It was in my first few semesters of my bachelor studies. I studied Software Engineering, and I was mainly interested in programming my own video game engine (which later became the DbofX Engine). Around that time, I was an active member (over 2.5k posts) of a rather popular, international hacking forum, and started learning about web security, software development, and also game hacking. I learned about isolating programs in a sandbox, so they would not harm your system, and used this to run a lot of viruses on my computer.
I also liked to play a small game that I called “Pikachu volleyball game”. What looks like a shitty 90s game is a really entertaining and short multiplayer game, which requires dedication and some skill to fully master. And I just discovered you can play it online now!

A stupid mistake that I regretted much later
In the hacking forum, there were a lot of people sharing their newly developed malware, which were “100% FUD” (fully undetectable), and sometimes, suspicious accounts shared what looked like a legitimate collection of useful PDFs, but which installed a virus on your system. So you always had the risk of infecting your system by running programs some online people created. This is why you always needed to have an active and updated antivirus program running.
To protect against potential viruses, I learned to use a sandboxing program, which does the following: you tell the program which executable file you want to run, and it takes this file, creates an isolated environment where it cannot access your private files, and then runs it. Whatever happens next, it won’t affect your files, your other programs, or your computer. You could simply stop it and the potential virus would go away.
One day, I tested different programs that people had shared, and always used a sandbox to run them. On one of these programs, I noticed that it would not open, because nothing would happen after running it. No window, no process, no reaction. Was it broken, maybe? I figured that, perhaps, it simply was not able to run in a sandbox, and would therefore silently crash.
In my brain, the file did not work, so why not test it directly? I ran the program without a sandbox. And… nothing happened, again. Okay, so it must have been completely broken. I deleted the file and continued doing stuff.
A few days later, I wanted to test a “cheat” I created myself. The cheat program allowed me to set the score of my Pikachu to the value I wanted. I wanted to have 8 points, so I typed in 8 into my program, ran the game, and immediately started with 8 points in.

What I did not know at this time: The file that was supposed to be the Pikachu volleyball game was slightly changed, and included some other code that the original game did not have. I had been infected!
The game was so old and simple that when you started the game, it would load almost instantly. There is almost no delay. Except: there was a delay this time. I noticed a very small delay between clicking on the game and its window opening. It seemed like the icon flickered for a split second. It was very suspicious to me, and I wondered if anything was wrong.
Side note here: when you download loads of random files from a hacking forum, you end up getting very paranoid at any noise your computer fan makes. Every suspicious change immediately triggers the reflex to check the process list and find out what may be running in the background.
Anyway, I did not find any clue what had happened, and continued playing the game and testing my cheats.
A painful reminder that I was stupid
It must have been 4–6 weeks later, when I learned what had happened. I was in class, busy with finishing my homework which I needed to submit in the evening, when I got the first email. My heart skipped a beat or two.
Hello Davide,
I clicked on the link you sent me, but it was some strange website. You sure you sent me the right link?
I was in shock. What the hell was my university friend talking about? And it hit me surprisingly fast, because I remember thinking: “Shit, it really was a virus!”. I asked my friend to forward me the email, and to run a virus check on his machine.
When the email arrived, I was again in shock and pain. The email came from a weird email, but had my name as the sender. The subject was my full name, and there was only a link in the mail. I set up a browser sandbox, copied the link and opened it in the sandbox. The page showed some explicit ads, a lot of very explicit pictures of men violently putting body parts in shocked Asian women, and the page was in Chinese or some other language I did not recognize.
But the worst situation possible had happened: The email was sent to my friend, and 22 other contacts. An email with my name all over it, a gory and aggressively violent porn website linked to it, and it was sent:
- to my professors
- to more colleagues from university
- to recruiters and HR people of companies that I had applied to 6 months earlier
- to family members
- to random other mails I did not recognize
- several do-not-reply addresses from companies
A few hours later I got another email forwarded to me by another university contact, which had over 30 recipients listed. These were different recipients than in the mail before.
Making sense of what happened
After running multiple virus scans, and also some other specialized programs to find malware, a file was found, “put in quarantine” and eventually deleted: the Pikachu volleyball game. So there was no doubt about how it happened, and my initial suspicions were correct.
Several very embarrassing follow-up mails and messages to people in my life followed, and I also warned everyone in my classes that they might have received some spam with my name on it. I did not openly admit I had been infected, I just warned people that my name was being misused.
So what actually happened was that the initial virus probably had infected the first executable file it had found (because no other programs seemed to be affected), which was the game I was regularly playing before. When I started the game after the infection, it must have stolen all my contacts from my Thunderbird email program, which contained any mail addresses I ever interacted with in the last 3–4 years. This was clear from the number of unrelated email addresses the spam was sent to. So it was not only my “recent contacts”, but all addresses at once.
The antivirus did not trigger at that time because it did not know the virus, and most (cheap) anti-malware programs work using signatures of already known malware. When I manually ran the virus scan weeks later, it found the correct file almost immediately.
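The gap described above, as an added example that is not part of the original post: a scan against known-bad signatures misses a freshly modified executable, while a comparison against a previously recorded hash baseline flags it. The file names, the whole-file-hash "signature database" and the appended placeholder bytes are all constructed; real antivirus signatures are more elaborate than whole-file hashes.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature database: hashes of samples the vendor already knows.
KNOWN_BAD = {hashlib.sha256(b"old-known-malware-sample").hexdigest()}

def sha256_file(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def signature_scan(paths):
    """Signature approach: flag only files whose hash is already known-bad."""
    return sorted(p.name for p in paths if sha256_file(p) in KNOWN_BAD)

def take_baseline(paths):
    """Record a trusted hash for each executable while the system is clean."""
    return {p.name: sha256_file(p) for p in paths}

def integrity_check(baseline, paths):
    """Integrity approach: flag files that are new or differ from the baseline."""
    return sorted(p.name for p in paths if baseline.get(p.name) != sha256_file(p))

def demo():
    with tempfile.TemporaryDirectory() as d:
        game = Path(d) / "game.exe"
        tool = Path(d) / "tool.exe"
        game.write_bytes(b"MZ" + b"original game code")   # constructed content
        tool.write_bytes(b"MZ" + b"some other program")   # constructed content
        files = [game, tool]
        baseline = take_baseline(files)
        # Stand-in for the later modification of the game executable:
        # inert placeholder bytes, unknown to the signature database.
        game.write_bytes(game.read_bytes() + b"<constructed placeholder bytes>")
        return signature_scan(files), integrity_check(baseline, files)

if __name__ == "__main__":
    hits, changed = demo()
    print("signature hits:", hits)
    print("changed since baseline:", changed)
```

The baseline only helps if it is taken before the infection and stored where the malware cannot rewrite it.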
The spam mail was not very convincing; it really only contained a weird-looking URL. But apparently it was enough that my name was in the subject title for people to open and click it. This happened between 2012 and 2015, btw. I knew of at least 3 people who had admitted to clicking the link in the email. My professors did not reply to my initial warning, and never addressed the issue again.
A painful regular reminder that I was stupid
Since the event, life has changed, the internet has changed, and I have changed a lot. What has not changed is the yearly reminder of the event. I still get spam mails with my name in the subject and a suspicious link in the body, sent to my old (and now unused) email address. And still, there are other recipients of this mail that I sometimes still recognize from the name in the email address. But today, I almost appreciate it.
It reminds me of the errors of my past self. But it also serves as a reminder to all my acquaintances that they once met a guy who was hacked. A guy who calls himself “security expert” today.