Note: I’m perfectly aware that what I wrote was not actually a virus. Virus definitions define it various ways ranging from a trojan to “potentially unwanted software”. In the purest sense it wasn’t a virus, trojan, worm, or any other derivative–which is fine by me. It wasn’t my intention to write a virus in the first place.
Every so often a few of my close friends love to casually mention that I “wrote a virus”. This is usually in front of a cute girl or a large group of people who I don’t know very well.
This invariably leaves me in the position of either a) letting the remarks stand unmodified, or b) qualifying the story with the facts. I usually choose b. A story like this might not be the key to a lady’s heart (or anyone else’s for that matter), but I guess I get points for being unique.
It’s been a long time since these things happened so a lot of the details are hazy. I don’t think about it often and when I do think about it, it seems like it happened in another lifetime. Because of all of this, I’m going to write all of the details down to assist my memory, and possibly entertain you with the antics of a 19 year old with too much time and too little social life.
Almost five years ago (gosh, has it really been that long?) I had few responsibilities and more free time. That’s the nice way of saying I spent a lot of my time in my room, on my computer. Much of this free time was spent on self invented projects, useful and useless. A few of the things I worked on around this time include:
- Extenshun – A program to interface with bulletin boards and allow people to track their posts.
- I hosted a website called DebateGrounds.com which encouraged people to discuss politics, religion, and science. It had a decent community with some good discussions.
- I helped write a couple of chapters in a published technology book.
- I hosted a collaborative blog called blogzine back before blogs were mainstream (I have since lost the domain–don’t ever let a domain lapse, ever)
- I designed websites for local businesses and musicians.
- I was the main system administrator for a small, now failed, venture capitalist company.
I was a bit of a loser, but I don’t significantly regret it because these years have significantly contributed to my success in college and my career.
During this time, I became “friends” with someone I only knew as Justin. We both frequented the FlashKit forums and had a common interest in being obnoxious. Justin lived in Chicago. He had a girlfriend named Megan. He also liked to stir up trouble and seemed to always be online.
Justin’s permanence online helped me with a lot of projects, in truth. His technical prowess was much greater than my own. If I had an idea, he could often help me implement it in about 10% of the time. He was a huge fan of all things open source and snobbishly preferred BSD flavors of *nix over anything Linux.
The idea for the virus started very primitive. We decided we wanted to put something on file share networks (Gnutella at the time) that would chastise people for pirating software. I viewed it as a social experiment. The pay off for us was simple: after it chastised them, it would tell us how long they had read the message. Simple application, simple goal.
I wrote the first version myself in .NET. We codenamed it “Walk The Plank”. (You know, pirates…the whole gig.) It took me around 30 minutes and we quickly put it on Gnutella with some fake names. Such as:
- Microsoft Office 2000 Crack.exe
- Britney Spears – Hit Me One More Time.mp3.exe
- Etc, etc, etc. (We had about 500 names we released it under)
We got a few downloads but very few logged executions. We determined this was due to .NET being a new technology (version 1.1 at the time) and almost no one having the framework installed. (In other words, no one could open our program without downloading a 20 MB file from Microsoft.)
We realized that to make this really work, we were going to have to write in C or C++ and do it right. I started working on a version in C. (Did I mention I hate writing in C?) I got the basic functionality working, but we realized at this point, we wanted more.
You see, there is this time in the life of software that usually coincides with the completion of its first version. You suddenly have a thousand ideas for additional features. Often times you have to completely rewrite your application to be satisfied. This second version of WTP (Walk the Plank) was functional, but we thought of a number of ways to make it more ingenious.
- We wanted to specifically track the progress of the application across the Internet. (The various connected interwebs, if you will)
- We wanted to know exactly what they had been trying to download. (i.e., Britney Spears or a software crack)
- We wanted the data we collected to be publicly accessible.
- Lest someone hijack our work and we get blamed for it, we wanted it to delete itself if it was modified.
I should pause to mention: We had no intention of becoming famous at this time. None whatsoever. This was a little experiment for our own satisfaction. The fact that people trying to participate in illegal activities were the brunt of this joke made it all the better.
Accomplishing those goals required a lot of technical back flips that, had I been working by myself, I would have never finished. The program was designed like this:
Embedded in the software was an ID number. When a user would execute the program and click the button, a number of things would happen:
- It would contact our website and report the amount of time the message was viewed and what their ID number was.
- Our server would report back a new, unique ID number.
