Hacking Back #IRL

Eradicating an Intruder from a Network

Dave Dittrich


“Hacking back” doesn’t always mean going outside your own network. In fact, it is best done quietly, inside your own network where you have home field advantage, and both slowly and deliberately so as to deliver a definitive enough blow to someone’s activities that they leave your network and don’t come back. This is a story of how I did it, and how you can, too.

This story (excerpted from a book in progress) centers on a hacker whom I will refer to by the nick “G0by” (spelled with a zero, and not his real nick). G0by was part of a criminal hacker gang actively compromising systems around the globe for the purpose of installing back doors, sniffers, Internet Relay Chat (IRC) proxies and bots, which were sold and traded in the computer underground. While fictionalized, this story is based on a series of in-real-life abuse complaints and resulting intrusion response activities at a major university in the United States that occurred in the late 1990s. The victims of this crew included universities, small businesses (including several small local ISPs), and corporations (including an online trading company, a brokerage group, a truck scale manufacturer, and an electronic media publishing company) around the globe.

Facts that underlie this story were learned through detailed analysis of keystrokes and communications of G0by during the period of time he was observed. This included the crew’s own correspondence — captured in chat logs on the systems they compromised due to their own sloppy operational security practices in many cases, no less! — as well as analysis of the malicious software he methodically installed on victimized sites. Interactions with other incident response security operators (one in particular who knew G0by) provided additional new insights.

G0by and His Crew

G0by lived in a tropical island nation near the equator. On any given day, the sun rises around 6:00 AM and sets about 6:00 PM, give or take a half-hour or so, depending on the time of the year. Things move very slowly in the tropics. This is commonly known as “rubber time.”
