How a college student fooled 17,000 professional programmers into running his sketchy script

It is a well known fact that hackers and cyber criminals thrive on charm more than technical expertise. This was once again proved when a German university student got 17,000 coders from governmental and military organisations to run his malware laden code with his charm. Luckily the malware laden code wont do much harm as this was part of an experiment.

University of Hamburg student Nikolai Philipp Tschacher was conducting an experiment as part of his bachelor thesis. He was testing whether he could fool coders using to run his program using a variation of a decade-old attack known as typosquatting

Tschacher used the variation of typosquatting and uploaded his code to three popular developer communities and gave them names that were similar to widely used packages already submitted by other users. During his experiment which spanned over several months, Tschacher’s imposter code was executed more than 45,000 times on more than 17,000 separate domains. Even more surprising is that as many as half the downloaders who were seasoned coders themselves, gave Tshacher’s code all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military also downloaded and ran his script.

“There were also 23 .gov domains from governmental institutions of the United States,” Tschacher wrote in his thesis called “Typosquatting in Programming Language Package Managers. “This number is highly alarming, because taking over hosts in US research laboratories and governmental institutions may have potentially disastrous consequences for them.”

Typosquatting technique has been used by hackers and cyber criminals since the dawn of Internet era. The technique has its roots in so-called typosquatting attacks, in which attackers and phishers registered domains such as gooogle.com, appple.com, or similarly mistyped names that closely resemble trusted and widely visited domains. When end-users accidentally entered the names into their address bars, the typos sent their browsers to malicious imposter sites that masqueraded as legitimate destinations while pushing malware or trying to collect user passwords.

Another variation was introduced by security researcher Artem Dinaburg in 2011. He called his technique Bitsquatting and it worked similar to typosquatting but relied on users to enter a wrong domain name, which then capitalised on random single-bit errors made by computers.

Tschacher based his attacked on Bitsquatting. He first identified 214 of the most widely downloaded user-submitted packages on PyPI, RubyGems, and NPM, which are community websites for developers of the Python, Ruby, and JavaScript programming languages respectively. Once he had identified most popular packages, he upload his untrusted code to the websites and gave them names that closely resembled the 214 packages.

Tschacher’s script also provided a warning that informed developers that they may have inadvertently installed the wrong package. But before it did, the code sent a Web request to a university computer so he could keep track of how many times his untrusted code was executed and whether administrative rights were given.

As Tschacher hoped, his experiment was a success with the sketchy code being downloaded by as many as 17,000 users from military and governmental background. It was executed as many as 45,000 times which may give you a idea how charm can still fool users to run unwanted scripts.

LEAVE A REPLY

Please enter your comment!
Please enter your name here