Viruses with eggs: What surprises do malware hide?

Programmers also get bored sometimes. If you work for a serious software company, you can have a little fun by hiding an Easter egg somewhere in the depths of the program you are developing, in such a way that it will not be accidentally discovered during a code review. Apparently, this is how the famous "walker" called The Hall of Tortured Souls in Microsoft Excel 95, the "flyer" in Excel 97, and the joke triggered by the query "Do a barrel roll" in the Google search engine came into being. It turns out that virus writers are not averse to such entertainment either: many malicious programs with hidden "Easter eggs" are known. Here are the most famous of them.

Ever since the legendary Elk Cloner, which displayed a funny poem on the screen every fiftieth boot, malware creators have repeatedly “delighted” malware researchers with all sorts of surprises.

In June 2010, the world media reported the appearance of the Stuxnet worm, which information security experts immediately dubbed a "cyber weapon." And for good reason: Stuxnet is believed to have been created specifically to attack industrial infrastructure facilities and the computer systems that control equipment. The worm was capable of intercepting data transmitted between Simatic S7 programmable logic controllers (PLC) and Siemens SCADA systems, the very devices used at enterprises working on Iran's nuclear project. Technically, Stuxnet is considered one of the most complex malicious programs known to date: it used four zero-day vulnerabilities in Microsoft Windows and was capable of more than just spying. The worm sent incorrect commands to uranium enrichment centrifuges, causing them to operate in an unstable mode. As a result, the equipment degraded without any immediate, obvious failure, while its overall efficiency and reliability declined. Moreover, the entire process took place covertly.

Researchers who studied the Stuxnet code found a kind of "Easter egg" in it. Namely, in the disassembled code, they came across the word "Myrtus", which is a reference to the Old Testament Book of Esther. It tells the story of the Jews uncovering a Persian conspiracy whose purpose was to destroy the entire Jewish people. This discovery, along with other indirect signs, strengthened analysts' belief that Israeli intelligence services were involved in the creation of Stuxnet, seeking to slow down Iran's nuclear program. If this hypothesis is correct, then Stuxnet became the first known example of the use of cyber weapons at the state level to achieve political goals. But it was far from the first malicious program in whose depths all sorts of "greetings" from the developers were found.

Take, for example, the world-famous mail worm ILOVEYOU, which made a lot of noise in 2000 and caused a real computer epidemic. This malware, also known as the Love Bug or Love Letter, spread across the entire planet in a matter of days, infecting millions of computers and causing damage later estimated at billions of dollars.



Users received an email with the enticing subject line "I LOVE YOU" from a familiar sender. Inside the email was an attached file named "LOVE-LETTER-FOR-YOU.TXT.vbs". Most of the less sophisticated victims believed that this was a text file containing a love letter and readily opened it, infecting their own system. The Visual Basic script that ran at that moment copied itself to system folders, ensuring its automatic execution every time the computer was started, and then began mass-mailing copies of itself to all contacts in the email client's address book. In addition, the worm corrupted files on the infected computer, so that users lost access to their images, music and documents.

In the malicious VBS code, virus analysts found the comment "I HATE GO TO SCHOOL" and the email address left by the worm's author, 24-year-old Filipino student Onel de Guzman. Later, thanks to these lines, investigators were able to prove that de Guzman was the creator of the notorious malware, but at that time there were no laws in the Philippines prohibiting the development and distribution of malicious software, so the virus writer escaped punishment.



One of the close relatives of ILOVEYOU is considered to be the Melissa macro virus, which was also distributed via e-mail and released into the wild on March 26, 1999 by American David Smith. The creator named his program after a stripper he knew, and added his own nickname to the source code - Kwyjibo, borrowed from one of the episodes of the animated series The Simpsons. In fact, it was by this very nickname that Smith was identified by FBI agents, who handed the virus writer over to justice. And it was the FBI that prescribed Smith a healing pill in the form of 20 months in prison and a fine of 5,000 US dollars. Since then, the habit of signing malicious programs in the same way that Renaissance artists signed their masterpieces has gradually faded away. However, virus writers still have the habit of leaving interesting comments in the code.

For example, the creator of the Sasser network worm, which infected more than 250,000 computers around the world in the spring of 2004, delighted researchers with the code comment "I love my girlfriend," which led them to a number of guesses about the age of the virus writer. The worm used a vulnerability in the Local Security Authority Subsystem Service (LSASS) of Microsoft Windows operating systems and spread across the network without human intervention. The malware was written in C and infected computers by scanning random IP addresses in search of vulnerable systems. Having found a target, Sasser tried to infect the computer by copying the executable file from its own FTP server running on previously infected machines, thus continuing to spread to other network nodes.

As virus analysts correctly guessed, the author of Sasser was a 17-year-old German schoolboy Sven Jaschan, who acted, as they say, "out of hooligan motives." Microsoft Corporation announced a reward of 250 thousand dollars for the capture of the virus writer, and Jaschan was turned in by classmates who did not have enough change for Coke and gum. It is not known whether the same "girlfriend" whom Sven immortalized in the source code of Sasser appreciated his feat, but the harsh German court sentenced him to 1 year and 9 months of suspended imprisonment with a probationary period of 3 years.

But in the code of the executable file of the computer worm Lovesan, also known as Blaster, researchers found a whole message to the then head of Microsoft Corporation, Bill Gates: "billy gates why do you make this possible? Stop making money and fix your software!"



The Lovesan worm was first discovered on August 11, 2003. It exploited a vulnerability in the Microsoft Distributed Component Object Model (DCOM) remote procedure call (RPC) service that allowed arbitrary code to be executed on the affected system. Once Lovesan had infected a computer, it would scan the network for systems vulnerable to the RPC DCOM exploit and attempt to infect them. On a successful infection, Lovesan would create a copy of itself on the compromised system and continue to spread uncontrollably. It would then start a countdown timer, after which it would force the infected computer to reboot repeatedly, rendering the system unusable. The worm was also programmed to launch a DDoS attack on port 80 of windowsupdate.com, in order to make it more difficult for users to obtain the security updates that could protect them from the malware.

In addition to the message to Gates, the worm also contained another Easter egg: the line "I just want to say LOVE YOU SAN!!", which is how the malware got its name "Lovesan." The message to the head of Microsoft did, in a sense, have an effect: after the spread of Lovesan, the corporation faced criticism for the weak security of its operating systems, and responded by launching the Trustworthy Computing initiative, aimed at prioritizing security in software development.

Well, one of the absolute leaders in the number of "hidden messages" in executable code is rightfully considered by virus analysts to be the TDSS rootkit family (also known under the common name TDL). TDSS rootkits first appeared around 2008 and have been continuously evolving since then, giving rise to several generations. Early versions, such as TDL-1 and TDL-2, were relatively simple, although even then they were able to hide their presence in the system and used various mechanisms to avoid detection. TDL-3 evolved into a more complex malware program capable of infecting the master boot record (MBR) and surviving a system reboot. TDL-4, the most famous variant, learned to infect 64-bit versions of Windows. It encrypted connections to its control servers, was able to disable antivirus programs, and used a peer-to-peer (P2P) network to distribute updates and commands, which made it extremely resilient to takedown.

TDSS executables use a packer in which obfuscation is achieved by adding entire excerpts from Shakespeare's Hamlet to the code. In addition, when launched under a debugger, the rootkit sends the debugger a large number of quotes from The Simpsons and Fight Club, more than a dozen in total. For example, when the executable file is launched and initialized, the event handler returns the string "This is your life, and it's ending one minute at a time" or the lyrics of a song from the "Spider-Pig" episode of The Simpsons: "How did the pig tracks get on the ceiling? Spider-Pig, Spider-Pig...". And in the comments to the malicious code, you can find quotes from the films Fear and Loathing in Las Vegas and Twelve Monkeys.



Malware is often thought of as the work of evil geniuses bent on profit and destruction, but the presence of Easter eggs like these reveals a more human side of malware writers. These hidden elements in the code serve as a reminder that even the most malicious software is made by people with a sense of humor and, sometimes, a certain pride in their craft. While the damage caused by malware should not be underestimated, Easter eggs like these provide insight into the thinking of its creators and, in some cases, can even be used to identify them, acting as a form of evidence.
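The attribution point above is exactly what string extraction in malware triage is for. The following Python script is an added example (not code from the article or from any of the malware it describes): it pulls printable ASCII and UTF-16LE strings out of a binary blob, the way `strings` does, and flags any that contain the marker strings quoted in the article; the sample bytes and the marker-to-family table are constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Marker strings quoted in the article, mapped to the family they belong to.
# Constructed table for illustration; a real analyst would maintain their own.
KNOWN_MARKERS = {
    "billy gates why do you make this possible": "Lovesan/Blaster",
    "I just want to say LOVE YOU SAN!!": "Lovesan/Blaster",
    "I HATE GO TO SCHOOL": "ILOVEYOU",
    "Kwyjibo": "Melissa",
    "I love my girlfriend": "Sasser",
}

# Constructed sample: a fake header, non-printable padding, one marker stored
# as plain ASCII and one as UTF-16LE (the encoding Windows binaries often use).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"billy gates why do you make this possible? "
    + b"Stop making money and fix your software!\x00"
    + b"\x00\x01\x02\xff\xfe\xfd" * 4
    + "I just want to say LOVE YOU SAN!!".encode("utf-16-le")
    + b"\x00\x00\x13\x37"
)

@dataclass
class Hit:
    offset: int       # byte offset of the extracted string in the sample
    encoding: str     # "ascii" or "utf-16le"
    text: str         # the full extracted string
    attribution: str  # family the matching marker is associated with

def extract_strings(data: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for every printable run of min_len+ chars."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def find_markers(data: bytes, markers=KNOWN_MARKERS):
    """Return a Hit for every extracted string containing a known marker."""
    hits = []
    for offset, enc, text in extract_strings(data):
        for marker, family in markers.items():
            if marker in text:
                hits.append(Hit(offset, enc, text, family))
    return hits

if __name__ == "__main__":
    for h in find_markers(SAMPLE):
        print(f"0x{h.offset:06x} {h.encoding:8} {h.attribution}: {h.text!r}")
```

A marker hit is a lead, not proof: strings are trivially copied between samples, so the offset and surrounding context should be checked against the rest of the analysis before drawing an attribution conclusion.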

The comments, visible only to the people analyzing the code, can be seen as a form of communication between the malware writers and the analysts examining their work. Either way, these hidden elements add a certain intrigue to the study of malware's internal architecture, reminding us that even in the most unexpected places — within the lines of malicious code — there can be flashes of creativity and personal expression.
