home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Cuteskunk BBS
/
cuteskunk.zip
/
cuteskunk
/
Virus
/
Virus-Magazines
/
CryPt2
/
crypt35.txt
< prev
next >
Wrap
Text File
|
2003-06-29
|
86KB
|
3,503 lines
CRYPT NEWSLETTER 35
January-February 1996
Editor: Urnst Kouch (George Smith, Ph.D.)
Media Critic: Mr. Badger (Andy Lopez)
INTERNET: 70743.1711@compuserve.com
Urnst.Kouch@comsec.org
crypt@sun.soci.niu.edu
COMPUSERVE: 70743,1711
ăƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒ°
ä Contents: Crypt Newsletter #35 ä
┐ƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒƒì
THIS ISSUE
MEDIA
Bill Gates as Citizen Kane
BOOKS
"Virus Detection and Elimination" by Rune Skardhamar
Shimomura's "Takedown" v. Littman's "The Fugitive Game"
"Data Security" by Janet Endrijonas
NEWS
Comments from Norton Anti-virus employee _re_ Central Point Anti-virus
FIDO/Internet mail gateway closed by hacker stunts
I put a spell on you: Cursing a hard disk under Microsoft DOS
Grab bag: Boza - an alcoholic beverage or just another press release
computer virus; Ludwig virus CD-ROM sales top 1400, second edition
planned; Virus-writer Chris Pile gets 18 months hard time
SOFTWARE
ARF anti-virus wins the Crypt News unique name trophy
MISCELLANY
Letters page
Crypt Newsletter Hypertext
Crypt Masthead Info
Credits/Acknowledgment
BILL GATES: A NINETIES CITIZEN KANE IN SEARCH OF HIS ORSON
WELLES AND HERMAN MANKIEWICZ
While reading William "Randolph" Gates' "The Road Ahead," Crypt
was struck by Microsoft chairman's crying need, a seeming
unconscious urge, to be seen as this age's Charles Foster Kane.
On and on Bill went about his Xanadu, the mega-gajillion Gates
electro-fortress being built as a small republic outside
Seattle.
Like William Randolph Hearst, whom Orson Welles and Hollywood
screen-writer Herman Mankiewicz pilloried as Charles Foster Kane,
Gates appears obsessed about the collection of art treasures hoarded
within his home. Visitors to Gatesadu, like party-goers at Hearst's
Rhode Island-sized estate in San Simeon, will be able to call up
portraits of "presidents, pictures of sunsets," planes, rare stamps,
the Beatles, and reproductions of paintings from the Renaissance.
Like Hearst, who essentially looted everything he saw that he liked
around the world and had it crated and shipped to San Simeon,
Charles Foster Gates has done the same for the digital era.
Unlike Hearst, Gates hasn't run into an equivalent of the Great
Depression and Franklin D. Roosevelt.
However, there is something that every cyber-citizen can encourage.
Bill Gates needs a movie like "Citizen Kane" to balance his life.
You should support this idea.
Hearst was damn near the richest man in the world when Orson
Welles - then in his twenties - collaborated with Herman Mankiewicz
on "Citizen Kane." Mankiewicz was a colorful drunk and writer who'd
been to many, many Hearst parties at San Simeon. As an insider, he
knew enough to make his screenplay hurt. According to the story, Welles
and Mankiewicz ran the script for "Kane" by studio lawyers and then
laughed and joked about how they would stick it to Hearst while working
the phrase "Rosebud" into the movie as Charles Foster Kane's dying word.
In reality, "Rosebud" was supposed to be a cruel jibe: a Mankiewicz play
on the alleged secret name Hearst used when referring to his mistress',
Marion Davies, private parts.
Weird and humorless, Gates is a natural for "Citizen Kaning."
In "The Road Ahead" he takes a paragraph to describe what he thinks
the average person carries every day: a tangle of credit cards, keys,
cameras, a tape recorder, a cell phone, a pager, a few more
electronic gadgets, notepads and last - a whistle to aid in summoning
help. In the bleak world of "The Road Ahead" Gates gives the reader the
impression that he looks forward to a life where everyone's
waking moments are recorded by video cameras, electronic sensors,
and PC's. It might be "a little chilling" but the benefits outweigh
the negatives. If you think this is awful, what did you expect when
the only offerings written about Gates that make it to mass market
are controlled autobiography and hagiography by flacks from the
computer industry?
Gates has already acquired his version of "Kane's" Jedediah Leland,
the ex-Ivy Leaguer liberal puppet and drama critic Charles Foster
Kane hired to write for his newspapers. It's Michael Kinsley.
Is there a Marion Davies in the life of Bill Gates? Who cares? Write
a script about it, anyway. Make someone up for the role. Ann Winblad,
a one-time Gates paramour, as a screechy, crossword puzzle-playing
no-talent locked away in the brightly lit labyrinth of Gatesadu,
is one possibility. Welles admitted portraying Hearst's real mistress,
Marion Davies, as a shrill alcoholic opera-singer was a dirty trick,
nowhere close to the truth -- designed merely to antagonize an old
rich man.
The circle will close when our Orson Welles nears release of
"Citizen Gates."
Enraged by the calumny in it, William Foster Kane vows from Redmond
that it will never see the light of day. He's on the phone to future
president Al Gore, urging the leader to jawbone the FBI into opening
an investigation into un-American activities inspired by the director
of "Citizen Gates." NBC and Microsoft-NBC start running news clips
attacking the producer as a pervert and philanderer. Gates threatens
to not allow any advertising for the movie or future movies produced
by Hollywood on the Microsoft Network if the industry doesn't bury
"Gates." Michael Kinsley writes a review after seeing a pre-screening
and, in a paroxysm of self-loathing and guilt over his end as an
instrument of the ultimate computer nerd, declares it brilliant. He
then passes out hunched over his word processor. Charles Foster Gates
fires Kinsley the next day with a severance check for $250,000.
Then, just as it looks like "Citizen Gates" is about to go into
massive distribution worldwide, the software magnate really starts
putting on the pressure. Gates instructs his army of lawyers to begin
a $2-billion dollar SLAPP civil suit against the studio and producer of
the movie. The campaign is a partial success. Release of "Gates" is
restricted to art houses. It receives rave reviews but dies on
the vine. The producer moves to Europe to escape Gates'
bully-boys. The only work the famous director can get as he nears
the end of his life five decades later is as a pitchman for lousy wine.
Finally, at age 93, William Gates dies. A recluse in his monster
techno-home for years, Gates fell off the national podium when
the glistening world he predicted in "The Road Ahead" became
the cruel cement of reality. Unfortunately, the Middle Class
buying power that financed Gates' empire in the 80's and
90's was also put out of work, obsolete, in his version of the
future. Unemployed or underemployed, it could no longer afford the
computing machinery needed to run and enjoy the software of Charles
Foster Gates and with that, the Microsoft magnate's world collapsed
quietly and without ceremony.
A butler and a nurse reported the last word of Charles Foster
Gates, in bed, as a gray plastic mouse slipped from his cold
grip to break silently on the floor.
"Windows."
PERILS OF WISDOM: DANISH VIRUS WRITER'S BOOK ON VIRUS DETECTION
SURE TO BE COLLECTOR'S ITEM
Faithful readers of Crypt Newsletter know that when they see
the tired hacker bromide "Information wants to be free!" it's
time to grasp the wallet firmly because a ripoff is in the
making. Danish programmer Rune Skardhamar's computer virus
book for Academic Press ($35 cash money) drop-kicks the reader
with cliches like "Information [on computer viruses] needs to be
free" in the introduction and goes steadily downhill with a
collection of humorous errors, non-working computer virus samples
pulled from virus exchange BBSes and rudimentary anti-virus
programs which, if assembled, either corrupt computer files
or pronounce virus-infected programs clean.
Skardhamar cites Fred Cohen in his reference list but amusingly
goofs up the name of the Lehigh virus and the university - he calls
them "Leigh" - where Cohen spent time prior to the outbreak
of the former. This is an interesting error because the Lehigh virus
also led to the formation of the Usenet's comp.virus newsgroup, another
citation in Skardhamar's bibliography. The last time Crypt checked,
both Fred Cohen and Virus-L/comp.virus seemed to know how to spell
Lehigh.
Anyway, another source for the book is phalcon/SKISM's 40Hex magazine
which Skardhamar calls possessed of a "propagandist" view of computer
viruses. Paradoxically, one of the viruses included in the book is a
direct action .COM-infector produced by the earliest version of the
phalcon/SKISM MPC virus-maker software which, as published, does not
work. Skardhamar's PS-MPC virus sample contains a small error in one
of its DOS function calls that ensures its code cannot be written
to host files and while it's an easy correction for most people
familiar with computer viruses, it's probably beyond the ability of
the audience of beginners at which the book is aimed.
Purely by serendipity, this is to Skardhamar's advantage.
Here's why:
"Virus Detection and Elimination" also comes with a companion diskette
containing some TASM-compatible assembly language programs written
by the author for the purpose of detecting and disinfecting the viruses
included in the book. The "disinfector" for the PS-MPC virus is quite
novel in approach: It cleans the virus by truncating infected programs
by the virus's length and then overwriting the remainder of the
program with garbage from memory, totally corrupting the file.
