Against the background of the Russian military operation in Ukraine, cases of the emergence of so-called protest software (protestware) have become more frequent. More often than not, this particular malware poses little threat and only results in a political statement appearing on the screen of the infected computer. However, sometimes activist developers resort to much more radical actions.
Evangelist-destroyer
Node-ipc is an open source program that defines a format for efficient communication between different devices. An ordinary user may never hear about this program, but node-ipc is very popular among developers of various applications. It is downloaded a million times a week.
In early March, independent developer Brandon Nozaki Miller, known by the nickname RIAEvangelist, added several updates to the node-ipc library at once – on March 7 and 8, versions 10.1.1 and 10.1.2 appeared here. As it soon became clear, Miller deliberately added malicious code to these versions of updates, which, when the program was activated, initiated a check of the user’s IP address. If it turned out to be from Russia or Belarus, the program automatically began to destroy the contents of all files on the infected device that it could get to. So RIAEvangelist expressed his protest against the Russian military operation in Ukraine.
The next version of the program was added to the library (this time by another user) a day later, and the malicious code was no longer there. And versions 10.1.1 and 10.1.2 have been removed from the node-ipc library. The GitHub administration flagged these versions as malicious only a week after they were published.
How many developers managed to download the infected version of node-ipc is still unclear. There are hundreds of programs using node-ipc code alone. And there can be thousands of ready-made user applications that work with these programs.
If app developers have time to release an update to their product with a virus version of node-ipc inside, end users may lose all data on their device.
On March 18, Sberbank issued a statement in which it urged users to refuse software updates due to the increased risk of device infection.
“Currently, cases of provocative media content being introduced into freely distributed software have become more frequent. In addition, various content and malicious code can be embedded in freely distributed libraries used for software development. The use of such software can lead to malware infection of personal and corporate computers, as well as IT infrastructure,” the bank said in a statement. The statement did not mention Miller’s story in any way, but Fortune magazine experts linked the two events.
As for Miller himself, his protest is not over. The 11.0.0 version of node-ipc that he released and the 11.1.0 version that followed it contain code that creates a WITH-LOVE-FROM-AMERICA.txt text file on the desktop of the infected device, which contains Miller’s call against military operations in Ukraine.
The community of developers and specialists in the field of cybersecurity reacted extremely negatively to Miller’s act.
According to experts, nothing is more important for open source software than the trust factor, and such actions seriously undermine it.
“Even if the deliberate and dangerous act of the developer RIAEvangelist is perceived by some as a legitimate act of protest, how will this reflect on his future reputation and his place in the development community? Will people believe that this developer won’t do something similar or even more aggressive in the future?” Liran Tal, a security researcher at Snyk, says.
Brian Fox, CTO of open source company Sonatype, told SC Media that users can now turn their backs on many independent developers: “You have to trust the people who supply you with components.”
Online war for peace and prosperity
Software in which developers inject malicious code as a sign of protest against some socio-political event or against specific actions of the authorities was called protestware – as a derivative of the words protest (“protest”) and software (software).
Another example of this phenomenon dates back to January of this year. Then the programmer Marak Squires published updates for two of his programs at once. And if node-ipc has about a million downloads a week, then Squires’ programs had 22 million downloads a week. And they are built into about 21 thousand applications.
A program that developers have trusted for years has turned their apps into an endless random character generator on the screen.
All the gibberish that the applications now gave out was preceded by the inscription: “Liberty Liberty Liberty” (“Freedom Freedom Freedom”). And in the text file accompanying the library update, Squires left a short message: “What really happened to Aaron Schwartz?”
Aaron Schwartz was an American Internet activist who advocated the principle of open science and the availability of scientific data to the entire Internet community. In September 2010, he broke into the grounds of the Massachusetts Institute of Technology (MIT) and plugged his laptop into a network switch in the institute’s switch cabinet. Through his MIT account, Schwartz accessed JSTOR’s online library of scientific journals, books, and other materials, from which he downloaded 4.8 million articles. JSTOR did not press charges against Schwartz, but demanded the return of all stolen documents.
However, in January 2011, Schwartz was apprehended and charged with breaking and entering in order to commit a felony. Six months later, he was released on bail.
The articles of indictment changed constantly, but in the end, in September 2012, federal prosecutors charged Aaron with 13 counts. Schwartz faced up to 50 years in prison and a fine of up to $1 million. The prosecution offered him to plead guilty in exchange for a prison term of just six months. Schwartz refused. In early January 2013, the corpse of Aaron Schwartz was discovered in his apartment, after which the whole story took on an ominous tone and attracted the attention of both ideological fighters against data privacy and numerous conspiracy theorists.
Schwartz’s pro-Schwartz protest software developer Marak Squires believes that Schwartz, infiltrating the MIT system, actually found large amounts of child porn there and was later killed by the authorities.
When new doesn’t mean safe
Distribution of protestware is just one form of protest. The reaction of hacker activists to a particular event can be completely different – from simply sending out appeals to blocking entire computer systems and hacking databases.
So, for example, at the beginning of this year, a group of “Belarusian cyber partisans”, as they call themselves, hacked and blocked access to the servers of the Belarusian Railway. They published a statement on Twitter and Telegram, where they put forward demands for the release of 50 political prisoners, as well as for the cessation of the use of the transport infrastructure of the Belarusian Railway for the movement of Russian troops around the country. The same group, in addition, distributed online the personal data of people (from police and military personnel to government officials) whom it considered guilty of human rights violations or suppression of protests that swept across the country in 2020.
And last year, online publication The Quint, citing data from the Indian data protection organization Quick Health, reported the spread of a virus that blocked users’ computers across the country. The virus was spread via e-mail and contained in a Word file that was attached to the letter. As soon as the user opened the file, a virus from the Khalsa Cyber Fauj hacker group got on his computer. The virus encrypted all files on the infected computer, and when users tried to open them, they saw a message from hackers. It said that the hacker group supports the protest movement of farmers. Instead of the traditional ransom demand for such hacker attacks, a demand was put forward for the federal government of India to withdraw a number of laws adopted in September 2020 and aimed at modernizing the country’s agricultural sector.
The farmers themselves – in particular, the United Peasant Front movement – said they did not support the actions of the hackers. Protests in India continued for more than a year, and in November 2021, the country’s prime minister announced the repeal of controversial laws and apologized for the actions of the government.
However, both experts in the field of online security and simply concerned users say that, unlike the more or less directed actions of hacktivists in the past, the distribution of protestware has at least one important drawback. Protestware does not control what the military calls collateral damage.
This, according to representatives of the Electronic Frontier Foundation, one of the world’s leading organizations for the protection of digital privacy, freedom of speech and innovation, has already shown the story of Brandon N. Miller. “This is a terrible idea… the results of which can be nightmarish and inconsistent (with the stated goals.— “b”), — said Cooper Quintin, one of the EFF’s leading experts in the field of cybersecurity. — What if some Russian human rights or anti-war group, or a Russian hospital uses this particular (infected. — “b”) ON? Such an action, even though it was conceived as a simple non-violent protest by its creator, can lead to the loss of important data … medical documents or even the death of innocent people … Random mindless mailing … is such an uplifting action, equal to shooting in the dark.