-----BEGIN PGP SIGNED MESSAGE-----
CHK-SAFE 2.51 08/06/94
CHK-SAFE is a joint project of Don Peters, Robert Bullock, and myself (Bill
Lambdin)
CHK-SAFE would not have been possible without the following people, and
they deserve recognition for their help.
Vesselin V. Bontchev
David Conrad
Keith A Peer
David Wagner
CHK-SAFE
CHK-SAFE uses the MD5 Hash algorithm developed by RSA Data Security, Inc.
to confirm the integrity of software on BBSs.
Currently there are many attempts to verify the integrity of archives
available for download.
1. Authentic File Verification With PKzip.
2. Calculating 16 bit CRCs for files, for example VALIDATE.COM (by McAfee
Associates).
3. Calculating two 16 bit CRCs for files, computed differently, for example
CHKFILE (by Wolfgang Stiller).
4. Distributing the contents of archives to verify integrity.
5. PASS by Edwin Cleton, and Jeff Cook.
All of these do have advantages over not checking file integrity at all,
but they also have weaknesses.
All of these routines are good enough to detect changes to the files by
viruses, or someone without adequate programming skills. All of these can be
broken by anyone with adequate programming skills, and time.
The MD5 Hash is _much_ harder to fool than any of the other routines listed
above.
There is no need to call half way around the world to download legitimate
software. CHK-SAFE and other MD5 compatible programs will allow you to
confirm the integrity of software on local BBSs or the Internet.
QUESTIONS AND ANSWERS
I received these questions and more after CHK-SAFE 2.01 was released.
1. How do I use CHK-SAFE?
CHK-SAFE works with DOS Wildcards ? and *. You may also specify
multiple wildcards on the command line. Below are some sample
commands to get you acclimated to CHK-SAFE.
CHK-SAFE FILENAME
Computes the MD5 Hash for one file, and displays the report
to the screen.
CHK-SAFE *.COM
Computes the MD5 Hash for all .COM files in the current
directory, and displays the report to the screen.
CHK-SAFE *.*
Computes the MD5 Hash for all files in the current
directory, and displays the report to the screen.
CHK-SAFE *.COM *.EXE
Computes the MD5 Hash for all .COM, and .EXE files in the
current directory and displays the report to the screen.
CHK-SAFE C:\DOS\*.*
Computes the MD5 Hash for all files in the C:\DOS directory.
This saves you time because you don't have to be in the
same directory the files are located in.
CHK-SAFE also works with re-direction.
>FILENAME
Redirects the CHK-SAFE report to an ASCII file on diskette or hard
drive.
>PRN
Redirects the CHK-SAFE report to the printer.
It may be useful to write a .BAT file or 4DOS alias to make it easy
to run CHK-SAFE, and keep these MD5 values in a text file or printed.
It might be easier to compare the MD5 Hash.
Here is the 4DOS alias I use to generate CHK-SAFE reports. This
alias should be one continuous line. Please use with care because
this alias could be destructive if modified.
CS=CLS^MD C:\#Z^PKUNZIP %&.ZIP C:\#Z^CHK-SAFE C:\#Z\*.*>C:\CHK\%&.CHK^CD\^DEL #Z /S/X/Q/Y^CLS
This alias performs the following functions.
Clears the screen.
Creates a temporary directory to work in. (C:\#Z)
Unzips the archive I specify on the command line to this temporary
directory. (Do not specify the .ZIP extension. The alias
adds this extension automatically.)
Runs CHK-SAFE and calculates the MD5 Hash for all files in the temp
directory, and redirects the CHK-SAFE report to the C:\CHK
directory as the filename you specified on the command
line, and adds the .CHK extension so you can spot the
CHK-SAFE reports by listing the directory.
Logs into the root directory of C:
Deletes the temporary directory, and all files contained in it.
Whew! More work to describe the alias than to write it. ;-)
2. How does CHK-SAFE confirm integrity of archives on BBSs?
Right now, I distribute MD5 Values for new Anti-Virus software to
multiple virus conferences. The users save these reports to
diskette, or print them. When the user downloads the A-V software
from a local BBS, they run CHK-SAFE (or any MD5 compatible program)
on the uncompressed files.
If the MD5 Hash values match, the files are safe to run.
If the MD5 Hash values do not match, the files have been modified,
and should not be run.
If you encounter modified files, you should let the SysOp know
about the suspect file(s), and forward a copy of the file(s) to an A-V
researcher, or A-V developer for analysis.
The possible uses for CHK-SAFE are practically endless.
Here is a sample report from CHK-SAFE.
__________________________________________________________________________
CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.
File name       Size  Date      Time   MD5 Hash
__________________________________________________________________________
CHK-SAFE.EXE   10338  08-05-94  19:02  cf889d0b089217dbc1b7a2060910e7c0
CHK-SAFE.SIG     291  08-05-94  22:18  2565bc7236a3af6e4cb65c979a926d86
LAMBDIN.ASC     1823  08-05-94  17:47  28bde23eaf7ab6878f81feddd29b85f0
__________________________________________________________________________
CHK-SAFE.EXE is the only file you need.
I would recommend that you copy CHK-SAFE.EXE to a directory in
your path so CHK-SAFE can be run from anywhere on the hard drive.
CHK-SAFE.SIG is a detached PGP signature for CHK-SAFE.EXE. Users
that use PGP, and have a copy of my public key, can confirm the
integrity of CHK-SAFE.EXE.
LAMBDIN.ASC is a copy of my public key. For confirmation, here are
the fingerprint codes for my public key.
Type bits/keyID    Date       User ID
pub  1024/BA977E2B 1993/03/29 Bill Lambdin <bill.lambdin@pcohio.com>
     Key fingerprint = 8D 3C D4 7A 9D 98 08 6F 61 67 57 83 90 B6 76 53
3. How can you tell if a user is posting MD5 Values for authentic files?
This is a matter of trust.
I sign the CHK-SAFE reports with my PGP secret key.
Anyone could log onto a BBS as Bill Lambdin, and distribute MD5
Hash Values for hacked or virus infected files.
However, there is no way for them to forge my PGP signature,
because my secret key has never been distributed to anyone.
4. Why should I waste my time to confirm the integrity of software? I've
never had a problem before?
If you have never encountered a trojan, virus, or hacked file, you
have been extremely lucky.
If you don't see a need to confirm the integrity of software, that is
your choice, but I would rather take a minute or two to confirm the
integrity of the files because you have no way of knowing how many
BBSs and users the archives go through before the archive arrives on
BBSs local to you.
5. I call support BBSs to download software. Do I still need to use
CHK-SAFE?
No.
CHK-SAFE is primarily for users that do not want to call Long
distance to download files.
Example.
It takes 30 - 35 minutes to download F-Prot at 2400 baud, and some
International calls cost $2 a minute or more.
The Metaverse Anti-Virus BBS (606) 843-9363 receives International
calls daily. Most of these International callers use 2400 baud.
This is the main reason why CHK-SAFE was developed.
6. Shouldn't the authors of the A-V software distribute the MD5 Hash values
inside the archives?
Absolutely not!
Any Hacker could infect or modify the files with ease, then
generate new MD5 Hash values (after the file was modified), and
distribute the modified archives.
Users receiving the modified archives would be fooled into running
a hacked program with disastrous results.
It is easier to modify a text file than to modify binary files.
I post the CHK-SAFE reports into virus conferences, so users
concerned about viruses, and other issues of data protection will
have access to these reports.
7. Do I have to use CHK-SAFE?
No.
CHK-SAFE is 100% compatible with the original MD5 Hash algorithm
designed by RSA Data Security, Inc. This has been confirmed by
Vesselin Bontchev, David Conrad, and others. There are several MD5
compatible programs available on BBSs and the Internet.
8. Do I have to check everything in the CHK-SAFE report?
No. You only need to compare the MD5 Hash data.
9. Should I check all files inside the archive, or only the executable
files?
I would recommend that you check all files in the CHK-SAFE
report.
The report below is factual. I wrote an article about this archive
in the March or April 1993 issue of the Hack Report.
-------------------------------------------------------------------
In March 1993, a hacker uploaded TAXTIP93.ZIP to a BBS in
Knoxville, TN. Some users complained about this archive, and the
SysOp asked me to examine this file.
The archive contained the following files.
TAXTIPS.EXE
TAXTIP93.DAT
TAXTIP_1.TXT
TAXTIP_2.TXT
TAXTIP_3.TXT
TAXTIP_4.TXT
TAXTIP_?.TXT files contained text with suggestions for preparing
Federal Income Taxes in 1993.
TAXTIP93.DAT was the Microsoft Mouse driver 6.11, and the file was
infected with the ADA Virus (See Note below). This file was renamed
to a non-executable extension to prevent the scanner (run during
the upload event) from detecting the virus.
This simple trick defeated the scanner, and infected computers
belonging to 5 or more users in the Knoxville/Oakridge TN area.
TAXTIPS.EXE had been modified to copy TAXTIP93.DAT to the C:\DOS,
and C:\WINDOWS directories, then rename TAXTIP93.DAT to MOUSE.COM,
and lastly return control to the original program.
-------------------------------------------------------------------
In addition, by using OLE in WINDOWS 3.1, people can embed viruses
or trojans into documents for Windows Write, and several other
files. When the user double clicks on the embedded icon, the
embedded file will run.
This is why I include the MD5 Hash for all files in the CHK-SAFE
reports, even though several people ask me only to include the
executable files in the CHK-SAFE reports.
ADA (reportedly extinct) attacks PC-cillin from Trend Micro Devices
by deleting PCC.EXE, and PCC.IMG from the hard drive.
No virus is ever extinct as long as there is a copy in a virus
collection somewhere.
Your chances of encountering these "Extinct" viruses are extremely
slim, but not impossible.
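
The comparison described in questions 2 and 9, as an added example in Python (not part of CHK-SAFE or the original document): it parses a report in the layout shown in the sample above and checks every file in a directory against it, so modified, missing and unlisted files all show up. The file names and contents in demo() are constructed, the report is assumed to have been PGP-verified first, and MD5 is used because that is what the report carries (hashlib.sha256 drops in the same way).

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One report row: name, size, date, time, 32-hex-digit MD5 (layout of the sample report).
ROW = re.compile(r"^(\S+)\s+(\d+)\s+\d\d-\d\d-\d\d\s+\d\d:\d\d\s+([0-9a-fA-F]{32})\s*$")

def parse_report(text):
    """Return {NAME: (size, md5)}; banner, header and rule lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m.group(1).upper()] = (int(m.group(2)), m.group(3).lower())
    return rows

def verify_dir(directory, report):
    """Compare every file in directory with the report; return {NAME: status}."""
    status = {name: "MISSING" for name in report}
    for path in filter(Path.is_file, Path(directory).iterdir()):
        name = path.name.upper()            # DOS names are case-insensitive
        if name not in report:
            status[name] = "NOT IN REPORT"  # e.g. a file added to the archive later
            continue
        data = path.read_bytes()
        size, md5 = report[name]
        ok = len(data) == size and hashlib.md5(data).hexdigest() == md5
        status[name] = "OK" if ok else "MODIFIED"
    return status

def demo():
    """Constructed sample: one file changed, one removed, one added after the report."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        files = {"TOOL.EXE": b"MZ original program", "README.TXT": b"docs", "DATA.DAT": b"table"}
        report_text = "File name Size Date Time MD5 Hash\n"
        for name, data in files.items():
            (d / name).write_bytes(data)
            report_text += f"{name} {len(data)} 08-05-94 19:02 {hashlib.md5(data).hexdigest()}\n"
        report = parse_report(report_text)      # in practice: the signed report text
        (d / "DATA.DAT").write_bytes(b"tampr")  # same size, different content
        (d / "README.TXT").unlink()
        (d / "EXTRA.COM").write_bytes(b"added later")
        return verify_dir(d, report)

if __name__ == "__main__":
    for name, state in sorted(demo().items()):
        print(f"{name:14} {state}")
```
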
10. Where did you get the idea for CHK-SAFE?
A few months ago, I was using CHKFILE (CHKFILE is written by
Wolfgang Stiller) to post CRCs for new versions of A-V software.
Vesselin Bontchev, David Wagner, and others explained the MD5 Hash
was much more secure than 16 bit or 32 bit CRCs.
After I obtained source code for the MD5 algorithm, CHK-SAFE was
developed.
11. How much does CHK-SAFE cost?
CHK-SAFE is FreeWare. There is no registration fee, and it may be
freely used. It can be freely distributed as long as there is no
charge, other than a minimal disk duplication fee (such as
shareware distributors charge). It is not public domain, and it may
not be modified in any way.
If you use CHK-SAFE, I would like to hear from you. My addresses
are below.
Bill Lambdin
P.O. Box 577
East Bernstadt, Ky. 40729
Internet
bill.lambdin@pcohio.com
12. Where may I obtain CHK-SAFE reports for software?
Currently I post the CHK-SAFE reports for A-V software to the
following networks and conferences.
Fido          Dirty Dozen
              Virus ?
              Virus_Info ?
Global Link   Virus Info
Ilink         Virus
Intelec       PC-Security
Internet      Virus-L
Nanet         Disaster Recovery
              Virus
RIME          Data Protect
Smart Net     Virus
U'NI Net      Virus
USE Net       Alt.Security
              Comp.Virus
Wild Net      Virus (forwarded by Bill Nichols)
My CHK-SAFE reports may be distributed to other conferences as
well. I would definitely recommend that users check the
authenticity of the PGP signature.
Thanks for your time.
Bill Lambdin
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAgUBLkRFYONhWXq6l34rAQG0GwQAkcCkG7UjTXBpSqlaxBU7RtopK6WK1kFq
YwA6IyD3YVXndC4xLzSfqZR/O9B3fMCbOh0FY7pc0Z2T+PBoqmHN9zHXcnU/VMWF
FxLdATAVZ/VcLaBKyWu2d1eMj+OAD+6oNW9juh+KaFTxW3LU4TGXnGDTGOo8khOC
2hwlIlICTps=
=ceUr
-----END PGP SIGNATURE-----