

SAN FRANCISCO – Malicious hackers beware: Computer security expert Joel Eriksson might already own your box.

Eriksson, a researcher at the Swedish security firm Bitsec, uses reverse-engineering tools to find remotely exploitable security holes in hacking software. In particular, he targets the client-side applications intruders use to control Trojan horses from afar, finding vulnerabilities that would let him upload his own rogue software to intruders' machines.

He demoed the technique publicly for the first time at the RSA conference Friday.

"Most malware authors are not the most careful programmers," Eriksson said. "They may be good, but they are not the most careful about security."

Eriksson's research on cyber counterattack comes as the government and security firms are raising alarms about targeted intrusions by hackers in China, who are evidently using Trojan horse software to spy on political groups, defense contractors and government agencies around the globe.

The researcher suggests that the best defense might be a good offense, more effective than installing a better intrusion-detection system. Hacking the hacker may be legally dubious, but it is hard to imagine any intruder-turned-victim picking up the phone to report that he had been hacked.

Eriksson first attempted the technique in 2006 with Bifrost 1.1, a piece of free hackware released publicly in 2005. Like many so-called remote administration tools, or RATs, the package includes a server component that turns a compromised machine into a marionette, and a convenient GUI client that the hacker runs on his own computer to pull the hacked PC's strings.

Using traditional software attack tools, Eriksson first figured out how to make the GUI software crash by sending it random commands, and then found a heap overflow bug that allowed him to install his own software on the hacker's machine.

The Bifrost hack was particularly simple since the client software trusted that any communication to it from a host was a response to a request the client had made. When version 1.2 came out in 2007, the hole seemed to be patched, but Eriksson soon discovered it was just slightly hidden.

Eriksson later turned the same techniques on a Chinese RAT known as PCShare (or PCClient), which hackers can buy for about 200 yuan (about $27).

PCClient is slightly better engineered than Bifrost, since it won't accept a file uploaded to it, unless the hacker is using the file explorer tool.

But, Eriksson found, the software's authors left a bug in the file explorer tool in the module that checks how long a download will take. That hole allowed him to upload an attack file the hacker hadn't asked for, and even write it into the server's autostart directory.

The software's design also inadvertently included a way for the reverse attacker to find the hacker's real IP address, Eriksson said. He said its unlikely that the malware authors know of these vulnerabilities, though its unlikely that PCClient is still in use.

But he says his techniques should also work for botnets as well, even as malware authors start using better encryption, and learn to obfuscate their communication paths using peer to peer software.

"If there is a vulnerability, it is still game over for the hacker," Eriksson said.

See Also:

Photo: Joel Erickson speaking at RSA 2008, Ryan Singel/Wired.com; screenshot of PCShare courtesy Joel Eriksson