Thief is a TSR (Terminate and Stay Resident) utility written in 8086 assembly
language that attempts to steal Novell passwords.  It originates from a site
with consummate hackers and a long, colorful history of mischief: George
Washington High School in Denver, Colorado.

The school is well endowed with a large variety of IBM microcomputers.  Five
rooms of about 30 computers each are all tied together on a Novell network.
Four of the five rooms solely use boot proms for initializing the
workstations.*  However, the fifth houses IBM PS/2 model 80s with hard drives.
The power users tend to congregate in this area, including the "administrators"
with Supervisor equivalence.  These machines do not use boot proms.

So it was on one of these computers where the "thief" was first discovered,
because it takes advantage of weaknesses in the security at the boot phase.
Into the regular flow of action in the AUTOEXEC.BAT file, the creator inserted
a line that executes the (hidden) program copied onto the boot disk.  The TSR
remains in the background and the process continues.  Visual signs of the
break-in are imperceptable.

Then, as soon as a program named LOGIN is executed, the thief springs to life
and records all the keystroke action into a hidden file on the boot disk.  The
human thief may then later return to the computer and see what the trap caught.

Before a more detailed description of the "metabolism" of the thief, consider
now the weaknesses that led to the breach:

o  a localized boot process, or at least one that is corruptable.
o  _physical_ access (by the thief) to a sensitive computer.

Both are controllable, of course.  The boot prom is a solution for the former,
and lock and key (on the computer or a room that surrounds it) is for the
latter.


Now return to the "metabolism".  Surprisingly, THIEF uses the same "hook" that
the Novell shell does!  That is, it captures the centralized portal to DOS,
interrupt 21h.*  Then, it intercepts all function calls.  Specifically, it
checks for the EXECute file function call and the "terminate" interrupt.
Whenever an EXEC call is made with a filename LOGIN, THIEF springs to life and
records keystrokes until the program terminates.  This is somewhat
sophisticated; however, an even more effective method could be realized: it
could simply wait for the specialized Novell function call to log in, and
record the calling parameters.  Note that the above technique requires the
program be loaded _subsequent_ to the Netware shell.


By no means are these types of programs new; they have been around as long as
password-based program security.  Here, however, is an example that is
tangible and immediate.  Study of it is beneficial because knowledge of
Netware security is one thing; knowledge of how to _defeat_ it is quite
another!  The latter demands cutting-edge sophistication and comprehension.

The future will certainly see improved identification techniques, and timeless,
devious ingenuity will be there to greet them.


Note: THIEF was formerly named GETIT by its creator, who was careless and cocky
enough to leave the source code.


*"Boot proms", for those not familiar, are accessory chips that reside on
network interface cards; they redirect local drive activity to the server
during the boot process, thus allowing a workstation to initialize without a
(boot) disk.

*Interrupt 21h is that used by any program when requesting a DOS function.
The Netware shell, of course, intercepts this regular flow.  It may pass the
information directly along to DOS, or process the call itself.
