





                                    CRYPT
      
                             NEWSLETTER NUMBER 10
      **********************************************************************
      Another festive, info-glutted, tongue-in-cheek training manual
      provided solely for the entertainment of the virus programmer,
      security specialist, casual bystander or PC hobbyist interested in 
      the particulars - technical or otherwise - of cybernetic data 
      replication and/or mutilation.
                     EDITED BY URNST KOUCH, early December 1992
      **********************************************************************



      TOP QUOTE: "From Hell's heart, I stab at thee!"
                         --Captain Ahab in Melville's "Moby Dick"
                         (or Khan, from a Star Trek movie, if you're
                         a Philistine)

 
       IN THIS ISSUE: A virus ate my lunch money: South American
       drug lord served by computer mishap . . . A virus ate my
       lunch money, part II: Crypt newsletter and the PROTO-T 
       hoax revisited, Jeezus H. Christ . . . Consumer report: 
       Trend Micro Devices' PC-Rx anti-virus software . . . 
       GOBBLER II test drive . . . AMBULANCE CAR virus . . . 
       The first annual Crypt Virus/Anti-virus Awards . . . In the 
       READING ROOM:  Bruce Sterling's "The Hacker Crackdown" . . . 
       Pallbearer's AT THE MOVIES:  raiding BlockBuster Video over 
       "Sneakers", the movie . . . Thom Media cracks jokes . . .
       URNST'S SCAREWARE TOOLS . . . stupid humor and more . . .
 
 
 
       ****************************************************************
       A VIRUS ATE MY LUNCH MONEY:  COLOMBIAN POLITICIANS AND PABLO
       ESCOBAR SERVED BY "Ghost of La Catedral" VIRUS
       ****************************************************************

       Reuters news service reports that on Nov. 13, Colombian officials
       announced from Bogota that a computer virus had
       nuked a report containing critical comments on government
       ministers involved in the muffed prison transfer of drug lord
       Pablo Escobar. Escobar and a number of accomplices escaped
       during the June transfer and a national scandal erupted, resulting
       in a formal investigation of government officials involved in
       orchestrating the event. The virus allegedly eliminated the 
       investigation's conclusions mere hours before they were to be 
       publicly presented. The virus was called "Ghost of La 
       Catedral," in reference to the prison from which Escobar escaped.

       Reuters was one of the first international news agencies to
       hype the threat of Michelangelo virus.

       *****************************************************************
       A VIRUS ATE MY LUNCH MONEY, PART II: CRYPT NEWSLETTER AND THE
       PROTO-T HOAX REVISITED
       *****************************************************************

       In an odd case of art imitating life and life coming back to 
       bite it in the caboose, the "PROTO-T" virus from Crypt Newsletter
       #9 has taken on a strange will of its own. 
       
       Alert Crypt readers will remember the editor ridiculing
       bogus FidoNet alerts warning of the threat posed by a new
       virus, PROTO-T, which could hide in COM port buffers, video 
       memory, etc. Further, readers with reading comprehension well 
       above the level of cabbage should recall the generic, memory
       resident infector supplied with Newsletter #9. This virus, 
       clearly labeled as a program NAMED "in honor" of "the anonymous 
       electronic quacks" who LAUNCHED the PROTO-T HOAX in no way
       constituted prima facie evidence that PROTO-T, as described
       on the networks and elsewhere, existed.

       Nevertheless, many readers missed this fine distinction, preferring
       to believe that the Crypt newsletter had, indeed, supplied them
       with a pure sample of the REAL THING: PROTO-T in all its horror.
       Readers and virus collectors surfaced on the WWIVnet, and even
       on PRODIGY, in the next few days, INSISTING that PROTO-T was real 
       and that they had the source code and DEBUG scripts, supplied by 
       the newsletter, to prove it. Some even went as far as to execute 
       PROTO-T on their machines, but more on that later.

       Well, PROTO-T most certainly DIDN'T exist prior to our covering
       the hoax. There was no evidence that any viral or Trojan code 
       was in the hack PKZip 3.0, the alleged "carrier" of PROTO-T. 
       The claims that PROTO-T could hide in a COM port buffer were
       patent bullshit. (Not our bullshit mind you, but still bullshit.)
       However, for all intents and purposes, PROTO-T now exists
       even though OUR "symbolic gesture" is nothing close to the shambling 
       monster confabulated by the original hoaxsters. 
       
       In short, IT WAS SUPPOSED TO BE A JOKE.

       So, now you have PROTO-T and you don't recall its features 
       because you were so excited you messed yourself and forgot 
       to read issue #9 closely. Listen up, then! PROTO-T, the demo virus 
       supplied by Crypt newsletter, is a simple, memory 
       resident .COM infector which hooks interrupt 21 and monitors 
       the DOS "execute" function, contaminating files just before they 
       run.  It reduces the apparent amount of memory by approximately 
       1 kilobyte, a phenomenon which can be observed by recording the 
       amount of available memory from a MEM /C command before and after 
       the virus is installed on a machine.  PROTO-T is not stealthy; it
       is not encrypted. It will not trash your drive although 
       IT WILL irreversibly infect programs, making them difficult
       to use. The virus contains the ASCII string, "This program
       is sick. [PROTO-T by Dumbco, INC.]"

       Now, if you temporarily lost your sanity and ran PROTO-T
       before reading the documentation, here is a clip-list of 
       "Common PROTO-T trouble-shooting questions and answers."
                           
                          -=Cut here and save=-
       --------------------------------------------------------------
          URNST'S QUICK TIPS ON REMOVING PROTO-T FROM A CARELESSLY
                              INFECTED IBM PC
       ______________________________________________________________

       Q. I stupidly ran PROTO-T and promptly forgot about it. How
       do I find the virus on my system?
       A. If you have NORTON UTILITIES or any reasonable facsimile,
       use its text searching capability to look for strings like
       "PROTO-T" or "Dumbco, INC." Delete the files that turn up,
       they contain the virus.

       Q. My computer makes a strange quacking noise on boot, then
       the drive light comes on, stays on and the machine appears
       to hang. What's up?
       A. PROTO-T has infected your COMMAND.COM and it's after 4:00
       in the afternoon.  Either wait until morning, or boot with 
       a CLEAN diskette from the A: drive and delete the infected
       command processor. Restore the deleted processor from your
       DOS backup disk.

       Q. Ever since I foolishly ran PROTO-T without knowing what
       I was doing, my machine is plagued by intermittent quacking 
       noises, hangs and unexpected, furious activity on the C:
       drive.  Now my hair is turning prematurely gray. What can 
       I do?
       A. A number of your programs have been contaminated with
       PROTO-T. Either delete all the files found in question
       #1, or use this "trial and error" method: Boot from a
       clean DOS diskette and set your system's time to 4:00 pm. 
       Begin executing all the .COM programs on your disk. Those
       that make the PC quack, hang or indulge in furious disk
       activity are infected with PROTO-T. Delete them and restore
       from your original backup or distribution disks. Presently,
       PROTO-T cannot be removed from infected files. These
       programs are ruined unless you wish to keep your system clock
       reset to BEFORE 4:00 pm, permanently. Alternatively, you
       can wait until an antivirus developer equips its software
       to "clean" PROTO-T.

       Q. I used a hex editor to rip the ASCII string out of 
       PROTO-T because I wanted to "rename" it as mine and upload
       it to a virus exchange BBS for credit. Then I foolishly lost
       my usually sound judgment and allowed the virus to escape on 
       my system. Is there any hope? 
       A. Use the method described above to find the PROTO-T
       infected files, then delete them.

       Q. I used a hex editor to, well, you know - AND my machine is
       an XT with NO internal clock. I lost my head and allowed
       the virus to escape on my system. Am I screwed?
       A. Could be.

       Q. I don't have a "clean" DOS boot disk and I don't keep
       back-ups. I infected my system with PROTO-T anyway, because
       I'm so far off my rocker my parents don't even trust me
       with a box of pumpkin-colored plastic leaf bags. How do I 
       recover?  
       A. Why are you fooling around with viruses? Seek psychological
       counseling, you have a profound death wish. Dealing with
       death wishes is beyond the scope of the Crypt Newsletter.
       ***************************************************************
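
       The text search from the first removal tip, written out as an
       added example (not part of the original newsletter). It looks
       for the two marker strings in .COM files only, so a text file
       that merely mentions the hoax is not listed for deletion; the
       file names and sample bytes are constructed.

```python
import os
import tempfile

# Marker text quoted in the article; the two substrings are the ones the
# removal tips say to search for.
FULL_STRING = b"This program is sick. [PROTO-T by Dumbco, INC.]"
MARKERS = (b"PROTO-T", b"Dumbco, INC.")
CHUNK = 4096  # read size (an assumption; any positive value works)


def find_markers(path, markers=MARKERS, chunk=CHUNK):
    """Return sorted (file_offset, marker) hits found in one file.

    The file is read in chunks. The last len(longest marker) - 1 bytes of
    each window are carried into the next one, so a marker that straddles
    a read boundary is still found.
    """
    overlap = max(len(m) for m in markers) - 1
    hits = set()          # a set, because the carried tail can repeat a hit
    tail = b""
    base = 0              # file offset of the first byte of the window
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            window = tail + block
            for marker in markers:
                pos = window.find(marker)
                while pos >= 0:
                    hits.add((base + pos, marker))
                    pos = window.find(marker, pos + 1)
            tail = window[-overlap:] if overlap else b""
            base += len(window) - len(tail)
    return sorted(hits)


def sweep(root, exts=(".com",)):
    """Walk root and return {relative_path: hits} for files carrying a marker."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue  # the demo virus is described as a .COM infector
            full = os.path.join(dirpath, name)
            hits = find_markers(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def demo():
    """Build constructed sample files in a temp directory and sweep them."""
    samples = {
        # No marker at all.
        "CLEAN.COM": b"\x90" * 5000,
        # Marker text placed so "Dumbco, INC." straddles the 4096-byte read.
        "SICK.COM": b"\x90" * (CHUNK - 40) + FULL_STRING + b"\x90" * 100,
        # Marker text blanked out, as in the hex-editor question: the string
        # search cannot see this one, which is why the tips fall back on the
        # trial-and-error method for that case.
        "RENAMED.COM": b"\x90" * 200 + b" " * len(FULL_STRING),
        # A text file that only talks about the hoax; skipped by extension.
        "CRYPT10.TXT": b"PROTO-T was supposed to be a joke.",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return sweep(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for offset, marker in hits:
            print("%s: %r at offset %d" % (path, marker, offset))
```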
 
                                   -*-

       ***************************************************************
       WESTERN DIGITAL ANNOUNCES HARDWARE & SOFTWARE-BASED ANTI-
       VIRUS MEASURES INCLUDED IN ITS CLASS OF 386/486 MICROPROCESSORS. 
       YOGI BERRA COMMENTS, "I'LL BELIEVE IT WHEN I BELIEVE IT!"
       ***************************************************************

       "Without some form of generic virus detection methodology, the 
       industry cannot hope to keep up with the growing epidemic of
       more than 1000 known virus strains, much less the dozens of
       unidentified and mutated strains that are introduced into the
       community each month," said Charles Haggerty, Western Digital's
       president.

       Western Digital's generic anti-virus technology will be served
       through a combination of proprietary control logic
       and associated software shipped with the company's WD8755
       system logic controllers. Initial customers will
       be the company's PC manufacturing clients. The anti-virus 
       measures are designed to cover IDE-type hard files equipped with 
       DOS or Windows.

       Impenetrable jargon supplied by press release.
       
       As to the effectiveness of "generic" virus detection, see report
       on PC-Rx's "rules-based" generic protection later in this issue.
       
       ****************************************************************
                                    
                                    -*-
       ****************************************************************                   
       MO' NEWS, BY WAY OF Compute Magazine, December 1992 -
       REMOTE POSSIBILITY OF VIRUS WRITING BEING DECLARED OUTLAWRY
       REARS ITS HEAD . . . AGAIN
       ****************************************************************
       
       In a short story called "Controlling The Infectious:",
       the December issue of COMPUTE magazine reported that the
       International Computer Security Association (ICSA), a 
       Washington-based spin-off group of the Carlisle, PA-based National 
       Computer Security Association, is attempting to call for legislation 
       which would felonize virus authors, their software and publications.

       To quote briefly from that piece: 
       

       "Last July, a hacker calling himself Nowhere Man released version
       1.00 of Virus Construction [sic] Laboratory, a slick, professional 
       product intended to write a variety of viruses that resist 
       debuggers and can contain up to 10 of 24 programmed effects such 
       as clear the screen, cold reboot, corrupt file(s), lock up the 
       computer, drop to ROM basic, trash a disk, and warm reboot. 
       According to the [ICSA], most of the viruses are undetectable 
       by today's anti-virus products. Creating a new virus takes just 
       a few minutes with a virus construction kit. David Stang, Director 
       of Research at the ICSA, says such products are destined to make 
       today's virus problems look like 'the good ol' days.'"

       Because of this, the ICSA is moving to strengthen current computer
       crime law with regard to virus writing and/or enabling.
       
       It seems clear that "publicly," software like the VCL 1.0 
       (and its Holiday Season-timed update, VCL 2.0), Phalcon/SKISM's 
       [viral] code generators, the publication of Mark 
       Ludwig's "Little Black Books of Computer Viruses" (Volume 2 
       tentatively scheduled for release early in 1993) and "Computer 
       Virus Developments Quarterly," underground publications like 40HEX, 
       Dark Angel's Phunky/Crunchy/Crispy Virus Writing Guides and the 
       Crypt Newsletter (not to mention the dozens of "research" viruses
       which just 'happen' to end up in the wild - man, this is running
       on ;-]) have alarmed segments of the anti-virus 
       community enough so that they feel there is a need for new
       law. At present, existing law DOES NOT dub the 
       publication or writing of hazardous, replicative code a crime.

       Alert Crypt newsletter readers may recall a similar move 
       proposed by U.S. Senator Patrick Leahy. Although Crypt newsletter
       no longer retains the particulars, Leahy's legislation would
       have provided legal ground for the prosecution of programmers
       whose creations directly damaged public computer systems regardless 
       of who planted or spread the code. This legislation failed. 
       
       Anyone who follows mainstream computer news is also aware of how 
       "threat descriptions" of software like VCL 1.0 are played up in 
       the world of gleaming white-shirt/corporate-toady computer 
       publications. For example, the Mutation Engine was blown out of 
       proportion in places like Newsweek, mainly because its technology 
       writers seem to lack even the most basic understanding of computer 
       programming.
       
       Privately, anyone who frequents the networks knows that the 
       same anti-virus community commentators supplying the "expert" 
       opinion for such high-impact stories openly downplay the 
       complexity and practicality of software like VCL 1.0 in copious, 
       fleering public e-mail transmissions. 
       
       There is a lesson to be learned from this in public 
       relations and political persuasion 101 which should not be lost on 
       any card-carrying members of "the computer underground." The editors 
       leave it to you to dope out the nut of it, or continue following 
       the Crypt Newsletter for timely news coverage.

       FYI: The ICSA was created at around the time of the Michelangelo
       "hype," February thru early March, 1992.

       ******************************************************************       
       
       ****************************************************************
       GOBBLER II - COMRAC's FREEWARE ANTI-VIRUS SCANNER: A SHORT
       REPORT
       ****************************************************************

       GOBBLER II, an anti-virus scanning suite provided by a Dutch
       programmer, aims at the ground somewhere between Skulason's
       F-PROT and Thunderbyte's TBScan.  Its creator brags that it
       is blazingly fast and, indeed, this is so. (Stupid technical
       stats: Like TBScan, GOBBLER covers a 30 Meg hard file full of 
       executables in approximately 30 seconds on an 80286 PC.)

       The scanner is menu-driven and allows the user to customize
       his alarm messages and switch between idiot-proof scanning
       and scanning augmented by some "heuristic" features.

       As a "heuristic" scanner, GOBBLER II fails. If used, the
       "heuristic" mode flags every file with internal overlays, meaning 
       it will raise a false alarm for almost every complex program on 
       your machine. This is a useless, laughable feature. GOBBLER II
       users will wish to always rely on its idiot-proof signature 
       scanning.

       GOBBLER II is effective at detecting Mutation Engine-based viruses,
       screening every one (GROOVE, POGUE, CRYPTLAB, MtE SPAWN, and 
       ENCROACHER) we threw at it and any reasonable number of variants 
       generated by these viruses. In its documentation, GOBBLER II claims 
       disinfection for all Mutation Engine virus-contaminated programs. 
       In practice, GOBBLER II failed in attempts to clean CRYPTLAB 
       and ENCROACHER from infected files.

       Like any signature-based scanner, GOBBLER II ran up a checkered
       report card against "common" file and boot viruses. It detected
       STONED, MICHELANGELO, RED CROSS and JERUSALEM variants with ease
       and performed accurately against JOSHI, DEN ZUK, ITALIAN, PRINT
       SCREEN, ALAMEDA, BRAIN and AZUSA contaminated diskettes.
       
       It completely missed an oddball like the South African VOID POEM
       and a number of LITTLE BROTHER variants, although its virus-list
       indicated recognition of the latter.
       
       It was not effective against any VCL 1.0 or Phalcon/SKISM Mass
       Produced Code (PS-MPC) generator samples, understandable in
       light of the fact that the program hasn't been updated since
       July (a bad sign) when both virus tools were still relatively new. 
       
       In any case, the discerning reader should recognize that most 
       scanners vary widely in their performance, depending upon the 
       virus collections tested, particular strains chosen for scan testing,
       how often they're updated and a host of other factors which 
       average users won't give a rat's ass about. GOBBLER II is no 
       exception. Does GOBBLER II detect your garden-variety, COMMON
       infectors reliably? We think so.

       COMRAC's program comes with a memory installable utility which 
       intercepts virus-contaminated files by signature. It takes
       up a mere 6k in RAM due to clever disk-swapping. The utility,
       known as CATCHER, easily caught Mutation Engine-based
       viruses, supplying cryptic "access denied" messages with
       a ray-gun warning noise. 

       GOBBLER II has no useful on-line virus database and it
       does not operate under NDOS or 4DOS, although this isn't
       mentioned in the measly documentation. 

       GOBBLER II appears to be a product still in beta-testing, subject
       to those limitations and the question of whether it will
       receive continued support. Under these conditions, it is free. 
       As such, it is good value - still far superior to freeware 
       scanners supplied by SYMANTEC and CENTRAL POINT SOFTWARE, offering 
       better detection, ease of use and some features - limited 
       disinfection and memory resident barriers to virus infection - 
       not offered by larger retail companies.

       This is more proof that only fools patronize Symantec and 
       Central Point Software. 
       
       To sum up, those extremely strapped for cash, unable to find 
       F-PROT (or wishing to augment that program) AND plagued 
       by guilty conscience when using unregistered shareware could 
       benefit from GOBBLER II.
       
       
       ------------------------------------------------------------------
       HUMOR BREAK: THREAT OR MENACE?

       There's a really cool virus out there. It's called the Secretary 1.0.
       What it does is stick a 5.25" disk into a 3.5" drive and ruin the
       floppy heads. 
                                  --Thom Media, Phalcon/SKISM
                                  Communications, Nov. 1992
       
       ------------------------------------------------------------------
       
       ******************************************************************
       TREND MICRO DEVICES' PC-Rx & "RULES-BASED" GENERIC VIRUS
       PROTECTION: EH, MAYBE.
       ******************************************************************

       The basis for Steve Chang's PC-Rx v. 2.0 is its "rules-based"
       generic virus detection utility, a buzz term that far too many
       corporate retailers abuse in an attempt to fluster consumers. 
       How good is this stuff? Is it worth your cash money? Let's take a 
       look and see.

       Trend's PC-Rx comes with its own dumb "install" program which
       can coach even the mentally enfeebled through rudimentary 
       disinfection of his system, configuration of the software and
       creation of "rescue" images which allow PC-Rx to retrieve
       the master boot record and partitions of the hard file should
       they be lightly damaged by a virus. Good features!

       The central part of PC-Rx is the PCRXVT utility which
       is inserted into the AUTOEXEC.BAT and uses a set of
       "rules" to monitor the machine's performance. This translates
       to activity equated with viruses, i.e., writes/changes
       to the boot record, creation of new memory control blocks
       (a feature found in many memory resident viruses), file
       opens which remove and restore attributes and date/time
       stamps and calls to interrupts 13 and 25/26. 

       Because PCRXVT makes no attempt to scan for virus signatures,
       it is smaller than most competitor programs and does not
       significantly slow a machine down during standard computing.
       It also does not generate many false alarms. From this standpoint,
       it is elegant and user-friendly.

       However, PCRXVT will only detect "average" viruses reliably.
       For example, PROTO-T, which creates a new memory control block -
       average memory resident virus behavior - is immediately captured 
       by PCRXVT. However, VOTE (L. BROTHER) - a companion infector 
       which becomes resident by copying itself to a rarely used portion 
       of memory - is not. Viruses like VOTE, and there are a number, can 
       operate with impunity on machines protected in this manner. PCRXVT 
       also does not pay attention to programs which redirect segments of 
       the interrupt vector table, a feature present in other programs 
       of this variety.

       PCRXVT WILL reliably detect most direct-action viruses. It will
       NOT trap much of their destructive behavior, however. This is a 
       glaring fault. For example, any direct action virus which deletes, 
       renames or otherwise corrupts other executables not directly 
       involved in its chain of infection is not trapped. What this means 
       is that if a virus does any of these things BEFORE it infects 
       another file, PC-Rx leaves the computer wide open to attack. 
       And it is this hole which demonstrates the trade-off anti-virus 
       developers must make between utility and full protection. Make 
       your program air tight and it will drive users nuts with alarms 
       during every day tasks. Make it more "user-friendly" and it 
       becomes prey to the new class of viruses created by the Virus 
       Creation Laboratory and similar tools. 
       
       PC-Rx is also vulnerable to "companion" infections.             
       While this may seem trivial to some because "companion"
       viruses do not directly alter their infection targets, consider
       that the "companion" virus DOES take low-level control of the
       machine every time it executes. Would you want software that
       lets a virus take control just because it's not directly
       manipulating a target? Yeah, sure, and you enjoy hitting yourself
       on the head with a hammer because it feels so good when you
       stop, too.

       The upshot? Novice users or other computerists using isolated
       systems or PCs in low-threat environments (i.e., household
       computers where family members aren't engaged in obsessive/
       compulsive software piracy) may wish to inspect Trend Micro 
       Devices' PC-Rx. Others will pass.

       (PC-Rx retails for approximately $70 cash money and includes 
       a brute-force virus signature scanner in addition to resident
       virus barriers.)
       ******************************************************************
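
       A toy model of the rules-based monitoring this review describes,
       added here as an example; it is not Trend's code and makes no
       claim about how PCRXVT is implemented. The event names, the four
       traces and the "strict" rule set are constructed assumptions,
       chosen to show the gaps the review names and the false alarms a
       tighter rule set would bring.

```python
# The baseline rules are the behaviours the review lists: boot record
# writes, new memory control blocks, file opens that remove and restore
# attributes or date/time stamps, and calls to interrupts 13h, 25h and 26h.
DISK_INTS = (0x13, 0x25, 0x26)
EXEC_EXT = (".COM", ".EXE")


def monitor(trace, strict=False):
    """Return [(event_index, rule)] alerts for a list of (op, target) events.

    strict=True adds a hypothetical rule that flags every create, delete or
    rename of an executable, the kind of air-tight rule the review says
    would drive users nuts with alarms.
    """
    alerts = []
    stripped = set()  # files whose attributes were cleared and not yet restored
    for i, (op, target) in enumerate(trace):
        if op == "boot_write":
            alerts.append((i, "boot record write"))
        elif op == "mcb_create":
            alerts.append((i, "new memory control block"))
        elif op == "int" and target in DISK_INTS:
            alerts.append((i, "int %02Xh call" % target))
        elif op == "clear_attr":
            stripped.add(target)
        elif op in ("restore_attr", "restore_time") and target in stripped:
            stripped.discard(target)
            alerts.append((i, "attribute/time stamp removed and restored"))
        elif (strict and op in ("create", "delete", "rename")
              and target.upper().endswith(EXEC_EXT)):
            alerts.append((i, "executable " + op))
    return alerts


# Constructed event traces; file names are placeholders.
TRACES = {
    # "Average" resident infector: allocates a new MCB, then touches a file.
    "resident": [
        ("mcb_create", None),
        ("clear_attr", "EDIT.COM"),
        ("write", "EDIT.COM"),
        ("restore_time", "EDIT.COM"),
    ],
    # Companion infection: a new executable appears, nothing existing is altered.
    "companion": [
        ("create", "NEWFILE.COM"),
        ("write", "NEWFILE.COM"),
    ],
    # Direct-action program that damages other executables BEFORE it infects.
    "damage_first": [
        ("delete", "CHKDSK.EXE"),
        ("rename", "FORMAT.COM"),
        ("clear_attr", "EDIT.COM"),
        ("write", "EDIT.COM"),
        ("restore_attr", "EDIT.COM"),
    ],
    # Ordinary work: a build writes a new program and an old one is deleted.
    "benign_build": [
        ("create", "HELLO.EXE"),
        ("write", "HELLO.EXE"),
        ("delete", "HELLO.BAK"),
        ("delete", "OLD.EXE"),
    ],
}


def compare(traces=TRACES):
    """Return {trace_name: (baseline_alert_indexes, strict_alert_indexes)}."""
    result = {}
    for name, trace in traces.items():
        baseline = [i for i, _rule in monitor(trace)]
        strict = [i for i, _rule in monitor(trace, strict=True)]
        result[name] = (baseline, strict)
    return result


if __name__ == "__main__":
    for name, (baseline, strict) in compare().items():
        print("%-13s baseline alerts at %s, strict alerts at %s"
              % (name, baseline, strict))
```

       In the damage_first trace the baseline rules raise their first
       alert at event 4, after the delete and rename have already
       happened; the strict rules catch those events but also fire twice
       on the benign build.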

       ******************************************************************

         PALLBEARER'S KONSUMER KORNER - A CRYPT EVENING AT THE MOVIES!!!

         >>>>>----------------->>>>> SNEAKERS <<<<<---------------<<<<<

       ******************************************************************

       After hearing all the hype about a "Movie about the Computer
       Underground," I, the mighty PALLBEARER, couldn't resist an
       opportunity to check it out.  As a result, I went
       to see "SNEAKERS" in one of those $1 movie theaters (because I am
       too cheap to see anything when it first comes out).  
       
       On the way there, was I excited!  I couldn't wait - a movie 
       about a couple of cyberpunks evading the Secret Service, rooms full 
       of boxes of every color of the rainbow, viral programming, and the 
       like!  So I sat down with a big tub of popcorn and counted the 
       seconds until they stopped playing the elevator music and started 
       with an hour's worth of trailers.  I fidgeted through those, my 
       excitement growing . . . and, finally, "Sneakers" started!  Two guys, 
       obviously the fathers of hacking as we know it today, in a computer 
       lab hacking people's bank accounts . . . I said to myself, "OK, 
       it'll get better, don't pop a nut."
     
       But no! Later, we see one of these hackers as he really is - a 
       very old and leathery looking Robert Redford! No, haha, just 
       joking. Actually, we think he is a common criminal, but then we 
       realize that he is employed to break into corporations.  Exactly 
       how exciting is that???  Interesting if that's your line of 
       work, but definitely not something to make a movie of.  
       Thankfully, there was one moment here that kept my eyes glued 
       to the screen: the NSA appeared with dossiers on the main characters.  
       We see that the hackers must be prominent in cyberspace, since why 
       else would the NSA know of them and their aliases?  Anyhow, the
       "hackers" are commissioned by the NSA to steal a universal decryptor 
       from a famous mathematician. They do it to keep their leader 
       from a trip to the Federal lumber yard in Talladega, GA, when the 
       NSA threatens to turn over his rap sheet to the FBI. Extortion by 
       the NSA as a motivational tool - what a good plan! (Obviously, the 
       screen writer never familiarized himself with Jim Bamford's "The
       Puzzle Palace." Yes, I know, too many three syllable words.) The 
       plot goes downhill from there. And I shall not bother telling you 
       the rest.
     
       "Sneakers" was also chock-full of technically inaccurate and/or
       impossible computer feats.  Many of the monitors shown were
       nothing more than DEBUG screens or .GIFs.  Almost everything
       was done under MS-Windows (I will get back to this later). And
       Dan Aykroyd was greasy and swollen beyond good sense.

       Overall, there were two MAJOR technical faux pas that
       annoyed me so much I shrieked aloud, startling the moviegoers 
       in front of me. The first was "enhancement of computer images" 
       where a picture was imported into a computer (possible, especially 
       with a "computer camera" in the best multimedia systems), zoomed 
       in on (you know what a .GIF looks like when you zoom in 50 or 100 
       times - just big blocks of color), and then magically focused in on 
       the image with a turn of a dial.  Now, this may be possible with an 
       old mainframe or supercomputer, but instantly, on a PC, under 
       MS-Windows?  Hahahahaha. (I told you I would get back to Windows.)  
       
       My other beef concerns a room in the NSA that housed what looked 
       to be a Cray-MP. 

       Well, the Cray's monitor was turned on, and what was it running?  You
       got it!  WINDOWS!  A Cray-MP running WINDOWS.  In the words of
       Wayne, "T'shya.  Right.  As if."  I'm sorry, but there's a better 
       chance of ME joining INC and calling myself PaLLBeaReR than there 
       is of a Cray-MP running Windows.
       
       As you may have guessed, I don't quite suggest that you run
       out and see this movie.  Actually, the further away from it you
       stay, the better.  I assume that it fascinates those who know nothing
       of computers (the producers and "technical advisers" belong in this 
       group), but I was unimpressed.  After all the hype (and I did hear 
       a lot about it from computer illiterates), I have decided to dub 
       SNEAKERS "The PROTO-T of the Big Screen."  On a scale of 1 to 10, 
       where 10 is a pile of gold bullion 6 feet high and 1 is a carbuncle
       on the back of your neck, I give "Sneakers" a -2.

       Look for my next KONSUMER KORNER whenever I feel like writing
       it!

                                             Pallbearer [CryPt]

       >>> I now return you to your regularly scheduled newsletter.<<<  
       *****************************************************************




 ***************************************************************************
   IN THE READING ROOM: BRUCE STERLING's "THE HACKER CRACKDOWN: LAW AND
   DISORDER ON THE ELECTRONIC FRONTIER" (BANTAM HARDCOVER, $23.00)
 ***************************************************************************

    
           ". . . we are in a war and we are losing - badly."
                               -Invalid Media, from log-in message on
                                Unphamiliar Territory BBS, in the wake of 
                                a series of Phalcon/SKISM busts at 
                                PumpCon '92


      Still scraping yourself off the floor at the news of Secret 
      Service harassment of readers of 2600 Magazine in northern
      Virginia? Find yourself rifling through local bulletin boards for 
      the latest issue of Computer Underground Digest, terrified about 
      what you might read next?
      
      Then "The Hacker Crackdown" couldn't arrive in your library
      at a better time. 
                       

      Bruce Sterling has spun together the warp and the woof of the
      computer underground better than anyone to date, transforming
      the infinite roar of the network and the deeds of some of its more 
      famous citizens into a tale even the terminally (heh) computer-phobic 
      can grasp. "The Hacker Crackdown" is about action and spasm in 
      "cyberspace," a zone where there's no master plan but plenty of 
      cause and effect.

      The book begins in 1990. The telcos are reeling from a series of 
      embarrassing technical setbacks. And John Q. Public has gotten 
      the idea that it's his civic duty to rip off the nearest faceless 
      bureaucracy. The phone companies are big, easy targets. Or so "they," 
      faceless leaders at Bell South and a variety of nationwide law 
      enforcement offices, think. 
      
      You see, corporate embarrassment creates a crying need for 
      scapegoats, criminals to seize and punish in a cathartic ritual of 
      purifying judicial flame. Hence, "hackers" - young, fast and 
      scientific scofflaws with no decent respect for propriety 
      and '50's America - will do. Only it's not so cut and dried in
      real life. The laws were (and are) squishy and ill-defined, the 
      enforcers unsure and careless, the chosen victims unpredictable.

      Nevertheless, under the scrutiny of the Feds, "cyberpunks" went down
      like 10-pins in 1990, according to "The Hacker Crackdown." It
      was only when Knight Lightning, the editor of PHRACK magazine, 
      was dragged into court and wouldn't roll over, that the Feds' ball 
      of wax began to melt.  For those who don't recall, PHRACK published an
      internal Bell South memo - "the Document" Sterling calls it - 
      dubbed proprietary and secret by its makers. Law enforcement 
      officials bought this claim.

      In fact, the document was a manual so caked with
      jargon and stupefyingly dull telco-speak that it was
      of use only if one was interested in learning the language of
      Bell South as if it were a foreign country. It didn't help that Bell
      also sold the substance of it for $20 to any takers, effectively
      wrecking claims that it contained any secret or particularly damaging 
      information. PHRACK's defense threw this into the faces of
      its enemies and the prosecution collapsed. Justice, in this case, 
      prevailed.

      Or did it? "Hackers" and their computers are still being hauled 
      away on a monthly basis. And jaundiced observers might be 
      justified in saying that on the electronic frontier, this is the way 
      things will be from now on. 
      
      However, "The Hacker Crackdown" shies away from making 
      stupid predictions about the future of cyberspace, preferring  
      to point the way into the ambiguous dark, describing all the 
      archetypes found the length of the matrix. 
      
      You know these characters well - the popinjay phone phreaks and
      fraud artists; the obsessive/compulsive software pirates, the 
      "wacko" underground journalists, the few computer savvy 
      Feds (some not so different than their chosen enemies) 
      and the ocean of establishment citizens in which they all swim; a 
      group still as uncomprehending about the computers in their 
      lives as ambulatory bags of dirt.

      Yup, refuse to part with your holiday season gift money for 
      Bruce Sterling's "The Hacker Crackdown" at your peril. The 
      Crypt Newsletter gives it a solid thumbs up!
      -------------------------------------------------------------
      RELATED NEWS: AUTHORITIES CHARGE MICHIGAN LEGION OF DOOM
      WANNABE, "NATION OF THIEVES" LEADER WITH FRAUD 
      -------------------------------------------------------------
      Michael Shutes, a 24-year-old Farmington Hills, Mich. man, who says 
      he started the underground group known as the "Nation of Thieves," 
      has rolled over on colleagues and pleaded guilty to a fraud charge,
      according to a United Press International (UPI) news story
      published at the end of November. 
      
      The prosecution of Shutes is part of an on-going investigation
      into the "Nation of Thieves," a group which emulated the reputation
      of the Legion of Doom and, according to authorities, misused
      credit card numbers and phone access codes nationwide. 
  
      Assistant Washtenaw County Prosecutor Kirk Tabbey, who 
      coordinates the Michigan Computer Crime Task Force, told United
      Press International that Shutes squealed on his peers, resulting 
      in pending charges against two associates and the continued
      investigation of six other "hackers." 
      
      UPI reported that local police were tipped off about the
      "Nation of Thieves" in February when a Utah retailer asked 
      them to investigate nearly $4,000 in fraudulent charges for 
      computer equipment shipped to an apartment complex in Michigan. 
      Ten thousand dollars of computer equipment was confiscated
      from Shutes. 
      
      ******************************************************************

      SAVING THE BEST FOR LAST: THE CRYPT NEWSLETTER'S VIRUS/ANTI-VIRUS
      AWARDS

      ******************************************************************

      And now [drum roll, puh-leez], our subjective choices in a number
      of categories of interest to the virus/anti-virus community.
      Award winners were picked, loosely based on amount of bribe money,
      profile in mainstream and underground media outlets, performance
      and personality. Without further ado:

      MOST VALUABLE PLAYER: NOWHERE MAN. Illinois' favorite-son
      virus author sprang from obscurity in 1992 with the historic
      Virus Creation Laboratory 1.0, a tool which puts the ability
      to create dangerous code into the hands of meddling schnooks
      everywhere. Taking the idea of mass-produced user-customized
      viruses from the one-virus German Virus Construction Set,
      Nowhere Man fashioned a garish and glitzy menu-driven program
      which created a cottage industry of its own: weirdly written
      press releases and baleful warnings from computer security
      professionals, rival products from other virus-enabling groups
      and way too much fan mail on the nets for any sane person to
      handle. In a stroke, the VCL 1.0 illustrated the obsolescence
      of scanning technology without idiot mathematical formulae
      or long and windy discussions in VIRUS L-Digest. And the software 
      was free! If anyone tells you that Nowhere Man didn't have lasting
      impact on the industry in 1992, they're just jealous.

      MOST INTERESTING VIRUS: MICHELANGELO. Hands down winner! No other
      virus ever created the stink this one-sector boot-block infector
      generated in the first three months of 1992. And because of it,
      none will probably ever gain such distinction again. Add
      John McAfee; gullible, image-hungry journalists and a public 
      as dense as lead ingots and that's a recipe for success, er, 
      fame, er, infame, er . . . something.

      BEST ANTI-VIRUS SOFTWARE: SKULASON'S F-PROT. Nothing comes close
      to its ease of use, reliability, durability and price. Single-
      handedly "invented" heuristic scanning. Even its detractors tend 
      to model their software after it. Since it's free for home use, 
      perhaps it is time to examine what the civilians are breathing 
      and drinking in Iceland.

      BEST COMPREHENSIVE RETAIL ANTI-VIRUS SOFTWARE: SOLOMON's ANTI-VIRUS
      TOOLKIT. Close to F-PROT in performance, but it'll cost ya. In
      addition, the company tosses in integrity checking, a few hard disk
      utilities and other bells and whistles that fans of shrink-wrap
      deem necessary. We still think it's over-priced, but what do we
      know?

      NATIONAL DUMMKOPF: MICHAEL CALLAHAN, editor of SHAREWARE Magazine.
      Callahan spent two issues interviewing John McAfee in the late
      summer and still managed to come away thinking that viruses can 
      damage hard disks irreparably. And just think, Callahan writes 
      computer books for the masses for a living. Certainly, we're 
      all doomed.

      BEST PUBLICATION: For reasons outlined in this issue, Bruce
      Sterling's "The Hacker Crackdown: Law and Disorder on the
      Electronic Frontier." Honorable mention to Dark Angel for
      his "Phunky/Crispy/SomethingorOther Viral Writing Guides" 
      (samizdat) and Mark Ludwig for "The Little Book of Computer
      Viruses" (American Eagle Publishing, Tucson, AZ).

      WORST PUBLICATION: VIRUS L-Digest - the definitive forum 
      for stream-of-consciousness, hair-splitting, turgid 
      arguments between obscure, fossilized academics. Hey, you think 
      not? I was reading back issues of Virus-L and in February 
      there was some nut going on ad nauseam about viruses viably 
      infecting text files.

      BEST PEN PAL: SARA GORDON, 'nuff said.

      WORST ANTI-VIRUS SOFTWARE: Far too many to choose from.

      BBS's TO VISIT AND STAY AWHILE: THE HELL PIT 
      (Sysops Kato and Hades), RIPCO ][, AIS (Sysop Kim Clancy), 
      UNPHAMILIAR TERRITORY (Sysop Invalid Media), THE VIRUS (Sysop
      Aristotle), CYBERNETIC VIOLENCE (Sysops Pure Energy and
      Rock Steady).
      

      MISSING IN ACTION: GARY WATSON.
      *****************************************************************

      BITS AND PIECES I: FRANS HAGELAARS STEPS DOWN AS FIDONET VIRUS
      ECHO MODERATOR, NAMES EDWIN CLETON AS REPLACEMENT. CLETON 
      VOWS STRICT ADHERENCE TO RULES, OR IT'S THE HIGHWAY FOR ALL
      THOSE CRUMMY, GRAND-STANDING FIDO-FLAMERS. AS FIRST ACT, CLETON
      SHUSHES A USER FOR EXTRACTING A COUPLE LINES FROM THE VSUM
      DATABASE WITHOUT NEGOTIATING A LICENSING AGREEMENT WITH PATRICIA
      HOFFMAN. 'THAT'LL SHOW 'EM I MEAN BUSINESS,' HE SEZ.
      *****************************************************************

      BITS AND PIECES II:

      We grabbed this advert of interest off the wires. Now, mebbe      
      we'll be able to bring you a product run through for the next
      issue.
                                    -*-
      AVLab v1.0, the antiviral researcher's toolkit from Cairo Research 
      Labs, is now available!

      * Extensive Virus Signature Database System capable of handling
      multiple databases
      * Ability to search across the signature database
      * Generate custom virus signature datafiles from your database
      * Ability to read VIRSCAN.DAT style signature files and add them
      to the database!
      * Create detailed reports to the screen, printer, or a file
      * Implement a very detailed virus scanner testbed!
      * Much more!

       AVLAB or AVLAB*.*  from:   Under the Nile! 9600v.32   1:3613/12
       120K in size               Backwoods BBS   9600USR-DS 1:3613/10
      -------------------------------------------------------------------
      Scott Burkett & Christopher Brown,
      Cairo Research Labs
                                    -*-
       ------------------------------------------------------------------
       BITS & PIECES III:

       Steve Rosenthal, a Macintosh product reviewer published by Prodigy,
       spent a recent weekly column shilling for Symantec's SAM. 
       Rosenthal openly griped about the current state-of-
       affairs which has set up a market where large retail 
       software developers charge $60-$100 for anti-virus measures
       which can be had for free or almost so as shareware. His
       case in point was Symantec's SAM versus "Disinfectant", a
       freeware program developed by a Northwestern University 
       researcher.  In the article, Rosenthal added he was miffed
       that software developers could profit from the computer virus
       phenomenon, although he saw no evidence that any programmers of 
       such things had ever written viruses. An interesting, naive 
       oversight: In the IBM world, names like Ralph Burger and Mark 
       Washburn - with viruses named after both - immediately come to 
       mind.
       -------------------------------------------------------------------
       
       

       URNST'S SCAREWARE TOOLS: CLASSIC VIRUS DEMOS ADD LIFE TO ANY PARTY
       ******************************************************************

       Part of this issue's software packet are DEBUG scripts which will
       allow you to create demonstrations of the "classic" (sort of like
       "classic" rock, y'know, from David Stang's 'good 'ol days')
       viruses: PingPong, Den Zuko, Jerusalem and Cascade.

       We call them "scareware" because they've been optimized for 
       convincing "real-life" testing or demonstration. Unlike many
       virus demo programs which are either scanning viral fragments
       or cumbersome command-line driven tools which loudly advertise
       their presence on any system, Urnst's Scareware Tools are
       completely silent. All are invoked simply by typing the name
       of the program. In addition, they do not scan. Although not 
       infectious, all the programs will install themselves into memory 
       and continue generating specific symptoms until a warm reboot is
       initiated.

       These programs are not self-aware. That is, they will not complain
       and refuse to function if modified, like many performance crippled 
       virus-dummy simulator/generators. This has advantages and drawbacks, 
       depending upon what use one decides to make of Urnst's Scareware 
       Tools.

       The features of Urnst's Scareware Tools are as follows:

                 *DENSCARE.COM - upon invocation, DenZukoScare (tm)
                 immediately displays the popular DEN ZUK virus 
                 graphic effect and exits.

                 *JERSCARE.COM - upon invocation, JerusalemScare
                 (tm) becomes resident. After a short period of
                 time - about a minute on most systems -
                 JerusalemScare will effect the characteristic
                 Jerusalem virus system slowdown and scrolling black
                 window display on the left side of the monitor.

                 *PPSCARE.COM - upon invocation, PingPongScare (tm)
                 will become resident and clutter the screen with
                 the characteristic "bouncing ball" of the PingPong
                 boot block infector.  Computing can continue while
                 PingPongScare is in effect. [Warning: The Surgeon
                 General has determined that daily computing while
                 PingPongScare (tm) is in effect can result in eye
                 strain and, possibly, headaches.]

                 *CASCARE.COM - upon invocation, CascadeScare (tm)
                 will become resident. After a brief pause, the
                 characteristic rat-a-tat sound of the Cascade
                 virus and its nifty falling letters effect will
                 be seen. This will continue intermittently, for as
                 long as CascadeScare is resident. If the computer is
                 in graphics mode, only the rat-a-tat sound effect
                 will be noticed.

       Besides demonstration, there are many other uses for Urnst's 
       Scareware Tools. Some examples: April Fool's jokes, parlor 
       trickery, devilment of bosses & administrators, entertainment, 
       aahhhh, you get the idea.

       An URNST tip! Tie DenZukoScare (tm) into your AUTOEXEC.BAT. 
       Then every day, as you start computing you'll be greeted by the 
       cheerful DEN ZUKO display. Kooky!
       ******************************************************************
       AMBULANCE CAR VIRUS [STRAIN B]
       ******************************************************************
       Supplied in this issue of the letter as a DEBUG script and
       recompilable disassembly, AMBULANCE CAR is a simple, path-searching
       direct-action infector with a gaudy display. By paying close
       attention to the technical notes in the virus's disassembly, you
       should be able to run it on your system enough times to see
       its trademark "ambulance" effect.

       My tip of the hat to an early issue of 40Hex which included this
       interesting virus as a DEBUG script, too. (I think).
       
       *******************************************************************
       ADDITIONAL KUDOS: THANKS AND A TIP O' THE HAT TO CRYPT READER
       CAPTAIN AEROSMITH WHO PROVIDED THE GOBBLER II AND PCRx SOFTWARE
       FOR TEST-DRIVES.
       *******************************************************************
       
       
       MAKING USE OF THE CRYPT NEWSLETTER SOFTWARE:

             To produce the software included in this issue, place
             the included MAKE.BAT file, the MS-DOS program
             DEBUG.EXE and the included *.SCR files in the
             current directory. (Or ensure that DEBUG is in the
             system path.)

             Type "MAKE" and DEBUG will assemble the SCRiptfiles into
             working copies of URNST's SCAREWARE TOOLS and
             AMBULANCE CAR virus. Alternatively, you can do it 
             manually by assembling Ambulance from the supplied
             source listing. To do that, you'll need the TASM
             assembler and its associated linker.

             Remember, software included in the Crypt newsletter can
             fold, spindle and mutilate the precious valuables on
             any IBM-compatible PC. In the hands of incompetents,
             this is very likely, in fact.

    **********************************************************************
    This issue of the Crypt Newsletter should contain the 
    following files:

             CRPTLT.R10 - this electronic document
             JERSCARE.SCR - scriptfile for JerusalemScare (tm)
             PPSCARE.SCR - scriptfile for PingPongScare (tm)
             DENSCARE.SCR - scriptfile for DenZukoScare (tm)
             CASCARE.SCR - scriptfile for CascadeScare (tm)
             AMBUL.SCR - scriptfile for AMBULANCE CAR virus
             AMBUL.ASM - TASM source listing for AMBULANCE CAR virus
             MAKE.BAT - Makefile which, when used with the MS-DOS
             program DEBUG.EXE, will produce working copies of
             Urnst's Scareware Tools and Ambulance Car virus from the
             included scriptfiles.

    You can pick up the Crypt Newsletter at these fine BBS's, along with
    many other nifty, unique things.


    DARK COFFIN                           1-215-966-3576     Comment: Crypt Corporate
    THE HELL PIT                          1-708-459-7267
    DRAGON'S DEN                          1-215-882-1415
    FATHER & SON                          1-215-439-1509
    RIPCO ][                              1-312-528-5020
    AIS                                   1-304-420-6083
    CYBERNETIC VIOLENCE                   1-514-425-4540
    THE VIRUS                             1-804-599-4152
    NUCLEAR WINTER                        1-215-882-9122
    UNPHAMILIAR TERRITORY                 1-602-PRI-VATE
    THE OTHER SIDE                        1-512-618-0154
    MICRO INFORMATION SYSTEMS SERVICES    1-805-251-0564

    If you have contributions, mail or just wish to be listed as above,
    contact Urnst Kouch at Dark Coffin BBS, the FidoNet Virus
    echo or VxNet matrix.
   
    And we'll see YOU around New Year or thereabouts!
                                    -*-