By Ryan Singel
April 11, 2008
SAN FRANCISCO -- Malicious hackers beware: Computer security expert Joel
Eriksson might already own your box.

Eriksson, a researcher at the Swedish security firm Bitsec, uses
reverse-engineering tools to find remotely exploitable security holes in
hacking software. In particular, he targets the client-side applications
intruders use to control Trojan horses from afar, finding
vulnerabilities that would let him upload his own rogue software to

He demoed the technique publicly for the first time at the RSA

"Most malware authors are not the most careful programmers," Eriksson
said. "They may be good, but they are not the most careful about

Eriksson's research on cyber counterattack comes as the government and
security firms are raising alarms about targeted intrusions by hackers
in China, who are evidently using Trojan horse software to spy on
political groups, defense contractors and government agencies around the

The researcher suggests that the best defense might be a good offense,
more effective than installing a better intrusion-detection system.
Hacking the hacker may be legally dubious, but it is hard to imagine any
intruder-turned-victim picking up the phone to report that he had been

Eriksson first attempted the technique in 2006 with Bifrost 1.1, a piece
of free hackware released publicly in 2005. Like many so-called remote
administration tools, or RATs, the package includes a server component
that turns a compromised machine into a marionette, and a convenient GUI
client that the hacker runs on his own computer to pull the hacked PC's

Using traditional software attack tools, Eriksson first figured out how
to make the GUI software crash by sending it random commands, and then
found a heap overflow bug that allowed him to install his own software
on the hacker's machine.

The Bifrost hack was particularly simple since the client software
trusted that any communication to it from a host was a response to a
request the client had made. When version 1.2 came out in 2007, the hole
seemed to be patched, but Eriksson soon discovered it was just slightly

Eriksson later turned the same techniques on a Chinese RAT known as
PCShare (or PCClient), which hackers can buy for about 200 yuan (about

PCClient is slightly better engineered than Bifrost, since it won't
accept a file uploaded to it unless the hacker is using the file

But, Eriksson found, the software's authors left a bug in the file
explorer tool in the module that checks how long a download will take.
That hole allowed him to upload an attack file the hacker hadn't asked
for, and even write it into the server's autostart directory.

The software's design also inadvertently included a way for the reverse
attacker to find the hacker's real IP address, Eriksson said. He said
it's unlikely that the malware authors know of these vulnerabilities,
though it's unlikely that PCClient is still in use.

But he says his techniques should also work for botnets, even as
malware authors start using better encryption, and learn to obfuscate
their communication paths using peer-to-peer software.

"If there is a vulnerability, it is still game over for the hacker,"