Wednesday, January 4, 2012

Max Ray Vision and the BIND Exploit of 1998

Max Ray Vision, aka "Iceman," pleaded guilty on June 29, 2009 to two counts of wire fraud stemming from the theft of nearly 2 million credit card numbers and $80 million in fraudulent purchases.  He was brought down using traditional law enforcement techniques, namely informants and intercepted communications.  However, in 1998, he successfully installed a backdoor into a number of United States Government computers, using an exploit in the BIND server daemon, the backbone of the internet.  The purpose of this post is to examine the method he used to accomplish this mammoth task, as well as the techniques used to bring him to justice.
                Max Vision began life as Max Butler, a young man obsessed with hidden knowledge and its pursuit.  He was driven, but also somewhat unstable, and during his first year of college was arrested for assaulting his ex-girlfriend.  (Poulsen, 25)  Now with a criminal record and unable to finish college, Max was left with few options.  He took up residence with some friends in San Francisco, and turned to Internet Relay Chat for stimulation.  (Poulsen, 43)  He drifted into the “warez” scene, where he began to pirate popular computer programs of the day, and stored them on an unprotected FTP (File Transfer Protocol) server in Littleton, Colorado owned by an internet service provider.  This would turn out poorly for Max, as once he did find employment (at Compuserve), the ISP in Littleton noticed the drain on its bandwidth, and traced the problem to its source via a simple IP trap, namely the Compuserve computer terminal Max used for his job.  He was quickly fired. (Poulsen, 44)
                Max’s next brush with the law was when he came across an intriguing piece of code:
Bcopy (fname, anbuf, alen = (char *)*cpp – fname);
It was a single line of code within the Berkeley Internet Name Domain, “an implementation of the Domain Name System protocols.” (Internet Systems Consortium, 2011)  It was developed at the University of California at Berkeley in the early 1980s, and is essentially used to give an easily remembered domain name to a web site address.  For example, the real address for might be something as unmarketable as  The BIND system allows you to type instead, and the software knows what “real” address to ask for.  The problem with the BIND system was a simple one; the software was dangerously out of date, and ill prepared for the mammoth explosion of internet users.  It needed to be updated. 
                A group of network experts calling themselves the Internet Software Consortium stepped up and decided they should overhaul the old code to bring it in line with the modern systems that were using it.  In 1998, they discovered the flaw illustrated above, a single line of code that could be catastrophic if used incorrectly.  The code accepted an inquiry from the internet, and copied it byte for byte into the temporary buffer “anbuff” in the server’s memory.  The problem was that it didn’t check the size of the incoming data.  What that means is that a hacker could transmit a deliberately overlong query to a BIND server, overflow the buffer, and spill data into the rest of the computer’s memory.  (Poulsen 59)  If a hacker used this attack correctly, he could include a piece of executable code in his overflow data, and bring that executable code to life within the server’s short-term storage area, or “stack.” 
                The stack is what’s called a restricted data structure, and is where the computer’s processor keeps track of its operations.  It acts like a running list of processes carried out by a computer, so the computer knows what it has just done and can return to it when necessary. (Poulsen 60)  Using the BIND exploit, a hacker can overwrite the last action the computer was told to take, and tell the computer to repeat its past action, essentially giving the program license to do whatever function you have designed.  The computer doesn’t act as if there has been an intrusion, since it is not, as far as the computer knows, performing a new action, it is repeating an old action.  This, coupled with the fact that the BIND system runs on an admin or “root” account, means that any hacker using this exploit could take control of virtually any system he wanted.
                The exploit was broadcast by the government-funded Computer Emergency Response Team at Carnegie Mellon University, along with a link to the fix.  Unfortunately, this alarming news was presented alongside some very pedestrian bugs, and the group’s language understated the problem immensely.  Because of this, few IT professionals understood the true depth of the situation. (Poulsen 62)
                Max understood instantly the seriousness of the situation, and knew that it was only a matter of time before someone used this exploit to their own ends.  At this time, Max was working for the FBI as a general information gathering sort of informant, and was loosely plugged into hacker networks.  A hacker group called ADM released a weaponized version of the BIND exploit designed to scan the internet at random, looking for servers that had not implemented CERT’s security fix. (Poulsen 64)  Even more seriously, the ADM code would scan, infect, and then command the infected computer to scan as well, creating a virtual army of machines.  Max, tired of simply gathering information, decided that if someone was going to attack, that it might as well be him, since he felt he was acting in the government’s best interests.  Never mind that his FBI handlers had authorized no such thing, Max began his own BIND attack. (Poulsen 64)
