11-YEAR-OLD code wizard hacks Greedy RuneScape geeks
Kid's .NET Trojan offers hard coin but teleports passwords
A Trojan that promises RuneScape players gold but instead steals their passwords was developed by an 11-year-old, researchers claim.
Antivirus biz AVG said it made the discovery after studying a piece of code masquerading as a cheat tool for the wizards'n'warriors online role-playing game. The malware asks victims for their login details and, rather than send them in-game currency as promised, it passes the sensitive data to its munchkin master.
But the little tyke was outed by his own source code: it contained personally identifiable information that a more experienced VXer would never reveal.
AVG Technologies said this isn't the first time a child-built nasty has wandered onto its radar, and said the age of the Canadian developer suggests that kids are "digitally fluent far earlier than previous generations".
While snooping on players' login details may at first seem a petty triumph, gaming accounts often store credit-card details or virtual currency for in-game purchases.
And many people use the same passwords for their accounts on Facebook, Twitter, Google and other websites and gaming networks, potentially putting the victims at serious risk across the entire web: as well as the inconvenience of regaining access to compromised accounts, there's a possibility information could be exploited by online bullies and identity thieves.
"We have now seen a number of examples of very young individuals writing malware, including an 11-year-old from Canada," said Yuval Ben-Itzhak, chief technology officer at AVG Technologies, referring to the RuneScape Gold Hack tool.
"The code usually takes the form of a basic Trojan written using the .NET framework, which is easy to learn for beginners and simple to deploy via a link in an email or posted on a social media page.
"We believe these junior programmers are motivated mainly by the thrill of outwitting their peers, rather than financial gain, but it is nevertheless a disturbing and increasing trend. It is also logical to assume that at least some of those responsible will be tempted to experiment with much more serious cyber-crimes."
The rise of the pre-pubescent VXer is documented in AVG Technologies' latest security dossier (PDF here), which also reports that almost 60 per cent of all threat activity online was carried out using exploit toolkits. The newly created Cool Toolkit accounted for 16 per cent of the top web threats in Q4 2012, topped only by the Blackhole Exploit Kit at 40 per cent. ®
When I was 11, I wrote a thing in VB (I think it might even have been VB 1.0, I can't remember) which perfectly emulated a Windows 3.1 network login screen (I can't remember the underlying tech, but it was RM-branded and probably Netware-based), complete with working help file and everything.
You logged in as any old dummy account, ran that program, it went full-screen, it even intercepted things like trying to switch away or kill the program (this was pre-Ctrl-Alt-Del providing the logon screen), and it looked and worked pixel-for-pixel identical as a login screen. They you got your target to log in. It faked a password refusal. They would invariably try a couple of times and then move onto another computer. You come along and "log in" with your details and it would let you access ("Must have been typing your password wrong"), and in the user area would be left a nice plain-text list of usernames and passwords tried, which you could then go and try on the REAL login screen at your leisure.
Got admin access to the whole network that way, at least twice, and(because I'm nice) revealed how.
When I was 15, we got admin to the whole network in a way that was so obscure, I had to craft the defence against it for the school network manager, on an OS that had NO concept of security at all (it involved using Word macros to discover hidden drive shares, but it worked and was only about 200 lines of code).
Why is it surprising that 11-year-olds can do this? They *SHOULD* be able to do this already, rather than peeing about in Logo and Scratch. They shouldn't ACTUALLY do it, because of the legal issues involved, but they should be capable of at least worrying the network admin. And I'm a school network admin!
P.S. physics teachers shouldn't use words like "displacement" and make a password like "d15placemen7" from them. Hell, after that I guessed his next 3 passwords without even trying to write a program to do so. Teachers should also NEVER challenge a group of kids to "hack the network, because it'll be a learning experience and you'll find out that we're pretty locked down", especially not when there's a geeky-kid in the room.
Re: "11-YEAR-OLD code wizard"
'suggests that kids are "digitally fluent far earlier than previous generations".'
You might want to explain that to all of us who were coding home computers during the 80s.
Writing a fake program that asks stupid people to enter their login details != hacking.
'phishing' is only one letter longer than 'hacking'
"11-YEAR-OLD code wizard"
Aka "exaggerate the skills of the idiot who was able to get around our idiot security".