8 comments

ScorpioGlitch 2 points (+2|-0)

Curiosity. I wrote a virus out of curiosity when I was trying to create a desktop that was more than just a wallpaper. There's a reason MS abandoned the Active Desktop and gadgets... the desktop was pure HTML.

I will forever and always be in awe of you tech geniuses. I'm studying software engineering, but the more I learn the more I realize how fucking little I know about this field. What did your virus do, by the way?

ScorpioGlitch 1 points (+1|-0) Edited

As soon as you keep it as a mantra that someone always knows more than you do, you'll enjoy it more.

It was supposed to be a thing that let me have shortcuts to frequently used programs as icons as an actual part of the desktop (along with an embedded text editor with a save button), an embedded alarm clock, and an embedded media player (audio and video). You could turn icons off, rearrange them, whatever, and my stuff would stay there right where they were intended. If you used a regular HTML document as the background, it always asked if you wanted to save or run the program and I wanted it to behave like a normal icon. I discovered that the HTML doc that was the desktop ran under system level privileges and wouldn't even ask you for permission to download and run a file from the internet.

Once I put all that together, it was a simple little script that copied over your actual desktop shell file with the default Windows Bliss background, injected a download command (at any URL I wanted, any executable I wanted, and silently), then logged the user off to make the changes stay. When the user logged back on, the desktop would load, run the script and therefore download the file I specified, run said file, and all invisibly. To infect your computer, all you had to do was browse to any page where the kickoff script was embedded. To be clear, the web page would rewrite a system file and log you off. That's not a small thing.

I never actually released it and developed it under the watchful eye of a college professor because writing a virus is a serious offense. I wanted someone who knew what was going on and could back me up if something happened. Once the virus was complete, I filed a report with Microsoft pointing out the vulnerability and the research I had done about if this was a known avenue of attack (there was only and exactly one virus already in existence that exploited this). I never got a response but maybe 8 months later, they released Vista. Could have just been interesting timing but I'm sure they didn't respond because they already knew of the problem (hence the reason Vista and later only have simple desktop background options).

Had to read through your post twice just to get the full awesomeness of it. In all my time on computers, never once have I even thought of customizing my desktop in the ways you mentioned. I would absolutely love to have an embedded text editor, with a save feature, right on the desktop. I spend so much time opening and closing Notepad++ and Paint, it would rock hardcore to have them open all the time clutter free.

Now, on to the virus part. Keen eye you have there to catch that. I'd hold onto the title of the guy who nudged Vista into existence, but then again with the way Vista turned out I might keep that bit to myself. Who knows. And a nifty little program it was, I'm loving how elegantly easy it all seemed once you discovered the vulnerability.

How much of an offense is it to just create the virus without releasing it? I would like, for reasons of cybersecurity, to make my own viruses. I want to study the mindset and theory behind them so I can defend against them in the future. Is there a risk of having a program get out of your control when testing it and accidentally releasing it to the wilds?