This appears to be another laughable gaffe which most readers
won't run across simply because the virus the book's "cleaner" is
paired with isn't contagious.
Another interesting example of Skardhamar's approach to virus
detection is the scanning program designed for a companion virus
included in the book. The virus, written by "Wonko the Sane" and
dubbed "The slightly orange avenger" works if you detect the typo
in the code and add a space. (Even for those who don't recognize
it, the error is so small that running the instructions for the
virus through any assembler will flag it and prevent compilation
until a correction is made.) However, the scanner for "Wonko the
Sane's" companion virus doesn't work, instead inspecting infected
files, the binary images of the virus, and gaily announcing to the
user "OK"!
Other virus programs included in the book are a variant of the
Trivial family of overwriting viruses, a DOS .EXE-program infector
and a Stoned derivative with a program launcher for infecting
diskettes with it. Although not all of the programs on
Skardhamar's diskette were tested, the reader might approach the
code (particularly the detection and disinfection routines) slowly,
given the performance of other examples offered upon it. Indeed,
disclaimers peppered liberally across the diskette balefully proclaim:
"No responsibility whatsoever will be taken for any damage
incidential [sic] or otherwise resulting from the use or misuse of
this program. Neither will responsibility be taken for omissions
or errors in the code, comments etc. You are now resonsibly [sic]
for your own actions."
This type of indirect warning that the reader is about to suffer
a computer hotfoot is paraphrased straight from the computer virus
underground.
The point to be made here, and which I suspect was a bit beyond
the technical editors at Academic Press when they went over the
manuscript - is "Virus Detection and Elimination" is in many ways,
simply the product of trolling virus exchange BBSes and refitting
the subject matter recovered in a more expensive-looking suit.
It's fair to say that lay readers will find portions of "Virus
Detection and Elimination" extremely fascinating
but it would have been easier on consumers to give it a title like
"What I Found After a Few Months of Visiting Virus Exchanges on
BBSes and the Internet" since there is nothing in the book's enclosed
programing that is of much practical use in "detection and
elimination." Of course, a good editor could shorten the new title
to something a bit more zippy and saleable.
Additionally, "Virus Detection and Elimination" covers technique, also
apparently lifted from 40Hex and other files from the computer
underground, on making viruses refractory to trivial attempts at
analysis. In its computer virus history portion, retold again is the
legend of Bulgaria as computer virus factory for the world. The story
has been repeated and exaggerated so often for magazines and newspapers
it's now an inescapable tenet of computer virus lore. An enterprising
individual in search of a few quick bucks would be smart to consider
printing up some black T-shirt's, perhaps emblazoned with "I survived
the Bulgarian computer virus factory!" and setting up a kiosk at
hacker conventions in 1996.
Dave Hannon, an editorial staffer at Academic Press, commented to
Crypt that English was Skardhamar's second language. For readers
of "Virus Detection and Elimination," it's, uh, noticeable. As for the
faults in the anti-virus programs and viruses included with the book,
Hannon also conceded appraising the material and code included in the
book was beyond the technical ability of its American publisher and it
fell to the author to look over his own material for mistakes of this
nature prior to publication.
"Please do not use the information carried in this book to wreck
havoc," Skardhamar writes near the end of his book. He means "wreak
havoc." Further, he writes, "Any stupid fool can make a virus; the
genius is the one who will put the coding techniques to some creative
use." In view of the "code" included with "Virus Detection and
Elimination," this statement - as Skardhamar's parting shot - is
a bone-crusher. His bones, though, not yours, making the book
a solid collector's item amid the increasing "lore" devoted to
the world of computer viruses.
SEX, LIES & COMPUTER TAPE: ON THE TRAIL OF KEVIN MITNICK IN
TSUTOMU SHIMOMURA'S PAEAN TO HIMSELF AND JON LITTMAN'S
"THE FUGITIVE GAME"
At least two volumes will catch your eye this month as US publishers
gear up for the Kevin Mitnick-money chase: Tsutomu Shimomura's
"Takedown," an auto-hagiography of the author that only incidentally
deals with the dark-side hacker, and writer John Littman's "The
Fugitive Game" which holds up much better than "Takedown" in
terms of human interest, computer shenanigans and controversy.
"Takedown" (Hyperion) is an unpleasant, tedious read revolving
around the reality that while Shimomura may have been able to track
Kevin Mitnick, he can barely write an interesting story even with
New York Times reporter John Markoff to prop him up.
"Takedown's" turgid quality is magnified by Shimomura's intent
to sing a paean to himself and his computer feats. He's so
hell-bent on it, in fact, he comes off unselfconsciously repellent.
In "Takedown," everyone but Shimomura and his cohort, John Markoff, are
criminal worms, in the way, or country bumpkins and dolts.
The reader will feel particularly sorry for the FBI's Levord Burns. As
written up in "Takedown," Burns is a fossilized piece of wood,
intermittently described as either always home in bed fast asleep when
the game's afoot, baffled to the point of silence by the technical
nature of the pursuit of Mitnick, or falling into a doze on the
telephone while being badgered to perform some minor duty connected
with the chase. The Computer Emergency Response Team is a vague,
inefficient, slow-moving bureaucracy. The NSA is another big, dumb
government institution to Shimomura, even though he's trying to squeeze
funding from it at the beginning of the tale. Andrew Gross, Shimomura's
Renfield, is always screwing things up, tampering with files, messing up
evidence or being a stumblebum for our cyber-Poirot. Julia Menapace, the
girlfriend, is a co-dependent who can't decide to throw over her
ex-paramour - John Gilmore of Sun Microsystems - fast enough for our
hacker tracker, even while Shimomura's being a cad with her in Gilmore's
home.
At least fifty percent of the book is devoted to Shimomura explaining
his life of privilege in the same detail he uses to describe the
names of his computers. Eventually, the battle is joined and our
cyber-sleuth and his entourage light out on the trail of Mitnick,
blamed for invading Shimomura's computer over Christmas. It would be
exaggerating to say this is interesting. The details of the
Mitnick-hysteria and Shimomura chase have been repeated so often in the
media already none of the story is fresh except for parts near the
end where Shimomura grudgingly admits that it might not have been
Mitnick who was into his computers in the first place, but an unknown
collaborator who finally panicked and begged him off the chase
in a message on his answering service after Mitnick was in custody.
Yes, but Mitnick and his collaborator called Shimomura names and made
dirty jokes about our hero on an Internet talk channel, dammnit!!
That made it personal! Nyahh, nyahh, nyahh! And Mitnick was reading
other people's mail on the Well and into Netcom! Of course, Kevin
Mitnick is no hero but Shimomura's a thin, thin choice for
a celebrity cybersavior. Ultimately, "Takedown" is completely lacking
in the kind of humanity, self-effacing wit and style of Cliff Stoll's
"The Cuckoo's Egg," a prior classic on hacker takedown, mostly because
its author can't help being a boor.
However, there is a choice on bookshelves. Jonathan Littman's
"The Fugitive Game" (Little, Brown) is better. For reasons probably
having to do with the general knowledge that Littman was writing a
book about hackers, Mitnick started calling the reporter regularly
during the same period of time Shimomura was on his case. And unless
Littman's making everything up, the result makes Shimomura and John
Markoff look like turds.
Littman's book bolsters the idea that it wasn't Mitnick who was
into Shimomura's system and that what the San Diego scientist did
wasn't particularly special -- a Seattle man, Todd Young, had
tracked and spotted the hacker in that city long before Shimomura
came along but allowed him to escape through a combination of ignorance,
bad luck and disinterest in the gravity of Mitnick's alleged
criminal doings.
In "The Fugitive Game," Littman accuses Markoff and Shimomura of
a cozy relationship stemming from an old article in WIRED
magazine on cellular phone crime. Markoff's original article
anonymized the identities of the cell phone hackers because they
were playing around with illegality. Littman insists they were
Shimomura and Mark Lottor, an acquaintance of the author and hacker
Kevin Poulsen. The story goes that Shimomura reverse-engineered
code designed to program an Oki cellular phone for the purpose of
reprogramming it into a transmission snooper, or something like
that. When Shimomura's computer was broken into, the material
was copied off it. Littman draws the conclusion in "The Fugitive
Game" that Shimomura, in addition to being fired up over the invasion
of his system, was also embarrassed by the loss of this software,
software he engineered, the author implies, under quasi-legal
circumstances. Indirectly, "Takedown" supports this argument.
Shimomura obsesses over the loss of a file which a reader of both
books might guess contained the Oki software.
Throughout "The Fugitive Game," for the first time in book, Mitnick
is portrayed as a real human being, not a caricature. He has a sense of
humor, regrets, weaknesses, and a pack of serious neuroses stemming from
his jail-time and uncontrollable cyber-fame. But the author isn't
easy on him: Mitnick also comes off as a hardened con-man who relishes
snooping other people's privates, cruel treachery, and duping the
unwitting into compromising themselves or their places of employment.
At one point Mitnick indicates something very interesting about
users of Pretty Good Privacy. Some users of it on the 'Net,
particularly those running services hooked directly to it,
keep their PGP software on the public host. Mitnick laughs at the
lapse - he implies it's been a simple matter for him to put a
backdoor into the PGP source which deliver the keys and passphrase
of the user to another spot on the host he's invaded, compile it and
replace the original host copies. From here, it's simple, he maintains,
to read their encrypted mail -- this in a conversation on Mark Lottor
in which the hacker says he's read Lottor's electronic correspondence.
