That time I wrote malware and got caught

Monday, October 30, 2023

Most of us make some bad decisions in high school. While other people were drinking, going to parties, and who knows what else, I was doing some experimentation of my own. I was writing my first (and only) piece of malware.

From as early as I can remember, I've had a fascination with security. In games, I would play rogues and try to pickpocket people or pick open locks. This came from two inner drives.

The first one is the obvious one: getting access to things you're not supposed to. I was a curious kid[1] and wanted to know everything. Nothing seemed like it should not be my business. So playing as a character who could get into any room was just my cup of tea: unfettered access to know what was going on.

The second one was less obvious and took me a while to realize in myself: a deep desire to know how things work. More precisely, a deep desire to figure out how things work. If I read a book about something, that's fun and I learn something. But if I poke at a system enough to figure out how it works and why it works that way, that's deeply satisfying and such a thrill.

Our high school had computers in most classrooms, and we had a few computer labs[2]. As is common with computer labs, these required logging in with your school credentials[3]. Once you logged in, you had access to your personal drive (mounted at P:\, I assume for "personal") as well as a few shared drives. Students could read files on some of these drives, and could read and write to one of them. Is this foreshadowing? Is it ever.

Another thing that our computers had was spyware "monitoring software" so that the lab supervisor could see what we were doing. On the one hand, high school students do many unwise things so this is probably a reasonable practice. But on the other hand, it inures people to being spied on, and it definitely didn't prevent me from doing naughty things, soooo... it wasn't very effective. To prevent us from killing the process that monitored us, we had no access to Task Manager.

My junior year, I was in a programming class, and we used .NET languages (VB.NET and C#) in our classes. Since we were using Visual Studio, we had access to a fun drag-and-drop builder, and we also had hooks into Windows APIs to do convenient things. You could capture keystrokes, like Ctrl-C for copy if you want to do something different with it.

Naturally, I wanted to explore the limits of these APIs. What would it let me capture, and what would it not? Unfortunately, they let me capture almost everything. From here, I created my malware: Fluffy, Destroyer of Worlds.

Fluffy was a simple program. When you ran it, it would expand itself to full screen and display a picture of a kitten jumping through a field, labeled with "Fluffy, Destroyer of Worlds"—in Comic Sans, of course. Below that was a loading bar which started out quick but would slow down exponentially, so you would get to 90% quickly but then would never get to 100%.

Users would sit there and wait expectantly for this program that Nicole wrote to do something cool, presumably. But eventually they'd pick up on the gag, maybe because I was giggling. So they would try to close it. But I was able to capture Alt-Tab and prevent the user from changing windows. And I was able to capture Ctrl-Q and Alt-F4 and prevent the user from closing the program. I was not able to capture Ctrl-Alt-Delete... but that took you to a login screen that only had options to resume, log out, or restart the computer (no admin controls could even override this, shocking to me to this day).

They had no choice but to log out or restart, which would make them lose any work they had open.

Like any good hacker, I developed my malware in my parents' basement. And like any good hacker, I tested it on my friend first. Shoutout to Andrew for running something I sent him without really questioning it. He got off easy because his home computer did not have Ctrl-Alt-Delete blocked. We tried to transfer it to him by AIM or email, but .exe files were blocked, so naturally we transferred it by pretending it was a .zip file.

Once Andrew had confirmed that it did work as expected, I carried Fluffy, Destroyer of Worlds to school with me on a flash drive. Our computers didn't prevent running arbitrary executables, so I was able to just copy it onto my personal drive and run it. But it was more fun if someone else ran it, so I put it on that shared drive. (It returned!)

Then I told my friends to run it. They thought it was funny. I had my Latin teacher run it, and she lost half a period of notes; I felt slightly bad about that. My English teacher ran it, and he thought it was hilarious even though he lost notes too. I thought that was the end of it, I'd had my fun.

The next day my programming teacher asked me about the program. Apparently, some other people had run it, because they found it on the shared drive. And some of them had our librarian run it, and hoo boy she did not find it funny in the slightest. She wanted me to immediately lose all computer privileges which, honestly, fair.

My programming teacher went to bat for me, and struck a deal with IT to keep my computer privileges[4]. The deal was that I had to get rid of the program and monitor for it coming back, and make sure (as far as I could) no one else was affected by it. I deleted that copy from the shared drive but people kept putting it back. Why??? So I kept deleting it over and over, until the novelty wore off and we all forgot about it.

Side note, can we just say how shocking it is that everyone ran a random executable? That we just ran things we found? Security understanding sure has changed over the last two decades.

High school was a weird time.

By writing some very unsophisticated malware, I learned quite a bit.

I was able to explore the bounds of a system and what it was able to do. But more importantly, I learned that writing malware wasn't harmless and could hurt other people and could also put my own activities at risk. It scared me out of doing any sort of security work for a while.

It taught me how much privilege I had. What I did was not legal and violated school rules, and some people may have had the book thrown at them. Instead, I had a teacher and mentor go to bat for me and ensure I could keep on learning.

It also taught me about the boundaries of systems, and the ways that security features can be abused. The ways that the systems we put in place can be exploited. Exploring systems, boundaries, what you can and cannot do—such a great way to learn. Just, do it with consent.

  1. Now I'm a curious adult. For a while I was very good at OSINT until I learned to mind my own business.
  2. Computers are ubiquitous in schools today, but in 2006, we were on the forefront of access for a public school. There were private schools with more tech, but few public schools in my area with more.
  3. A friend's password was the German word for a penguin. We did not have good security practices, as shown by his password and by me knowing his password.
  4. I was one of two programmers for our robotics team, so if I lost computer privileges we would have had a rough time, or had a very early lesson in pair programming. I would have also probably failed my programming class as a result.