- We wrote out a separate executable to the temporary directory and executed it. This executable would modify the original program and replace the old ID number with the new one.
- If the program size was different than expected, it would delete the original executable.
Relatively simple on the surface, difficult in its implementation. (It’s hard to write a binary that contains another binary that will delete your original binary if the size is wrong because you have no good idea of what the final size will be until you’re done. The size of the original binary changes every time you update the embedded binary to reflect the size of the container…it’s a merry-go-round.) We called this new version Operation Dust Bunny (or ODB, as it became known).
This final version of Operation Dust Bunny is nearly identical in appearance to the first version.
We released Operation Dust Bunny onto several networks, the primary one being Gnutella (you may remember it as Grokster, Kazaa, etc…). Same 500 names. I enlisted a friend to help distribute for a total of 3 people sharing 500 small files.
The number of downloads grew exponentially. Not only were people stupid enough to download it, they were also stupid enough not to delete it. We set up a website that showed how many hours of pirates’ time we had wasted, and a comprehensive list of all executions. You could click on someone’s ID and find out who they had gotten it from, all the way back to the first download. We also listed their complete IP address and country of origin. We made an unfortunate decision to host this site on my own computer on my cable connection. It was nearly permanently inaccessible after the story broke and I don’t have a copy of it today. (Not even archive.org has it.)
After about 12,000 individual users were logged as executing the program with over 85 hours of execution time, we realized it was much bigger than originally anticipated. We decided to add to this feat by trying to get noticed.
We first published information about it on our blog (blogzine) and posted it on a few bulletin boards. (See below for the original article as we posted it.) One of the bulletin boards we posted at was DSLReports.com. They soon picked up the story officially. All of this attracted the attention of Kevin Poulsen at SecurityFocus. He called my cellphone number while I was running the cash register at my parents’ service station. I was totally unprepared. I managed to stay conscious during his impromptu phone interview. A few hours later he published the story with the title “Anti-piracy vigilantes track file sharers.” Their story alone resulted in a myriad of attention that I was neither ready for nor sure I wanted.
Having been published, we submitted the story to Slashdot, the biggest, most viewed technology news site. They picked up the story and that’s when the “fit” really hit the “shan”.
At this time, I had only my common sense to tell me I wasn’t going to get in trouble. I knew that the program was not a true trojan as SecurityFocus had suggested. I knew that it had caused no damage, physically or monetarily. My attitude became somewhat fatalistic. “Why stop now?” I thought.
The night after Slashdot picked up the story, we sent some instant messages on AIM to a technologically oriented talk show host, David Lawrence, who hosted a program in California, Online Tonight With David Lawrence. I had some friends help me send him some messages pretending to be interested listeners.
I can’t really describe how cool it was to hear the first words of a syndicated radio program ring something like this “Alright, alright we will be talking about this DustBunny virus…” But this ended up being the least exciting part of the evening. Within a few minutes of the show going on the air, I was emailed by the program director asking if I would agree to be on the air.
This put me in a difficult position. I had already achieved much more fame at this point than I really wanted. I was enjoying it, but I was also crapping my pants. The thought of being on the radio had never crossed my mind. Even more complicated, I hadn’t told my parents about any of this. The only thing I knew for sure is that there was no way in heck I could say no. So I said yes.
He had me on the show for about an hour. I sounded like a clichéd 19-year-old nerd who found himself suddenly in the limelight would: not that good. I will update this post soon with the audio of this program. (if my ego can handle it!) UPDATE: You can listen here.
The fallout of all of this was minor. People soon forgot about the story. I was never approached by lawyers or more than verbally maligned. The coolest things that resulted were the following:
- 9 different antivirus companies included Dust Bunny in their definitions under various aliases. Trojan.Win32.DusBunn being the most common. McAfee was most correct in their analysis, calling it “potentially unwanted”.
- Someone filled up my voicemail with dead air.
- I got a threat letter with a–I kid you not–pirate sticker. “It’s your choice, Clifton. You can be with us or against us. You decide…”
- A lot of news organizations picked up the story. Tons of technology sites linked to it. Even more bulletin boards.
It was overall a positive experience. My parents eventually found out, and while they were concerned that I had acted so foolishly, they mostly found the story to be entertaining and enjoyed passing the links to news sites around to friends.
I’m not sure if I have the source code for any of this, but if I do, I will post it online as an open source project. I probably do not have the source code for the embedded binary or the online backend.
Thanks for reading. I hope it was somewhat entertaining.
Original article, complete with hyperbole: