Monster Media 1994 #2

home *** CD-ROM | disk | FTP | other *** search

/ Monster Media 1994 #2 / Monster Media No. 2 (Monster Media)(1994).ISO / bbs_util / cs_251.zip / CHK-SAFE.DOC next >

Wrap

PGP Signed Message | 1994-08-06 | 14KB | 383 lines

-----BEGIN PGP SIGNED MESSAGE----- CHK-SAFE 2.51 08/06/94 CHK-SAFE is a joint project of Don Peters, Robert Bullock, amd myself (Bill Lambdin) CHK-SAFE would not have been possible without the following people, and they deserve recognition for their help. Vesselin V. Bontchev David Conrad Keith A Peer David Wagner CHK-SAFE CHK-SAFE uses the MD5 Hash algorithm developed by RSA Data security, Inc. to confirm the integrity of software on BBSs. Currently there are many attempts to verify Integrity of archives available for download. 1. Authentic File Verification With PKzip. 2. Calculating 16 bit CRCs for files. VALIDATE.COM (by McAfee Associates). for example. 3. Calculating two 16 bit CRCs for files, computed differently. CHKFILE (by Wolfgang Stiller) for example. 4. Distributing the contents of archives to verify integrity. 5. PASS by Edwin Cleton, and Jeff Cook. All of these do have advantages over not checking file integrity at all, but they also have weaknesses. All of these routines are good enough to detect change to the files by viruses, or someone without adequate programming skills. All of these can be broken by anyone with adequate programming skills, and time. The MD5 Hash is _much_ harder to fool than any of the other routines listed above. There is no need to call half way around the world to download legitimate software. CHK-SAFE and other MD5 compatible programs will allow you to confirm the integrity of software on local BBSs or Internet. QUESTIONS AND ANSWERS I received these questions and more after CHK-SAFE 2.01 was released. 1. How do I use CHK-SAFE? CHK-SAFE works with DOS Wildcards ? and *. You may also specify multiple wildcards on the command line. Below are some sample commands to get you acclimated to CHK-SAFE. CHK-SAFE FILENAME Computes the MD5 Hash for one file, and displays the report to the screen. CHK-SAFE *.COM Computes the MD5 Hash for all .COM files in the current directory, and displays the report to the screen. CHK-SAFE *.* Computes the MD5 Hash for all files in the current directory, and displays the report to the screen. CHK-SAFE .COM .EXE Computes the MD5 Hash for all .COM, and .EXE files in the current directory and displays the report to the screen. CHK-SAFE C:\DOS\*.* Computes the MD5 Hash for a files in the C:\DOS directory. This saves you time because you don't have to be in the same directory the files are located in. CHK-SAFE also works with re-direction. >FILENAME Redirects the CHK-SAFE report to an ascii file on diskette or hard drive. >PRN Redirects the CHK-SAFE report to the printer. It may be useful to write a .BAT file or 4DOS alias to make it easy to run CHK-SAFE, and keep these MD5 Values in text file or printed. It Might be easier to compare the MD5 Hash. Here is the 4DOS alias I use to generate CHK-SAFE reports. This alias should be one continuous line Please use with care because this alias could be destructive if modified. CS=CLS^MD C:\#Z^PKUNZIP %&.ZIP C:\#Z^CHK-SAFE C:\#Z\*.*>C:\CHK\%&.CHK^CD\^DEL #Z /S/X/Q/Y^CLS This alias performs the following functions. Clears the screen. Creates a temporary directory to work in. (C:\#Z) Unzips the archive I specify on the command line to this temporary directory. (Do not specify the .ZIP extension. The alias adds this extension automaticaly.) Runs CHK-SAFE and calculates the MD5 Hash for all files in the temp directory, and redirects the CHK-SAFE report to the C:\CHK directory as the filename you specified on the command line, and adds the .CHK extension so you can spot the CHK-SAFE reports by listing the directory. Logs into the root directory of C: Deletes the temporary directory, and all files contained in it. Whew! More work to describe the alias than to write it. ;-) 2. How does CHK-SAFE confirm