Security Guru Gives Hackers a Taste of Their Own Medicine

Security Guru Gives Hackers a Taste of Their Own Medicine
Security Guru Gives Hackers a Taste of Their Own Medicine 

By Ryan Singel 
Threat Level
April 11, 2008

SAN FRANCISCO -- Malicious hackers beware: Computer security expert Joel 
Eriksson might already own your box.

Eriksson, a researcher at the Swedish security firm Bitsec, uses 
reverse-engineering tools to find remotely exploitable security holes in 
hacking software. In particular, he targets the client-side applications 
intruders use to control Trojan horses from afar, finding 
vulnerabilities that would let him upload his own rogue software to 
intruders' machines.

He demoed the technique publicly for the first time at the RSA 
conference Friday.

"Most malware authors are not the most careful programmers," Eriksson 
said. "They may be good, but they are not the most careful about 

Eriksson's research on cyber counterattack comes as the government and 
security firms are raising alarms about targeted intrusions by hackers 
in China, who are evidently using Trojan horse software to spy on 
political groups, defense contractors and government agencies around the 

The researcher suggests that the best defense might be a good offense, 
more effective than installing a better intrusion-detection system. 
Hacking the hacker may be legally dubious, but it is hard to imagine any 
intruder-turned-victim picking up the phone to report that he had been 

Eriksson first attempted the technique in 2006 with Bifrost 1.1, a piece 
of free hackware released publicly in 2005. Like many so-called remote 
administration tools, or RATs, the package includes a server component 
that turns a compromised machine into a marionette, and a convenient GUI 
client that the hacker runs on his own computer to pull the hacked PC's 

Using traditional software attack tools, Eriksson first figured out how 
to make the GUI software crash by sending it random commands, and then 
found a heap overflow bug that allowed him to install his own software 
on the hacker's machine.

The Bifrost hack was particularly simple since the client software 
trusted that any communication to it from a host was a response to a 
request the client had made. When version 1.2 came out in 2007, the hole 
seemed to be patched, but Eriksson soon discovered it was just slightly 

Eriksson later turned the same techniques on a Chinese RAT known as 
PCShare (or PCClient), which hackers can buy for about 200 yuan (about 

PCClient is slightly better engineered than Bifrost, since it won't 
accept a file uploaded to it, unless the hacker is using the file 
explorer tool.

But, Eriksson found, the software's authors left a bug in the file 
explorer tool in the module that checks how long a download will take. 
That hole allowed him to upload an attack file the hacker hadn't asked 
for, and even write it into the server's autostart directory.

The software's design also inadvertently included a way for the reverse 
attacker to find the hacker's real IP address, Eriksson said. He said 
its unlikely that the malware authors know of these vulnerabilities, 
though its unlikely that PCClient is still in use.

But he says his techniques should also work for botnets as well, even as 
malware authors start using better encryption, and learn to obfuscate 
their communication paths using peer to peer software.

"If there is a vulnerability, it is still game over for the hacker," 
Eriksson said.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods