
   obscure load-module program. The program added features to the running
   system but, more importantly, it ran as root, meaning that it had a
   free run on the system when it was executed. It also meant that any
   other programs the load-module program called up also ran as root. If
   Anthrax could get this program to run one of his own programs--a
   little Trojan--he could get root on System X.

   The load-module bug was by no means a sure thing on System X. Most
   commercial systems--computers run by banks or credit agencies, for
   example--had cleaned up the load-module bug in their SunOS computers
   months before. But military systems consistently missed the bug. They
   were like turtles--hard on the outside, but soft and vulnerable on the
   inside. Since the bug couldn't be exploited unless a hacker was
   already inside a system, the military's computer security officials
   didn't seem to pay much attention to it. Anthrax had visited a large
   number of military systems prior to System X, and in his experience
   more than 90 per cent of their SunOS computers had never fixed the
   bug.

   With only normal privileges, Anthrax couldn't force the load-module
   program to run his backdoor Trojan program. But he could trick it into
   doing so. The secret was in one simple keyboard character: /.

   Unix-based computer systems are a bit like the protocols of the
   diplomatic corps; the smallest variation can change something's
   meaning entirely. Hackers, too, understand the implications of subtle
   changes.

   A Unix-based system reads the phrase:

   /bin/program

   very differently from:

   bin program

   One simple character--the `/'--makes an enormous difference. A Unix
   computer reads the `/' as a road sign. The first phrase tells the
   computer, `Follow the road to the house of the user called "bin" and
   when you get there, go inside and fetch the file called "program" and
   run it'. A blank space, however, tells the computer something quite
   different. In this case, Anthrax knew it told the computer to execute
   the command which preceded the space. That second phrase told the
   machine, `Look everywhere for a program called "bin" and run it'.

   Anthrax prepared for his attack on the load-module program by
   installing his own special program, named `bin', into a temporary
   storage area on System X. If he could get System X to run his program
   with root privileges, he too would have procured root level access to
   the system. When everything was in place, Anthrax forced the system to
   read the character `/' as a blank space. Then he ran the load-module
   program, and watched. When System X hunted around for a program named
   `bin', it quickly found Anthrax's Trojan and ran it.
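
   The weakness in this passage is a root-run program that lets its caller
   decide how a command line is split and where a program name is looked up.
   The block below is an added example, not code from the book or from SunOS:
   it shows the usual fix, assuming the two mechanisms are the shell's IFS and
   PATH variables. The names clean_env and run_helper are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Names (or prefixes) that alter how a shell splits or finds commands. */
static const char *const DROP[] = { "IFS=", "PATH=", "ENV=", "BASH_ENV=", "LD_" };
static char SAFE_PATH[] = "PATH=/usr/bin:/bin";  /* fixed values (constructed) */
static char SAFE_IFS[]  = "IFS= \t\n";

static int is_dropped(const char *kv) {
    for (size_t i = 0; i < sizeof DROP / sizeof DROP[0]; i++)
        if (strncmp(kv, DROP[i], strlen(DROP[i])) == 0)
            return 1;
    return 0;
}

/* Copy envp into out without the risky entries, then append the fixed PATH
 * and IFS. Returns the entry count (NULL excluded) or -1 if out is too small. */
int clean_env(char *const envp[], char *out[], size_t cap) {
    size_t n = 0;
    if (cap < 3) return -1;
    for (; envp && *envp; envp++) {
        if (is_dropped(*envp)) continue;
        if (n + 3 >= cap) return -1;      /* keep room for PATH, IFS, NULL */
        out[n++] = *envp;
    }
    out[n++] = SAFE_PATH;
    out[n++] = SAFE_IFS;
    out[n] = NULL;
    return (int)n;
}

/* Run a helper by absolute path with the cleaned environment: no shell, so
 * nothing is re-split and nothing is searched for. Returns only on failure. */
int run_helper(const char *abs_path, char *const argv[], char *const envp[]) {
    char *env[64];
    if (abs_path == NULL || abs_path[0] != '/' || clean_env(envp, env, 64) < 0)
        return -1;
    execve(abs_path, argv, env);
    return -1;
}

int main(void) {
    char *in[] = { "HOME=/tmp", "IFS=/", "PATH=/tmp:.", NULL }; /* constructed */
    char *out[8];
    int n = clean_env(in, out, 8);
    for (int i = 0; i < n; i++) puts(out[i]);   /* HOME, fixed PATH, fixed IFS */
    return 0;
}
```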

  

   The hacker savoured the moment, but he didn't pause for long. With a
   few swift keystrokes, he added an entry to the password file, creating
   a basic account for himself. He exited his connection to port 2001,
   circled around through another route, using the 0014 gateway, and
   logged into System X using his newly created account. It felt good
   walking in through the front door.