integrity of archives on BBSs? Right now, I distribute MD5 Values for new Anti-Virus software to multiple virus conferences. The users save these reports to diskette, or print them. When the user downloads the A-V software from a local BBS, they run CHK-SAFE (or any MD5 compatible program) on the uncompressed files. If the MD5 Hash values match. The files are safe to run. If the MD5 Hash Values do not match. The files have been modified, and should not be run. If you encounter modified files, you should let the SysOp know about the suspect file(s), forward a copy of the file(s) to an A-V researcher, or A-V developer for analysis. virus researcher, or A-V developer for analysis. The possible uses for CHK-SAFE are practicaly endless. Here is a sample report from CHK-SAFE. __________________________________________________________________________ CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock. MD5 Message Digest Algorithm by RSA Data Security, Inc. File name Size Date Time MD5 Hash ________________________________________________________________________ CHK-SAFE.EXE 10338 08-05-94 19:02 cf889d0b089217dbc1b7a2060910e7c0 CHK-SAFE.SIG 291 08-05-94 22:18 2565bc7236a3af6e4cb65c979a926d86 LAMBDIN.ASC 1823 08-05-94 17:47 28bde23eaf7ab6878f81feddd29b85f0 __________________________________________________________________________ CHK-SAFE.EXE is the only file you need. I would recommend for you to copy CHK-SAFE.EXE to a directory in your path so CHK-SAFE can be run from anywhere on the hard drive. CHK-SAFE.SIG is a detached PGP signature for CHK-SAFE.EXE. Users that use PGP, and a copy of my public key can confirm the integrity of CHK-SAFE.EXE. LAMBDIN.ASC is a copy of my public key. For confirmation, here are the finger print codes for my public key. Type bits/keyID Date User ID pub 1024/BA977E2B 1993/03/29 Bill Lambdin <bill.lambdin@pcohio.com> Key fingerprint = 8D 3C D4 7A 9D 98 08 6F 61 67 57 83 90 B6 76 53 3. How can you tell if a user is posting MD5 Values for authentic files? This is a matter of trust. I sign the CHK-SAFE reports with my PGP secret key. Anyone could log onto a BBS as Bill Lambdin, and distribute MD5 Hash Values for hacked or virus infected files. However; There is no way for them to forge my PGP signature; because my secret key has never been distributed to anyone. 4. Why should I waste my time to confirm the integrity of software? I've never had a problem before? If you have never encountered a trojan, Virus, or hacked file. You have been extremely lucky. If you don't see a need to confirm integrity of soft ware, that is your choice, but I would rather take a minute or two to confirm the Integrity of the files because you have no way of knowing how many BBSs and users the archives go through before the archive arives on BBSs local to you. 5. I call support BBSs to download software. Do I still need to use CHK-SAFE? No. CHK-SAFE is primarily for users that do not want to call Long distance to download files. Example. It takes 30 - 35 minutes to download F-Prot at 2400 baud, and some International calls costs $2 a minute or more. The Metaverse Anti-Virus BBS (606) 843-9363 receives International calls daily. Most of these International callers use 2400 baud. This is the main reason why CHK-SAFE was developed. 6. Shouldn't the authors of the A-V software distribute the MD5 Hash values inside the archives? Absolutely not! Any Hacker could infect or modify the files with ease, then generate new MD5 Hash values (after the file was modified), and distribute the modified archives. Users receiving the modified archives would be fooled into running a hacked program with disastrous results. It is easier to modify a text file than to modify binary files. I post the CHK-SAFE reports into virus conferences, so users concerned about viruses, and other issues of data protection will have access to these reports. 