CRYPT NEWSLETTER NUMBER 10

**********************************************************************

Another festive, info-glutted, tongue-in-cheek training manual provided solely for the entertainment of the virus programmer, security specialist, casual bystander or PC hobbyist interested in the particulars - technical or otherwise - of cybernetic data replication and/or mutilation.

EDITED BY URNST KOUCH, early December 1992

**********************************************************************

TOP QUOTE: "From Hell's heart, I stab at thee!" --Captain Ahab in Melville's "Moby Dick" (or Khan, from a Star Trek movie, if you're a Philistine)

IN THIS ISSUE: A virus ate my lunch money: South American drug lord served by computer mishap . . . A virus ate my lunch money, part II: Crypt newsletter and the PROTO-T hoax revisited, Jeezus H. Christ . . . Consumer report: Trend Micro Devices' PC-Rx anti-virus software . . . GOBBLER II test drive . . . AMBULANCE CAR virus . . . The first annual Crypt Virus/Anti-virus Awards . . . In the READING ROOM: Bruce Sterling's "The Hacker Crackdown" . . . Pallbearer's AT THE MOVIES: raiding BlockBuster Video over "Sneakers", the movie . . . Thom Media cracks jokes . . . URNST'S SCAREWARE TOOLS . . . stupid humor and more . . .

****************************************************************
A VIRUS ATE MY LUNCH MONEY: COLOMBIAN POLITICIANS AND PABLO ESCOBAR SERVED BY "Ghost of La Catedral" VIRUS
****************************************************************

Reuters news service reports that on Nov. 13, Colombian officials announced from Bogota that a computer virus had nuked a report containing critical comments on government ministers involved in the muffed prison transfer of drug lord Pablo Escobar. Escobar and a number of accomplices escaped during the June transfer and a national scandal erupted, resulting in a formal investigation of government officials involved in orchestrating the event. The virus allegedly eliminated the investigation's conclusions mere hours before they were to be publicly presented. The virus was called "Ghost of La Catedral," in reference to the prison from which Escobar escaped. Reuters was one of the first international news agencies to hype the threat of Michelangelo virus.

*****************************************************************
A VIRUS ATE MY LUNCH MONEY, PART II: CRYPT NEWSLETTER AND THE PROTO-T HOAX REVISITED
*****************************************************************

In an odd case of art imitating life and life coming back to bite it in the caboose, the "PROTO-T" virus from Crypt Newsletter #9 has taken on a strange will of its own. Alert Crypt readers will remember the editor ridiculing bogus FidoNet alerts warning of the threat posed by a new virus, PROTO-T, which could hide in COM port buffers, video memory, etc. Further, readers with reading comprehension well above the level of cabbage should recall the generic, memory resident infector supplied with Newsletter #9. This virus, clearly labeled as a program NAMED "in honor" of "the anonymous electronic quacks" who LAUNCHED the PROTO-T HOAX, in no way constituted prima facie evidence that PROTO-T, as described on the networks and elsewhere, existed. Nevertheless, many readers missed this fine distinction, preferring to believe that the Crypt newsletter had, indeed, supplied them with a pure sample of the REAL THING: PROTO-T in all its horror.

Readers and virus collectors surfaced on the WWIVnet, and even on PRODIGY, in the next few days, INSISTING that PROTO-T was real and that they had the source code and DEBUG scripts, supplied by the newsletter, to prove it. Some even went as far as to execute PROTO-T on their machines, but more on that later.

Well, PROTO-T most certainly DIDN'T exist prior to our covering the hoax. There was no evidence that any viral or Trojan code was in the hack PKZip 3.0, the alleged "carrier" of PROTO-T. The claims that PROTO-T could hide in a COM port buffer were patent bullshit. (Not our bullshit mind you, but still bullshit.) However, for all intents and purposes, PROTO-T now exists even though OUR "symbolic gesture" is nothing close to the shambling monster confabulated by the original hoaxsters. In short, IT WAS SUPPOSED TO BE A JOKE.

So, now you have PROTO-T and you don't recall its features because you were so excited you messed yourself and forgot to read issue #9 closely. Listen up, then! PROTO-T, the demo virus supplied by Crypt newsletter, is a simple, memory resident .COM infector which hooks interrupt 21 and monitors the DOS "execute" function, contaminating files just before they run. It reduces the apparent amount of memory by approximately 1 kilobyte, a phenomenon which can be observed by recording the amount of available memory from a MEM /C command before and after the virus is installed on a machine. PROTO-T is not stealthy; it is not encrypted. It will not trash your drive although IT WILL irreversibly infect programs, making them difficult to use. The virus contains the ASCII string, "This program is sick. [PROTO-T by Dumbco, INC.]"

Now, if you temporarily lost your sanity and ran PROTO-T before reading the documentation, here is a clip-list of "Common PROTO-T trouble-shooting questions and answers."

-=Cut here and save=-
--------------------------------------------------------------
URNST'S QUICK TIPS ON REMOVING PROTO-T FROM A CARELESSLY INFECTED IBM PC
______________________________________________________________

Q. I stupidly ran PROTO-T and promptly forgot about it. How do I find the virus on my system?

A. If you have NORTON UTILITIES or any reasonable facsimile, use its text searching capability to look for strings like "PROTO-T" or "Dumbco, INC." Delete the files that turn up; they contain the virus.

Q. My computer makes a strange quacking noise on boot, then the drive light comes on, stays on and the machine appears to hang. What's up?

A. PROTO-T has infected your COMMAND.COM and it's after 4:00 in the afternoon. Either wait until morning, or boot with a CLEAN diskette from the A: drive and delete the infected command processor. Restore the deleted processor from your DOS backup disk.

Q. Ever since I foolishly ran PROTO-T without knowing what I was doing, my machine is plagued by intermittent quacking noises, hangs and unexpected, furious activity on the C: drive. Now my hair is turning prematurely gray. What can I do?

A. A number of your programs have been contaminated with PROTO-T. Either delete all the files found in question #1, or use this "trial and error" method: Boot from a clean DOS diskette and set your system's time to 4:00 pm. Begin executing all the .COM programs on your disk. Those that make the PC quack, hang or indulge in furious disk activity are infected with PROTO-T. Delete them and restore from your original backup or distribution disks. Presently, PROTO-T cannot be removed from infected files. These programs are ruined unless you wish to keep your system clock reset to BEFORE 4:00 pm, permanently. Alternatively, you can wait until an antivirus developer equips its software to "clean" PROTO-T.

Q. I used a hex editor to rip the ASCII string out of PROTO-T because I wanted to "rename" it as mine and upload it to a virus exchange BBS for credit. Then I foolishly lost my usually sound judgment and allowed the virus to escape on my system. Is there any hope?

A. Use the method described above to find the PROTO-T infected files, then delete them.

Q. I used a hex editor to, well, you know - AND my machine is an XT with NO internal clock. I lost my head and allowed the virus to escape on my system. Am I screwed?

A. Could be.

Q. I don't have a "clean" DOS boot disk and I don't keep back-ups. I infected my system with PROTO-T anyway, because I'm so far off my rocker my parents don't even trust me with a box of pumpkin-colored plastic leaf bags. How do I recover?

A. Why are you fooling around with viruses? Seek psychological counseling, you have a profound death wish. Dealing with death wishes is beyond the scope of the Crypt Newsletter.

***************************************************************
-*-
***************************************************************
WESTERN DIGITAL ANNOUNCES HARDWARE & SOFTWARE-BASED ANTI-VIRUS MEASURES INCLUDED IN ITS CLASS OF 386/486 MICROPROCESSORS. YOGI BERRA COMMENTS, "I'LL BELIEVE IT WHEN I BELIEVE IT!"
***************************************************************

"Without some form of generic virus detection methodology, the industry cannot hope to keep up with the growing epidemic of more than 1000 known virus strains, much less the dozens of unidentified and mutated strains that are introduced into the community each month," said Charles Haggerty, Western Digital's president.

Western Digital's generic anti-virus technology will be served through a combination of proprietary control logic and associated software shipped with the company's WD8755 system logic controllers. Initial customers will be the company's PC manufacturing clients.
The anti-virus measures are designed to cover IDE-type hard files equipped with DOS or Windows. Impenetrable jargon supplied by press release. As to the effectiveness of "generic" virus detection, see the report on PC-Rx's "rules-based" generic protection later in this issue.

****************************************************************
-*-
****************************************************************
MO' NEWS, BY WAY OF Compute Magazine, December 1992 - REMOTE POSSIBILITY OF VIRUS WRITING BEING DECLARED OUTLAWRY REARS ITS HEAD . . . AGAIN
****************************************************************

In a short story called "Controlling The Infectious," the December issue of COMPUTE magazine reported that the International Computer Security Association (ICSA), a Washington-based spin-off group of the Carlisle, PA-based National Computer Security Association, is attempting to call for legislation which would felonize virus authors, their software and publications. To quote briefly from that piece:

"Last July, a hacker calling himself Nowhere Man released version 1.00 of Virus Construction [sic] Laboratory, a slick, professional product intended to write a variety of viruses that resist debuggers and can contain up to 10 of 24 programmed effects such as clear the screen, cold reboot, corrupt file(s), lock up the computer, drop to ROM basic, trash a disk, and warm reboot. According to the [ICSA], most of the viruses are undetectable by today's anti-virus products. Creating a new virus takes just a few minutes with a virus construction kit. David Stang, Director of Research at the ICSA, says such products are destined to make today's virus problems look like 'the good ol' days.'"

Because of this, the ICSA is moving to strengthen current computer crime law with regards to virus writing and/or enabling. It seems clear that "publicly," software like the VCL 1.0 (and its Holiday Season-timed update, VCL 2.0), Phalcon/SKISM's [viral] code generators, the publication of Mark Ludwig's "Little Black Books of Computer Viruses" (Volume 2 tentatively scheduled for release early in 1993) and "Computer Virus Developments Quarterly," underground publications like 40HEX, Dark Angel's Phunky/Crunchy/Crispy Virus Writing Guides and the Crypt Newsletter (not to mention the dozens of "research" viruses which just 'happen' to end up in the wild - man, this is running on ;-]) have alarmed segments of the anti-virus community enough so that they feel there is a need for new law. At present, existing law DOES NOT dub the publication or writing of hazardous, replicative code a crime.

Alert Crypt newsletter readers may recall a similar move proposed by U.S. Senator Patrick Leahy. Although Crypt newsletter no longer retains the particulars, Leahy's legislation would have provided legal ground for the prosecution of programmers whose creations directly damaged public computer systems regardless of who planted or spread the code. This legislation failed.

Anyone who follows mainstream computer news is also aware of how "threat descriptions" of software like VCL 1.0 are played up in the world of gleaming white-shirt/corporate-toady computer publications. For example, the Mutation Engine was blown out of proportion in places like Newsweek, mainly because its technology writers seem to lack even the most basic understanding of computer programming. Privately, anyone who frequents the networks knows that the same anti-virus community commentators supplying the "expert" opinion for such high-impact stories openly downplay the complexity and practicality of software like VCL 1.0 in copious, fleering public e-mail transmissions.

There is a lesson to be learned from this in public relations and political persuasion 101 which should not be lost on any card-carrying members of "the computer underground." The editors leave it to you to dope out the nut of it, or continue following the Crypt Newsletter for timely news coverage.

FYI: The ICSA was created at around the time of the Michelangelo "hype," February thru early March, 1992.

******************************************************************
****************************************************************
GOBBLER II - COMRAC's FREEWARE ANTI-VIRUS SCANNER: A SHORT REPORT
****************************************************************

GOBBLER II, an anti-virus scanning suite provided by a Dutch programmer, aims at the ground somewhere between Skulason's F-PROT and Thunderbyte's TBScan. Its creator brags that it is blazingly fast and, indeed, this is so. (Stupid technical stats: Like TBScan, GOBBLER covers a 30 Meg hard file full of executables in approximately 30 seconds on an 80286 PC.) The scanner is menu-driven and allows the user to customize his alarm messages and switch between idiot-proof scanning and scanning augmented by some "heuristic" features.

As a "heuristic" scanner, GOBBLER II fails. If used, the "heuristic" mode flags every file with internal overlays, meaning it will raise a false alarm for almost every complex program on your machine. This is a useless, laughable feature. GOBBLER II users will wish to always rely on its idiot-proof signature scanning.

GOBBLER II is effective at detecting Mutation Engine-based viruses, screening every one (GROOVE, POGUE, CRYPTLAB, MtE SPAWN, and ENCROACHER) we threw at it and any reasonable number of variants generated by these viruses. In its documentation, GOBBLER II claims disinfection for all Mutation Engine virus-contaminated programs. In practice, GOBBLER II failed in attempts to clean CRYPTLAB and ENCROACHER from infected files.

Like any signature-based scanner, GOBBLER II ran up a checkered report card against "common" file and boot viruses. It detected STONED, MICHELANGELO, RED CROSS and JERUSALEM variants with ease and performed accurately against JOSHI, DEN ZUK, ITALIAN, PRINT SCREEN, ALAMEDA, BRAIN and AZUSA contaminated diskettes. It completely missed an oddball like the South African VOID POEM and a number of LITTLE BROTHER variants, although its virus-list indicated recognition of the latter. It was not effective against any VCL 1.0 or Phalcon/SKISM Mass Produced Code (PS-MPC) generator samples, understandable in light of the fact that the program hasn't been updated since July (a bad sign) when both virus tools were still relatively new.

In any case, the discerning reader should recognize that most scanners vary widely in their performance, depending upon the virus collections tested, particular strains chosen for scan testing, how often they're updated and a host of other factors which average users won't give a rat's ass about. GOBBLER II is no exception. Does GOBBLER II detect your garden-variety, COMMON infectors reliably? We think so.

COMRAC's program comes with a memory installable utility which intercepts virus-contaminated files by signature. It takes up a mere 6k in RAM due to clever disk-swapping. The utility, known as CATCHER, easily caught Mutation Engine-based viruses, supplying cryptic "access denied" messages with a ray-gun warning noise.

GOBBLER II has no useful on-line virus database and it does not operate under NDOS or 4DOS, although this isn't mentioned in the measly documentation. GOBBLER II appears to be a product still in beta-testing, subject to those limitations and the question of whether it will receive continued support. Under these conditions, it is free. As such, it is good value - still far superior to freeware scanners supplied by SYMANTEC and CENTRAL POINT SOFTWARE, offering better detection, ease of use and some features - limited disinfection and memory resident barriers to virus infection - not offered by larger retail companies. This is more proof that only fools patronize Symantec and Central Point Software.

To sum up, those extremely strapped for cash, unable to find F-PROT (or wishing to augment that program) AND plagued by guilty conscience when using unregistered shareware could benefit from GOBBLER II.

------------------------------------------------------------------
HUMOR BREAK: THREAT OR MENACE?

There's a really cool virus out there. It's called the Secretary 1.0. What it does is stick a 5.25" disk into a 3.5" drive and ruin the floppy heads.

--Thom Media, Phalcon/SKISM Communications, Nov. 1992
------------------------------------------------------------------

******************************************************************
TREND MICRO DEVICES' PC-Rx & "RULES-BASED" GENERIC VIRUS PROTECTION: EH, MAYBE.
******************************************************************

The basis for Steve Chang's PC-Rx v. 2.0 is its "rules-based" generic virus detection utility, a buzz term that far too many corporate retailers abuse in an attempt to fluster consumers. How good is this stuff? Is it worth your cash money? Let's take a look and see.

Trend's PC-Rx comes with its own dumb "install" program which can coach even the mentally enfeebled through rudimentary disinfection of his system, configuration of the software and creation of "rescue" images which allow PC-Rx to retrieve the master boot record and partitions of the hard file should they be lightly damaged by a virus. Good features!

The central part of PC-Rx is the PCRXVT utility which is inserted into the AUTOEXEC.BAT and uses a set of "rules" to monitor the machine's performance.
This translates to activity equated with viruses, i.e., writes/changes to the boot record, creation of new memory control blocks (a feature found in many memory resident viruses), file opens which remove and restore attributes and date/time stamps, and calls to interrupts 13 and 25/26. Because PCRXVT makes no attempt to scan for virus signatures, it is smaller than most competitor programs and does not significantly slow a machine down during standard computing. It also does not generate many false alarms. From this standpoint, it is elegant and user-friendly.

However, PCRXVT will only detect "average" viruses reliably. For example, PROTO-T, which creates a new memory control block (average memory resident virus behavior), is immediately captured by PCRXVT. However, VOTE (L. BROTHER), a companion infector which becomes resident by copying itself to a rarely used portion of memory, is not. Viruses like VOTE, and there are a number, can operate with impunity on machines protected in this manner. PCRXVT also does not pay attention to programs which redirect segments of the interrupt vector table, a feature present in other programs of this variety.

PCRXVT WILL reliably detect most direct-action viruses. It will NOT trap much of their destructive behavior, however. This is a glaring fault. For example, any direct action virus which deletes, renames or otherwise corrupts other executables not directly involved in its chain of infection is not trapped. What this means is that if a virus does any of these things BEFORE it infects another file, the computer is left wide open to attack despite PC-Rx. And it is this hole which demonstrates the trade-off anti-virus developers must make between utility and full protection. Make your program air tight and it will drive users nuts with alarms during every day tasks. Make it more "user-friendly" and it becomes prey to the new class of viruses created by the Virus Creation Laboratory and similar tools.
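To make the trade-off concrete, here is a small Python model of the PCRXVT-style rules listed above, run over three constructed DOS-call traces: a resident .COM infector in the PROTO-T mould, a VOTE-style companion infector, and a direct-action virus that deletes another program before infecting. This is an added illustration, not code from the newsletter or from Trend Micro; the traces are made up for the example and the only real identifiers in them are standard DOS interrupt and function numbers.

```python
"""Toy model of a PC-Rx style "rules-based" resident virus monitor.

The rules are the ones the review above attributes to PCRXVT. The event
traces are constructed for this example; they are not recordings of any
real program. The INT 21h function numbers in them (48h allocate memory,
25h set interrupt vector, 3Ch create file, 3Dh open, 40h write, 41h delete,
43h get/set attributes, 4Bh exec, 56h rename, 57h get/set date/time) and
INT 13h AH=03h (write sectors) are the standard DOS values.
"""

# INT 21h calls the model counts as damage to files the program does not
# infect: delete and rename.
DESTRUCTIVE = {"41": "delete", "56": "rename"}


def parse(line):
    """'int21 fn=43 mode=get file=A.COM attr=21' -> ('int21', {...})."""
    op, *fields = line.split()
    return op, dict(field.split("=", 1) for field in fields)


def monitor(trace):
    """Run the rules over a trace; return [(line_no, rule_fired), ...]."""
    alerts = []
    orig_attr = {}     # file -> attribute byte seen on a "get"
    stripped = set()   # files whose attributes were changed after a "get"
    timed = set()      # files whose date/time stamp was read
    for n, line in enumerate(trace, 1):
        op, f = parse(line)
        if op == "int13" and f.get("fn") == "03" and (
                f.get("cyl"), f.get("head"), f.get("sec")) == ("0", "0", "1"):
            alerts.append((n, "write to boot record"))
        elif op in ("int25", "int26"):
            alerts.append((n, "absolute disk access via " + op))
        elif op == "int21":
            fn, file = f.get("fn"), f.get("file")
            if fn == "48":
                alerts.append((n, "new memory control block"))
            elif fn == "43":
                if f.get("mode") == "get":
                    orig_attr[file] = f.get("attr")
                elif f.get("attr") != orig_attr.get(file):
                    stripped.add(file)
                elif file in stripped:
                    alerts.append((n, "attributes removed and restored on " + file))
            elif fn == "57":
                if f.get("mode") == "get":
                    timed.add(file)
                elif file in timed:
                    alerts.append((n, "date/time stamp restored on " + file))
    return alerts


def damage_before_alert(trace):
    """Destructive INT 21h calls that complete before the first alert."""
    alerts = monitor(trace)
    first = alerts[0][0] if alerts else len(trace) + 1
    hits = []
    for n, line in enumerate(trace[:first - 1], 1):
        op, f = parse(line)
        if op == "int21" and f.get("fn") in DESTRUCTIVE:
            hits.append((n, DESTRUCTIVE[f["fn"]], f.get("file")))
    return hits


# Constructed trace 1: resident .COM infector in the PROTO-T mould. It
# allocates ~1 KB to stay resident (a new MCB), hooks INT 21h and infects
# the next program that is executed.
PROTO_T_LIKE = [
    "int21 fn=48 paras=64",
    "int21 fn=25 vec=21",                  # vector hooking: no rule for it
    "int21 fn=4b file=EDIT.COM",
    "int21 fn=43 mode=get file=EDIT.COM attr=21",
    "int21 fn=43 mode=set file=EDIT.COM attr=20",
    "int21 fn=3d file=EDIT.COM access=rw",
    "int21 fn=40 file=EDIT.COM bytes=1024",
    "int21 fn=43 mode=set file=EDIT.COM attr=21",
]

# Constructed trace 2: companion infector in the VOTE mould. It goes
# resident by copying itself into an unused part of memory (no allocation)
# and creates a hidden companion .COM instead of touching the target.
COMPANION_LIKE = [
    "memcpy dst=9f00:0000 bytes=600",      # not a DOS call at all
    "int21 fn=25 vec=21",
    "int21 fn=3c file=WP.COM attr=02",
    "int21 fn=40 file=WP.COM bytes=600",
]

# Constructed trace 3: direct-action virus that deletes another executable
# before it infects its target.
DIRECT_ACTION = [
    "int21 fn=41 file=SCAN.EXE",           # damage is done here ...
    "int21 fn=43 mode=get file=FORMAT.COM attr=21",
    "int21 fn=43 mode=set file=FORMAT.COM attr=20",
    "int21 fn=40 file=FORMAT.COM bytes=900",
    "int21 fn=43 mode=set file=FORMAT.COM attr=21",  # ... rule fires here
]

if __name__ == "__main__":
    for name, trace in [("PROTO-T-like", PROTO_T_LIKE),
                        ("VOTE-like", COMPANION_LIKE),
                        ("direct-action", DIRECT_ACTION)]:
        print(name, "alerts:", monitor(trace),
              "| damage before first alert:", damage_before_alert(trace))
```

The model fires on the resident infector's allocation, stays silent for the companion infector, and only catches the direct-action virus after the deletion has already happened, which is the hole the review describes.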
PC-Rx is also vulnerable to "companion" infections. While this may seem trivial to some because "companion" viruses do not directly alter their infection targets, consider that the "companion" virus DOES take low-level control of the machine every time it executes. Would you want a software that lets a virus take control just because it's not directly manipulating a target? Yeah, sure, and you enjoy hitting yourself on the head with a hammer because it feels so good when you stop, too.

The upshot? Novice users or other computerists using isolated systems or PC's in low-threat environments (i.e., household computers where family members aren't engaged in obsessive/compulsive software piracy) may wish to inspect Trend Micro Devices' PC-Rx. Others will pass. (PC-Rx retails for approximately $70 cash money and includes a brute-force virus signature scanner in addition to resident virus barriers.)

******************************************************************
******************************************************************
PALLBEARER'S KONSUMER KORNER - A CRYPT EVENING AT THE MOVIES!!!
>>>>>----------------->>>>> SNEAKERS <<<<<---------------<<<<<
******************************************************************

After hearing all the hype about a "Movie about the Computer Underground," I, the mighty PALLBEARER, couldn't resist an opportunity to check it out. As a result, I went to see "SNEAKERS" in one of those $1 movie theaters (because I am too cheap to see anything when it first comes out). On the way there, was I excited! I couldn't wait - a movie about a couple of cyberpunks evading the Secret Service, rooms full of boxes of every color of the rainbow, viral programming, and the like! So I sat down with a big tub of popcorn and counted the seconds until they stopped playing the elevator music and started with an hour's worth of trailers. I fidgeted through those, my excitement growing . . . and, finally, "Sneakers" started!
Two guys, obviously the fathers of hacking as we know it today, in a computer lab hacking people's bank accounts . . . I said to myself, "OK, it'll get better, don't pop a nut." But no! Later, we see one of these hackers as he really is - a very old and leathery looking Robert Redford! No, haha, just joking. Actually, we think he is a common criminal, but then we realize that he is employed to break into corporations. Exactly how exciting is that??? Interesting if that's your line of work, but definitely not something to make a movie of.

Thankfully, there was one moment here that kept my eyes glued to the screen: the NSA appeared with dossiers on the main characters. We see that the hackers must be prominent in cyberspace, since why else would the NSA know of them and their aliases? Anyhow, the "hackers" are commissioned by the NSA to steal a universal decryptor from a famous mathematician. They do it to keep their leader from a trip to the Federal lumber yard in Talladega, GA, when the NSA threatens to turn over his rap sheet to the FBI. Extortion by the NSA as a motivational tool - what a good plan! (Obviously, the screen writer never familiarized himself with Jim Bamford's "The Puzzle Palace." Yes, I know, too many three syllable words.) The plot goes downhill from there. And I shall not bother telling you the rest.

"Sneakers" was also chock-full of technically inaccurate and/or impossible computer feats. Many of the monitors shown were nothing more than DEBUG screens or .GIFs. Almost everything was done under MS-Windows (I will get back to this later). And Dan Aykroyd was greasy and swollen beyond good sense. Overall, there were two MAJOR technical faux pas that annoyed me so much I shrieked aloud, startling the moviegoers in front of me.

The first was "enhancement of computer images" where a picture was imported into a computer (possible, especially with a "computer camera" in the best multimedia systems), zoomed in on (you know what a .GIF looks like when you zoom in 50 or 100 times - just big blocks of color), and then magically focused in on the image with a turn of a dial. Now, this may be possible with an old mainframe or supercomputer, but instantly, on a PC, under MS-Windows? Hahahahaha. (I told you I would get back to Windows.)

My other beef concerns a room in the NSA that housed what looked to be a Cray-MP. Well, the Cray's monitor was turned on, and what was it running? You got it! WINDOWS! A Cray-MP running WINDOWS. In the words of Wayne, "T'shya. Right. As if." I'm sorry, but there's a better chance of ME joining INC and calling myself PaLLBeaReR than there is of a Cray-MP running Windows.

As you may have guessed, I don't quite suggest that you run out and see this movie. Actually, the further away from it you stay, the better. I assume that it fascinates those who know nothing of computers (the producers and "technical advisers" belong in this group), but I was unimpressed. After all the hype (and I did hear a lot about it from computer illiterates), I have decided to dub SNEAKERS "The PROTO-T of the Big Screen." On a scale of 1 to 10, where 10 is a pile of gold bullion 6 feet high and 1 is a carbuncle on the back of your neck, I give "Sneakers" a -2.

Look for my next KONSUMER KORNER whenever I feel like writing it!

Pallbearer [CryPt]

>>> I now return you to your regularly scheduled newsletter.<<<

*****************************************************************
***************************************************************************
IN THE READING ROOM: BRUCE STERLING's "THE HACKER CRACKDOWN: LAW AND DISORDER ON THE ELECTRONIC FRONTIER" (BANTAM HARDCOVER, $23.00)
***************************************************************************

". . . we are in a war and we are losing - badly." -Invalid Media, from log-in message on Unphamiliar Territory BBS, in the wake of a series of Phalcon/SKISM busts at PumpCon '92

Still scraping yourself off the floor at the news of Secret Service harassment of readers of 2600 Magazine in northern Virginia? Find yourself rifling through local bulletin boards for the latest issue of Computer Underground Digest, terrified about what you might read next? Then "The Hacker Crackdown" couldn't arrive in your library at a better time.

Bruce Sterling has spun together the warp and the woof of the computer underground better than anyone to date, transforming the infinite roar of the network and the deeds of some of its more famous citizens into a tale even the terminally (heh) computer-phobic can grasp. "The Hacker Crackdown" is about action and spasm in "cyberspace," a zone where there's no master plan but plenty of cause and effect.

The book begins in 1990. The telcos are reeling from a series of embarrassing technical setbacks. And John Q. Public has gotten the idea that it's his civic duty to rip off the nearest faceless bureaucracy. The phone companies are big, easy targets. Or so "they," faceless leaders at Bell South and a variety of nationwide law enforcement offices, think. You see, corporate embarrassment creates a crying need for scapegoats, criminals to seize and punish in a cathartic ritual of purifying judicial flame. Hence, "hackers" - young, fast and scientific scofflaws with no decent respect for propriety and '50's America - will do. Only it's not so cut and dried in real life. The laws were (and are) squishy and ill-defined, the enforcers unsure and careless, the chosen victims unpredictable. Nevertheless, under the scrutiny of the Feds, "cyberpunks" went down like 10-pins in 1990, according to "The Hacker Crackdown."

It was only when Knight Lightning, the editor of PHRACK magazine, was dragged into court and wouldn't roll over, that the Feds' ball of wax began to melt. For those who don't recall, PHRACK published an internal Bell South memo - "the Document," Sterling calls it - dubbed proprietary and secret by its makers. Law enforcement officials bought this claim. In fact, the document was a manual so caked with jargon and stupefyingly dull telco-speak that it was of use only if one was interested in learning the language of Bell South as if it were a foreign country. It didn't help that Bell also sold the substance of it for $20 to any takers, effectively wrecking claims that it contained any secret or particularly damaging information. PHRACK's defense threw this into the faces of its enemies and the prosecution collapsed. Justice, in this case, prevailed.

Or did it? "Hackers" and their computers are still being hauled away on a monthly basis. And jaundiced observers might be justified in saying that on the electronic frontier, this is the way things will be from now on. However, "The Hacker Crackdown" shies away from making stupid predictions about the future of cyberspace, preferring to point the way into the ambiguous dark, describing all the archetypes found the length of the matrix. You know these characters well - the popinjay phone phreaks and fraud artists; the obsessive/compulsive software pirates, the "wacko" underground journalists, the few computer savvy Feds (some not so different than their chosen enemies) and the ocean of establishment citizens in which they all swim; a group still as uncomprehending about the computers in their lives as ambulatory bags of dirt.

Yup, refuse to part with your holiday season gift money for Bruce Sterling's "The Hacker Crackdown" at your peril. The Crypt Newsletter gives it a solid thumbs up!
------------------------------------------------------------- RELATED NEWS: AUTHORITIES CHARGE MICHIGAN LEGION OF DOOM WANNABE, "NATION OF THIEVES" LEADER WITH FRAUD ------------------------------------------------------------- Michael Shutes, a 24-year old Farmington Hills, Mich. man, who says he started the underground group known as the "Nation of Thieves" has rolled over on colleagues and pleaded guilty to a fraud charge, according to a United Press International (UPI) news story published at the end of November. The prosecution of Shutes is part an on-going investigation into the "Nation of Thieves," a group which emulated the reputation of the Legion of Doom and, according to authorities, misused credit card numbers and phone access codes nationwide. Assistant Washtenaw County Prosecutor Kirk Tabbey, who coordinates the Michigan Computer Crime Task Force, told United Press International that Shutes squealed on his peers, resulting in pending charges against two associates and the continued investigation of six other "hackers." UPI reported that local police were tipped off about the "Nation of Thieves" in February when a Utah retailer asked them to investigate nearly $4,000 in fraudulent charges for computer equipment shipped to an apartment complex in Michigan. Ten thousand dollars of computer equipment was confiscated from Shutes. ****************************************************************** SAVING THE BEST FOR LAST: THE CRYPT NEWSLETTER'S VIRUS/ANTI-VIRUS AWARDS ****************************************************************** And now [drum roll, puh-leez], our subjective choices in a number of categories of interest to the virus/anti-virus community. Award winners were picked, loosely based on amount of bribe money, profile in mainstream and underground media outlets, performance and personality. Without further ado: MOST VALUABLE PLAYER: NOWHERE MAN. 
Illinois' favorite-son virus author sprang from obscurity in 1992 with the historic Virus Creation Laboratory 1.0, a tool which puts the ability to create dangerous code into the hands of meddling schnooks everywhere. Taking the idea of mass-produced, user-customized viruses from the one-virus German Virus Construction Set, Nowhere Man fashioned a garish and glitzy menu-driven program which created a cottage industry of its own: weirdly written press releases and baleful warnings from computer security professionals, rival products from other virus-enabling groups and way too much fan mail on the nets for any sane person to handle. In a stroke, the VCL 1.0 illustrated the obsolescence of scanning technology without idiot mathematical formulae or long and windy discussions in VIRUS-L Digest. And the software was free! If anyone tells you that Nowhere Man didn't have lasting impact on the industry in 1992, they're just jealous.

MOST INTERESTING VIRUS: MICHELANGELO. Hands down winner! No other virus ever created the stink this one-sector boot-block infector generated in the first three months of 1992. And because of it, none will probably ever gain such distinction again. Add John McAfee; gullible, image-hungry journalists and a public as dense as lead ingots and that's a recipe for success, er, fame, er, infame, er . . . something.

BEST ANTI-VIRUS SOFTWARE: SKULASON'S F-PROT. Nothing comes close to its ease of use, reliability, durability and price. Single-handedly "invented" heuristic scanning. Even its detractors tend to model their software after it. Since it's free for home use, perhaps it is time to examine what the civilians are breathing and drinking in Iceland.

BEST COMPREHENSIVE RETAIL ANTI-VIRUS SOFTWARE: SOLOMON'S ANTI-VIRUS TOOLKIT. Close to F-PROT in performance, but it'll cost ya. In addition, the company tosses in integrity checking, a few hard disk utilities and other bells and whistles that fans of shrink-wrap deem necessary.
We still think it's over-priced, but what do we know?

NATIONAL DUMMKOPF: MICHAEL CALLAHAN, editor of SHAREWARE Magazine. Callahan spent two issues interviewing John McAfee in the late summer and still managed to come away thinking that viruses can damage hard disks irreparably. And just think, Callahan writes computer books for the masses for a living. Certainly, we're all doomed.

BEST PUBLICATION: For reasons outlined in this issue, Bruce Sterling's "The Hacker Crackdown: Law and Disorder on the Electronic Frontier." Honorable mention to Dark Angel for his "Phunky/Crispy/SomethingorOther Viral Writing Guides" (samizdat) and Mark Ludwig for "The Little Book of Computer Viruses" (American Eagle Publishing, Tucson, AZ).

WORST PUBLICATION: VIRUS-L Digest - the definitive forum for stream-of-consciousness, hair-splitting, turgid arguments between obscure, fossilized academics. Hey, you think not? I was reading back issues of Virus-L and in February there was some nut going on ad nauseam about viruses viably infecting text files.

BEST PEN PAL: SARA GORDON, 'nuff said.

WORST ANTI-VIRUS SOFTWARE: Far too many to choose from.

BBS's TO VISIT AND STAY AWHILE: THE HELL PIT (Sysops Kato and Hades), RIPCO ][, AIS (Sysop Kim Clancy), UNPHAMILIAR TERRITORY (Sysop Invalid Media), THE VIRUS (Sysop Aristotle), CYBERNETIC VIOLENCE (Sysops Pure Energy and Rock Steady).

MISSING IN ACTION: GARY WATSON.

*****************************************************************
BITS AND PIECES I: FRANS HAGELAARS STEPS DOWN AS FIDONET VIRUS ECHO MODERATOR, NAMES EDWIN CLETON AS REPLACEMENT. CLETON VOWS STRICT ADHERENCE TO RULES, OR IT'S THE HIGHWAY FOR ALL THOSE CRUMMY, GRAND-STANDING FIDO-FLAMERS. AS FIRST ACT, CLETON SHUSHES A USER FOR EXTRACTING A COUPLE LINES FROM THE VSUM DATABASE WITHOUT NEGOTIATING A LICENSING AGREEMENT WITH PATRICIA HOFFMAN. 'THAT'LL SHOW 'EM I MEAN BUSINESS,' HE SEZ.
*****************************************************************
BITS AND PIECES II: We grabbed this advert of interest off the wires. Now, mebbe we'll be able to bring you a product run-through for the next issue.

-*-

AVLab v1.0, the antiviral researcher's toolkit from Cairo Research Labs, is now available!

* Extensive Virus Signature Database System capable of handling multiple databases
* Ability to search across the signature database
* Generate custom virus signature datafiles from your database
* Ability to read VIRSCAN.DAT style signature files and add them to the database!
* Create detailed reports to the screen, printer, or a file
* Implement a very detailed virus scanner testbed!
* Much more!

AVLAB or AVLAB*.* from:

Under the Nile!   9600v.32     1:3613/12   120K in size
Backwoods BBS     9600USR-DS   1:3613/10

-------------------------------------------------------------------
Scott Burkett & Christopher Brown, Cairo Research Labs
-*-
------------------------------------------------------------------

BITS & PIECES III: Steve Rosenthal, a Macintosh product reviewer published by Prodigy, spent a recent weekly column shilling for Symantec's SAM. Rosenthal openly griped about the current state of affairs, which has set up a market where large retail software developers charge $60-$100 for anti-virus measures which can be had for free or almost so as shareware. His case in point was Symantec's SAM versus "Disinfectant", a freeware program developed by a Northwestern University researcher. In the article, Rosenthal added he was miffed that software developers could profit from the computer virus phenomenon, although he saw no evidence that any programmers of such things had ever written viruses. An interesting, naive oversight: In the IBM world, names like Ralph Burger and Mark Washburn - with viruses named after both - immediately come to mind.
-------------------------------------------------------------------

URNST'S SCAREWARE TOOLS: CLASSIC VIRUS DEMOS ADD LIFE TO ANY PARTY
******************************************************************

Part of this issue's software packet are DEBUG scripts which will allow you to create demonstrations of the "classic" (sort of like "classic" rock, y'know, from David Stang's good ol' days) viruses: PingPong, Den Zuko, Jerusalem and Cascade. We call them "scareware" because they've been optimized for convincing "real-life" testing or demonstration. Unlike many virus demo programs, which are either scanning viral fragments or cumbersome command-line driven tools which loudly advertise their presence on any system, Urnst's Scareware Tools are completely silent. All are invoked simply by typing the name of the program. In addition, they do not scan. Although not infectious, all the programs will install themselves into memory and continue generating specific symptoms until a warm reboot is initiated. These programs are not self-aware. That is, they will not complain and refuse to function if modified, like many performance-crippled virus-dummy simulator/generators. This has advantages and drawbacks, depending upon what use one decides to make of Urnst's Scareware Tools.

The features of Urnst's Scareware Tools are as follows:

*DENSCARE.COM - upon invocation, DenZukoScare (tm) immediately displays the popular DEN ZUK virus graphic effect and exits.

*JERSCARE.COM - upon invocation, JerusalemScare (tm) becomes resident. After a short period of time - about a minute on most systems - JerusalemScare will effect the characteristic Jerusalem virus system slowdown and scrolling black window display on the left side of the monitor.

*PPSCARE.COM - upon invocation, PingPongScare (tm) will become resident and clutter the screen with the characteristic "bouncing ball" of the PingPong boot block infector. Computing can continue while PingPongScare is in effect.
[Warning: The Surgeon General has determined that daily computing while PingPongScare (tm) is in effect can result in eye strain and, possibly, headaches.]

*CASCARE.COM - upon invocation, CascadeScare (tm) will become resident. After a brief pause, the characteristic rat-a-tat sound of the Cascade virus and its nifty falling letters effect will be seen. This will continue intermittently for as long as CascadeScare is resident. If the computer is in graphics mode, only the rat-a-tat sound effect will be noticed.

Besides demonstration, there are many other uses for Urnst's Scareware Tools. Some examples: April Fool's jokes, parlor trickery, devilment of bosses & administrators, entertainment, aahhhh, you get the idea.

An URNST tip! Tie DenZukoScare (tm) into your AUTOEXEC.BAT. Then every day, as you start computing, you'll be greeted by the cheerful DEN ZUKO display. Kooky!

******************************************************************
AMBULANCE CAR VIRUS [STRAIN B]
******************************************************************

Supplied in this issue of the letter as a DEBUG script and recompilable disassembly, AMBULANCE CAR is a simple, path-searching direct-action infector with a gaudy display. By paying close attention to the technical notes in the virus's disassembly, you should be able to run it on your system enough times to see its trademark "ambulance" effect. My tip of the hat to an early issue of 40Hex which included this interesting virus as a DEBUG script, too. (I think).

*******************************************************************
ADDITIONAL KUDOS: THANKS AND A TIP O' THE HAT TO CRYPT READER CAPTAIN AEROSMITH WHO PROVIDED THE GOBBLER II AND PCRx SOFTWARE FOR TEST-DRIVES.
*******************************************************************
MAKING USE OF THE CRYPT NEWSLETTER SOFTWARE:

To produce the software included in this issue, place the included MAKE.BAT file, the MS-DOS program DEBUG.EXE and the included *.SCR files in the current directory. (Or ensure that DEBUG is in the system path.) Type "MAKE" and DEBUG will assemble the SCRiptfiles into working copies of URNST's SCAREWARE TOOLS and AMBULANCE CAR virus. Alternatively, you can do it manually by assembling Ambulance from the supplied source listing. To do that, you'll need the TASM assembler and its associated linker.

Remember, software included in the Crypt newsletter can fold, spindle and mutilate the precious valuables on any IBM-compatible PC. In the hands of incompetents, this is very likely, in fact.

**********************************************************************

This issue of the Crypt Newsletter should contain the following files:

CRPTLT.R10   - this electronic document
JERSCARE.SCR - scriptfile for JerusalemScare (tm)
PPSCARE.SCR  - scriptfile for PingPongScare (tm)
DENSCARE.SCR - scriptfile for DenZukoScare (tm)
CASCARE.SCR  - scriptfile for CascadeScare (tm)
AMBUL.SCR    - scriptfile for AMBULANCE CAR virus
AMBUL.ASM    - TASM source listing for AMBULANCE CAR virus
MAKE.BAT     - Makefile which, when used with the MS-DOS program DEBUG.EXE, will produce working copies of Urnst's Scareware Tools and Ambulance Car virus from the included scriptfiles.

You can pick up the Crypt Newsletter at these fine BBS's, along with many other nifty, unique things.
DARK COFFIN                          1-215-966-3576   Comment: Crypt Corporate
THE HELL PIT                         1-708-459-7267
DRAGON'S DEN                         1-215-882-1415
FATHER & SON                         1-215-439-1509
RIPCO ][                             1-312-528-5020
AIS                                  1-304-420-6083
CYBERNETIC VIOLENCE                  1-514-425-4540
THE VIRUS                            1-804-599-4152
NUCLEAR WINTER                       1-215-882-9122
UNPHAMILIAR TERRITORY                1-602-PRI-VATE
THE OTHER SIDE                       1-512-618-0154
MICRO INFORMATION SYSTEMS SERVICES   1-805-251-0564

If you have contributions, mail or just wish to be listed as above, contact Urnst Kouch at Dark Coffin BBS, the FidoNet Virus echo or VxNet matrix. And we'll see YOU around New Year or thereabouts!

-*-
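A note on the build step described under MAKING USE OF THE CRYPT NEWSLETTER SOFTWARE. MAKE.BAT feeds each .SCR file to DEBUG, which simply executes whatever commands the script contains, so anyone reviewing a packet like this one would rather know what a script will write to disk before DEBUG touches it. The Python below is an added example, not part of the newsletter's packet or its MAKE.BAT: it replays the handful of DEBUG commands that script files conventionally use (N to name the output, E to enter bytes, RCX to set the write length, W to write, Q to quit) and returns the bytes DEBUG would have written, so they can be hashed or scanned without ever running them. The embedded sample script is constructed for the example (a four-byte COM program that only terminates) and is not one of the issue's .SCR files. Any command the replay does not model, in particular G, which would execute the entered bytes inside DEBUG, is rejected rather than guessed at.

```python
"""Statically replay a DEBUG script and recover the file it would write."""
import hashlib

# Constructed sample for this example, not a script from the newsletter.
# It builds HELLO.COM: mov ah,4Ch / int 21h (terminate program), 4 bytes.
SAMPLE_SCRIPT = """\
N HELLO.COM
E 0100 B4 4C CD 21
RCX
0004
W
Q
"""

# DEBUG loads a .COM image at CS:0100 and W writes CX bytes from there.
LOAD_OFFSET = 0x100


def parse_debug_script(text):
    """Return (filename, data) that DEBUG would write for this script.

    Modelled commands: N name, E addr b1 b2 ..., Rxx followed by a hex
    value on the next line, W and Q. Anything else (G, A, string
    literals in E, ...) raises ValueError so nothing is silently run
    or mis-modelled.
    """
    name = None
    memory = {}          # offset -> byte value entered with E
    length = None        # value written into CX
    pending_reg = None   # register awaiting its value line
    wrote = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_reg is not None:
            # the line after "RCX" (or "RBX") is the new register value
            if pending_reg == "CX":
                length = int(line, 16)
            pending_reg = None
            continue
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "N":
            name = rest.strip()
        elif cmd == "E":
            addr_text, _, data = rest.strip().partition(" ")
            addr = int(addr_text, 16)
            for i, tok in enumerate(data.split()):
                if tok.startswith(("'", '"')):
                    raise ValueError(f"string literal in E not modelled: {line}")
                memory[addr + i] = int(tok, 16)
        elif len(cmd) == 3 and cmd.startswith("R"):
            pending_reg = cmd[1:]
        elif cmd == "W":
            wrote = True
        elif cmd == "Q":
            break
        else:
            raise ValueError(f"unsupported DEBUG command: {line}")
    if name is None or length is None or not wrote:
        raise ValueError("script must name a file, set CX and write")
    # Bytes never entered would be whatever DEBUG had in memory; model as 0.
    data = bytes(memory.get(LOAD_OFFSET + i, 0) for i in range(length))
    return name, data


def summarize(text):
    """Name, size and SHA-256 of the file a script would produce."""
    name, data = parse_debug_script(text)
    return {"name": name, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    print(summarize(SAMPLE_SCRIPT))
```

Run it against each .SCR in a packet and you get a name, size and hash to compare with a scanner's verdict before MAKE is ever typed; a script that trips the ValueError is one to read by hand.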