So, Who Wants To Be A Hacker?
But like many technology journalists, I had no idea how to actually hack into a system -- not that I'd ever want to. But, always interested in learning new skills, I jumped at the chance to participate in the McAfee Malware Experience on Thursday, a three-hour, hands-on instructional opportunity for members of the press to learn the art of basic malware creation and then put those skills to use by hacking into a virtual client.
It seemed that the purpose of the project was to give journalists, specifically those covering security issues, their own firsthand, albeit abbreviated, glimpse into the mysterious and seemingly unattainable world of cybercrime.
And that world keeps getting bigger. Researchers at McAfee Avert Labs said that the company's Global Threat Intelligence Network identifies about 4,000 pieces of unique malware and 400,000 new zombies per day, and that it identified 1.5 million unique pieces of malware in 2008. Meanwhile, researchers expect that spam will soon return to pre-McColo levels.
So, after a relatively bearable PowerPoint -- if there is such a thing -- we each got to work on our own "infected" computers. Following the meticulous directions included in the instructional packet, we learned how to create a remote access Trojan, a botnet and a Web-based remote-control Trojan. (Did I mention we had a lot of help from the Avert Labs researchers hovering over us, as well as the step-by-step instructional packet?)
The findings? Remote access can be fun. We got to deface the client's screen by turning it upside down, changing the color and reversing the right and left mouse click functions. We wrote messages on Notepad on the client side, only to see the keystrokes recorded on the "hacker" side. We got to control our own botnet, and send the client "Matrix"-like messages, such as "Ha Ha Ha, I stole all your passwords."
We even created our own personal Trojan, and then sent it as an e-mail attachment to infect the client and access their data. Endless hours of entertainment.
Of course, the virtual clients weren't real, and the "hacked" PCs weren't even connected to the Internet. Plus, we were forbidden to keep any portable devices -- USB sticks, mobile phones, laptops -- anywhere near the infected computers.
And while I can articulately write about components of organized cybercrime rings and buffer overflow vulnerabilities, my hacking skills leave a lot to be desired. So needless to say, I don't pose a huge threat in the cybercrime community.
In all honesty, my hacking skills weren't much sharper after I left the event than when I arrived. And McAfee wouldn't let us take the instructional packets outside of the room, so it's not like I could spend my free time honing this craft.
But I came away with some new insights and some new appreciation for the cyber-underground. I also wondered how anyone with these skills could possibly resist the temptation to hack into systems like college databases, or the PC of that annoying neighbor who is always telling them to mow their lawn -- you know, just to see if they could.