If there's a need for a bona fide, hiss-able villain in "The
Fugitive Game," Littman produces one: Justin Petersen. Petersen
aka Agent Steal, is a side-plot in the book: a pathological
liar, car thief, and con-man who portrays himself as a
combination cyberpunk/heavy metal rock 'n' roller. Fond of
artificially busty stripper/hookers from the sleazy end of Sunset in
Hollywood, Littman paints Petersen as the maximum disinformer
and criminal -- a squealer for the FBI who embarrassed the agency
by embezzling Social Security funds and then going on the lam when
lawmen tried to reel him in. "The Fugitive Game" has him
bargaining with the FBI for tidbits on Mitnick's whereabouts.
Littman wraps up "The Fugitive Game" with broadsides at Shimomura
and Markoff. With Markoff playing Mitnick as the enemy of all
computerized civilization on the front page of the New York Times,
the stage was set to ensure maximum hysteria and the subsequent
introduction of the reporter's friend, Tsutomu Shimomura, into
a carefully arranged media spotlight. Behind the scenes, Markoff's
agent was negotiating a big money deal - approximately $2 million,
says Littman - for the reporter and Shimomura, three days _before_
Markoff put the physicist on the front page of the New York Times.
Ironically, the increasing cynicism which is the natural crop sown
and cultivated by this type of media rigging for the benefit of men
of privilege is a tale of treachery and contempt, too, but one that
goes well beyond hacker Kevin Mitnick.
Additional notes:
(From July - August - October 1995)
Both the government and Kevin Mitnick's attorneys appeared to be
working privately to settle the case against him without a trial
in late 1995.
In August, Mitnick appeared in court dressed in a conservative
suit and tie for arraignment on a 1989 probation violation.
Mitnick was on probation for an earlier hacking case when he fled
California in November, 1992.
Although no one was talking, it was believed Mitnick's representation
and authorities "were trying to reach an agreement under which Mitnick
would plead guilty to a number of charges in order to avoid going to
trial in all the jurisdictions across the country where he may
[or may not] have committed electronic crimes during his flight."
"We're looking for him to take responsibility for the entirety of his
conduct," said Assistant U.S. Atty. David Schindler. At the time,
Schindler would not say what type of sentence he was driving for.
In various articles printed throughout the news media, Mitnick
was reported able to plea-bargain his infamous early-1995
cross-country hacking and media jaunt into a sentence that commits him
to about eight months in prison, according to John Yzurdiaga, his
attorney.
Mitnick, for part of the plea, will concede guilt in possession
of stolen cellular phone numbers, one of twenty three federal
charges - all concerning cellular phone fraud - against him.
JANET ENDRIJONAS' "DATA SECURITY," A CLEARLY WRITTEN INTRODUCTORY
BOOK ON COMPUTER SECURITY CONCERNS
"Data Security" (Prima, $34.95), although slightly overpriced,
is a clearly written introduction to computer security for
laymen.
While not going over the book point-by-point, one of the more
interesting sections is devoted to computer viruses and what
Rob Rosenberger, a contributor to the section, dubs "false
authority" syndrome. The condition, as Rosenberger describes it,
has contributed to the body of disinformation bandied about in
public on the subject of computer viruses. It addresses the same topic
Crypt Newsletter has touched upon for the past two years: the
unreliability of sources in the mainstream general news media and
computer industry and the lack of proper skepticism leveled at them.
It's a ring-around-the-rosy phenomenon in which "experts" cited in
one news piece become the same experts used by other reporters and
editors jumping on a story as it bumps over the wires. The result:
the same names appear again and again in multiple places with no
question of their credentials as "experts," simply because they
appeared in a primary newspiece. The logical drawback of this is
that if the "expert" is someone who has no idea what he's talking
about but happened to be in the right place at the right time when
a reporter needed a source, the phlogiston he's peddling becomes
magnified over and over until it becomes the accepted version, even
if it's incompetent or utterly self-serving. Information and history on
computer viruses has always been plagued by the phenomenon, the
best example being the hysteria surrounding the Michelangelo virus
non-crisis of 1992.
Pointedly, Rosenberger writes while skewering editor Jeff Duntemann
of PC Techniques magazine: "Jeff Duntemann . . . editor of PC
Techniques, has seen this trend and likens it to what he calls
the 'Green Paint Factor.' If you want to extol the virtues of
a can of green paint, and the best you can say is that it's _green_,
well -- it's probably not good paint." Rosenberger interjects:
"If you want to quote somebody about computer viruses, and the best
you can say is that he edits a computer magazine . . . " Ouch.
"Data Security" is a good, non-patronizing read for the average PC
jockey and is especially user-friendly to those just stepping off into
cyberspace.
SYMANTEC SUPPORT OF CENTRAL POINT ANTI-VIRUS: OBLIGATED BUT RELUCTANT
Crypt Newsletter often sees on-line users inquiring about support for
Central Point Anti-virus. Although the company was gobbled up by
Symantec some time ago, the Norton Anti-virus effort continues to pass
on updates to the program, some of which produce hangs and errors
in the software, often further cruelly confounding the helpless.
The newsletter has also noticed Symantec employees have little
enthusiasm for supporting Central Point Anti-virus. The issue is of
some interest due to Central Point Software's nettlesomely large
consumer base. If Symantec is not enthusiastic about supporting
Central Point licensed software, even to the point of rubbishing it
in public comment, why support Central Point Anti-virus and its
offshoots at all?
Crypt posed this question to Michael Messuri, a Norton Anti-virus
research specialist, in the National Computer Security Association's
InfoSec forum on Compuserve.
His comment:
"Symantec is obligated to provide support for [Central Point Anti-virus].
(I am not aware of the wording of these obligations). However, it is my
opinion that users should be aware of the limitations of [Central Point
Anti-virus] so that they may make the best choice possible for their
antivirus protection policy. While I will provide the best support
possible for [Central Point Anti-virus], I will also inform the user of
the problems of using [Central Point Anti-virus].
Further, Crypt asked, why not just send flyers to the Central Point
Anti-virus user base saying: "The product's not supported, we liquidated
the licensing company, we think it stinks from a technical standpoint
and we're dropping it from our on-line libraries. As a substitute, buy
Norton Anti-virus."
Messuri replied, "On a personal level, I would love to make these kind
of decisions but, sadly, I am only a common worker in the bigger picture
of things and thus am not aware of the many decisions behind these types
of actions."
Crypt appreciates Michael Messuri's candor and hopes the recirculation
of it doesn't result in an unwanted seminar at Symantec corporate.
SONGS OF THE CYBER-DOOMED, II: THE TERMINATOR TERMINATES THE FIDONET'S
INTERNET E-MAIL GATEWAY
Earlier this year, Burt Juda, an administrator for the FIDOnet's
Internet mail gateway announced the network would lose the gateway
as a consequence of a denial-of-service attack on his system
carried out by a couple of the network's ex-sysops, one
of whom - The Terminator - is familiar to Crypt Newsletter followers
of the FIDOnet "cyber-doomed" news stories (Crypt 27 - 28).
Juda commented recently in a post widely distributed by various
on-line networks:
"Effective March 1, 1996, the Internet Gateway at 1:1/31 will
be shutting down. At that point, there will be NO MORE 'default'
gateway for electronic mail inbound from the Internet for [the US].
"The reasons for this termination of service are numerous . . .
"Most recently, an excommunicated SysOp has gone on a rampage of
forging subscription messages to subscribe numerous FidoNet
addresses to . . . unwanted Internet mailing-lists
in a deliberate attempt to 'break' [FidoNet] routing . . . and
the gateway structure."
Further, Juda writes, "I can no longer deal with the voluminous
netmail being received from [people] querying what has happened to
their inbound [electronic mail] coming [through the affected gateway].
Juda added he no longer had the time to support the service when
cyber-denizens "continue[d] to break the rules of its use and
bypass . . . controls."
The Fidonet Internet-netmail junction, which provides service to the
community of amateur, pro and semi-pro BBS sysops and callers who use
the FIDOnet nationwide, was brought to the point of collapse
as a result of mass electronic mail forgery by The Terminator and
another collaborator.
In late 1995, The Terminator and a partner spent an evening ramming the
Fidonet-Internet gateway in Piscataway, New Jersey, with posts forged to
look like they originated from as many FIDO-sysop network e-mail accounts
as could be gathered. This is quite a few -- thousands -- as it turns out.
Many, many of these posts were simply subscription requests to Internet
mailing lists.
Subsequently, the Fidonet/Internet junction was overwhelmed with the
volume of nuisance mail and hung.
The Terminator had been involved in disruption of the FIDO Virus
Information echo and others throughout 1994 and 1995 with re-directed
spam-mail. The mail-bombs, rammed through unsecured FIDOnet mail links
from Europe, Israel and the United States, consisted of virus source
code interspersed with a great deal of text hardcore filth dealing with
transvestism and scatological material fabricated for the occasion
and/or cross-posted from an adult-oriented network.
One example of such mail:
"Are there any persons out there that get off by watching a woman pee?
There is just something about seeing and hearing a woman pee. Not sure
if I am into getting peed upon, but I am always open to new adventures."
Because of the level of trust in the inherently wide-open, difficult
to secure FIDO technology network, FIDO administrators and sysops
were never able to completely plug the system breaches exploited by
The Terminator, leading more recently to the collapse of its Internet
gateway when expanded attacks overpowered the message handling capacity
of the junction and the patience of its administrator.
At the time of the original nuisance mail rammings in the FIDO
Virus Information message base, some BBS operators monitored their
systems more closely for obviously fake mail; others attempted to
secure their automated mailer software with mixed success. Still
others took the expedient cure. They simply dropped service on
the special interest groups affected, the same answer given to the
problem by the FIDO/Internet electronic mail gateway administrator.
Shortly after the initial failure of the FIDO/Internet mail gateway,
The Terminator contacted Crypt Newsletter from Moberly, Missouri, to
point out the interruption in service brought about by the attack.
"The FIDO/Internet gateway is crashed," he said.
The start of attacks on FIDOnet computer virus information message
feeds in 1993 were attributed to Paskell "Geno" Paris of Oklahoma City,
a FIDO sysop and self-styled "technopath" who waged a guerilla war
for control of a small section of cyberspace moderated by Ed Cleton,
a European host of virus information topics on the FIDOnet. Paris was
later indicted and convicted on fraud charges, crimes unrelated to his
activity on the FIDOnet. As a consequence, Paris served time in state
and federal prison. The Terminator carried on Paris' mail war with Virus
Information moderators Jeff Cook, a representative of Thunderbyte
Anti-virus, and his successor, Allen Taylor. During the period and
as a result of repeated mail bombing runs, The Terminator was banned
from the message base. Nuisance mail-rammings of virus source code
and forged messages, however, continued to plague the FIDOnet echo.
I PUT A SPELL ON YOU: THE CURSED HARD DISK PHENOMENON UNDER
MS-DOS
Crypt Newsletter recently ran into an old, obscure fault in Microsoft's
DOS operating system. Referred to as the "cursed hard disk" by
researchers in IBM's anti-virus software development group, it's a real
eye-opener. When the cursed disk fault is created on a machine running
versions of MS-DOS from 4.00 onward, the system runs aground in an
unproductive loop while parsing the system file IO.SYS. The real
crusher occurs when the nonchalant user tries to start the machine from
his fall-back position, the trusty A: drive. In goes the boot diskette.
The machine is restarted smartly and it . . . hangs.
Oops! Must have not seated the diskette correctly. Restart . . .
and the machine . . . hangs. Curses, still some lint on the platter!
Reboot again and the machine . . . hangs.
Your neck suddenly breaks out in a cold sweat.
From the standpoint of current PC users, the problem is remarkably
ancient - dating to 1992 when Mike Lambert, a computer security
professional, stumbled across it and wrote extensively on it in an
interesting paper entitled "When the magic floppy won't boot."
"The hard disk access light remains on," during the fault, Lambert
writes. However, because the machine can't be started even when using
the diskette drive, "A technician is likely to diagnose a [hard disk]
problem because of . . . the disk's access light being on. The technician
will probably use component replacement techniques to verify [his]
suspicion. When the PC boots properly from a new [hard disk]
. . . this will tend to confirm the diagnosis that the [disk] has failed.
"The result is a perfectly good disk classified as failed . . . The user
is forced to recover from any backups available."
The error isn't hardware-based although it often stuns those who run
across it into thinking so the first time they experience it. Instead,
it lies within the operating system's handling of data written in the
partition table. Lambert and his colleague, Charles Moore, dubbed this
the "circular extended partition" fault which is - technically - a good
description for it, since the problem involves a futile, circular
processing within the operating system.
For those who encounter the problem, Lambert's paper indicates it's
difficult, without understanding what is transpiring, to get in
front of the fault before it runs the PC aground. The error lies
in the system program IO.SYS, where it evaluates the partition table
data for the purpose of mounting file system volumes attached to the PC.
If the error is present, IO.SYS loops fruitlessly on the partition
table, which is altered in "cursed disk" syndrome to point to itself as
the beginning of the booting volume, and the machine cannot be started.
One logical place to intervene is with code loaded from the boot
sector on the booting diskette. A fix circulated with Lambert's
paper did just that: It provided the user with a custom-made
diskette with code written into the diskette boot sector to read
the partition table data for evidence of the "cursed disk" corruption,
which is found in the MS-DOS description for what are known as
"extended partitions." If found, it writes a temporary fix - simply
altering the byte which tells DOS to support "extended partitions"
within the partition table data, so the machine can be started normally.
The error can then be cleaned up completely and the system restored to
proper working order with standard partition table editing software.
Once one understands the nature of the fault, this cure almost sounds
easy to do. And, in fact, it is. Keep in mind, however, that the great
majority of current diagnostic disk management and security/anti-virus
software programs provide no help for this problem unless it's picked
up before the machine is restarted and the changes take effect.
Fortunately, the "cursed disk" phenomenon has remained quite rare
since 1992.
More interestingly, the September issue of Virus Bulletin contained
comment on a multi-partite virus that introduces the fault to make
itself difficult to remove from hard disks infected by it. The virus,
called Rainbow, infects .COM and .EXE programs as well the master boot
record (MBR) of hard disks, inserting a 25-byte change in the target at
physical sector 0,0,1 pointing to the rest of its code copied to space
assumed to be unused on track 0 of the hard disk and spanning physical
sectors 0,0,2 - 0,0,5. An uninfected copy of the original MBR is copied
to 0,0,6.
Rainbow introduces the "cursed disk" fault to make itself difficult
to remove if the machine is started cleanly from the A: drive. In
this case, the idea the virus writer had in mind was to make the
machine appear frozen. When the machine is started from the
Rainbow infected hard disk, the virus loads first and produces
the original uncorrupted partition sector at 0,0,6 for the machine,
masking the problem. Bill Arnold, a researcher in the anti-virus
software development group at IBM's T.J. Watson installation commented
Rainbow was not considered a threat in the wild.
In interview, Mike Lambert said he first noticed the fault in 1992
when asked to troubleshoot a disk security program that had been
installed on a PC, one that was proving difficult to remove. The
program used the "cursed disk" error to secure the machine, making it
impossible to bypass by booting from the standard bootable floppy. This
led to Lambert writing the "When the magic floppy won't boot" paper
with collaborator Charles Moore. The use of the "cursed disk" fault
as a basis for a disk security program, while unusual, is not without
precedent. Patrick Toulme, the programmer of Virus-90 and Virus-101
and a number of powerful systems level software utilities, has fielded
a disk securing program utilizing the error to halt the machine when
starting from a diskette.
More recently, Crypt Newsletter recovered a software boobytrap
written by Stefan Kurtzhals, a German programmer who associates himself
with an organization called Virus Help Munich and dabbles in the
writing of anti-virus software. Kurtzhals wrote this software
bomb, called Megatest, in an attempt to trick a more successful
competitor with the "cursed disk" effect.
In electronic mail obtained by Crypt, Kurtzhals said, "I have quite
good [connections] to both AV companies and virus coders, but it's not
perfect yet. I need more connections and information. Hmmm, quite funny.
I get both AV software and new viruses for beta testing." Kurtzhals
added the "cursed disk" fault used in his boobytrap "is also known to
almost every better virus coder. It will be mentioned in [the
Australian virus-writing magazine] VLAD#6, too. I've seen a preview of
some it's [sic] parts." Kurtzhals anti-virus software (not the
"cursed disk" boobytrap), called Suspicious, is available from the
Munich, Germany, Web-site WWW.LEO.ORG.
Lambert said to Crypt Newsletter he has been informally notifying
the various developers of DOS of the "cursed disk" fault since 1992.
Bill Arnold of IBM said current versions of PC-DOS are no longer
vulnerable to "cursed disk" syndrome. Lambert added Novell DOS has also
been cured of the problem. MS-DOS versions 4.0 to current still
carry the bug, a not insubstantial user base.
Additional notes:
1. This bares mentioning one more time in case readers have decided the
sky is falling because of MS-DOS and the "cursed disk" phenomenon.
Time and the inexorable march of technology are slowly eroding the
annoyance of the fault. It is quite rare. And current versions of PC-DOS
and DR-DOS eliminate the problem. Therefore, booting from any current
DOS other than Microsoft's flavor will unlock the "cursed disk," and enable
remedy of the problem. A Rand Corporation scientist in Santa Monica was
recently overheard muttering something that sounded like "Microsoft" and
"suckware" under his breath.
---Other fixes for a "cursed disk" are contained in Lambert &
Moore's original paper, "When the magic floppy won't boot" from
the Web site: http://www.frontiernet.net/~mlambert
The ARF anti-virus software, reviewed later in this issue, creates a
rescue system disk invulnerable to the "cursed hard disk" fault.
It is similar to the Lambert/Moore fix in that it allows a user to get
in front of the problem by putting a jack-handle for system restoration
directly into the code loaded from the boot sector of a rescue
diskette. Another option is to start the machine with an alternative
to Microsoft-DOS and use a program with the functionality of Netz
Computing's Invircible ResQPro/ResQDisk that can automatically correct
corrupted partition table data snarled in this manner.
2. Patrick Toulme's Virus-90 and Virus-101 were demonstration
file-infecting viruses that confined themselves to operation on
floppies in the A: or B: drives. Virus-90 contained the name and
address of its author, Virus-101 was encrypted, packed a video display
and an activation that overwrote non-system floppy boot sectors with a
message that is was a "safe, educational virus utility," furnished
to/for John McAfee.
GRAB BAG: BOZA - THE PAUSE THAT REFRESHES -or- ANOTHER KNEE-JERK
PRESS RELEASE COMPUTER VIRUS STORY
As Crypt Newsletter went to press, the Associated Press triggered
another round of ridiculous computer virus alarms with a story
on the Boza computer virus, an admittedly barely infectious
parasite on Win95 executables. Attributed to the VLAD Australian
virus-writing group due to the equivalent of a computer underground
press release embedded in the virus extolling VLAD members and their
technical virtuosity vis-a-vis computer viruses, Associated Press
reporter Sue Leeman issued a news brief and it echoed internationally.
In a pattern of action and reaction that has become standard for
most computer virus stories reported in the mainstream press, the
Boza piece generated countless questions from on-line users who thought
they were in danger from it, although realistically they were
statistically more likely to be hit by an automobile than the virus in
their lifetime. The original Associated Press attributed Sophos' Paul
Ducklin saying the Boza virus wasn't on the loose, but most subsequent
news stories and fragments derived from it, including copycat
press releases from other vendors, stripped this from the original.
The results were predictably confusing. Some PC users who did not
even have Windows 95 installed on machines concluded they might have
been exposed to Boza.
From the Associated Press: "Analysts [meaning anti-virus software
developers at Sophos, a United Kingdom-based company] have named the
virus Boza after a Bulgarian liquor 'so powerful that just looking at
it will give you a headache,' [Paul] Ducklin said." It was a colorful,
ingenious turn of phrase which had nothing to do with computer viruses
per se but which made for a more interesting line of discussion.
It being cyberspace, of course, opinions tended to differ. In the
National Computer Security Association's Anti-virus forum on Compuserve,
Zvi Netiv, author of the Invircible anti-virus added, "I had Boza quite a
few times with my [Bulgarian] in-laws. Boza is a home-made beverage,
prepared from ground barley, left fermenting in water for a few days.
It's milder than beer, looks like thin oat porridge and smells like
. . . well, if you once visited a beer brewery, then you know what
[it smells like] -- Quite far from what you would call liquor and as
strong as camel's milk." Netiv added worrying about the Boza virus
was absurd.
The Boza mini-panic illustrated the need for more and more media
criticism, particularly when it comes to technology stories. A
few rules of thumb to keep in mind when dealing with this type
of thing are:
1. Computer virus stories are the best vehicle in which software
developers selling cures can pimp for their products. Even if the
virus is shown to be pathetic as a public menace, interest in those
cited peaks transiently during the run of the story. This amounts
to cash money in software sales and on-line time spent through
commercial services offering information or software fixes through
download, even if it's relatively unnecessary.
2. Being the first vendor mentioned in a story like Boza throws
competitors immediately on the defensive, scrambling to recover
and fueling the story in the process. Even though competing
companies may have known of a virus weeks previously and quietly
written cures into software as the usual course of business, the
average PC user - after reading this type of story - will be given
the impression everyone else was asleep at the wheel. This sets
off a chain reaction in which competitors quickly release copycat
press releases which drive developments and strip more information
from the primary seed in an effort to maximize individual product
exposure. Those vendors who don't do this often face tons of
witless questions from those needlessly frightened by the news in
on-line computer help forums. They also face a transient image
that they've been caught flat-footed, and being called the equivalent
of cyber-chumps by vendors more successful at generating press. From
a consumer standpoint, this leads to counter-productive behavior in
which vendors burned by the lack of exposure gear up to generate
even more press releases on potential future threats _before_
they materialize.
3. It encourages some vendors to increase their contact with
known active virus-writers and their groupies so that they will be
the first to receive new viruses which, may or may not (more often
"not"), work. This is a nasty spiral which tends to encourage
virus-writers to produce even more than they usually would for
their "audience."
A central point that should not be missed is that stories like
"Boza" are symptoms of a kind of contempt in which the computer
industry holds consumers. In this case, the contempt is shown
in the use of virus-writers and computer viruses as sales and
marketing tools, magnified by the exploitation of the relative
ignorance and ease of manipulation of the news media and average
PC user. In a more general sense, the computer industry, as a
whole, has always shoveled a great deal of marketing effort into
generating well-publicized "problems" for which it conveniently
provides the snake-oil. Boza was another in this tradition.
VIRUS CD-ROM SALES TOP 1400
Mark Ludwig, author of "The Black Book" series on computer viruses and
the publisher of a widely distributed CD-ROM of the programs and
related material commented to Crypt that sales of the compact disc
had topped 1400. The disc sells for $100 cash money/copy which
grosses to $140,000 collected in sales of bulk computer viruses
through American Eagle, Ludwig's parent Arizona-based company. Ludwig
added that a second edition of the virus CD-ROM was envisioned
containing about twice the data volume of the original in computer
viruses.
REALLY BLEW'D, SCREWED & TATTOO'D: BLACK BARON GETS 18 MONTHS IN GAOL
In mid-November 1995, the English trial of virus-writer Chris Pile
finally ended with an 18-month prison sentence for the author of
the SMEG computer viruses.
The English newspaper The Independent referred to Pile as a "'mad and
reclusive boffin' who wreaked havoc on computer systems by spreading
[viruses] . . . across the world . . ." [Webster's New World Dictionary
informs readers "mad boffin" is Brit slang for "mad scientist."]
"'I dare say you were looking forward to reading in the computer press
about the exploits of the Black Baron,' said [judge Jeremy Griggs] to the
defendant before sending Pile to the bighouse for 18 months. "'Those who
seek to wreak mindless havoc on one of the vital tools of our age cannot
expect lenient treatment.'"
In America, Dr. Alan Solomon - developer of the UK-based Solomon
Anti-virus Toolkit (S&S International), worked the news into a
presentation given by his firm at the Fall ComDex in Las Vegas, Nevada.
The following week, Graham Cluley - a colleague and employee of Solomon
at S&S, privately remarked on the Compuserve on-line service that the
severity of Pile's sentence surprised him.
The treatment of Pile, a 26-year old unemployed programmer, by the
English press was slightly reminiscent of the US media's portrayal of
Kevin Mitnick. In America, Mitnick was attributed with almost
superhuman malevolence, dangerous enough to bring down the Internet or
break into military computers controlling NORAD. For The Independent
Pile was the "most famous" of virus-writers and the "most dangerous"
of a small band of them working in England. The Independent
exaggerated when adding further that Pile's SMEG virus programs
were "the two most sophisticated ever written." This was probably
surprising news even to the anti-virus software developers interviewed
for the Black Baron stories.
Pile's viruses had reached "criminal elements" working in Northern
Ireland, the US, and Germany, according to the Independent. The future
damage, "inevitable" and "incalculable."
The demonization and denunciation of Pile was unusually harsh in light
of the fact that prosecution witness Jim Bates commented to
Crypt Newsletter that UK authorities were uninterested in sending
officials to collect evidence on the SMEG viruses in the United
States because a guilty verdict had been arrived at by mid-1995
(Crypt Newsletters 32 - 33).
The Times echoed The Independent's hyperbole, maintaining Pile had
written a "training manual" for virus-writers found "in America and
Northern Ireland where it was being used by criminals."
Ali Rafati, as part of Pile's legal defense, said his client was a
"sad recluse." The real Pile is difficult to describe in any detail
even though an excessively overwrought and lugubrious "Biography of a
virus-writer" was written about him and circulated widely in the
computer virus underground.
As bombastic and pompous as anything written by The Independent,
Black Baron's biography begins:
"In 1969 Neil Armstrong stepped onto the moon. It was a momentous
year for the world. But no-one [sic] at the time paid much attention to
a baby boy being born in a town in southern England. This baby boy
was destined to grow into one of the most infamous computer virus
writers of all time. In 1969 The Black Baron was born!"
Curiously, almost 80 percent of the Black Baron's "biography" is a
reprint of material written by Ross M. Greenberg, a semi-retired
programmer who wrote the Flu_Shot and VirexPC sets of anti-virus
software. The reprint dates from 1988 and contains rather
standard anti-virus rant and rave, calling virus-writers "worms." This,
if the Black Baron's biography is taken at face value, formed the
basis of Pile's desire to write viruses and impress people with them.
Black Baron's biography reads (errors reprinted), ". . . when computers
stop attracting social inadequates, but whom I am refering to the
arrogant members of the anti-virus lobby as well as the nefarious virus
authors. But what of the Black Baron? What is he? Is he a malicious
criminal? A computer terrorist? A social inadequate trying to
reassure himself of his own inadequacies through destroying computer
data? I don't [believe] so. I have spoken to Black Baron on a number of
occassions. He is happy to discuss his work, and, at my request, he has
even released a document detailing the design of SMEG. He doesn't feed
on the panic and fear that SMEG viruses such as Pathogen and Queeg cause.
Rather he revels in the embarrasement and panic which his software causes
the arrogant anti-virus writers."
