta]
      o0t!
  11. Re:Sounds pretty cool by Pictish+Prince · · Score: 5, Funny

    Well, they said it was a windowless class, so I guess it's higher than entry level.

    --
    Only his tendency toward a dazed stupor prevented him from screaming aloud.
  12. Re:Hostile Authorities by Darkness404 · · Score: 5, Interesting

    Yes, but why are they even caring? I mean, today I picked up a copy of 2600 from a local bookstore, in there I learned how to Arp poisoning, obtain malware via a honeypot, and all kinds of info that is similar to this. Yet I don't see the FBI raiding 2600's publisher burning all copies of the magazine.

    You can get cracking techniques from loads of places, this guy's teachings is old news.

    --
    Taxation is legalized theft, no more, no less.
  13. They need BOTH! by khasim · · Score: 4, Insightful

    If you are learning SECURITY then the first lesson is that the PEOPLE are the weakest link.

    You need to design systems that minimize the human error portion. That means designing systems where it is possible to tell the "good" code from the "bad" code. Where the average user can run an app to identify the "good" code from the "bad" code.

    Where the warnings are sufficiently rare that the average user is NOT trained to just click "accept" when one pops up.

  14. Re:Weak sauce. by bluefoxlucid · · Score: 5, Insightful

    Because breaking into things and creating stealthy shit is the greatest problem solving skill you will ever find.

    By nature, to break into a computer, you have to force it to do something it (software, sometimes hardware i.e. Intel errata) was specifically not designed to do. Usually this amounts to something not obvious to 100% of the rest of the world for some strange reason being obvious to you. The more experience you have warping completely tame and working interfaces in perverse ways due to minor quirks, the easier this becomes.

    Load modules and shared objects aren't designed to be altered like that; and in this case you have a system designed specifically to catch and prevent you from doing what you're doing. This is, again, forcing something into a position it's not designed to operate in to achieve a predictable result.

    Carmack's Reverse, Duff's Device, and even Edison's light bulb worked from these same principles; remember, by its very nature you cannot have light without fire.

    --
    Support my political activism on Patreon.
  15. Viruses in a WINDOWsless environment ? by destinationPattern44 · · Score: 5, Funny

    "In a windowless underground computer lab in California, young men are busy cooking up viruses" it's IMPOSSIBLE! Viruses need Windows and they won't run in a Windowsless environment.

  16. Re:speaking of penetration... by azuredrake · · Score: 5, Funny

    Thomas Fynan floods a bulletin board with huge messages from fake users.

    Ah-hah! Got ya!

    --
    Quis custodiet ipsos custodes?
  17. we have that in vienna for years... by Meshugga · · Score: 5, Informative

    as a two-semester course.

    It is held at the technical university in vienna and is called "InetSec"

    http://www.iseclab.org/InetSec/

    The course has a very high quality and includes practical exercises like sql exploits, writing buffer overflows, trojans and the like.

    You even get your own automatically generated "1337 handle" upon subscription to the course, and you can advance from "script kiddy" (not homework assignments aka challenges turned in) to "master guru" (turned in everything + extra work + participated in a CTF) - so actually participating in the course is more fun and play than work ;)

    I wonder why that article is news, since there is a CTF (http://www.cs.ucsb.edu/~vigna/CTF/) held every year, where a lot of universities and colleges from everywhere participate - i doubt they don't have similar courses.

    Then again, since the viennese guys kick ass at these contests... ;)

  18. What about martial arts.. by Safiire+Arrowny · · Score: 4, Interesting

    If a person learned Jujitsu, he would effectively be learning ways to kill people among other things. This doesn't equate to actually killing people, or actually beating people up, etc. Maybe you use your martial art to save your girlfriend or do other some good thing someday.

    Just because you can possibly use some skill to be evil doesn't mean you shouldn't learn it.

    It's like a saying police shouldn't know any martial arts or learn to shoot a gun because they could use the skills to kill someone.

  19. Re:And that seems extremely stupid by Phrogman · · Score: 4, Insightful

    If I am an anti-virus company looking for developers, why would I possibly turn away programmers who took a course on virus development? It was a sanctioned computer course at a college or university, it would seem to me that these would be *exactly* the people you want. They should have a better understanding of how a virus developer thinks and thus have a head start on combating future viruses. Yes, it may be that some took that course because they were interested in writing malware, but many will have taken it because they want to know how to fight it. I think only a moronic close-minded company would turn these people away just because they took a course.

    Its like the Dept of Justice not hiring people who took a course on criminology because they might cause a crime.

    --
    "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid