Hackers Underworld 2: Forbidden Knowledge

home *** CD-ROM | disk | FTP | other *** search

/ Hackers Underworld 2: Forbidden Knowledge / Hackers Underworld 2: Forbidden Knowledge.iso / VIRUS / PSTROJAN.DOC < prev next >

Wrap

Internet Message Format | 1990-12-02 | 13KB

From Jeff Shulman While I have yet to actually see this trojan there does seem to be enough evidence that one actually exists. What it is is either some font, graphic or document that resets the LaserWriter password to something other than zero (the default) causing further print jobs the next time the LW is reset to fail. Since it really isn't a Mac executed piece of code you cannot use something like "GateKeeper" to prevent it from doing anything. I suppose you can scan for it but you would have to virtually scan every document for it. The best remedy is to either prevent the password from being changed or just change it back to zero. The following are some messages I have seen that discusses these options. Note, I personally cannot vouch for them and am provided them with no warranty... Jeff VirusDetective author ------------------------------------------------------------------ Subj: LW PW Change Prevention - 90-07-26 19:15:22 EDT From: Jeff Shulman I've attached a copy of the fax Henry Norr forwarded to me to the end of this note. I don't know how knowledgable Peter Fink is. He certainly knows more about PostScript than I do, but that's easy, since I don't know any PostScript. I've also included a copy of a posting by Woody Baker which appeared on comp.virus today. This posting claims that it is possible to read EEPROM and hence determine the "evil password." This is important, since it means that it would NOT be necessary to replace the EEPROM as claimed by Fink. I'm passing all of this on to the rest of you in the hopes that some Masher is a PostScript expert and can make some sense out of all of this. John Norstad -------------------------------------------------------------------------- From: Peter Fink, DesktopTo Press, 617-527-1899, FAX 617-332-1533 To: PostScript Imagesetting Community - Manufacturers, Software Vendors, Press Date: July 22, 1990 Subject: Password-change vandal and protective Password Alert! PostScript code Peter Fink Communications, Inc. DesktopTo Press 26 Wetherell Street Newton MA 02164. Dated July 22, 1990 Message: It appears that some sort of "Trojan Horse" PostScript file has been vandalizing PostScript RIPS and printers by resetting their passwords to an unknown value. This forces the owner to replace the printer's EEROM. The problem has occurred in several separate areas of the USA during the past few weeks. MacPrePress reported the problem two weeks ago. Friday we received a report from New York City of a password change that day. The nature of the password vandal is not yet known. We have developed simple protective PostScript code, however, and are disseminating it free of charge. This code will also help find the offending file. Details and Password Alert! PostScript code follow. Please feel free to distribute this material inside and outside your organization as needed. ----------------------------------------------------------------------------- Subj: LW PW Change Prevention (cont) 90-07-26 19:17:54 EDT From: Jeff Shulman Password Alert! serverdict begin 0 exitserver statusdict /setpassword {userdict begin /evilpassword exch def pop (!! PASSWORD ALERT - NOTIFY OWNER!!) - flush /Helvetica findfont 24 scalefont setfont 20 50 720 {70 exch moveto (!! PASSWORD ALERT - NOTIFY OWNER!!) show} for showpage } put [note - I have transcribed this from a fax of a fax, and I do not know any PostScript. It was particularly difficult to distinguish between curly braces and parentheses in the copy I received. So there may well be errors in the code displayed above - JLN] Password Alert! is designed to do three things: 1. It protects your RIP by redefining the setpassword operator. This redefinition remains in effect from the time you donwload Password Alert! until the time you reset or reboot the RIP. 2. If a print job tries to reset your password, Password Alert! crashes the job (which probably doesn't produce a page anyway), sends an PostScript message to the printing application, and screams bloody murder via its alert page. 3. Password Alert! also captures the "evil" password you were about to receive and stores it harmlessly in userdict so you can reveal it to the world. (If we're lucky, the vandal substitutes the same evil password for zero in all cases. If this is so, knowing the evil password will save future victims considerable time and money. By the way, the evil password might not be an integer, despite what it says in the Red Book.) If an alert page shows up in your shop, you should apprehend the file being printed, complete with associated graphics and fonts (likely candidates for the vandal code). You should also immediately use the Print Evilpassword utility on the next page to obtain a printout of the evil password - and of course you should contact us and the entire PostScript community. Associated with Password Alert! are three brief utility PostScript files: 1. Test - Attempts to change password (to confirm that Password Alert! is installed) serverdict begin 0 exitserver statusdict begin 0 1 setpassword Test tries to change the password from 0 to 1. Download this file after downloading Password Alert! - you'll probably see the alert message and the alert page should print. If this doesn't happen, Password Alert! hasn't downloaded successfully (or has been transcribed incorrectly). You will probably see the standard %%[exitserver... message. If so, Test has changed your password to the number 1. 2. Revert to Zero - Changes the password from 1 back to 0 if needed. serverdict begin 1 exitserver statusdict begin 1 0 setpassword Revert to Zero changes the password from 1 back to 0. Download Revert to Zero if Test gives you the standard %%[exitserver... message and no alert. 3. Print Evilpassword /Helvetica findfont 12 scalefont setfont 70 70 moveto (The evil password is: ) show userdict /evilpassword load 256 string cvs show showpage [The word "cvs" in the third line above may have been "cvg" or something else - it's very unclear on the fax of the fax. I think it must be "cvs" for the PostScript "convert to string" operator - JLN] If Password Alert! prints an alert page, someone has attempted to change your password. You may have foiled the vandal - and captured the evil password! If so, download Print Evilpassword to print a page with the evil password. Do this before rebooting the RIP, because rebooting will remove the captured /evilpasswor that generated the alert page, plus all associated fonts and graphics files! If you obtain the evil password (and/or a suspected vandal file), contact Peter Fink and DesktopTo Press at the address, phone or FAX below. Password Alert! should work on all PostScript implementations, and probably also on clones that use exitserver and the PostScript password sheme. I'd like credit for writing this program but claim no commercial rights - this code is free and (as always) used at your own risk. Every service bureau with PostScript or PostScript-compatible printers should use this or similar code immediately. Hope this helps you! Peter Fink, DesktopTo Press 617-527-1899, FAX 617-332-1533 26 Wetherell Street, Newton, MA 02164 ----------------------------------------------------------------------------- Subj: LW PW Reset 90-07-26 19:20:13 EDT From: Jeff Shulman From: quando@ibmpcug.co.uk (Nigel Yeoh) Subject: resetpassword.ps Summary: resetting passwords on the laserwriter Date: 19 Jul 90 23:22:47 GMT Organization: The IBM PC User Group, UK. Here is the piece of code that resets the password in a PostScript printer, which I've obtained. I'd like to make a point of clarification. Some people might know that Woody Baker offered to make copies of his code available to people who wrote in to him, subject to slightly more onerous conditions than at least one other person on the net thought correct. I then offered to make