In far-away Australia there lives another of those upright gentlemen who are respected security professionals by day and black-hat hackers by night, honing the skills that pay their mortgage by breaking into the most resilient software companies on the planet.

But this particular man, Robert, can’t be easily pegged into a category. He seems too complex for that: one month hacking some software for his own amusement and to satisfy his need for a challenge, and the next month taking on a project for money that will mark him, for some people, as what he himself terms “a dirty spammer.” Not dirty, you will discover, just because he has occasionally worked as a spammer; dirty because of the kind of spamming he has done.

“Making money by hacking,” he says, “is quite a concept.” Which may be self-justification, but he had no qualms about sharing the story with us. In fact, he brought it up unprompted. And made light of it by coining a term: “I guess you could say I’m a spacker — a hacker that works for spammers.”

I was contacted by a friend of mine who said, “I want to sell some hard-core bondage porn to thousands of people. I need to have millions upon millions of email addresses of people who want hard-core bondage porn.”

You or I might have run from the suggestion. Robert “thought about it for a while” and then decided to take a look at what might be involved. “I searched all these hard-core bondage sites,” he says, admitting that he did this despite its being “much to my girlfriend’s disgust.” He conducted the search in a perfectly straightforward way: with Google, as well as another search portal, www.copernic.com, that uses multiple search engines.

The results provided a working list. “The only thing I want from these [sites] is who likes their bondage porn, who wants to receive updates from them, who has the interest in this shit.” If Robert was going to help create spam, he had no intention of going about it “like the usual cast of idiots,” sending hundreds of emails to everyone and his brother whether they had ever shown any interest in the subject or not.

Getting the Mailing Lists

Many of the bondage Web sites, Robert discovered, were using a major application for managing subscription mailing lists that I’ll call SubscribeList.

Just by using Google I had found someone who had ordered a copy of [SubscribeList], and had it on the Web server. I think it was a Web site in Taiwan or in China.

The next step was even easier than he could have anticipated:

Their Web server was configured incorrectly. Any user could view the source [code] of the software. It wasn’t the latest version of the software, but a reasonably recent version.

The mistake was that someone had carelessly or accidentally left a compressed archive of the source code on the document root of the Web server. Robert downloaded the source.

With this program and names he would capture from existing sites, Robert figured:

I’d be able to send out emails saying, “Come back to my site, we’re having a special on whipping and it’s half price.” A lot of people subscribe to these things.

So far, though, he had mailing-list software but still no mailing lists.

He sat down to study the source code of SubscribeList, and at length discovered an opportunity. The technical explanation is complicated (see “Insight” at the end of the chapter).

Similar to the way the cracker in the previous story used the “&” symbol to trick a program into executing his commands, Robert used a flaw in “setup.pl.” This shortcoming, called the “backticked variable injection flaw,” stems from the lightweight installer program, the setup.pl script, not adequately validating the data passed to it. (The difference is in operating system: Erik’s method works with Windows, Robert’s with Linux.) A malicious attacker can submit a string of data that corrupts the value stored in a variable in such a way that the script is tricked into writing out a second Perl script containing attacker-chosen code, and that script is then used to execute arbitrary commands. Thanks to this programmer oversight, an attacker could inject shell commands.

The method fools setup.pl into thinking that the attacker has just installed SubscribeList and wants to do the initial setup. Robert would be able to use this trick with any company running the vulnerable version of the software. How did he find a bondage company that fit the description?
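The pattern behind this kind of flaw, an installer that builds a configuration script by pasting submitted values straight into source code, is shown below as an added illustration; it is not SubscribeList’s code, not Robert’s script, and it is written in Python rather than Perl. The function names, the `LIST_NAME` setting and the attacker payload are all constructed for the example. Instead of running a shell command, the payload only sets a marker variable, which is enough to show that the generated file now carries a second statement the installer never intended.

```python
"""Constructed illustration of variable injection into a generated config
script: a vulnerable generator, the breakout payload, and a hardened form.
Not the page's code; all names below are assumptions for the example."""
import ast
import re


def render_config_vulnerable(list_name: str) -> str:
    """Vulnerable generator: interpolates the submitted value verbatim into
    the source of the config script. A value containing a closing quote
    turns the rest of the input into live code."""
    return f'LIST_NAME = "{list_name}"\n'


# Whitelist for the hardened generator (assumed policy: short, plain names).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def render_config_hardened(list_name: str) -> str:
    """Hardened generator: reject anything outside the whitelist, and emit
    the value with repr(), which escapes quotes and backslashes so the
    result can only ever be a single string literal."""
    if not SAFE_NAME.fullmatch(list_name):
        raise ValueError(f"rejected list name: {list_name!r}")
    return f"LIST_NAME = {list_name!r}\n"


def load_config(source: str) -> dict:
    """Models the web application later executing the generated config
    (a Perl app would `do config.pl`). Runs the generated source in an
    empty namespace and returns the resulting variables for inspection."""
    ns: dict = {}
    exec(compile(source, "<generated-config>", "exec"), ns)
    ns.pop("__builtins__", None)
    return ns


def statement_count(source: str) -> int:
    """Top-level statements in the generated file; a clean config has one."""
    return len(ast.parse(source).body)


# Constructed attacker input: closes the quoted value, then appends its own
# statement. A real payload would call out to the shell; this one only
# sets a marker so the effect is visible without side effects.
PAYLOAD = 'news"; INJECTED = "attacker code ran'


if __name__ == "__main__":
    vuln_source = render_config_vulnerable(PAYLOAD)
    print(vuln_source, end="")
    print("statements:", statement_count(vuln_source))
    print("loaded:", load_config(vuln_source))
    try:
        render_config_hardened(PAYLOAD)
    except ValueError as err:
        print("hardened generator:", err)
    print("hardened, benign input:", load_config(render_config_hardened("news")))
```

The whitelist check is the important half of the fix: `repr()` alone stops the string breakout, but rejecting unexpected characters up front keeps odd values out of a file that the application will later execute as code at all.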

His code, Robert says, is “a bit of a mind bender, really a bitch to write.” When his script had finished, it would clean up after itself and then set all the configuration variables back so no one could tell anything happened. “And as far as I’m aware, no one has caught on to it.”

No thoughtful hacker would have these files sent directly to his or her own address in a way that could be traced.

I’m a really big fan of the Web. I love the Web. The Web is anonymous. You can go on from an Internet café and no one knows who the f___k you are. My stuff is bounced around the world a few times and it’s not direct connections. It’s harder to trace, and there will only be maybe one or two lines in the [company’s] log file.

Porn Payoff

Robert had discovered that many of the bondage sites use the same mailing-list software. With his modified program, he targeted their sites and grabbed their mailing lists, which he then turned over to his friend, the spammer. Robert wanted it understood that “I wasn’t spamming people directly.”

The campaign was incredibly effective. When you’re spamming directly to people who you already know “really like this shit” (to use Robert’s colorful phrase), the response rate is record-breaking.

You’re usually looking at [a response rate of] 0.1, 0.2 percent. [We were] getting 30 percent at least by targeting. Like 30 to 40 percent of people would buy. For a spamming rate, that is absolutely phenomenal.

All up, I must have brought in probably like about $45, $50,000 U.S., and I got back a third of that.

Behind the success of this sordid story lies the success of Robert’s effort in gathering the mailing lists of people willing to shell out money for this kind of material. If the numbers he reported to us are accurate, it’s a sorry measure of the world we live in.