                Max was able to justify this attack to himself by updating all the systems he cracked, thus closing the security hole behind it.  However, he left himself a backdoor into all the systems he touched, meaning formerly secure systems were anything but.  His code worked in three stages, he would gain entry though the BIND hole, and would command the computer to download a 230 byte piece of code.  Once the computer had Max’s code in its stack, it would run the script, which called for the computer to download a “rootkit.” (Poulsen 63)
                Wikipedia defines a rootkit as such: “A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.”  In Max’s specific case, his rootkit added a new login program that secretly recorded a user’s password, and stored them in a place Max could access any time he wanted.  It also affected the system’s file directory, as it would carefully omit any files created by the rootkit, as well as obscure any traces that regularly used files had been altered.  (Poulsen 64)
                Max’s rootkit would do what the government had failed to do, namely upgrade the government’s security by patching the BIND hole, making the government systems secure against any other hackers besides Max.  The FBI had failed to respond to Max quickly enough, and he felt that his code would speak for him better than any written report could.  (Poulsen 65)
                On May 21, 1998, Max connected to the internet through a stolen Verio internet account, and launched his attack.  He arranged for the Verio account to contact his home machine when he had a successful infiltration, and he sat comfortably as machines all around the country contacted him.  He hacked such systems as Brooks Air Force Base, Army computers, even a machine in the office of a cabinet secretary.  He had such luck hacking the Navy that the constant stream of “successful infiltration” messages crashed his system.  (Poulsen 66)  Of course his claim that all he wanted to do was help the government was damaged a bit when he used the BIND exploit to hack Id Software and steal a copy of Quake III.
                Meanwhile, at Lawrence Berkeley National Laboratory, a researcher named Vern Paxson noticed Max’s hack.  Paxson had developed a new system called BRO, short for Big Brother.  BRO was designed as one of the world’s first “intrusion detection systems,” which meant it would sit on a network and scan for unusual activity, and trigger an alarm when appropriate.  BRO turned up evidence that campus routers were being probed in an unusual way and Paxson stepped up tracing of related traffic.  "The attacker left some interesting footprints and a lot of pointers to where he was coming from," Paxson recalls. Because of the strangeness of the attack, Paxson reported it to the Computer Emergency Response Team and to the Department of Energy's Computer Incident Advisory Capability.  (Bashor, 2000)
                Of course, having access to hundreds of systems by now, Max intercepted Paxson’s report to CERT and wrote the researcher a slightly rambling and self-justifying e-mail, saying that he felt he had been working in the best interests of the country.  (Poulsen 68)  After CERT was notified, Max called off his attack, feeling he had made the internet a safer place. 
                The data gathered by BRO was turned over to federal investigators, who told Paxson the information was helpful in building their case. "BRO enabled a very thorough tracing and produced much more information about the attacks than would have been otherwise available," Paxson said. "Usually these guys are very hard to catch." (Bashor, 2000)
                BRO is a layered system that looks for certain kinds of network traffic.  The first layer is a general packet filter, which decides which data packets should be analyzed. The second layer is an "event engine," which takes the first-level packets and pieces them together into "events," such as the beginning or end of a connection; or, for some applications such as FTP, high-level events such as identifying user names. Above that is the policy layer, which interprets scripts, written in a specialized language, which defines how to react to different events. Should the policy layer detect information amounting to an attempted security breach, the system notifies computer security people in real time. (Bashor, 2000)
                Within the month, Max’s FBI handler and an investigator from the Air Force were knocking on Max’s door, having unraveled the caper.  Max’s biggest flaw was in his message system that alerted him to a successful infiltration.  The infected computer would notify Max’s stolen account at Verio, which would in turn contact Max’s home machine.  All it took was a subpoena to Verio for the phone number the system there was programmed to call, and they had the author of the BIND attack.  (Poulsen 72)
                Initially, Max faced little repercussion for his attack, the government wanted to continue to use Max’s skills and connections in the hacker community.  However, Max failed to get anything in writing from the FBI, and would later face serious legal problems because of it. 
                Max’s story is one you often see in fiction, that of the hacker who can hack government systems and make them his playthings.  The reality of course had little in common with the fictional portrayal of such people.  He made no money, used his army of government machines for the smallest of personal gain, and was caught practically immediately.  Although Max would later go on to be a full-fledged criminal, at this time he was still a curious young man who wanted to see if it was possible, and his curiosity got the better of him.

Works Cited

Bashor, J. (2000, March 29). Software that Detects Hackers Help Catch Big League Intruder. Retrieved 10 14, 2011, from Science Beat Newspaper, Berkeley Lab:
Internet Systems Consortium. (2011). What is BIND and what does it do? Retrieved 10 10, 2011, from Internet System Consortium:
Poulsen, K. (2011). Kingpin: How One Hacker Took Over the Billion Dollar Cybercrime Underground. New York: Crown Publishing.

No comments:

Post a Comment