back to article 11-YEAR-OLD code wizard hacks Greedy RuneScape geeks

A Trojan that promises RuneScape players gold but instead steals their passwords was developed by an 11-year-old, researchers claim. Antivirus biz AVG said it made the discovery after studying a piece of code masquerading as a cheat tool for the wizards'n'warriors online role-playing game. The malware asks victims for their …


This topic is closed for new posts.
  1. Suricou Raven

    He'd better go into hideing then.

    Before some government tries to prosecute him as a cyber-terrorist.

    1. Matt Bryant Silver badge

      Re: Suckyou Raven Re: He'd better go into hideing then.

      "Before some government tries to prosecute him as a cyber-terrorist." OMG, you're so right! Them dastardly, scheming G-men and NSA Nazis are everywhere, just waiting for an excuse to slap the irons on some innocent guy just because he tried to steal from others. In fact, they probably won't like you pointing out their nefarious plans, probably best you cut off all communications and go into hiding too! Don't forget to wrap your mobile in at least twelve layers of foil, and don't just disconnect your modem, rip the cable out at the junction box 'cos I hear they have alien tech that means they can see you through the wires.....

      /If you need a sarc tag you are too stupid to be using a computer.

      1. Destroy All Monsters Silver badge

        Re: Suckyou Raven He'd better go into hideing then.

        Forgot your pills AGAIN, Matt?

      2. Michael Hutchinson

        Re: Suckyou Raven He'd better go into hideing then.

        "/If you need a sarc tag you are too stupid to be using a computer."

        Yes Matt, you are...

  2. Oliver Mayes

    Writing a fake program that asks stupid people to enter their login details != hacking.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Oliver Mayes

      "Writing a fake program that asks stupid people to enter their login details != hacking"

      Tut, I knew someone would say that. For the purposes of a short and snappy headline, it is. The article lays it all out. What do you think the kid had planned for those passwords?


      1. Flawless101

        Re: Oliver Mayes

        I hope you alerted Jagex that people are hacking their game!

      2. Matt Bryant Silver badge
        Thumb Up

        Re: Re: Oliver Mayes

        Since he wrote code this is actually the original and proper "hacking". If he had just downloaded other people's scripts then he'd just be a skiddie.

      3. henrydddd

        Re: Oliver Mayes

        Some company should hire him as a security consultant.

    2. Andrew Moore

      'phishing' is only one letter longer than 'hacking'

    3. JDX Gold badge


      Typical software geek response... it's not about the end result, only how technically good the implementation.

      Whereas to the rest of the world... the guy sitting on a beach drinking champagne with your money for example,,, it's the exact opposite.

      1. Destroy All Monsters Silver badge
        Thumb Down


        Typical software geek response... it's not about the end result, only how technically good the implementation. ...the guy sitting on a beach drinking champagne with your money for example,,, it's the exact opposite.

        You don't need elegant solutions if you just beat up somebody, then take his purse.

        You do need elegant solutions if you want maintainable, reliable, adaptable, testable code. Or at least something viable when you just want to get paid for your shit in the marketplace.

        Two totally different things.

    4. Anonymous Coward
      Anonymous Coward

      "Writing a fake program that asks stupid people to enter their login details != hacking."

      Actually, using the proper definition of hacking it sort of does. One of my first forays into 'fun' programs I made in college was something that simulated the network's login process, it captured what people entered and presented them with an error that encouraged them to use a different machine, after a few attempts it shut itself down and let people log on normally.

      This was 20ish years ago though, when this sort of thing was harmless fun.

      1. Anonymous Coward
        Anonymous Coward

        "...One of my first forays into 'fun' programs I made in college was something that simulated the network's login process..."

        That's about the third time you've told us that anecdote now. Assuming you're the same AC each time.

        1. Nick Ryan Silver badge

          I'm not that AC, but I did do almost exactly this myself, just for my own curiosity. It caused a bit of a sense of humour failure in the IT department when they were given a list of usernames and passwords, some including their own staff.

          I had no intention of doing anything nefarious* with these details but these days that doesn't seem to matter. They did considerably tighten up on their security before too long though and at least they understood that I wasn't going to do anything bad with them, didn't do it to intentionally make them look bad (otherwise their reaction could have been different), didn't shout about it around the Uni and even showed them what I did.

          * Just had to use that word, it's probably underused.

      2. Destroy All Monsters Silver badge

        > This was 20ish years ago though, when this sort of thing was harmless fun.

        Right. I remember people getting booted from uni for that. Not so "harmless".

  3. Code Monkey

    "11-YEAR-OLD code wizard"

    Aka "exaggerate the skills of the idiot who was able to get around our idiot security".

    1. Andrew Moore
      Thumb Down

      Re: "11-YEAR-OLD code wizard"


      'suggests that kids are "digitally fluent far earlier than previous generations".'

      You might want to explain that to all of us who were coding home computers during the 80s.

      1. historymaker118

        Re: "11-YEAR-OLD code wizard"

        Huh what was that? Something from the government about kids not knowing how to program these days and needing special computer science courses to teach them how? Oh I'm sorry I couldn't hear you over the sound of me laughing my ass off at the irony of this article.

      2. Anonymous Coward
        Anonymous Coward

        Conspiracy theory

        "...suggests that kids are "digitally fluent far earlier than previous generations..."

        Or alternatively, now that any computer-related misbehaviour anywhere in the world leaves you open to extradition and long sentences in US prisons: that adults are hacking, using accounts set up in their kids' names.

        I've heard of shop-lifters using a similar technique by encouraging the kids to nick stuff while mum "wasn't looking". Remember though folks, this approach only works while your kids are under the age of legal responsibility!

      3. jcuk

        Re: "11-YEAR-OLD code wizard"

        Yeah but since I was born in the late 80s and now there has been a lul in said junior interest in coding. Fingers crossed that interest is returning. We need better innovation in software.

      4. Nick Ryan Silver badge

        Re: "11-YEAR-OLD code wizard"

        I was coding in Assembly by 11... but I suspect I was probably more of an exception but then so's this kid.

      5. Michael Wojcik Silver badge

        Re: "11-YEAR-OLD code wizard"

        'suggests that kids are "digitally fluent far earlier than previous generations".'

        You might want to explain that to all of us who were coding home computers during the 80s.

        Yes, this is just another variant on the "digital natives" myth, which has been widely debunked by pretty much everyone who's done methodologically-sound studies on the question, rather than just make idiotic assumptions of the sort that get you a Wired editorship.

        There have been 11-year-old hackers at least since the rise of PCs in the 1980s. I spent many an hour poking[1] around in the address spaces of Commodore, Tandy, Atari, Apple, and IBM PCs in the early '80s, and I'm sure many others here did too. I don't remember anyone I knew personally creating malware at quite such a young age, but I did have a thirteen-year-old friend whose hobby was hacking software for the Atari 800 to disable its copy-protection features.

        I spent the summer of my eleventh year writing software for the Commodore PET with my father.[2] We were working primarily on a program to track book withdrawals for the school library, which owned said PET. It was a great introduction to software development: it was a project that the ostensible customer didn't want, performance was lousy (audio-cassette media), it was unreliable (did I mention cassette media?), it took a lot longer than expected, and we never really finished it anyway.

        Good times.

        [1] Heh.

        [2] More precisely, the evenings of that summer. During the day we were residing the house in cedar shingles. Do kids still do that?

    2. JDX Gold badge

      Re: "11-YEAR-OLD code wizard"

      How is their security 'idiot' if someone puts an app on FaceBook which users download and enter their details into?

      Still, you managed to get a few plus votes by following the usual tactic of insulting someone with an argument which appears on cursory glance to seem sensible. Quite the heights of Reg debate then really...

    3. Matt Bryant Silver badge

      Re: Code Monkley Re: "11-YEAR-OLD code wizard"

      "......Aka "exaggerate the skills of the idiot who was able to get around our idiot security"....." He did not get around the security system, he used a social engineering trick to get people to load code that captured passwords and logins, presumably so he could then use those to access via the correct security protocols. The only thing he got around was the stupidity of the cheats using the code. The actual game security was just fine.

    4. MrT

      But code wizard...

      ...refers to the target game and not the coder skills.

      I might be reading too much into this though...

  4. Lee Dowling Silver badge


    When I was 11, I wrote a thing in VB (I think it might even have been VB 1.0, I can't remember) which perfectly emulated a Windows 3.1 network login screen (I can't remember the underlying tech, but it was RM-branded and probably Netware-based), complete with working help file and everything.

    You logged in as any old dummy account, ran that program, it went full-screen, it even intercepted things like trying to switch away or kill the program (this was pre-Ctrl-Alt-Del providing the logon screen), and it looked and worked pixel-for-pixel identical as a login screen. They you got your target to log in. It faked a password refusal. They would invariably try a couple of times and then move onto another computer. You come along and "log in" with your details and it would let you access ("Must have been typing your password wrong"), and in the user area would be left a nice plain-text list of usernames and passwords tried, which you could then go and try on the REAL login screen at your leisure.

    Got admin access to the whole network that way, at least twice, and(because I'm nice) revealed how.

    When I was 15, we got admin to the whole network in a way that was so obscure, I had to craft the defence against it for the school network manager, on an OS that had NO concept of security at all (it involved using Word macros to discover hidden drive shares, but it worked and was only about 200 lines of code).

    Why is it surprising that 11-year-olds can do this? They *SHOULD* be able to do this already, rather than peeing about in Logo and Scratch. They shouldn't ACTUALLY do it, because of the legal issues involved, but they should be capable of at least worrying the network admin. And I'm a school network admin!

    P.S. physics teachers shouldn't use words like "displacement" and make a password like "d15placemen7" from them. Hell, after that I guessed his next 3 passwords without even trying to write a program to do so. Teachers should also NEVER challenge a group of kids to "hack the network, because it'll be a learning experience and you'll find out that we're pretty locked down", especially not when there's a geeky-kid in the room.

    1. Anonymous Coward
      Anonymous Coward

      I just...

      Used paint and took a screen print... ;)

    2. mark 63 Silver badge
      Thumb Up

      me too

      I did that too, with the DOS based NOVELL 3 login routine at college circa '92

      Got a special "Written warning" certificate I'm very proud of.

      Could've done it better, and never keep your source code in your home drive.

      Got blamed for a lot of stuff that really wasnt me!

    3. Sooty

      I recall the good old days of school computer security... Where the drives were just hidden to secure them, and creating a Shortcut to c: could get you access to them.

      I don't think the IT teacher ever figured out I was using winpopup to troll the thickies, and was completely stumped as to how a group of us were playing network games of hearts in the lessons.

      I was coding long before I was 11, good old Sinclair basic and computer magazines full of code listings and I learned all sorts from it. Even when I started on pcs it wasn't plain sailing. My first experience of dos was fiddling around with interrupt and dma settings in several vain attempts to try and get some sound in games. Nevermind the joys of EMS and XMS. Kids today have it far too easy to actually learn much from what they are doing.

      But things are far too easy and reliable nowadays, nothing ever goes wrong so you don't get people delving into the internals to try and get things working, they may be able to do a lot more than we could, but it doesn't mean they actually know and understand what they are doing.

    4. P. Lee

      vb... geeky-kid...

      Until you have at least one subroutine written in hex, (ok wuss, assembly if you must!) it doesn't count!

      Now, gerroff my lawn, young'un!

      Mine's the one that patched together from 8 bits of cloth with holes you can peek and poke through...

      1. Lee Dowling Silver badge

        The school only used VB, so I was spending my school time productively on the products they wished me to learn.

        The week before, I'd written an x86 assembly CD-protection-removal "crack" for a game I'd bought. It involved Ralf Brown's Interrupt List and MS-DOS debug.

        Geeky enough for you? It was just a waste to use those sorts of things in schools when a simple Word macro or VB interface was enough.

        1. Anonymous Coward
          Anonymous Coward


          Yes, when I was young I did lots of learning as well.

          One thing I thought was pretty common sense though is what is illegal and what isn't.

          I could have hacked a whole bunch of things; I might even have got away with it, but I knew it was wrong. Even when I was seven years old I knew the difference between right and wrong. I could have written malicious code then, and could probably make a pretty good virus today, but I choose not to because I understand the potential consequences and take responsibility for my actions.

          Unauthorised access to a computer is illegal. Deception is illegal. It is obvious why we have laws against such things.

          Sometimes, we may not agree entirely with the letter of the law but we all have to play by the rules. If you do something you know is ethically wrong and then get caught, you have absolutely no room to whine about it.

          1. mark 63 Silver badge

            Re: "Learning"

            yeah well things were a lot greyer up till early 90's

            The authorities were still busy hammering out laws they didnt understand and the spirit of adventure was in full bloom.

  5. Anonymous Coward
    Anonymous Coward

    No surprise.

    I'm one of the authors of the new release of the ISECOM Hacker Highschool project, and from what I hear from those who have now taken this into classrooms, kids simply *are* that ahead. They grow up with this technology, so they don't have any barriers when it comes to trying things, and it's up to the older generations (like us, he says, reaching for his Zimmerframe with attached VT100) to guide that into more safer areas.

    Switching it off won't work, it just means you lose the ability to guide them towards a safer MO and an understanding of the consequences.

    1. adnim
      Thumb Up

      Re: No surprise.

      I downloaded that a few weeks ago after the notification in FD. Must get around to reading it sometime. I expect i might learn something.

      Thanks for making it free.

      The thumbs up is for you

    2. Michael Wojcik Silver badge

      Re: No surprise.

      Sigh. Another "digital natives" myth-bearer.

      Look into the reliable studies. In general, the current generation is not significantly more technologically savvy in any useful way (eg in understanding how technology actually works, or in awareness of security risks associated with technology). Yes, there are exceptions; but there have been such exceptions for decades.

      The only "barrier to trying things" was access, and that began to rise dramatically in the early 1980s. Since then the only changes have been quantitative.

  6. adnim


    During a 'C' coding course I took in the early nineties I wrote code that emulated the login prompt. The system was Xenix. My code would dump both the user name and password to a file and return "password incorrect" regardless of the password entered, and then run the real login prompt. It emulated the Xenix logon exactly. I managed to do this just a couple of weeks into the course, so I was hardly a wizard or a competent programmer.

    I ran it on the terminal that the course tutor used... The silly man always logged in as root.

    I didn't consider that hacking because it wasn't... Neither is this.

    1. JDX Gold badge

      Re: hacking?

      Well done, it only took you a few weeks of teaching to reach the level of an 11-yo.

      1. adnim

        Re: hacking?

        idiot. It took me a couple of weeks of LEARNING. I was the pupil.

        Who pissed on your strawberries?

    2. Anonymous Coward
      Anonymous Coward

      Re: "didn't consider that hacking"

      The thing is, the law doesn't care what an ignorant moron like you considers to be legal or illegal.

      We have something called writing which allows the rules to be defined.

      May I suggest therefore that you look up the Computer Misuse Act 1990 for a start. Those who are unfamiliar with the concept are also encouraged to read about deception in criminal law which I think you will find interesting.

  7. EvilGav 1

    Hacking ?


    Having seen the "app" in question it's little more than a C# variation of the "Hello World" intro code.

    Adding in two text boxes and a drop-down and prettying up the interface, along with the submit button, is a long, long way from hacking.

    It even requires the user to download and run the application.

    It's social engineering, nothing more.

    1. JDX Gold badge

      Re: Hacking ?

      Social engineering is hacking. The best hack is the one that doesn't take much work.

      1. Destroy All Monsters Silver badge
        Thumb Down

        Re: Hacking ?

        > Social engineering is hacking.

        No. Social engineering is Social engineering.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hacking ?

          In the UK there is no offence called "hacking".

          There are plenty of other offences though that one can fall foul of when straying into this area.

          Whatever it was that he did, he was deliberately deceptive and knew that was wrong, whether he be 11 or 111 years old.

  8. Mr. Nobby


    In the classic sense, yes. The kid hacked out some crappy code for a quick and dirty solution to a problem he was having regarding other people's accounts and his lack of access to their phat loot.

