Y!mLite Gets 'Fixed'

by unknownsender on 05/01/2008

Motivation
=================

Anyone who was in Hackers' Lounge:1 during the run-up to Christmas 2007 may remember the following sequence of events.  A user by the name of YahElite_is_worthless appeared and decided he would boot people from chat simply because they were using the YahElite chat client.  I have been a happy user of YahElite for several years and was caught up in this mess through no fault of my own, as were many others.

Upon returning and confronting this user I was greeted with a barrage of abuse that could only be spewed from the mouth of your typical egomaniac, remarks such as "you're all nobodies", "you can't do anything" (perhaps not exact quotes but they encapsulate the nature of the remarks).  I've seen characters like this before; they often harbour serious delusions of grandeur and consider themselves superior to others.

With some inquiries I found out that this person was actually the well-known author of the 3rd party chat client YmLite as well as several booters.  His name is Craig, a name I'd often heard mentioned.  It seems his motivation for these attacks was to attack his competitors in order to encourage people to switch to his "unbootable" client, pretty underhanded tactics even by Microsoft standards.

Conception
=================

As it happened I met with a few people (who, I assume, like myself wish to remain nameless) that felt something should be done about this person, as it is clearly unacceptable to bully people into using your software.  A small gathering took place on IRC and a plan was hatched to decide what might be effective to hurt Craig's interests and end his behaviour.

Objective
=================

The idea eventually evolved into hijacking the automatic update mechanism of YmLite in order to deploy a payload.  This payload, once executed, would remove Craig's client from the system, cause a fuss and offer up YahElite as an ideal alternative.

The reason for this design is simple: it accomplishes the exact opposite of what Craig wants.  The popularity of YmLite and his booters fuel his ego, which drives the aforementioned behaviour.  Undermining faith in YmLite and in Craig is analogous to a firm dagger strike in the heart.


Is it possible?
=================

The idea sounded good in principle, but gauging whether it was indeed practical required some research.  To check for an update YmLite must contact a server to check if a new version exists, and if one does then it must download and execute it.  Running a packet sniffer as YmLite starts, you can see that it requests the following files from the YmLite folder on the main web server.

  • build.txt (contains version info and governs whether an update is required)
  • news.txt (displayed when YmLite loads)
  • YmLite.exe (in the event of an update)

This answers the question of what would need to be changed but does not clarify if it would be possible to make YmLite run any program or what side-effects might occur.

In order to answer these questions I unpacked YmLite.exe (standard UPX) and modified it in OllyDbg so that it would update from my local server, where I had replicated the structure of the real server.  In doing this it was possible to run a series of dummy runs and test what modifications needed to be made to build.txt to cause an update; it was also possible to determine if the payload would work as intended.
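
Seen from the defender's side, the update flow above runs whatever build.txt and YmLite.exe the web server returns. The following is an added example, not code from the original article or from YmLite: a client-side check that refuses an update unless a signed manifest (a hypothetical JSON replacement for build.txt) matches the downloaded binary. The function names, build numbers and the RSA key are constructed for the demo; a real client would pin only the public key and use a vetted signature library.

```python
import hashlib
import json

# Constructed demo key built from two known Mersenne primes: illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public half, pinned inside the client
D = pow(E, -1, (P - 1) * (Q - 1))      # private half, held offline by the publisher
K = (N.bit_length() + 7) // 8          # modulus size in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(msg: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), padded to the modulus size."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def make_manifest(build: int, exe: bytes) -> bytes:
    """Hypothetical replacement for build.txt: build number plus hash of the binary."""
    return json.dumps({"build": build, "sha256": hashlib.sha256(exe).hexdigest()}).encode()


def sign_manifest(manifest: bytes) -> int:
    """Publisher side: sign the manifest with the offline private key."""
    return pow(int.from_bytes(_encode(manifest), "big"), D, N)


def check_update(manifest: bytes, sig: int, exe: bytes, installed_build: int) -> str:
    """Client side: decide whether a downloaded update may be executed."""
    # Rebuild the expected encoding and compare it whole; never parse the padding.
    if not 0 < sig < N or pow(sig, E, N).to_bytes(K, "big") != _encode(manifest):
        return "reject: manifest signature invalid"
    meta = json.loads(manifest)
    if meta["build"] <= installed_build:
        return "reject: not newer than installed build"
    if hashlib.sha256(exe).hexdigest() != meta["sha256"]:
        return "reject: executable does not match signed hash"
    return "accept"


# Constructed sample data standing in for a genuine release.
GOOD_EXE = b"constructed stand-in for a genuine YmLite.exe build"
MANIFEST = make_manifest(121, GOOD_EXE)
SIG = sign_manifest(MANIFEST)

if __name__ == "__main__":
    print(check_update(MANIFEST, SIG, GOOD_EXE, 120))
    print(check_update(MANIFEST, SIG, b"replaced binary", 120))
    print(check_update(make_manifest(999, b"replaced binary"), SIG, b"replaced binary", 120))
```

With this check in place, changing files on the update server is not enough on its own: a replaced binary fails the hash comparison, and a rewritten manifest fails signature verification because the signing key never lives on the web server.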

The Payload
=================

Confident that I could now simulate the real update mechanism accurately I began to develop the payload.

I'd like to take this chance to clarify EXACTLY what the payload did.

  1. Attempted to destroy the following 5 files in the current directory (assumed to be the YmLite dir)

    • ymcambc.exe
    • YmLitecam.exe
    • unins000.exe
    • ymsg.dll
    • YmLite.exe

  2. Created a thread that makes a constant siren noise through the internal speakers.
  3. Using the URLDownloadToFile() and WinExec() APIs, grabbed a copy of the YahElite installer and executed it.  As you can imagine those 2 functions are pretty dangerous and that is the reason why any Antivirus programs with heuristics enabled flagged it as suspicious.
  4. Displayed a MessageBox warning that YmLite was infected, which was true ;)

So for all the so-called techies who were recommending reformats and using system restore, I would just like to say you have the collective deductive capacity of a turnip.

Going Live
=================

I won't go into detail as to how access to the server was gained, as it is not in my best interests to do so, but it was definitely not from firing a script/program found on milw0rm or bugtraq (before the accusation is made).

Everything was tested and ready to go.  The date was December 24th, the perfect chance to return the Christmas spirit I had received just 2 days previous.  The other advantage of this timing is that there was a high probability Craig would be too busy to deal with/notice it and that tech support for the host would be virtually nonexistent.

The changes were made swiftly as I'd rehearsed, and soon an influx of traffic and gossip indicated the success of the project.  During my remaining few hours on the system I took note of how many requests for YmLite.exe were made, and it averaged around 150 an hour (a very quick rate to lose your user base).

Justification?
=================

I know this will have pissed a lot of people off, but the truth is Craig had it coming, and in doing this no real damage was done to anyone's system; it's not like the payload deleted boot.ini and tried to trash the system.

If everyone REALLY wants to use YmLite then they are free to do so, as is anyone who wants to use other clients.  All I ask is that you remember that when you support YmLite you are also supporting the pompous little shit who sells booters and attacks his competitors in an unfair manner.

Finally, for everyone who boots, you need to remember that when you go around antagonizing a lot of people you are taking a risk.  Eventually you will piss someone off to such an extent that they come after you and bully you back in a way you didn't think was possible.  It could be ANYONE in ANY room that comes back and gives you a bad day.  Drop the booting crap, pick up a book and stop pissing away potential.

Hai Craig! lolz

Article jacked from: http://digg.com/design/design_9/