At the time, Pile was unemployed. The "biography" concludes:
"After talking with him, I understand the Black Baron. I feel sorry for
him as well. He is a highly gifted individual who has not been given a
chance by computer society. So he has made his own chance. We all need
recognition. Mainly through employment, but we as thinking machines must
receive recognition for our abilities. Otherwise we sink into melancholy
and paranoida. Black Baron has received his recognition. We, the
computer society are responsible for the creation of Pathogen, Queeg,
SMEG and all the other computer viruses. We have no one to blame but
ourselves. It is our desire to keep the computer fraternity a closed
club which has alienated so many of our colleagues. By rubbing their
noses in it, so to speak, we have begged for trouble, and like the
inhabitants of Troy, we have received it."
In retrospect, the underground remains of Chris Pile's cyberpersona
have become an even more cryptic, sad counterpoint to his stay in
an English gaol.
Pile's representation was contacted repeatedly by Crypt Newsletter
but, surprisingly, lacked e-mail addresses and could not be reached
for concluding opinion.
ARF ANTI-VIRUS: THE SYSTEM SHIELD THAT IS NOT A DOG
The ARF anti-virus program is a set of software shields designed
to block virus infection and enable easy recovery of executable program
and system area code on a disk beset by computer virus. Its linchpin
is a module called ARFMAIN which is a memory resident behavior blocker.
Virus activity blockers aren't new. ARF's authors, Stephen Poole and
Leonard Gragson - a team in Kansas and North Carolina linked by the
nature of cyberspace, admit this and state they've gone to some length
to minimize the knocks leveled against this type of protection: prone
to false alarms, not air-tight, saps system resources. The pro's and
con's of the approach of fine-tuning virus blocking software until
the drawbacks don't exist have been trotted out and argued repetitively
over the years by the multitude of software vendors.
Central Point/Microsoft Anti-virus's VSAFE, for instance, was
elementary to use and install but so porous it was very little
insurance against computer viruses. Robert Hoerner's Nemesis, a
German product, was so paranoid and restrictive no virus could operate
against it. Indeed, some virus writers, most notably Germans who
envisioned their creations running into Nemesis, wrote their programs
to test for the presence of the software and just quit if it was around.
However, Nemesis also tended to be rather airtight to normal use of
the PC.
The ARF virus blocker is one of the best behaved device drivers of
this nature Crypt has worked with. Purely incidentally, it is
similar in look and feel to Trend Microdevice's PCRx so users
familiar with that software will be comfortable with it. Alone,
the ARF driver makes it impossible for most types of viruses to
act on a system without generating numerous trapping and warning
messages which allow the user to get in front of infections. The
warnings are delivered with varying amounts of information and
a suggested response dependent upon the severity of the problem.
As implied, its false alarm rate is minimal and when acting as a
safety-net in the background its presence is largely imperceptible.
One of the ARF driver's best selling points is its efficient disposal
of partition sector and boot-sector infecting computer viruses.
The ARF driver knows the ROM address of the Interrupt 13h hard disk
for a secured machine and, as a consequence, can easily remove these
types of viruses in most instances even when they taken control
long before the ARF driver. This means that if the PC is booted from
an infected diskette and the partition of the hard disk contaminated,
the ARF driver will load on restart, warn the user the disk has been
infected and offer to restore the system. Viruses like Monkey, AntiEXE,
Russian Flag, Urkel, Stealth Boot C, Stoned variants, Sampo and
Leandro & Kelly could all be removed with a keystroke on testing.
The machine is halted when the virus is purged.
Alert readers may remember a recent Crypt Newsletter article that
out-lined some weird gymnastics Quantum and Symantec were going through
to come up with a hardware and software-based anti-virus solution that
did just this very thing, only badly. Programs like ARF show the
discerning that large companies with extensive R&D budgets are not
necessarily immune to stupidity in design and that smaller firms often
can and do figure out superior solutions.
The ARF driver is also compatible with anti-virus scanning software.
Crypt Newsletter knows how to select weird computer viruses under
extreme conditions to poke holes in just about any anti-virus software
and ARF is no exception, however, without going into a lot of needless
detail it's accurate to say the software is extremely robust against
the vast majority of computer viruses in circulation. ARF trips up
most viruses that do fancy things in memory by being acutely sensitive
to attempts to trace or exploit unusual or poorly documented aspects of
the operating system kernel, aspects often used by computer viruses.
In most cases, such viruses produce immediate warnings or simply result
in the ARF driver hanging the system. Nightfall, a subtly transparent
.COM/.EXE infector that does some slippery things in computer memory, was
one exception. A virus written precisely like Nightfall could,
theoretically, execute directly past the ARF driver, infect the command
shell and run without generating a peep from the software. It should be
noted that Nightfall can do this with almost every other anti-virus
software on the market, too, if not detected by scanning. Paradoxically,
Nightfall is one of the German computer viruses that simply surrenders
and goes dormant against the Nemesis virus blocker.
The ARF driver is meant to run in conjunction with a PC treated
by an ARF utility, called INJECT, which encapsulates executable
programs in a code fragment that confers self-recognition and
auto-restoration capability to protected programs. Many anti-virus
software developers consider this heresy but the ARF authors have
gone their own way and generated something which works quite well,
anyway. ARF-protected programs will restore themselves after
most virus infections. The protection is much stronger when the
ARF driver is present although still quite functional when forced to
stand alone. There are a couple caveats: A virus exactly
like Nightfall can infect ARF-protected programs without generating
alarms since the virus, from the standpoint of the INJECT-ed program
is invisible, effacing itself from the executable prior to self-check
and re-infecting the target on exit. Quite a number of "stealth viruses"
try to do this type of thing and are prevented from being
successful against an ARF-protected machine by the presence of the
device driver virus block. Simply, they just can't get going
enough to infect any meaningful number of programs before the
software halts the system.
ARF-encapsulated programs are not proof against overwriting
viruses or simple software boobytraps that totally corrupt programs or
the disk. Nothing is. However, if the ARF suite is installed
properly - not piecemeal - none of these types of computer hotfoots
can execute even once without being trapped unless they're quite
sophisticated or write to the hardware directly. This would be
extremely unusual.
Since the ARF INJECT utility modifies executable code on your disk,
using it in a test run or full installation will cause other anti-virus
programs that analyze your PC for changes to programs to pop a nut. This
is another good example of why it's excessively dumb to mix and match
anti-virus programs willy-nilly if you have no idea what you're doing.
The ARF anti-virus programs also create a "magic diskette" for when
the machine won't boot from the hard disk or if the device driver
needs a helping hand. The diskette is assembled so it
contains vital data on the system area of the machine and a
unique identifier for the PC it was made from. The ARF software
renders it unreadable by DOS as insurance against intemperate
meddling. The ARF rescue disk is made so its restore feature is
loaded directly from the diskette's boot sector. This means it will
get a head start on just about anything save a complete hardware
meltdown on a disabled PC. The ARF disk offers a number of options
including restoration of the hard disk's damaged or corrupted partition
sector and is absolute insurance against the "cursed disk" fault mentioned
previously in this issue. This ARF utility also offers an option
to create a special partition sector for a secured machine but
the protection is not critical for the overall performance of the
software.
Those users yearning for anti-virus scanning software to wave
obsessively like a magic wand at suspicious programs and diskettes
could be uncomfortable with the ARF programs. ARF is also potentially
troubling to users whose level of expertise is exceeded by anything
beyond the stabbing of the America On-Line button. Anyone else will get
excellent service and would be well-advised to give ARF a look.
Contacts:
ARF Enterprises
Leonard J. Gragson ╞╪ ╞╪ ╞╪ ╞╪ Stephen M. Poole, CET
1405 Sheridan Bridge Lane 122 N Main Street
Olathe, Kansas 66062 Raeford, NC 28376
(913) 764-9091 (910) 875-3571
CompuServe 73131,1034 71234,3263
AOL ARFMAN2 SMPoole
Internet lgragson@fileshop.com SMPoole@aol.com
THE LETTERS PAGE: SPAM MAIL FROM JOHN PERRY BARLOW-CORN, ANKLE-BITERS,
THE LONELY GUY FROM SINGAPORE, MIXED-UP EURO-COLLEGIANS AND A JOURNALIST
-or- A DIVERSE GROUP OF ASSORTED RUPERT PUPKINS FROM THE GREAT
CYBER-FUNNYFARM
RAISE YOUR CYBERFIST AND YELL WHILE I'M SKIING WITH ARNO PENZIAS
AND LOUIS, SEZ JOHN PERRY BARLOW SPAM
=================================================================
From: John Perry Barlow
Subject: A Cyberspace Independence Declaration
Yesterday, that great invertebrate in the White House signed into
the law the Telecom "Reform" Act of 1996 . . . [edited for clarity].
I had also been asked to participate in the creation of [a] book
by writing something appropriate to the moment. Given the atrocity
that this legislation would seek to inflict on the Net, I decided
it was as good a time as any to dump some tea in the virtual harbor.
[More edited for brevity.]
I have written something (with characteristic grandiosity) that I
hope will become one of many means to this end. If you find it
useful, I hope you will pass it on as widely as possible . . .
John Perry Barlow, Cognitive Dissident
Davos, Switzerland
[Crypt replies: Hold it right there, pardner. Please remove Crypt's
name from the John Perry Barlow spam-mailer. Crypt Newsletter
drily notes, too, that for a guy supposedly for the commoner - every
man jack of us - it's rather novel to spam from the redoubt of the
rich, famous cognitive elite at Davos in der Schweiz.]
ANKLE-BITERS, PART I
====================
Hi:
I've heard that if you have a fake account on America On-line or
something else there is no way that _they_ can trace you. Is that true?
Because I don't want to get into any major trouble, like getting arrested.
I know it's illegal and everything but it's so much FUN!!! Thanks a lot.
Mr. Ankle-biter: CIS
[Crypt replies: Watch out. Tsutomu Shimomura has your name and he's
running a trap-n-trace.]
Hey!
I need a virus or more for a Novell Netware network. Is there such a
thing? I guess I just want a virus that will spread quickly over my
school's computers because someone there pissed me off.
Sincerely,
Lord Ankle-Biter
[Crypt replies: Crypt News has stripped the ID from your request and
remailed it to New York Times computer crime journalist John
Markoff. The ball's in your hands and you won't want to fumble
now that you're close, so use an anonymous remailer to forward the
New York Times a .GIF portrait suitable for publication. If you're
lucky, in 1996 Mr. Markoff could make you CyberPublic Enemy Number 1
and get Tsutomu Shimomura or Dan Farmer on your trail. You'll be
caught, but after the initial discomfort of the strip search and one
night with a 260-lb. mesomorph cellmate named Cheech, the movie deals
will roll in and your school colleagues will die of envy. It will be
the best possible revenge.]
LONELY SINGAPORE NATIVE LOOKS FOR SIGNS OF LIFE
===============================================
Dear Crypt:
Can you please tell me where to get the Biological Warfare
computer virus creation kit?
I am a curious thrill-seeker who is still a student. The
information from Biological Warfare will help me do a program
I am researching. My plan is to make a program that will encrypt
and add polymorphic power to a normal .EXE or .COM-file in order to
prevent hackers from getting into it.
Anyway, I like viruses, because I think they are "cute" in the sense
that they seem so much like little animals. They reproduce, they
"eat" and sometimes destroy. In fact, if you imagine the computer
as a "desert," viruses can be wild animals while anti-virus programs
could be hunters.
Squane in Singapore
[Crypt replies: Dear Squane, you can't get this kind of information from
Bio Warfare. It's a virus-making kit, not an artificial life
generator or a Philosopher's Stone. As for encrypting programs as a
barrier to reverse-engineering, you might consider digging up for
examination some programs that already offer this service: Jeremy
Lilley's Protexcm and Tranzoa's TinyProg come to mind. Crypt Newsletter
19 also included a couple of simple, easily used examples that performed
roughly the same thing. They were not foolproof, state-of-the-art or
impenetrable, but they were easily understandable. You should recognize
that polymorphic encryption as practiced by virus writers isn't tough to
crack from the standpoint of a cryptographer or a software disassembler.
It's only utility is that it renders brute force simple bitstream
scanning of computer viruses encrypted in this manner impractical to
impossible. From a cryptologic standpoint, however, I would think
polymorphism is uninteresting.
Keep in mind there are also a number of people who've made it their
business to program reverse protection software utilities solely to
peel off the types of code armoring you're interested in. And it seems
to Crypt they have the edge.
As for viruses being "cute," for God's sake, man, get a grip on yourself
before it's too late! Thrust yourself away from the PC for a minute
and pour yourself a stiff drink. Out of concern for your mental
health, Crypt has forwarded your message to the Singapore Department
of Corrections and Caning. I know they'll put you in good hands.]
Ree-raw! Ree-raw! Ree-raw!
╨╨╨╨╨╨╨╨ñ╨╨╨
------ ñCaning &ñ \
--- ñCorrectionsñññ
■■ OO ■■■■■ O ■
MORE ANKLE-BITING
=================
To Whom It May Concern:
I recently downloaded the Virus Creation Laboratory from the Usenet. I
already have the virus making kit, the NuKE Randomic Life Generator, but
decided I would give VCL a shot, too. Actually, I'm pretty sick of typing
out all the assembly code for viruses myself. I don't see why I should
spend a week or two working on a new computer virus when I could create
one much easier with VCL! What's technology for, anyway? However, when
I tried installing it I came across a problem. The software unzipped
from its archive OK but when I tried running the program it issued an
error message that VCL could only be used on the original computer it was
installed upon. This was the first time I executed VCL so how can it not
be the original? Is this archive simply a repackaged copy from a prior
installation or something? Jeezus.
Thankx.
Alfred E. Ankle-biter: CIS
[Crypt replies: Dear Alfred - by Jove, I think you've got it!]
STRAGGLER ANKLE-BITERS
======================
Dear Crypt:
Send me the files ASM.BAT and MAKE.BAT. I kant [sic] find them
anywhere on-line.
Dark Ankle-Biter, Netcom
[Crypt replies:
______
/ \
ä O O ä
¼ƒ¼ƒ¼ƒ¼ƒ¼ƒ¼ƒWW¼í¼ƒ ¼ƒëƒWW¼ƒ¼ƒ¼ƒ¼ƒ¼ƒ¼ƒ
¼í¼í¼í¼í¼í¼í¼í¼í¼í¼ í¼í¼í¼í¼í¼í¼í¼í¼í¼
í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í
¼í¼í¼í¼í DOH! Too many .BATs in ¼í¼í¼í¼í¼
í¼í¼í¼í¼ the Belfry!! í¼í¼í¼í¼í
¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼
í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í
Dear Crypt:
Hmmm, it's occurred to me that I might be asking a dumb question. Well,
here it is, anyway. I need virus source code BIG TIME. Can you
somehow give me a list of cheap, dependable sources of computer virus
source code? I would DEEPLY appreciate it.
Thank you.
Mike Bleiweiss, Awaiter BBS/Netcom
[Crypt replies:
______
/ \
ä O O ä
¼ƒ¼ƒ¼ƒ¼ƒ¼ƒ¼ƒWW¼í¼ƒ ¼ƒëƒWW¼ƒ¼ƒ¼ƒ¼ƒ¼ƒ¼ƒ
¼í¼í¼í¼í¼í¼í¼í¼í¼í¼ í¼í¼í¼í¼í¼í¼í¼í¼í¼
í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í
¼í¼í¼í¼í DOH! Reading comprehensioní¼í¼í¼
í¼í¼í¼í¼ courses are not part of theí¼í¼í
¼í¼í¼í¼í¼íCrypt Newsletter charter!í¼í¼í¼
í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í¼í
A PUZZLED JOURNALIST REQUESTS RESEARCH ASSISTANCE, ANSWERS TO BURNING
QUESTIONS
=====================================================================
Hello Crypt Newsletter:
I am working on an report concerning the dangers of electronic
database crossovers and the security implications for each of us. I
am looking for some ideas to present hacking as a way to create an
opposite, balancing power to the "masters of the electronic world,"
sort of like Sandra Bullock in the movie, "The Net."
Thierry Maillet: CIS
[Crypt replies: Before we get started on this I want to bring
something to your attention that, perhaps, has a more local angle for
you. I was just exchanging mail with a fellow by the name of JeanBernard
Condat in response to a small that appeared in Crypt Newsletter 34.
JeanBernard, whose reputation is that of one of the most famous French
hackers, was apparently an agent of a French surveillance agency. It's
my understanding he was turned while a student, was pressed into
service as a front and report writer on hacker activities, and eventually
broke away after a number of years of this type of thing.
Now while my grasp of the events are very incomplete, it seems to me
that it immediately throws into serious question whether hackers can
monolithically be presented in the way you're aiming. If
you grab a copy of the Jonathan Littman's book, "The Fugitive Game,"
you'll quickly read that "hacker" Justin Petersen (better known as
Agent Steal) while an FBI informant, was a pure-and-simple
menace to the privacy, bank accounts and mental health of just about
everyone and anyone he could screw: other hackers, girlfriends, complete
strangers, his law enforcement handlers.
Obviously, if you're going to bother to take the time to do a
comprehensive report, you will have to look at these issues in a
discerning manner.
Some of the best examples I can give you, and I'll make this
brief, are in my book, "The Virus Creation Labs." There are
many instances of hacker profiles in it and the picture that emerges
is complex, not at all like a Hollywood fantasy in which rebel computer
gurus act as counterbalances to corporate and institutionalized power.]
EURO COLLEGE STUDENT ASPIRES TO WRITE BOOK ON COMPUTER VIRUSES
==============================================================
Dear Crypt:
Why doesn't the Crypt Newsletter deal with virus-programming techniques
anymore? I'm planning to write a book about virus-programming
technics [sic]. That's why I am looking for virus source codes.
I'm attending the Eotvos Lorand University of Science in Budapest,
Hungary.
Szabin Szoke, Budapest
[Crypt replies: That's t-e-c-h-n-i-q-u-e-s, Szabin, not "technics."
Writing a book, eh? If Crypt received one thin dime for every
anonymous clown who sent this line . . . but, to your question.
I haven't made any effort to make virus source code available in the
last two years of issues for a number of reasons, a couple of which I'll
mention. First, computer virus retrieval on the Internet is trivial
business. It's easy to come by hundreds, even thousands, of the programs.
And since my favorite parts of the Crypt Newsletter weren't devoted to
virus source code in the first place there was little harm to my
enjoyment of the magazine in ditching the material. Other e-zines on
the Internet still do publish virus code and their editors are lot more
enamored of the idea than I am, so they're the people to patronize.
In addition, it's all been done. The technology of computer viruses for
the Intel platform is extremely prosaic. If you're unfamiliar with the
subject, it may seem exotic but . . . it's not. There are also some books
on computer viruses one can purchase. One is reviewed in the this issue.
(I admit it's pretty shabby, but it might be something that floats your
boat.) Or, you can acquire virus collections, complete CD-ROMs of
computer viruses. If you must have computer viruses, whether you want
them as resources for a book, objects of idle curiosity, trivial
start-ups to anti-virus work or quite some other thing, and you're so
inhibited you can't strike out on the info highway and find some - this
is one route that can be travelled. Don't be a dilettante.
Computer viruses also restricted the audience of the newsletter making
it _too_ much a specialty publication. Crypt News is still specialized,
but anti-virus researchers and virus-writers were a very narrow
demographic. As an extremely eccentric, inbred and highly secretive
subculture of propeller-heads, a great many of whom you'd be embarrassed
to be seen in civilized company with, they make for excellent subject
material but an awful sole readership.]
LONG-TIME CRYPT READER OFFENDED BY SANDRA BULLOCK AS VIRTUAL
SYMBOL OF CYBERSPACE CITIZEN, AFFLICTED BY BRAIN FLUKE WHILE
WATCHING EVENING NEWS, BREAKS RECORD FOR NUMBER OF HYPHENS IN LETTER
TO EDITOR
============================================================
Dear Crypt:
I'll get right to the point: Howdy-dooty, howya doin'????
I saw - but didn't really want to expend any of my remaining
limited and non-renewable mental resources on reading - the reference
to the K-HiP MoOViE "ThE NeT," starring Sandra Cyber-Bullock. I do
not wish to see this flick! I doubt I could handle it, especially
in my weakened condition. You see, I accidentally exposed myself - er,
you know what I mean - to nearly 6.3 seconds of evening network news
hosted by Tom Brokaw before I realized what was happening.
In a rush to cancel the offending broadcast, I accidentally
flipped over to C-SPAN and was further exposed to approximately 2.1
seconds of Dianne Feinstein blathering on about one thing or
another in her New World Order Lite(tm) sterile corporate
I-Know-Better-Than-You-What's-Good-For-You-And-Besides-My-[Word Effaced
by Crypt Corporate Standards & Practices]-Bigger-Than-Hillary's
monotone.
Unfortunately, the doctors say that some of the damage is probably
irreversible. Their diagnosis also told me that if I had encountered
any footage of flag-and-bunting-encrusted Republicans or
giant-inflexible-pompadour-sporting televangelists, I might very well
not have survived.
I'm not certain whether I got the good end of the bargain.
Cory Tucker (NekroMantik)
[Crypt replies: "Th3 nEt" has now gone to video so you may want
to avoid your neighborhood Blockbuster during convalescence.
Get well soon.]
-=The Crypt Newsletter welcomes thoughtful mail from readers at
crypt@sun.soci.niu.edu. Published letters may be edited for length
and clarity or anonymized to protect the naive from themselves.=-
REACHING CRYPT NEWSLETTER
Send software, books, or public-relations phlogiston for review
and consideration to:
Crypt Newsletter
1635 Wagner St.
Pasadena, CA 91106
E-mail: crypt@sun.soci.niu.edu or 70743.1711@compuserve.com
CRYPT NEWSLETTER HYPERTEXT
If you're reading this, you don't have it.
Crypt Hypertext can be registered through Compuserve's
on-line SWREG service.
To purchase a copy of Crypt Hypertext through your CompuServe account
simply use the GO menu and enter the keyword: SWREG. You will
be presented with a menu to identify your geographic location.
When prompted to search the software database enter the number:
# 9228 or the name CRYPT NEWSLETTER HYPERTEXT V. 1.0 and provide
the requested information.
You will receive a copy of Crypt Hypertext through US Mail.
Operating Systems - DOS, WINDOWS
Cost: $30.00 + $4.00 shipping and handling in US, Canada and Mexico.
+ $8.00 shipping and handling worldwide.
The database contains not only Crypt Newsletter 1992 - 95
but also a great deal of additional material and unpublished notes.
Where appropriate, additions have also been made to old
issues and articles to provide current perspective and background.
The database also contains a keyworded glossary and extensive
subject index spanning the length and breadth of the newsletter.
Cut and paste any information to your customized specification.
In the database you'll find comprehensive stories, tutorials
and news on:
--the computer virus underground and virus-writers
--the anti-virus industry
--on-line culture and sociology
--book reviews of current titles in security
--annals of computer crime & computer virus spread
--virus descriptions and history
--walkthrough simulations, imagery and displays - aural and visual -
from computer viruses and controversial virus-making software
toolkits
--discussion of legal issues with regard to computer viruses and
related computer crime
--extensive companion material for the author's book, "The Virus
Creation Labs"
--review of the mainstream media: the shams and scams reported as
real news. Take a skeptic's look at the information highway!
The Crypt Newsletter database is also extensible. Future
hypertext issues, distributed through CIS forums, can easily be
copied to the database's directory on your home computer and
seamlessly integrated into the collection.
The complete index of topics 1992 - 96 is on the Crypt News
Web page:
http://www.soci.niu.edu/~crypt
CRYPT ON COMPUSERVE
Those readers with accounts on Compuserve can now take part in the
dedicated Crypt Newsletter message base and attached file library in
the National Computer Security Association special interest group.
GO NCSAFORUM and look for message base #20, Crypt Newsletter.
Current issues are on-line in the attached file library.
CRYPT NEWSLETTER WORLD WIDE WEB HOME PAGE
You can visit Crypt & The Virus Creation Labs on the
World Wide Web, download back issues and sample a chapter
from VCL!
Set your graphical browser (Mosaic, Netscape, etc.) to:
URL: http://www.soci.niu.edu/~crypt
ACKNOWLEDGMENTS - In one way or another, this issue couldn't
be the scintillating read it is without:
Bob Casas, Ph.D., of CPC Ltd.(COMSEC), Glenview, Illinois, for
hypertext & hyperlinks prodding; Roger Thompson of Thompson
Network Software, Marietta, Georgia, for sundries; Steven
Aftergood of the Federation of American Scientists, Washington,
D.C., for keeping Urnst, the cat, in good reading material with
those timely FAS reports; Dave Kennedy of NCSA for consumer
alerts.
----------------------------------------------------------------
If you quite enjoy the Crypt Newsletter, editor George Smith's book,
The Virus Creation Labs: A Journey Into the Underground," will
really flip your wig. In it Smith unravels the intrigue behind
virus writers and their scourges, the anti-virus software
developers and security consultants on the information highway.
What people are saying about THE VIRUS CREATION LABS:
"I couldn't stop reading it . . . As hype continues to
build about security on the Internet and movies like
_Hackers_ ooze the real hackers into the mainstream arena,
this book is definite apropos material for the time.
Read it! A+"
---The Net magazine, February 1996
"[VIRUS CREATION LABS] is informative and stunningly
incisive . . . "
---Secure Computing, October 1995
"George Smith . . . takes a look at the world of virus writers
and anti-virus software vendors in a style similar to that
of 'Cyberpunks' -- anecdotal, humorous and revealing . . . a
lucid and entertaining read."
---Computer Security Journal
"There are relatively few books on the 'computer underground' that
provide richly descriptive commentary and analysis of personalities
and culture that simultaneously grab the reader with entertaining
prose. Among the classics are Cliff Stoll's 'The Cuckoo's Egg,'
Katie Hafner and John Markoff's 'Cyberpunk,' and Bruce
Sterling's 'The Hacker Crackdown.' Add George Smith's
'The Virus Creation Labs' to the list . . . 'Virus Creation
Labs' is about viruses as M*A*S*H is about war!"
---Jim Thomas, Computer underground
Digest 7.18, March 5, 1995
"THE VIRUS CREATION LABS dives into the hoopla of the Michelangelo
media blitz and moves on to become an engaging, articulate,
wildly angry diatribe on the world of computer virus writers . . .
Expert reporting."
----McClatchy NewsWire
-------------------------order form-------------------------
Yes, I want my wig flipped and wish to receive a copy of George
Smith's "The Virus Creation Labs: A Journey Into the Underground"
(American Eagle, ISBN 0-929408-09-8).
Price: $12.95/copy plus $2.50 shipping per book (add $7.50 overseas)
NAME: _____________________________________________
ADDRESS: __________________________________________
CITY/STATE/ZIP: __________________________________
Payment method:
___ Master Charge
___ Money Order
___ Check
___ Visa
Credit Card # ___________________________________________
Expiration date _________________________________________
Name: ____________________________
Orders can be taken by voice or fax through regular phone
number and/or 1-800 number in USA. COD welcome.
American Eagle: 1-800-719-4957
1-602-367-1621
POB 1507
Show Low, AZ 85901
-------------------------------------------------------------
George Smith, Ph.D., edits the Crypt Newsletter from Pasadena,
CA. Media critic Andy Lopez lives in Columbia, SC.
copyright 1996 Crypt Newsletter. All rights reserved.
