Misstep 12: Conned Beef Hash

Before I built my forum site in 2006, I was authoring Windows applications, and before that, DOS applications as far back as 1992. I was a young kid back then, my first program being a QBASIC program that spit out ASCII art of a box of crayons, for example.

I greatly annoyed my siblings by having them try out the software packages I made for DOS “ComLinx” allowed you to use null modem cables across bedrooms to talk, I made a “SkipBo” game for my folks to play with eachother — I even made a tool to spy on the game and see what cards people had.

Something was still wanting in me, it wasn’t enough for me to build software for my family alone. I eventually got the internet at my house, and I started building a site I called “flashville”. It’s not what you think, it was to be an “ebaumsworld” sort of site full of flash games and videos I liked. I quickly realized I didn’t have the bandwidth to host this sort of site.

Finally, I settled on hosting a plethora of applications I wrote, anything from an old Microsoft keygen (remember the old xxx-xxxxxxx codes?), to an Instant Messenger Spammer application I wrote that grabs a window by its handle and emulates large amounts of keystrokes to it. Overall, nothing super useful, since I was still convinced I’d strike it big one day building stuff for people.

This misstep has to deal with the download of those files, and how I “secured them”.

I was disliked

I made a tool that spams people over AIM/MSN/etc. Back in the early/mid 2000’s, this was enough to freeze somebody’s computer. Because I made some people salty, people starting distributing my software with viruses embedded in them. This made me incredibly mad, since I’ve never distributed malware in my life, and the code I wrote was devoid of any concerns. (Later in my life, I released the source code, though I’ve lost it at this point).

MD5 Integrity Sum, kinda.

So, in my “download store”, I added an MD5 integrity sum, where folks could view the MD5 of the file they were going to download and ensure integrity on their machine. This was great, because it would stop:

  • MitM attacks that would modify the EXE before you downloaded it
  • Malware infested versions of my software from being distributed
  • Compromised CDN or other file hosts would have a different hash, which you wouldn’t run

Overall, I feel that I accomplished the goal. However, looking back, I implemented it in a stupid way. Namely:

  • I didn’t use a CDN or outside host, so there was little chance that my files would have been compromised
  • I actually generated the MD5 on-the-fly. This means that I would give you the hash of the file you were downloading, which would always match.

Instead of taking a “golden hash” of the file (man this sounds like a McDonald’s reference), I gave you a hash of the file you grabbed.

You’d never know you had a bad version, unless you were comparing a previous download from a different source.

Bonus: My own PUPpy, dawg

One day, I seen comments on my site that folks were not able to download my IMSpammer application. Not sure why, I went to investigate. It turns out that my server was running terrible antivirus software from AVG, and flagging my tool as a “PUP”, or “Potentially Unwanted Program”.

To skirt detection, I simply recompiled the program, changing the font of a label that was off the form. This changed the hash of the tool, and I republished it without incident.

About Author


Robert Lerner

Leave a Reply

Your email address will not be published. Required fields are marked *