[ad]<\/p>\n
It looks like someone is going after the bad guys in a new way, by hacking them back! It’s no news to us that many hacking tools and script kiddy trojan kits are badly programmed..a lot of them have back-doors and the client-side tools have easy exploits that enable you to take over the ‘hackers’ machine.<\/p>\n
It’s certainly an interesting approach.<\/p>\n
Eriksson, a researcher at the Swedish security firm Bitsec, uses reverse-engineering tools to find remotely exploitable security holes in hacking software. In particular, he targets the client-side applications intruders use to control Trojan horses from afar, finding vulnerabilities that would let him upload his own rogue software to intruders’ machines.<\/p>\n
He demoed the technique publicly for the first time at the RSA conference Friday.<\/p>\n
“Most malware authors are not the most careful programmers,” Eriksson said. “They may be good, but they are not the most careful about security.”<\/p><\/blockquote>\n
He’s turned his attention to quite a few of the more popular pieces of mass-distributed malware and found holes in all of them. Those labeled as Remote Administration Tools (RATs) were extremely popular back in the days when Back Orifice, Netbus and Deepthroat first hit the scene. They are still used nowadays but there are newer variants.<\/p>\n
Eriksson first attempted the technique in 2006 with Bifrost 1.1, a piece of free hackware released publicly in 2005. Like many so-called remote administration tools, or RATs, the package includes a server component that turns a compromised machine into a marionette, and a convenient GUI client that the hacker runs on his own computer to pull the hacked PC’s strings.<\/p>\n
Pcshare_2Using traditional software attack tools, Eriksson first figured out how to make the GUI software crash by sending it random commands, and then found a heap overflow bug that allowed him to install his own software on the hacker’s machine.<\/p>\n
The Bifrost hack was particularly simple since the client software trusted that any communication to it from a host was a response to a request the client had made. When version 1.2 came out in 2007, the hole seemed to be patched, but Eriksson soon discovered it was just slightly hidden.<\/p><\/blockquote>\n
It’ll be interesting to see what else he comes up with and if he can break into any of the big botnets like Storm<\/a> or Kraken<\/a> using this method.<\/p>\n
That would certainly herald some interesting news.<\/p>\n
<\/p>\n