7. Do I have to use CHK-SAFE? No. CHK-SAFE is 100% compatible with the original MD5 Hash algorithm designed by RSA Data security, Inc. This has been confirmed by Vesselin Bontchev, David Conrad, and others. There are several MD5 compatible programs available on BBSs and Internet 8. Do I have to check everything in the CHK-SAFE report? No. You only need to compare the MD5 Hash data. 9. Should I check all files inside the archive, or only the executable files? I would recommend for you to check all files in the CHK-SAFE report. The report below is factual. I wrote an article about this archive in the March or April 1993 issue of the Hack Report. ------------------------------------------------------------------- In March 1993, a hacker Uploaded TAXTIP93.ZIP to a BBS in Knoxville, TN. Some Users complained about this archive, and the SysOp asked me to examine this file. The archive contained the following files. TAXTIPS.EXE TAXTIP93.DAT TAXTIP_1.TXT TAXTIP_2.TXT TAXTIP_3.TXT TAXTIP_4.TXT TAXTIP_?.TXT files contained text with suggestions for preparing Federal Income Taxes in 1993. TAXTIP93.DAT was the Microsoft Mouse driver 6.11, and the file was infected with the ADA Virus (See Note below). This file was renamed to a non executable extension to prevent the Scanner (run during the upload event) from detecting the virus This simple trick defeated the scanner, and infected computers belonging to 5 or more users in the Knoxville/Oakridge Tn area. TAXTIPS.EXE had been modified to copy TAXTIP93.DAT to the C:\DOS, and C:\WINDOWS directories, then rename TAXTIP93.DAT to MOUSE.COM, and lastly return control to the original program. ------------------------------------------------------------------- In addition, By using OLE in WINDOWS 3.1, people can embed viruses or trojans into documents for Windows Write, and several other files. When the user double clicks on the embedded icon, the embedded file will run. This is why I include the MD5 Hash for all files in the CHK-SAFE reportd even though several people ask me only to include the executable files in the CHK-SAFE reports. ADA (reportedly extinct) attacks PC-cillin from Trend Micro devices by deleting PCC.EXE, and PCC.IMG from the hard drive. No virus is ever extinct as long as there is a copy in a virus collection somewhere. Your chances of encountering these "Extinct" viruses is extremely slim, but not impossible. 10. Where did you get the idea for CHK-SAFE? A few months ago, I was using CHKFILE (CHKFILE is written by Wolfgang Stiller) to post CRCs for new versions of A-V software. Vesselin Bontchev, David Wagner, and others explained the MD5 Hash was much more secure than than 16 bit or 32 bit CRCs. After I obtained source code for the MD5 algorithm. CHK-SAFE was developed. 11. How much does CHK-SAFE cost? CHK-SAFE is FreeWare. There is no registration fee and may be freely used. It can be freely distributed as long as there is no charge, other than a minimal disk duplication fee (such as shareware distributers charge). It is not public domain, and it may not be modified in any way. If you use CHK-SAFE, I would like to hear from you. My addresses are below. Bill Lambdin P.O. Box 577 East Bernstadt, Ky. 40729 Internet bill.lambdin@pcohio.com 12. Where may I obtain CHK-SAFE reports for software? Currently I post the CHK-SAFE reports for A-V software to the following networks and conferences Fido Dirty Dozen Virus ? Virus_Info ? Global Link Virus Info Ilink Virus Intelec PC-Security Internet Virus-L Nanet Disaster Recovery Virus RIME Data Protect Smart Net Virus U'NI Net Virus USE Net Alt.Secutity Comp.Virus Wild Net Virus (forwarded by Bill Nichols) My CHK-SAFE reports may be distributed to other conferences as well. I would deffinately recommend for users to check the authenticity of the PGP signature. Thanks for your time. Bill Lambdin -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAgUBLkRFYONhWXq6l34rAQG0GwQAkcCkG7UjTXBpSqlaxBU7RtopK6WK1kFq YwA6IyD3YVXndC4xLzSfqZR/O9B3fMCbOh0FY7pc0Z2T+PBoqmHN9zHXcnU/VMWF FxLdATAVZ/VcLaBKyWu2d1eMj+OAD+6oNW9juh+KaFTxW3LU4TGXnGDTGOo8khOC 2hwlIlICTps= =ceUr -----END PGP SIGNATURE-----