/hack #6: Viruses

Goals of Viruses

The single most common usage we see for viruses in the wild today is to take control of computers for the purpose of distributing advertising. Certainly the bulk of reputable advertisers don't do this, but a lot of people peddling products that you used to buy from some greasy guy in a back alley are now selling through these underground advertising networks. The bulk of the junk mail in your inbox, promising to put money in your wallet, hair on your head and lead in your pencil, is shipped via vast networks of zombie computers.

Sometimes viruses are used just to gather information. Ideal for espionage, these viruses dig around on your hard drive looking for valuable information. Typically they want passwords, banking information, or other financial data that you have stored in common programs. Viruses need to be targeted at specific data stores, such as your accounting data or your web browser's password cache.

Some viruses want to install a command and control program on your computer, to turn it into a zombie. Your computer continues to function normally, if a little slowly, but the zombie program uses some of your network bandwidth and processing power to do tasks for somebody else. This somebody else is selling the services of your computer to the pill pushers and authentic replica watch dealers who are flooding your inbox. Zombies can be put to other nefarious purposes as well.

Targets

Traditionally we think of viruses as something that attacks our computer, probably via email or by going to a skeezy website. Attacking somebody's desktop computer is certainly a fine mode of attack, but hardly the only approach.

Consider that a lot of personal data is now stored in cellular phones and portable computers like the Palm. Viruses exist in the wild which will extract your personal data from these devices and send it off to the highest bidder.

Sometimes these devices are also attacked as a means to other, bigger systems. For instance, if you have a Bluetooth-enabled BlackBerry, the odds are very good that you synchronize it with your work computer, so that you always have your appointment calendar and contacts list. People will use your Bluetooth connection to install their own software on your device, which then goes through your desktop computer when you synchronize data, and from there heads off to extract the secrets from the corporate mainframe.

Common Structures

The simplest viruses are the little nasty-grams that show up in email and, through a major design blunder on the part of some mail software vendors, are automatically executed. They tend to gather up your personal data, then send themselves off to everybody in your address book to repeat the same. The simplistic ones have a tendency to drag computer networks to their knees. Sophisticated viruses go through your network so fast you never even know they're there. These viruses can be stopped by a moderately paranoid anti-virus program.

More sophisticated viruses attack less visible components of your computer system. A very popular attack is to look for databases exposed to the internet. A lot of people who set up databases don't really understand the security ramifications of what they are doing. They leave databases unprotected from the wild internet, often with the security left wide open, or with necessary software updates not done. Viruses which have been crafted to attack these systems exploit the holes left by inexperienced system administrators. Sometimes they steal corporate data. A lot of times they modify or insert new data.

Many viruses operate in multiple parts. One part, for instance, might run in your email or web browser. It uses the information it can gain about your computer to download the appropriate evil payload onto your computer and then causes that program to run.

One of my favorite tricks, which I saw recently on a client system, was to insert a small bit of web markup into fields in a database. If that markup was fed to a web browser, it would silently download and run a virus program from a web server. That virus would do its thing, then go out and look for other database servers to attack. Most commercial virus scanners aren't even capable of detecting the presence of this virus. I never did learn what the original perpetrator of this virus was trying to accomplish, but I do know that it cost the target company several thousand dollars in lost economic opportunity, as well as paying me to clean up the mess.
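A defender's check for the kind of tampering described above, as an added example that is not part of the original column: it walks every text column of a database and flags fields holding markup that would make a browser load or run remote content. The SQLite schema, the sample rows and the placeholder.invalid host are constructed for illustration.

```python
import re
import sqlite3

# Markup that makes a browser fetch or run remote content when a stored
# field is echoed into a page without escaping.
ACTIVE_MARKUP = re.compile(
    r"<\s*(?:script|iframe|object|embed)\b|\bon(?:load|error)\s*=", re.IGNORECASE
)

def text_columns(conn, table):
    """Names of the columns in `table` declared with a text-like type."""
    info = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
    return [name for _, name, ctype, *_ in info
            if any(t in (ctype or "").upper() for t in ("CHAR", "TEXT", "CLOB"))]

def scan_database(conn):
    """Return (table, column, rowid, matched markup) for each suspicious field."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    for table in tables:
        for col in text_columns(conn, table):
            rows = conn.execute(
                f'SELECT rowid, "{col}" FROM "{table}" ORDER BY rowid')
            for rowid, value in rows:
                match = ACTIVE_MARKUP.search("" if value is None else str(value))
                if match:
                    findings.append((table, col, rowid, match.group(0).lower()))
    return findings

def build_sample():
    """Constructed sample data: one clean row and two tampered rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, "
                 "name TEXT, blurb VARCHAR(200), price REAL)")
    conn.executemany(
        "INSERT INTO products (name, blurb, price) VALUES (?, ?, ?)", [
            ("Widget", "A sturdy widget, size < 10 cm", 9.99),
            ("Gadget<script src=//placeholder.invalid/x.js></script>", "Shiny", 19.99),
            ("Gizmo", 'Handy <IFRAME src="//placeholder.invalid/" width=0></iframe>', 4.50),
        ])
    return conn

if __name__ == "__main__":
    for finding in scan_database(build_sample()):
        print(finding)
```

The scan only finds rows that have already been altered; escaping stored fields when they are written into a page is what keeps such markup from running in the browser.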

Crafting Your Attack

When you make your attack in game, you want to make it seem as realistic as possible. In the real world, there are a couple of approaches you can take, but a lot is shared in common between them.

First, we'll assume that your players aren't looking for the general run of viruses just to cause trouble. They will want to write a virus with a very specific goal in mind, such as extracting data or destroying works in progress or altering data in subtle ways. These sorts of bespoke viruses aren't caught by most virus scanners, and if they are written carefully very few are capable of catching them.

The first step is to determine the operating environment, or environments, where your virus will be running. It is entirely possible that your virus will be composed of several parts, each of which will run in a different operating environment. A bit of javascript in a web page might lead off the virus attack, and then something running on their local system would seal the deal.

Learning about the operating environment will lead you to the method you need to deliver your virus. Email and web viruses are good reliable standbys. There are lots of other approaches though that are worth investigating. A free software package called Metasploit will scan a target system or network for known vulnerabilities and report them to you. With a lot of the vulnerabilities you can choose your own particular bit of nastiness to run on the target system. It makes hacking a system trivially easy, if the system administrators have been even a little lax in their attentions. You may need other means to deliver your attack though, if the administrators have been on their game, or precautions have been taken such as keeping the system separate from the rest of the network. This is where you get to put that social engineering from my earlier column to use.

Finally, you need to determine how you are going to accomplish your goals once you are on the system. While there are virus kits out there, chances are really good that you're interested in custom nastiness. This is where that computer programming skill comes into play. Although a lot of viruses are very simplistic in their approach, getting a virus to successfully accomplish its goals on a target system is a very hard task. If it doesn't work you don't generally get reliable debugging information that lets you make corrections and try again. Usually you need to run a lot of tests on systems you control before you get it right, and that generally takes both time and patience. In game terms, you should make this a hard or very hard computer programming task.

Conclusion

I don't usually find viruses that exciting of their own accord. They serve more as plot devices than actual in-story excitement. With the bits that I've given you here though, you can work them into your game in a believable way.

For a cinematic, caper-style adventure suitable for GURPS: Action, you can have the research on the target system be a nice little bit of social engineering by your face man. Delivery of the virus can be done by your infiltrator, dropping down the ventilation shaft on something complex with cables and an uncomfortable harness.

For a less cinematic game, it can give you the corporate secrets you need, or plant a false identity for you. Researching and creating the virus might be the backdrop to the romance that is central to your character (in my fantasy world, the hacker gets the chicks, preferably with a lot of piercings and a love of heavy metal music).

A virus and its aftermath can also make a good starting point for an adventure. Your client has been compromised by a virus that captured important military or industrial designs. The team needs to find out who did it and get the plans back before they're sold to the Chinese.


Copyright © 1996-2013 Skotos Tech, Inc. & individual authors, All Rights Reserved
Compilation copyright © 1996-2013 Skotos Tech, Inc.
RPGnet® is a registered trademark of Skotos Tech, Inc., all rights reserved.