The Virus Story: Operation Dust Bunny

Note: I’m perfectly aware that what I wrote was not actually a virus. Virus definitions define it various ways ranging from a trojan to “potentially unwanted software”. In the purest sense it wasn’t a virus, trojan, worm, or any other derivative–which is fine by me. It wasn’t my intention to write a virus in the first place.

Every so often and a few of my close friends love to casually mention that I “wrote a virus”. This is usually in front of a cute girl or a large group of people who I don’t know very well.

This invariably leaves me in the position of either a) letting the remarks stand unmodified, or b) qualifying the story with the facts. I usually choose b. A story like this might not be the key to a lady’s heart (or anyone else’s, for that matter), but I guess I get points for being unique.

It’s been a long time since these things happened so a lot of the details are hazy. I don’t think about it often and when I do think about it, it seems like it happened in another lifetime. Because of all of this, I’m going to write all of the details down to assist my memory, and possibly entertain you with the antics of a 19 year old with too much time and too little social life.

The Background
Almost five years ago (gosh, has it really been that long?) I had few responsibilities and more free time. That’s the nice way of saying I spent a lot of my time in my room, on my computer. Much of this free time was spent on self-invented projects, useful and useless. A few of the things I worked on around this time include:

  • Extenshun – A program to interface with bulletin boards and allow people to track their posts.
  • I hosted a website called DebateGrounds.com which encouraged people to discuss politics, religion, and science. It had a decent community with some good discussions.
  • I helped write a couple of chapters in a published technology book.
  • I hosted a collaborative blog called blogzine back before blogs were mainstream (I have since lost the domain–don’t ever let a domain lapse, ever)
  • I designed websites for local businesses and musicians.
  • I was the main system administrator for a small, now failed, venture capitalist company.
  • Etc.

I was a bit of a loser, but I don’t significantly regret it because these years have significantly contributed to my success in college and my career.

During this time, I became “friends” with someone I only knew as Justin. We both frequented the FlashKit forums and had a common interest in being obnoxious. Justin lived in Chicago. He had a girlfriend named Megan. He also liked to stir up trouble and seemed to always be online.

Justin’s permanence online helped me with a lot of projects, in truth. His technical prowess was much greater than my own. If I had an idea, he could often help me implement it in about 10% of the time. He was a huge fan of all things open source and snobbishly preferred BSD flavors of *nix over anything Linux.

The idea for the virus started out very primitive. We decided we wanted to put something on file share networks (Gnutella at the time) that would chastise people for pirating software. I viewed it as a social experiment. The payoff for us was simple: after it chastised them, it would tell us how long they had read the message. Simple application, simple goal.

I wrote the first version myself in .NET. We codenamed it “Walk The Plank”. (You know, pirates…the whole gig.) It took me around 30 minutes and we quickly put it on Gnutella with some fake names. Such as:

  • Microsoft Office 2000 Crack.exe
  • Britney Spears – Hit Me One More Time.mp3.exe
  • Etc, etc, etc. (We had about 500 names we released it under)

We got a few downloads but very few logged executions. We determined this was due to .NET being a new technology (version 1.1 at the time) and almost no one having the framework installed. (In other words, no one could open our program without downloading a 20 MB file from Microsoft.)

We realized that to make this really work, we were going to have to write in C or C++ and do it right. I started working on a version in C. (Did I mention I hate writing in C?) I got the basic functionality working, but we realized at this point, we wanted more.

You see, there is this time in the life of software that usually coincides with the completion of its first version. You suddenly have a thousand ideas for additional features. Oftentimes you have to completely rewrite your application to be satisfied. This second version of WTP (Walk the Plank) was functional, but we thought of a number of ways to make it more ingenious.

  1. We wanted to specifically track the progress of the application across the Internet. (The various connected interwebs, if you will)
  2. We wanted to know exactly what they had been trying to download. (i.e., Britney Spears or a software crack)
  3. We wanted the data we collected to be publicly accessible.
  4. Lest someone hijack our work and we get blamed for it, we wanted it to delete itself if it was modified.

I should pause to mention: We had no intention of becoming famous at this time. None whatsoever. This was a little experiment for our own satisfaction. The fact that people trying to participate in illegal activities were the brunt of this joke made it all the better.

Accomplishing those goals required a lot of technical back flips that, had I been working by myself, I would have never finished. The program was designed like this:

Embedded in the software was an ID number. When a user would execute the program and click the button, a number of things would happen:

  1. It would contact our website and report the amount of time the message was viewed and what their ID number was.
  2. Our server would report back a new, unique ID number.
  3. We wrote out a separate executable to the temporary directory and executed it. This executable would modify the original program and replace the old ID number with the new one.
  4. If the program size was different than expected, it would delete the original executable.

Relatively simple on the surface, difficult in its implementation. (It’s hard to write a binary that contains another binary that will delete your original binary if the size is wrong, because you have no good idea of what the final size will be until you’re done. The size of the original binary changes every time you update the embedded binary to reflect the size of the container…it’s a merry-go-round.) We called this new version Operation Dust Bunny, or (ODB) as it became known:


This final version of Operation Dust Bunny is nearly identical in appearance to the first version.

We released Operation Dust Bunny onto several networks, the primary one being Gnutella (you may remember it as Grokster, Kazaa, etc…). Same 500 names. I enlisted a friend to help distribute for a total of 3 people sharing 500 small files.

The number of downloads grew exponentially. Not only were people stupid enough to download it, they were also stupid enough not to delete it. We set up a website that showed how many hours of pirates’ time we had wasted, and a comprehensive list of all executions. You could click on someone’s ID and find out who they had gotten it from, all the way back to the first download. We also listed their complete IP address and country of origin. We made an unfortunate decision to host this site on my own computer on my cable connection. It was nearly permanently inaccessible after the story broke and I don’t have a copy of it today. (Not even archive.org has it. :( )

After about 12,000 individual users were logged as executing the program with over 85 hours of execution time, we realized it was much bigger than originally anticipated. We decided to add to this feat by trying to get noticed.

We first published information about it on our blog (blogzine) and posted it on a few bulletin boards. (See below for the original article as we posted it.) One of the bulletin boards we posted at was DSLReports.com. They soon picked up the story officially. All of this attracted the attention of Kevin Poulsen at SecurityFocus. He called my cellphone number while I was running the cash register at my parents’ service station. I was totally unprepared. I managed to stay conscious during his impromptu phone interview. A few hours later he published the story with the title “Anti-piracy vigilantes track file sharers.” Their story alone resulted in a myriad of attention that I was neither ready for nor sure I wanted.

Having been published, we submitted the story to Slashdot, the biggest most viewed technology news site. They picked up the story and that’s when the “fit” really hit the “shan”.

At this time, I had only my common sense to tell me I wasn’t going to get in trouble. I knew that the program was not a true trojan as SecurityFocus had suggested. I knew that it had caused no damage, physically or monetarily. My attitude became somewhat fatalistic. “Why stop now?” I thought.

The night after Slashdot picked up the story, we sent some instant messages on AIM to a technologically oriented talk show host, David Lawrence, who hosted a program in California, Online Tonight With David Lawrence. I had some friends help me send him some messages pretending to be interested listeners.

I can’t really describe how cool it was to hear the first words of a syndicated radio program ring something like this “Alright, alright we will be talking about this DustBunny virus…” But this ended up being the least exciting part of the evening. Within a few minutes of the show going on the air, I was emailed by the program director asking if I would agree to be on the air.

This put me in a difficult position. I had already achieved much more fame at this point than I really wanted. I was enjoying it, but I was also crapping my pants. The thought of being on the radio had never crossed my mind. Even more complicated, I hadn’t told my parents about any of this. The only thing I knew for sure is that there was no way in heck I could say no. So I said yes.

He had me on the show for about an hour. I sounded like a clichéd 19-year-old nerd who found himself suddenly in the limelight would: not that good. I will update this post soon with the audio of this program. (if my ego can handle it!) UPDATE: You can listen here.

The fallout of all of this was minor. People soon forgot about the story. I was never approached by lawyers or more than verbally maligned. The coolest things that resulted were the following:

  • 9 different antivirus companies included Dust Bunny in their definitions under various aliases. Trojan.Win32.DusBunn being the most common. McAfee was most correct in their analysis, calling it “potentially unwanted”.
  • Someone filled up my voicemail with dead air.
  • I got a threat letter with a–I kid you not–pirate sticker. “It’s your choice, Clifton. You can be with us or against us. You decide…”
  • A lot of news organizations picked up the story. Tons of technology sites linked to it. Even more bulletin boards.

It was overall a positive experience. My parents eventually found out, and while they were concerned that I had acted so foolishly, they mostly found the story to be entertaining and enjoyed passing the links to news sites around to friends.

I’m not sure if I have the source code for any of this, but if I do, I will post it online as an open source project. I probably do not have the source code for the embedded binary or the online backend.

Thanks for reading. I hope it was somewhat entertaining.

Original article, complete with hyperbole:

Behold: Walk the Plank and Operation Dust Bunny

Note: Due to responses by certain detractors, we’ve updated our legal section (again) to further clarify our stance.

Apparently, this is becoming more and more newsworthy. Security Focus called today and interviewed me. Here is the resulting article: http://securityfocus.com/news/8279

At the start of this year, we (Justin and Clif, Clif and Justin) decided to start a new project. We declared war on illegal file sharing and pirates. The goal was to waste their time and bandwidth while tracking them and how the file moves around.

Results Pages for the Impatient: Walk the Plank Status Page | Dust Bunny Status Page (I no longer have this information, sadly)

Walk the Plank, You Pirates!

The first version of this was more-or-less a test to see if it would work. We created a program in C# that would pop-up a message scolding the user. When the program closes, it would “phone home” to our servers, giving us the filename, how long the program ran (run time), and their IP address. We entered the information we collected into a database.

We copied the binary then renamed it to a bunch of warez-like filenames that we found via Jigle.com and searching different P2P networks. We put it up on the Gnutella file sharing network and waited. Within minutes, we had downloads. However, we didn’t have entries in the database. The next day we came to the conclusion that people didn’t have .NET installed and thus couldn’t run the C# binary.

So we rewrote it in C++. Once finished, we replaced all of the C# binaries with the C++ binary. Again within moments, we had downloads, and this time we had entries in the database. Goes to show the penetration of .NET.

After about two weeks, we noticed something: The file was spreading without our help. We stopped sharing after we realized this and the file kept propagating, and propagating, and propagating. In no time flat, we wasted over 16 hours of pirate time.

The Next Step: Operation Dust Bunny

The original idea we had went beyond simply logging filename and run time. We wanted to track who got what file from whom. So a month after WTP, we wrote Dust Bunny. It was a two-binary system that would read the Pirate ID (PID) encoded in itself, send it to a server, then grab a unique PID returned from the server, and rewrite the ID that is encoded in the binary. Using this information, we could see who got what binary from whom.

Written with one person using Visual Studio 2003, another using Dev-C++; one binary in C++, the other in C; and only one person knowing how to code in either language. It was a challenge since the “rabbit” (the GUI program) had to include the “eye” (the program that contacted the server and rewrote the rabbit) for execution. Plus the eye needed an offset that could only be gathered once the rabbit was compiled with eye included. Thanks to TightVNC and a lot of trading of information, we got through it.

Just to be safe, we added a “kill switch” to the eye. If the server returned a special ID number, the eye would delete the rabbit. This way, in case it got out of control as WTP did, we could stop it. Also, if someone renamed it to a filename we didn’t like, we could add that filename to the “evil filename list” on the server.

After it was completed, we replaced all the binaries with the new version. Once again, they started to be downloaded instantly. The next day, we already had redistributions — someone downloaded a copy from someone other than us. We could tell since we were logging the PIDs. It didn’t take long until we had multi-branch trees of pirates.

We decided that after one month of sharing Dust Bunny, we’d stop and let it propagate on its own. That marker was around March 9th, 2004.

Current Status

By now, WTP has racked up over 62 hours in wasted pirate time. Dust Bunny is well on its way with 20 hours. Dust Bunny has around 3,500 unique pirates and over 6,200 executions. It’s estimated that WTP has around 9,000 unique pirates and is known to have over 18,000 executions.

WTP is still going strong, with around 400 executions a day. Dust Bunny has slowed down since we stopped sharing it and are relying on redistributions. We attribute WTP’s success in part to the fact that each file is exactly the same, so the hashes are the same and P2P clients group based on hash. Each Dust Bunny binary is unique since each one has a unique ID. So even though there may be 40 Dust Bunnies in search results on Gnutella, a P2P client will not group them together.
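An added illustration of two points above (not the original program’s code): a per-copy ID rewritten into a fixed-width field keeps the file length constant, so every copy has a different hash yet still passes a size-only integrity check. It uses a constructed stand-in file; the marker “PID=”, the 8-digit width and the body bytes are assumptions for the example.

```python
import hashlib

# Constructed stand-in for a self-patched binary: arbitrary body bytes followed by a
# fixed-width ID field ("PID=" + 8 ASCII digits). Marker, width and body are assumed
# for this example; none of this is the original program.
ID_MARKER = b"PID="
ID_WIDTH = 8
BODY = bytes(range(256)) * 2  # 512 bytes standing in for program code


def format_id(pid: int) -> bytes:
    """Encode an ID into the fixed-width field; refuse values that would change the length."""
    if not 0 <= pid < 10 ** ID_WIDTH:
        raise ValueError("ID does not fit the fixed-width field")
    return f"{pid:0{ID_WIDTH}d}".encode()


def build_copy(pid: int) -> bytes:
    """Return one copy of the sample program carrying the given ID."""
    return BODY + ID_MARKER + format_id(pid) + b"\x00" * 16


def id_field(data: bytes) -> slice:
    """Locate the ID field, raising if the marker is absent."""
    at = data.find(ID_MARKER)
    if at < 0:
        raise ValueError("no ID marker found")
    start = at + len(ID_MARKER)
    return slice(start, start + ID_WIDTH)


def embedded_id(data: bytes) -> int:
    return int(data[id_field(data)])


def patch_id(data: bytes, new_pid: int) -> bytes:
    """Rewrite the ID in place. The fixed width keeps the length unchanged,
    which is what lets a size check survive the rewrite."""
    field = id_field(data)
    return data[:field.start] + format_id(new_pid) + data[field.stop:]


def raw_digest(data: bytes) -> str:
    """What a hash-grouping P2P client sees: every ID produces a different digest."""
    return hashlib.sha256(data).hexdigest()


def normalized_digest(data: bytes) -> str:
    """Hash with the ID field zeroed, so copies that differ only in ID compare equal.
    This is the analyst's view: one family, many variants."""
    field = id_field(data)
    masked = data[:field.start] + b"\x00" * ID_WIDTH + data[field.stop:]
    return hashlib.sha256(masked).hexdigest()


def group_copies(copies: dict, digest) -> dict:
    """Group named copies by whichever digest function is supplied."""
    groups = {}
    for name, data in copies.items():
        groups.setdefault(digest(data), []).append(name)
    return groups


def size_check_passes(data: bytes, expected_len: int) -> bool:
    """The integrity check the post describes: length only."""
    return len(data) == expected_len


def tamper_same_size(data: bytes) -> bytes:
    """Flip one body byte: same length, different program. Passes the size check."""
    return data[:10] + bytes([data[10] ^ 0xFF]) + data[11:]
```

The contrast between the last two functions is the caveat: a length check cannot tell a same-size modified copy from a clean one, whereas a digest over the invariant bytes can.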

Oddly, Pinnacle Studio 9 keygen was a very popular filename on both operations. Most of the WTP executions are Pinnacle Studio 9 keygen. On Dust Bunny, it’s the most popular filename with over 530 unique executions. This really surprised us considering some of the other filenames we had.

In February, TurboTax became a pretty popular filename we logged. I guess they don’t mind breaking copyright laws but have to get their taxes in. In just the past two days, Unreal Tournament 2004 keygen and cracks have become popular filenames.

When the Windows source code was leaked, we immediately renamed a copy to the rumored source code filename. In minutes, people were downloading it. Apparently the 204KB size didn’t bother them.

One thing that had us scratching our heads was the filenames “/home/caleb/LimeWire/Shared/ windows 2000 source code.zip.exe” and “/home/heihoe/Downloads/pinnacle studio 9 edition keygen.exe”. Since we didn’t log the complete filename (we strip out the path of the file), we aren’t sure if these are executions under WINE or Linux filesystems being mounted on Windows or something completely different. If anyone could share some insight, we’d appreciate it. I think it’s good to see people aren’t running as root.

Is this legal?

We believe so. People spread it willingly, not covertly like mass-mailing viruses. Other than rewriting itself, it doesn’t add, delete, or modify any files. It doesn’t remain active or start on boot. It’s not destructive or malicious in any way. Removing it is simply deleting the file they downloaded off of the P2P network. For all of these reasons and more, we feel it’s not any type of malware and is perfectly legal. But it wouldn’t surprise us if anti-virus vendors labeled it as some type of malware.

Update:

Much more debate than we ever thought would be given to this has occurred on various websites since we went “public” with our program yesterday evening. Some issues bear clearing up.

  1. No data is collected by our software that isn’t already collected when our software is downloaded.
    The only personally identifiable information that we have would be the executer’s IP address. However, this information is freely available at time of download and is completely public information.
  2. The software acts within the confines of its own entity.
    The program does not compromise their system in any way, shape, or form. Every action it performs, it performs solely for the purposes of logging an event. We are not in this to compromise downloaders’ systems, only to learn a little bit about who they are. It’s a social experiment.
  3. We disagree with the notion that this is a “Trojan”.
    A trojan horse gains access to a system through deviant methods, not through user-initiated downloads on a P2P network. Secondly, a trojan horse by definition has a payload or attempts to give the author access by working from the inside. Our program is absolutely dormant unless specifically and purposefully executed by the downloader. And the program is riddled with cues as to what the contents might be. For instance, the company name is “C.R.A.P. Citizens Raging Against Pirates”. Not what you’d expect from a “legitimate” crack or keygen.
  4. We are not raging against pirates, we are studying them in a clever way.
    While we joked in private this was our “war against piracy” the sole purpose of this project was to collaborate on a technically merited application for fun. It’s always cool to see something you created take on a life of its own, and that is exactly what occurred here. If you are someone who was trying to download illegal software, or just searching for our file…relax. The information we collected is absolutely harmless to you.

Old update:
Some people think this is illegal. They think it’s entrapment or we are stealing data. They think this is some type of malware. It’s not.

First, this can’t be entrapment. We aren’t reporting these people to anyone in the law enforcement field, even though we should be.

Second, it’s not malware. It doesn’t modify, add, or delete files other than itself.

So, to the pirates out there who think this is in some way illegal, it’s not. However, what you do is illegal.

Men With No Titles: Clifton Griffin and Justin X. B.
E-mail: pirateproject@blogzine.net
Website: http://blogzine.net

  • Peter

    You’re a retard. Technically, an app like this is trivial. Screwing up the first iteration (by using .net) requires ingenious stupidity. Second, piracy is not theft. It is copyright violation. It is illegal, immoral, but not theft. Theft consists of depriving someone of property. Piracy consists of violating someone’s rights under the copyright act. Propaganda of the MPAA/RIAA/SPA tries to rename this theft, but just because they release propaganda doesn’t mean you need to confuse yourself with it.

  • mxhax

    wow,

    I remember hearing about this but it didn’t seem to get much attention.

    but wondering, after the program “phoned home” and then received the new ID, and it made the 2nd program, wouldn’t someone be able to see that a new program was being made? Someone could just modify that program to stop the checking of the main program, which would then allow a person to modify the original program for malicious use?

    very interesting

  • BillyJoeBob

    Lame… It’s not a virus and you’re not funny. It would have been better if it had warned n00bs not to run stuff they download from Gnutella…

    I have to admit, though, that it’s pretty cool to have one’s code signature in an anti-virus product…

  • http://reidscones.com reid

    just semantics, but kazaa used the fasttrack network, not gnutella

  • Zac

    I find your blind support of law and heady Christian overtones hilarious.

  • http://clifgriffin.com clifgriffin

    Peter: Thanks?

    mxhax: Possible, but very difficult if you didn’t understand the composition of the program. We had checks on both sides so jumping into the process and satisfying those checks would have been very difficult. But then again, I think we added them for fun more than out of fear of a serious threat.

    BillyJoeBob: Yeah, probably lame, but it is very cool to have code you wrote included in virus signatures.

    Reid: You are very correct, I should have known that.

    Zac: I have a moral obligation to obey the law, but my support is in no way blind.

  • http://www.reddit.com/ Artificial Incompetence

    Every so often, I question my own skills in software dev. Then I read a blog article like this one, and the burgeoning ignorance assuages my self-doubt.

    You’re already 19, and you still don’t understand the difference between a virus and a trojan? Time for a new hobby…

    PS. Your “subscribe”-id checkbox is missing meaningful text.

  • Clifton Griffin

    AI, it’s almost like my audience is people who don’t know or care about the difference between a virus and a trojan.

    P.S. If you want to be technical about it, it wasn’t even a true trojan.

  • http://techpp.com Raju

    Not just entertaining, it was engrossing. Brand me as a sadist, but I was guessing (not hoping) that you would end up busted!

  • http://techpp.com Raju

    btw, I have just found out why akismet branded your comments as spam ;) Just kidding :)

  • Dan Schoppe

    Cool story. Very good read.

  • http://www.stratos.me stratosg

    You know, I wouldn’t have the balls to do it. I find it a very interesting thing because you got many facts (12 seconds just looking at it. wow!). Also I BET that if it was to be done again today it would have the same success because people tend to download stuff and run them without any hesitation nor thought. I also enjoyed your writing :) All in all a very nice post!

    • http://clifgriffin.com clifgriffin

      12 seconds was nothing…a few people left it running hours like they were afraid to click the button.

      Thanks for commenting!

      • http://www.stratos.me stratosg

        Now you got me thinking… I think this would be even scarier today since more people not only use the PC but use pirated software. Finding a crack today is as easy as searching Google. I guess this would make a better hit today…

  • JamesD

    Thanks for the useful info. It’s so interesting

  • http://teachnv.org angelo

    First, thanks for the theme.
    Second, I completely understand the challenge of creating something as a social experiment and watching to see how it manifests itself. Too bad it’s over with; you could engineer a bigger experiment and take some serious statistical data and probably get it published.

  • http://vinelamoti.com “માનવ”

    nice…