Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (5 page)

Max had found his niche. It turned out his single-mindedness made him a natural at penetration testing: He was immune to frustration, hammering at a client’s network for hours, moving from one attack vector to another until he found a way in.

With Max making real money at MCR, Kimi quit her job as a barista and found more rewarding work teaching autistic students. The couple moved from the cramped apartment in Mountain View to a duplex in San Jose. In March, they got married in a church on a college campus in Lakewood, Washington, where Kimi’s family lived.

Tim Spencer and most of the Hungry Programmers went up to Washington
to see their problem child married off. Max’s parents, his sister, Kimi’s family, and scores of friends and extended family showed up for the ceremony. Max wore a tuxedo and a broad grin, and Kimi glowed in her white wedding dress and veil. Surrounded by family and beloved friends, they were a picture-perfect young couple beginning a life together.

They posed outside: Kimi’s father, a military man, stood proudly in his dress uniform, her mother in a traditional Korean
hanbok
. Flanked by his own parents, Max beamed at the camera, while storm clouds gathered overhead in the Pacific Northwest sky.

It was three years almost to the day since Max walked out of prison, and he had everything now—a devoted wife, a promising career as a white-hat hacker, a nice home. In just a few weeks, he’d throw it all away.

ack home in San Francisco, a temptation was waiting for Max, written in computer code.

It was one line of nine thousand comprising the Berkeley Internet Name Domain, an ancient girder in the Internet’s infrastructure, as important as any router or fiber-optic cable. Developed in the early 1980s with a grant from the Pentagon’s Defense Advanced Research Projects Agency (DARPA), BIND implemented the scalable Domain Name System, a kind of distributed telephone directory that translates strings like Yahoo.com, which humans understand, into the numeric addresses the network comprehends. Without BIND, or one of the competing programs that followed, we’d be getting our online news from 157.166.226.25 instead of CNN.com and visiting 74.125.67.100 to perform a Google search.

BIND was one of the innovations that made the explosive growth of the Internet possible—it replaced a crude mechanism that couldn’t have expanded with the Net. But in the 1990s, it was also one of the legacy programs that were shaping up as the modern Internet’s biggest security problem. The code was a product of a simpler time, when the network was cloistered and threats were few. Now hackers were plumbing its depths and coming back with a seemingly endless supply of security holes.

A high priesthood of network experts called the Internet Software Consortium appointed themselves keepers of the code and had begun furiously rewriting it. But in the meantime, the most modern, sophisticated networks in the world, with sparkling new servers and workstations, were running a buggy computer program from another age.

In 1998, security experts discovered the latest flaw in the code. It boiled down to that single line. It accepted an inquiry from the Internet, as it should, and copied it byte for byte into the temporary buffer “anbuf” in the server’s memory. But it didn’t properly check the size of the incoming data. Consequently, a hacker could transmit a deliberately overlong query to a BIND server, overflow the buffer, and spill data into the rest of the computer’s memory like oil from the
Exxon Valdez
.

Performed haphazardly, such an attack would cause the program to crash. But a careful hacker could do much worse. He could load the buffer with his own small snippet of executable computer code, then he could keep going, tripping cautiously all the way to the top of the program’s memory space, where a special short-term storage area called the “stack” resides.

The stack is where the computer’s processor keeps track of what it’s doing—every time a program diverts the computer off to a subroutine, the processor pushes its current memory address onto the stack, like a bookmark, so it knows where to return to when it’s done.

Once a hacker is in the stack, he can overwrite the last return address with the location of his own malicious payload. When the computer is done with the current subroutine, it returns not to where it began, but to the hacker’s instruction—and because BIND runs under the all-powerful administrative “root” account, the attacker’s code does as well. The computer is now under the hacker’s control.

Two weeks after Max and Kimi’s wedding, the government-funded Computer Emergency Response Team at Carnegie Mellon University—which runs a kind of Emergency Broadcast System for security holes—
issued an alert about the BIND flaw, along with a link to the simple fix: two additional lines of computer code that rejected overlong queries. But CERT packaged its alert with two other BIND vulnerabilities that were of little consequence and understated the importance of the hole. Consequently, not everyone appreciated the gravity of the situation.

Max understood perfectly.

He read the CERT advisory with amazement. BIND came installed standard with Linux, and it ran on servers on corporate, ISP, nonprofit, educational, and military networks. It was everywhere. And so was the defective line of code. The only thing holding back a feeding frenzy of attacks was that nobody had written a program to exploit the security hole. But that was just a matter of time.

Sure enough, on May 18, an exploit program showed up on Rootshell.com, a computer security news site run by hobbyists. Max picked up the phone and called his FBI contact, Chris Beeson, at home. The situation was serious, he explained. Anybody who hadn’t installed the BIND patch could now be hacked by any script kiddy capable of downloading a program and typing a command.

If history was a guide, government computers would be particularly vulnerable. Just a month earlier, a less serious bug in the Sun Solaris operating system had led to a hacker cracking computers at a dozen U.S. military bases, in what a deputy defense secretary called “the most organized and systematic attack to date” on American defense systems. Those attacks had set off a full-blown cyberwarfare false alarm: The Pentagon gave the intrusions the code name “Solar Sunrise” and considered Saddam Hussein the prime suspect until investigators traced the attacks to a young Israeli hacker who was just playing around.

Max called Beeson again the next day, when a hacker group named ADM released a weaponized version of the BIND exploit designed to scan the Internet at random looking for unpatched servers, then break in, install itself, and use the newly compromised computer as a platform for
still more scans and break-ins. It was a certainty now that someone was going to own the entire Internet. It was just a question of who.

He hung up and pondered.
Someone
was going to do it.…

He shared his plans with his new wife in boyish, excited tones. Max would author his own BIND attack. His version would close the hole everywhere it found it, like releasing sterile fruit flies to tamp down an infestation. He would limit his attack to the targets most in need of an emergency security upgrade: U.S. military and civilian government sites.

“Don’t get caught,” said Kimi, who’d learned not to argue with Max when he was like this, his mind hostage to an idea.

Max was struggling with the binary nature of his personality: the professional married man with a stake in the world around him, and the impulsive child tempted by every call to mischief. The child won. He sat at his keyboard and plunged into furious programming.

His code would operate in three rapid-fire stages. It would begin by flinging a virtual grappling hook through the BIND hole, executing commands that forced the machine to reach out over the Internet and import a 230-byte script. That script, in turn, would connect it to a different host infiltrated by Max, where it would download a hefty package of evil called a “rootkit.”

A rootkit is a bundle of standard system programs that have been corrupted to secretly serve the hacker: A new login program operates just like the real thing but now includes a back door through which the intruder can reenter the machine. The “passwd” program still lets users change their passwords but also quietly records and stores the new password where it can be retrieved later. The new list program lists the contents of a directory, as it should, but takes care to conceal any files that are part of the rootkit.

Once the rootkit was in place, Max’s code would accomplish what the government failed to do: It would upgrade the hacked computer to the
latest version of BIND, closing the security hole through which it had entered. The computer would now be safe from any future attacks, but Max, the benevolent meddler, would still be able to reenter the system at will. Max was at once fixing the problem and exploiting it; he was a black hat and a white hat at the same time.

The whole attack would take just a couple of minutes each time. One moment, the computer would be controlled by the system administrators; then, grappling hook, download script, rootkit, and it was in Max’s pocket.

Max was still programming when the FBI got back to him and asked for a full report on the BIND hole. But the feds had had their chance; Max’s code would speak for him now. He took a moment to crack a couple of college machines to use as a staging ground, then, on May 21, a Tuesday, he dialed the Internet through a stolen Verio account … and launched.

The results were instant and highly satisfying. Max’s grappling-hook code was designed to signal its success to his computer over the Verio dial-up, so he could watch the attack spread. Hacked machines around the country reported back to him, an Xterm window popping up on his screen for each one. Brooks Air Force Base—now property of Max Vision. Mc-Chord, Tinker, Offutt, Scott, Maxwell, Kirtland, Keesler, Robins. His code wormed into Air Force servers, Army computers, a machine in the office of a cabinet secretary. Each machine now had a back door that Max could use any time he wanted.

Max was notching up military conquests like points in a video game. When his code swept into the Navy’s Internet space, it found so many unpatched BIND servers that the stream of pop-ups turned into a torrent. His own computer struggled under the strain, then crashed.

After some fine-tuning, he relaunched. For five days he was absorbed in his growing dominion over cyberspace. He ignored e-mail from the
FBI, who still wanted that report. “Where’s the stuff?” Agent Beeson wrote. “Please call.”

There had to be more he could do with the power to crack almost any network he wanted. Max trained his BIND exploit on the servers of Id Software in Mesquite, Texas, a gaming company developing a third installment of the enormously popular first-person shooter Quake. Max loved first-person shooters. He was on the network in a flash, and after some exploring, he emerged with his trophy. He announced to Kimi that he’d just obtained the source code—the virtual blueprints—for Quake III, the most anticipated game of the year.

Kimi was unmoved. “Can you put it back?”

Max soon realized that his attacks were getting some attention. At Lawrence Berkeley National Laboratory, a researcher named Vern Paxson spotted Max’s scanning using a new system he’d developed called BRO, for Big Brother. BRO was an experiment in a relatively new kind of security countermeasure called an intrusion detection system—a cyber burglar alarm with the sole function of sitting quietly on a network and sifting through all the traffic for suspicious activity, alerting administrators when it spots something that doesn’t look right.

Paxson wrote a full report on the attack for CERT. Max intercepted it and was impressed. The researcher had not only detected his attack, he’d compiled a list of servers that Max’s code was attacking through Lawrence Berkeley’s network—Max was using the network as one of his secondary launch points.
He sent Paxson an anonymous note from the lab’s root account.