==Phrack Inc.==

Volume Three, Issue 29, File #11 of 12

Phrack World News
Issue XXIX/Part 2
November 17, 1989

Created, Written, and Edited by Knight Lightning

Offensive Message Flashes At Busy City Corner                   October 25, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Linda Wheeler (Washington Post)

An offensive message that mystified the owners of an electronic information board was flashed Monday, October 23, at Connecticut Avenue and L Street NW, one of the city's (Washington DC) busiest intersections.

A Georgetown University law student, Craig Dean, said he saw the message: "HELP STAMP OUT A.I.D.S. NOW: KILL ALL QUEERS AND JUNKIES" It flashed five times in 25 minutes. Minutes after seeing the message, he called the city Human Rights Office and the Washington Blade, a gay community newspaper. Doug Hinckle, a staff photographer for the Blade, saw the message flash once and photographed it.

Judith Miller, president of Miller Companies, which owns the building at 1101 Connecticut Avenue NW and the message board, said she did not know how the statement got onto the board. She refused to believe it had appeared until she was shown the photographs. Her company has complete control of the board and does not accept any paid messages or advertisements, Miller said.

"I would never do anything like that," she said. "There is no way I would allow such a statement to appear."

Yesterday, Keller, a five-year employee of the Miller Companies, said he did not write the statement and does not know how it became part of the normal flow of headline news.

Miller said she believes her computer system may have a "virus" and will have experts search to find where the unauthorized statement originated. "How absolutely awful," she said of the message.
_______________________________________________________________________________

"WANK" Worm On SPAN Network                                     October 17, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From The Computer Emergency Response Team

On October 16, the CERT received word from SPAN network control that a worm was attacking SPAN VAX/VMS systems. This worm affects only DEC VMS systems and is propagated via DECnet protocols, not TCP/IP protocols. If a VMS system had other network connections, the worm was not programmed to take advantage of those connections. The worm is very similar to last year's HI.COM (or Father Christmas) worm.

This is NOT A PRANK. Serious security holes are left open by this worm. The worm takes advantage of poor password management, modifies .com files, creates a new account, and spreads to other systems via DECnet. It is also important to understand that someone in the future could launch this worm on any DECnet-based network. Many copies of the virus have been mailed around. Anyone running a DECnet network should be warned.

R. Kevin Oberman from Lawrence Livermore National Labs reports:

"This is a mean bug to kill and could have done a lot of damage. Since it notifies (by mail) someone of each successful penetration and leaves a trapdoor (the FIELD account), just killing the bug is not adequate. You must go in and make sure all accounts have passwords and that the passwords are not the same as the account name."

The CERT/CC also suggests checking every .com file on the system. The worm appends code to .com files which will reopen a security hole every time the program is executed.

An analysis of the worm appears below and is provided by R. Kevin Oberman of Lawrence Livermore National Laboratory. Included with the analysis is a DCL program that will block the current version of the worm. At least two versions of this worm exist and more may be created. This program should give you enough time to close up obvious security holes.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Report on the W.COM worm.
R. Kevin Oberman
Engineering Department
Lawrence Livermore National Laboratory
October 16, 1989

The following describes the action of the W.COM worm (currently based on the examination of the first two incarnations). The replication technique causes the code to be modified slightly, which indicates the source of the attack and learned information. All analysis was done with more haste than I care for, but I believe I have all of the basic facts correct. Here is a description of the program:

1. The program assures that it is working in a directory to which the owner (itself) has full access (Read, Write, Execute, and Delete).

2. The program checks to see if another copy is still running. It looks for a process with the first 5 characters of "NETW_". If such is found, it deletes itself (the file) and stops its process.

   Note: A quick check for infection is to look for a process name starting with "NETW_". This may be done with a SHOW PROCESS command.

3. The program then changes the default DECNET account password to a random string of at least 12 characters.

4. Information on the password used to access the system is mailed to the user GEMPAK on SPAN node 6.59. Some versions may have a different address.

5. The process changes its name to "NETW_" followed by a random number.

6. It then checks to see if it has SYSNAM priv.
   If so, it defines the system announcement message to be the banner in the program:

      W O R M S    A G A I N S T    N U C L E A R    K I L L E R S
      [ASCII-art "WANK" logo]
      Your System Has Been Officically WANKed
      You talk of times of peace for all, and then prepare for war.

7. If it has SYSPRV, it disables mail to the SYSTEM account.

8. If it has SYSPRV, it modifies the system login command procedure to APPEAR to delete all of a user's files. (It really does nothing.)

9. The program then scans the accounts logical name table for command procedures and tries to modify the FIELD account to a known password with login from any source and all privs. This is a primitive virus, but very effective IF it should get into a privileged account.

10. It proceeds to attempt to access other systems by picking node numbers at random. It then uses PHONE to get a list of active users on the remote system. It proceeds to irritate them by using PHONE to ring them.

11. The program then tries to access the RIGHTSLIST file and attempts to access some remote system using the users found and a list of "standard" users included with the worm. It looks for passwords which are the same as that of the account or are blank. It records all such accounts.

12. It looks for an account that has access to SYSUAF.DAT.

13. If a priv. account is found, the program is copied to that account and started. If no priv. account was found, it is copied to other accounts found on the random system.

14. As soon as it finishes with a system, it picks another random system and repeats (forever).
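The remediation the CERT notice and Oberman's report call for (no blank or account-name passwords, no privileged FIELD trapdoor, no NETW_ processes, no drift in .COM files) written up as an audit script. This is an added example, not the CERT's DCL program or anything from the report; it assumes a simplified account record and uses SHA-256 over a salt as a stand-in for the real VMS SYSUAF password hash, and all sample data is constructed.

```python
"""Audit checks for the weaknesses the W.COM (WANK) worm relies on, as the
CERT notice and Oberman's report describe them: blank passwords, passwords
equal to the account name, a privileged FIELD trapdoor account, NETW_
process names, and .COM files changed since a trusted baseline.
All input here is constructed. The stored password hash is simulated as
SHA-256(salt || uppercased password), a stand-in for the real VMS SYSUAF
hash, which is not modelled."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    privs: frozenset
    disabled: bool = False

def hash_password(salt: bytes, password: str) -> bytes:
    # The auditor never needs plaintext: it re-hashes only the two guesses
    # the worm is documented to try and compares against the stored hash.
    return hashlib.sha256(salt + password.upper().encode("ascii")).digest()

def make_account(username, password, privs=(), disabled=False):
    salt = username.encode("ascii")[:8]  # constructed, deterministic salt
    return Account(username, salt, hash_password(salt, password),
                   frozenset(privs), disabled)

def weak_accounts(accounts):
    """Enabled accounts whose password is blank or equals the username."""
    return [a.username for a in accounts if not a.disabled and any(
        hash_password(a.salt, guess) == a.pw_hash for guess in ("", a.username))]

def field_trapdoor(accounts):
    """True if FIELD is enabled with privileges that hand over the system."""
    return any(a.username == "FIELD" and not a.disabled
               and bool(a.privs & {"SYSPRV", "SETPRV", "CMKRNL"}) for a in accounts)

def worm_processes(process_names):
    """The worm renames itself NETW_<random>; flag any such process."""
    return sorted(p for p in process_names if p.startswith("NETW_"))

def changed_com_files(baseline, current):
    """.COM files whose digest differs from the baseline (the worm appends
    code to .COM files, so any drift needs a manual look)."""
    return sorted(name for name, content in current.items()
                  if baseline.get(name) != hashlib.sha256(content).hexdigest())

# --- constructed sample inputs -------------------------------------------
SAMPLE_ACCOUNTS = [
    make_account("SYSTEM", "constructed-strong-pw", {"SYSPRV", "CMKRNL"}),
    make_account("DECNET", "DECNET", {"NETMBX", "TMPMBX"}),        # pw == name
    make_account("FIELD", "constructed-pw", {"SYSPRV", "SETPRV"}),  # enabled
    make_account("JSMITH", "", {"TMPMBX"}),                        # blank pw
    make_account("GUEST", "", {"TMPMBX"}, disabled=True),          # ignored
]
SAMPLE_PROCESSES = ["SWAPPER", "NETW_4471", "DECNET_MAIL", "JSMITH_1"]
SAMPLE_BASELINE = {"SYLOGIN.COM": hashlib.sha256(b"$ SET NOON\n").hexdigest()}
SAMPLE_CURRENT = {"SYLOGIN.COM": b"$ SET NOON\n$ ! constructed appended line\n",
                  "LOGIN.COM": b"$ SET TERMINAL/INQUIRE\n"}

if __name__ == "__main__":
    print("weak accounts:", weak_accounts(SAMPLE_ACCOUNTS))
    print("FIELD trapdoor:", field_trapdoor(SAMPLE_ACCOUNTS))
    print("worm processes:", worm_processes(SAMPLE_PROCESSES))
    print("changed .COM:", changed_com_files(SAMPLE_BASELINE, SAMPLE_CURRENT))
```

Disabled accounts are skipped on purpose: the worm can only log in through an enabled one, so the audit reports what it can actually use.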
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Computer Network At NASA Attacked By Rogue Program              October 18, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by John Markoff (New York Times)

A rogue computer program attacked a worldwide network of the National Aeronautics and Space Administration on Monday, October 16, inflicting no damage but forcing officials to disconnect the network from sensitive military and space systems.

Security experts speculated that the program was written by someone who opposed Tuesday's (October 17) scheduled launching of the space shuttle Atlantis, which was to carry a nuclear-powered satellite into orbit. The launching was postponed because of bad weather.

NASA officials said the rogue program attacked an academic and research network, the Space Physics Analysis Network, which is not used for space shuttle mission control. But a NASA official said the agency felt compelled to disconnect several links between the network and an operational space shuttle network as a precaution.

Computer security experts at several national laboratories said the Department of Defense had also severed the connection between commercial and research networks and the nonclassified network that connects United States military installations and contractors around the world.

The program was designed to copy itself secretly and send unwanted, sometimes vulgar messages to users of the NASA network. It also tricks users into thinking that data have been destroyed, although no data are damaged. Like similar programs that have been sent into computer networks by pranksters and saboteurs, it exploited a flaw in the security system designed to protect the computers on the network.

Computer security experts said Tuesday that they knew of about 60 computers that had been affected by the program. A NASA spokesman said the program was still spreading.
While the network is widely available to academic researchers with personal computers, the rogue program was designed to attack only 6,000 computers manufactured by the Digital Equipment Corporation. The flaw in the security of the Digital Equipment computers had been widely publicized over a year ago, even before a similar rogue program jammed a group of interconnected international networks known as the Internet. NASA officials said the program was only able to attack computers in which the necessary steps had not been taken to correct the flaw.

Among the messages the program displayed on all infected computers was one that read: "Worms Against Nuclear Killers. You talk of times of peace for all, and then prepare for war."

Computer scientists call this kind of program a worm, a reference to a program first described in the novel "Shockwave Rider" by a science fiction writer, John Brunner.

_______________________________________________________________________________

Virus Controversies Again                                       October 6, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~
by John Markoff (New York Times)

"The issue has also sparked interest among computer scientists."

Harold Highland, editor of Computers & Security, a professional journal, said he had received two research papers describing how to create such anti-virus programs. He has not decided whether to publish them.

"No one has raised the obvious ethical questions," he added. "I would hate to see a virus released to fight viruses. Until it's tested you don't know whether it's going to do more damage than the program it is designed to fight."

A number of these programs have already been written, computer researchers said. The one that destroyed the data on business and governmental personal computers in the United States was reportedly designed by a Venezuelan programmer. How many computers were affected and where they were is unclear. That program is called Den Zuk, or Search.
It was intended to attack a destructive program known as the Brain Virus that was distributed in 1986 by two brothers who owned a small computer store in Pakistan.

Errors in the design of the program illustrate the potential danger of such viruses, critics say. Fridrik Skulason, a microcomputer specialist at the University of Iceland in Reykjavik, who has disassembled the program, said the author of Den Zuk had failed to take into account the different capacities of disks available for IBM and IBM-compatible machines. Because of that simple error, when the program infects a higher-capacity disk it destroys data.

"They probably wrote with good intention," he said. "The only problem is that the programmers were not able to do their job correctly."

At least two other anti-viral viruses have already been devised, said Russell Brand, a computer security researcher at Lawrence Livermore. He said programmers at one company, which he would not identify, had written the programs to combat the Scores virus, a program that infected Macintosh computers last year. He added that even though the programs were designed so they could not go beyond the company's own computers, there had been a heated debate over whether to deploy the programs. He said he did not know how it was decided.

Brand said a group of computer researchers he works with at Lawrence Livermore had written several self-replicating programs after the appearance of the rogue program that Morris of Cornell is accused of writing. But he added that the group had never given permission to release the programs.

The debate over vigilante viruses is part of a broader discussion now taking place among some computer researchers and programmers over what is being termed "forbidden knowledge."

"There are ethical questions any time you send something out there that may find itself invited on to somebody else's computer," said Pamela Kane, author of a book on computer virus protection.
In California this month a group of computer hackers plans to hold a forum on "forbidden knowledge in a technological society."

While the role of the computer hacker has been viewed as mischievous in a negative way, hackers have consistently played a role as innovators, said Lee Felsenstein, a Berkeley, California, computer expert who designed several early personal computers.

"Computer hacking was originally a response to the perception of a priesthood's control over immensely powerful technological resources," he said. "Informed individuals were able to break the power of this priesthood through gaining and spreading the body of forbidden knowledge."

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Dreaded Personal Computer Virus May Be Only A Cold              October 6, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Don Clark (New York Times)

It won't be much of a plague. But the hysteria anticipating it has been world-class.

Those observations come from computer-security experts as they await Datacrime, a virus program set to attack IBM-compatible personal computers starting Thursday, October 12, 1989. Analyses of the program, also called the Columbus Day Virus, show that it is indeed destructive. It just hasn't spread very far.

"It's going to be the week of the non-event," predicted John McAfee, a Santa Clara, California, consultant who serves as chairman of the Computer Virus Industry Association. "You have more chance of being hit by a meteor than getting this virus."

McAfee Associates, which acts as a clearinghouse for virus information, has received just seven confirmed reports of Datacrime in six months -- compared with three to 50 reports per day about another virus that originated in Israel in 1987. He thinks only 50 copies of Datacrime exist, and 40 of those are in the hands of researchers.
"It's gotten more publicity than it deserves," agreed Russell Brand, another virus expert, who advises Lawrence Livermore National Laboratory. Brand expects to find just 20 copies among the 75,000 computers he monitors at 1,000 sites.

Such projections are disputed by some. They are based on how often Datacrime has been detected by computer users using special software that scans their systems for the virus. The virus could have infected many users who have not bothered to scan their systems, McAfee concedes.

Fears have been whipped up by the news media and computer managers at companies and government agencies. Companies promoting products to eradicate viruses also have played a role -- understandably.

Staid IBM Corporation this week took the unusual step of offering a program that checks systems for viruses. The company hasn't detected the virus in its own operations, but concedes that many customers are worried. "They are asking us how we protect our software-development operations from viruses," said Bill Vance, who was appointed a year ago as IBM's director of secure systems.

Bank of America, a huge IBM customer with 15,000 PCs, recently put out a company-wide notice advising users to make backup copies of their computer data by Wednesday, the day before the virus is programmed to strike.

"Three different government agencies have panicked and sent out multiple versions of incorrect advice," Brand said.

Worried calls have deluged McAfee's office, which has just three lines for computer communications and three for voice. "We put the phone down and it's 30 seconds before it rings again," he said.

Computer sleuths detected Datacrime -- and have detected other viruses -- by looking for changes in the size of data files and in the way programs operate. The underlying code used to write the program, once disassembled by experts, indicates when the program will activate itself.
The identity of Datacrime's author isn't known, although some reports have linked the virus to an anonymous hacker in Austria. It first began showing up in March, McAfee said, and gained notoriety after it was discussed at the midsummer Galactic Hackers Conference in Amsterdam. It appears to be relatively prevalent in the Netherlands and other European countries. Dutch computer users have reportedly bought hundreds of programs that are said to detect and destroy the program.

Like other viruses, Datacrime rides along with innocuous programs when they are exchanged over a computer network or computer bulletin board or through exchange of infected disks. Unlike many viruses, it has been designed to later insert itself in data files that users don't often examine. If one of the programs is executed after the target date, Datacrime proceeds with its dirty work -- destroying the directory used to keep track of files on a computer's hard disk.

The crime is analogous to destroying a card file in the library. "By destroying this one table you can't find where any of your data is," said Brand.

But no one should really be in a fix if he makes backup copies of data, experts say. The data, once safely stored on another disk drive or on magnetic tape, can be restored by computer professionals even if the virus has infected the backup files.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

"Vaccines" To Hunt Down Rogue Programs                          October 6, 1989
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by John Markoff (New York Times)

Ever since a rogue program created by a graduate student jammed a nationwide computer network last year, the rapid spread of such disruptive software, often known as viruses, has caused growing alarm among computer users. Now, to fight fire with fire, some companies, individuals and even a government research laboratory are crafting a new breed of what have been called anti-viruses to hunt down intruders.
The trouble is, some computer security experts say, the problem of viruses may be exaggerated -- and the new crime fighter may do even more damage than the criminal. Much like an infection, a well-intended but badly designed program to stop viruses can run amok, knocking out thousands of computers or destroying vast amounts of data.

Indeed, one of the anti-virus programs intended to defeat a known virus has already destroyed data on business and governmental personal computers in the United States. The issue has touched off a heated debate over whether the creation of these high-technology vigilantes is a responsible action.

"The risks are just enormous," said Peter Neumann, a computer security expert at SRI International, a technology research center in Menlo Park, California. "It's an unbelievably unsafe thing to do."

But Chris Traynor, a programmer at Divine Axis, a software development company in Yonkers, New York, argues that anti-virus programs can be contained so that they do not spread out of control, reaching and possibly damaging data in other computers. His company is now trying to design such a program.

Computer researchers at the Lawrence Livermore Laboratory, a federal weapons center in Livermore, California, have designed similar programs that patrol computer networks in search of breaches through which viruses could enter the system.

Viruses, which got their name because they mimic in the computer world the behavior of biological viruses, are programs, or sets of instructions, that can secretly be spread among computers. Viruses can travel either over a computer network or on an infected disk passed by hand between computer users. Once the infection has spread, the virus might do something as benign as displaying a simple message on a computer screen or as destructive as erasing the data on an entire disk.
Computer security experts have been concerned for several years by the emergence of vandals and mischief makers who deliberately plant the destructive programs. But in recent weeks international alarm has reached new heights as rumors have spread that a virus program will destroy data on thousands of computers this month, on Friday the 13th.

Computer security researchers said the virus, known as Datacrime, was one of at least three clandestine programs with internal clocks set to destroy data on that date. As is usually the case, no one knows who wrote the program, but U.S. military officials have mentioned as possible suspects a European group linked to West German terrorists and a Norwegian group displeased with the fame of Christopher Columbus, who is honored next week.

Largely in response to customer concerns, IBM said on Monday that it was offering programs for its personal computers that would scan for viruses.

But several computer security experts say public fears are largely exaggerated. They note that there have been fewer than a dozen reported appearances of the Datacrime virus in the United States, and contend that the whole issue is overblown.

Still, in the personal computer world, where many users have little knowledge of the technical workings of their machines, concern over computer viruses has become widespread. The issue got the most attention last November, when, it is charged, Robert Morris, a graduate student at Cornell, unleashed a rogue program that, because of a small programming error, ran wildly out of control, copying itself hundreds of times on thousands of computers and overloading a national network.

As a result of the mounting concern, a new industry has blossomed offering users protective programs known as vaccines, or anti-viral software. These programs either alert users that a virus is attempting to tamper with their computer or scan a computer disk and erase any rogue program that is detected.
These conventional programs do not automatically migrate from computer to computer, but now some experts are exploring fashioning programs that graft the powers of the vaccines onto viruses in order to pursue and stop them wherever they go.

Designing and spreading such programs was proposed in August by several people attending an international gathering of computer hobbyists, or "hackers," in Amsterdam. They suggested that it was a good way for members of the computer underground to make a positive contribution. But many researchers believe the idea is dangerously flawed because of the possibility of accidentally doing great damage.

Some computer security researchers worry that writing an infectious program to stop viruses may be taken as an intellectual challenge by hackers who are well meaning but do not grasp what problems they could create.

"One of the questions that the hacker community is now addressing is what you do about young hackers," said Stewart Brand, a writer in Sausalito, California, who is working on a book on outlaw cultures and high technology. "They don't have a sense of responsibility; they have a sense of curiosity. These are deliciously debatable issues, and I don't see them going away."

>--------=====END=====--------<