  9. Lars Silver badge


    "kids are "digitally fluent far earlier than previous generations"".

    Digitally or what ever, If this wasn't true we would have disappeared long ago.

    Kids keep surprising me, and sometimes I wonder what goes wrong later. The disease of growing up and loose ones confidence, fear, religion, teachers or something.

    1. Anonymous Coward
      Anonymous Coward

      Re: "loose"

      I think that by most measures I have 'grown up' but I like to think that I am still quite tight.

  10. Stevie


    "AVG Technologies said this isn't the first time a child-built nasty has wandered onto its radar, and said the age of the Canadian developer suggests that kids are "digitally fluent far earlier than previous generations"."

    Well what do you expect when you give kids the Raspberry Pi and make them learn "real computing"?

    Surface-mount madness. Satan on a PCB. Ban them now. Fought two wars. Threat to the Empire. Etc. More Etc.

  11. Katie Saucey
    Thumb Down


    People are retards, and will always cheat/take the easy way for profit (even if it's just Rune gold).

    Also, WTF is with the hardware/games comment pages? Defaulting to a "most votes" ranking seems kind of pointless for the Reg forums. Since a fair % of comments generate further response/follow-up, most of the top voted comments are left displayed with no context. Basically to find out what's up, you need to click through to the "all comments". This would be done anyway if you had any interest in the discussion. This, leaving the "most votes" section at best, a waste of electrons, and at worst an inconsistent eyesore.

    1. Anonymous Coward
      Anonymous Coward

      Re: Comment page style

      I agree, this new layout is rubbish.

      It encourages commenting on a post without reading the actual thread, which is going to result in lots of repetition of the same points.

  12. Anonymous Coward
    Anonymous Coward


    nothing a date with a wooden spoon can't fix.

  13. Anonymous Coward
    Anonymous Coward

    A perfect example...

    ...of why all hackers, scammers and pirates should be seriously punished. If they're dumb enough to hack, steal or scam, then they're dumb enough to go to reform school until 18 years of age and prison if over 18 years of age.

    1. Naughtyhorse

      Re: A perfect example...


      cos with a few more right thinking people like you then woz and jobs would still be in the slammer (blue box anyone??) and the world would be a better place.

      not a bad comment from a self confessed fandroid!

      It's frankly astonishing to see so many narrow minded, closed in viewpoints being expressed here. probably envy, but an 11 year old kid saw a 'problem' and fixed it (from the 11 year old's perspective).

      they showed some initiative, somewhat misguided i'll concede, but nonetheless initiative.

      stick a white hat on them and they could turn out to be of some benefit to mankind.

      1. Anonymous Coward
        Anonymous Coward

        He cheated.

        That's not a "fix", it's deception.

        Parents should be teaching their kids the difference between right and wrong.

      2. Anonymous Coward
        Anonymous Coward

        Re: A perfect example...

        "woz and jobs would still be in the slammer"

        a) and this would be a bad thing because... ?

        b) I think they'd have removed Jobs from his cell, he'd be starting to smell a bit

  14. RAMChYLD


    I thought these little runts are known as "Script Kiddies"!

    1. Naughtyhorse

      Re: Hacker?

      just shows how little you know then dont it

  15. JaitcH
    Thumb Up

    " ... very young individuals writing malware, including an 11-year-old from Canada"

    I guess this is the audience that Raspberry Pi seeks to encourage with their project.

    These youngsters should be encouraged to pursue their interests, although not password cracking, and the Canadian authorities should go light on this chap (he has not reached an age of criminal responsibility which is 12 in Canada) so that, hopefully, will keep him from getting a lengthy stretch of incarceration in a US jail, (the present Harper Tory government prostrates itself in front of the US government), or driven to suicide by an over zealous US prosecutor.

  16. TimChuma

    Social engineering strikes again

    "Social" methods of hacking such as ringing people on the phone and asking for passwords have been around for decades. Exploiting people's greed or wanting to get ahead in games without having to either pay for it or earn the advancement by actually playing the game is a newer thing. Why would you not want to play the game though?

This topic is closed for new posts.

Other stories you might like