CRYPT NEWSLETTER 35
January-February 1996

Editor: Urnst Kouch (George Smith, Ph.D.)
Media Critic: Mr. Badger (Andy Lopez)
INTERNET: 70743.1711@compuserve.com
          Urnst.Kouch@comsec.org
          crypt@sun.soci.niu.edu
COMPUSERVE: 70743,1711

Contents: Crypt Newsletter #35

THIS ISSUE

MEDIA
  Bill Gates as Citizen Kane

BOOKS
  "Virus Detection and Elimination" by Rune Skardhamar
  Shimomura's "Takedown" v. Littman's "The Fugitive Game"
  "Data Security" by Janet Endrijonas

NEWS
  Comments from Norton Anti-virus employee _re_ Central Point Anti-virus
  FIDO/Internet mail gateway closed by hacker stunts
  I put a spell on you: Cursing a hard disk under Microsoft DOS
  Grab bag: Boza - an alcoholic beverage or just another press release computer virus; Ludwig virus CD-ROM sales top 1400, second edition planned; Virus-writer Chris Pile gets 18 months hard time

SOFTWARE
  ARF anti-virus wins the Crypt News unique name trophy

MISCELLANY
  Letters page
  Crypt Newsletter Hypertext
  Crypt Masthead Info
  Credits/Acknowledgment


BILL GATES: A NINETIES CITIZEN KANE IN SEARCH OF HIS ORSON WELLES AND HERMAN MANKIEWICZ

While reading William "Randolph" Gates' "The Road Ahead," Crypt was struck by the Microsoft chairman's crying need, a seeming unconscious urge, to be seen as this age's Charles Foster Kane. On and on Bill went about his Xanadu, the mega-gajillion Gates electro-fortress being built as a small republic outside Seattle. Like William Randolph Hearst, whom Orson Welles and Hollywood screen-writer Herman Mankiewicz pilloried as Charles Foster Kane, Gates appears obsessed about the collection of art treasures hoarded within his home. Visitors to Gatesadu, like party-goers at Hearst's Rhode Island-sized estate in San Simeon, will be able to call up portraits of "presidents, pictures of sunsets," planes, rare stamps, the Beatles, and reproductions of paintings from the Renaissance.
Like Hearst, who essentially looted everything he saw that he liked around the world and had it crated and shipped to San Simeon, Charles Foster Gates has done the same for the digital era. Unlike Hearst, Gates hasn't run into an equivalent of the Great Depression and Franklin D. Roosevelt. However, there is something that every cyber-citizen can encourage. Bill Gates needs a movie like "Citizen Kane" to balance his life. You should support this idea.

Hearst was damn near the richest man in the world when Orson Welles - then in his twenties - collaborated with Herman Mankiewicz on "Citizen Kane." Mankiewicz was a colorful drunk and writer who'd been to many, many Hearst parties at San Simeon. As an insider, he knew enough to make his screenplay hurt. According to the story, Welles and Mankiewicz ran the script for "Kane" by studio lawyers and then laughed and joked about how they would stick it to Hearst while working the phrase "Rosebud" into the movie as Charles Foster Kane's dying word. In reality, "Rosebud" was supposed to be a cruel jibe: a Mankiewicz play on the alleged secret name Hearst used when referring to his mistress Marion Davies' private parts.

Weird and humorless, Gates is a natural for "Citizen Kaning." In "The Road Ahead" he takes a paragraph to describe what he thinks the average person carries every day: a tangle of credit cards, keys, cameras, a tape recorder, a cell phone, a pager, a few more electronic gadgets, notepads and last - a whistle to aid in summoning help. In the bleak world of "The Road Ahead" Gates gives the reader the impression that he looks forward to a life where everyone's waking moments are recorded by video cameras, electronic sensors, and PCs. It might be "a little chilling" but the benefits outweigh the negatives. If you think this is awful, what did you expect when the only offerings written about Gates that make it to mass market are controlled autobiography and hagiography by flacks from the computer industry?
Gates has already acquired his version of "Kane's" Jedediah Leland, the ex-Ivy Leaguer liberal puppet and drama critic Charles Foster Kane hired to write for his newspapers. It's Michael Kinsley. Is there a Marion Davies in the life of Bill Gates? Who cares? Write a script about it, anyway. Make someone up for the role. Ann Winblad, a one-time Gates paramour, as a screechy, crossword puzzle-playing no-talent locked away in the brightly lit labyrinth of Gatesadu, is one possibility. Welles admitted portraying Hearst's real mistress, Marion Davies, as a shrill alcoholic opera-singer was a dirty trick, nowhere close to the truth -- designed merely to antagonize an old rich man.

The circle will close when our Orson Welles nears release of "Citizen Gates." Enraged by the calumny in it, William Foster Kane vows from Redmond that it will never see the light of day. He's on the phone to future president Al Gore, urging the leader to jawbone the FBI into opening an investigation into un-American activities inspired by the director of "Citizen Gates." NBC and Microsoft-NBC start running news clips attacking the producer as a pervert and philanderer. Gates threatens to not allow any advertising for the movie or future movies produced by Hollywood on the Microsoft Network if the industry doesn't bury "Gates." Michael Kinsley writes a review after seeing a pre-screening and, in a paroxysm of self-loathing and guilt over his end as an instrument of the ultimate computer nerd, declares it brilliant. He then passes out hunched over his word processor. Charles Foster Gates fires Kinsley the next day with a severance check for $250,000.

Then, just as it looks like "Citizen Gates" is about to go into massive distribution worldwide, the software magnate really starts putting on the pressure. Gates instructs his army of lawyers to begin a $2-billion dollar SLAPP civil suit against the studio and producer of the movie. The campaign is a partial success.
Release of "Gates" is restricted to art houses. It receives rave reviews but dies on the vine. The producer moves to Europe to escape Gates' bully-boys. The only work the famous director can get as he nears the end of his life five decades later is as a pitchman for lousy wine.

Finally, at age 93, William Gates dies. A recluse in his monster techno-home for years, Gates fell off the national podium when the glistening world he predicted in "The Road Ahead" became the cruel cement of reality. Unfortunately, the Middle Class buying power that financed Gates' empire in the '80s and '90s was also put out of work, obsolete, in his version of the future. Unemployed or underemployed, it could no longer afford the computing machinery needed to run and enjoy the software of Charles Foster Gates and with that, the Microsoft magnate's world collapsed quietly and without ceremony.

A butler and a nurse reported the last word of Charles Foster Gates, in bed, as a gray plastic mouse slipped from his cold grip to break silently on the floor.

"Windows."


PERILS OF WISDOM: DANISH VIRUS WRITER'S BOOK ON VIRUS DETECTION SURE TO BE COLLECTOR'S ITEM

Faithful readers of Crypt Newsletter know that when they see the tired hacker bromide "Information wants to be free!" it's time to grasp the wallet firmly because a ripoff is in the making. Danish programmer Rune Skardhamar's computer virus book for Academic Press ($35 cash money) drop-kicks the reader with cliches like "Information [on computer viruses] needs to be free" in the introduction and goes steadily downhill with a collection of humorous errors, non-working computer virus samples pulled from virus exchange BBSes and rudimentary anti-virus programs which, if assembled, either corrupt computer files or pronounce virus-infected programs clean.
Skardhamar cites Fred Cohen in his reference list but amusingly goofs up the name of the Lehigh virus and the university - he calls them "Leigh" - where Cohen spent time prior to the outbreak of the former. This is an interesting error because the Lehigh virus also led to the formation of the Usenet's comp.virus newsgroup, another citation in Skardhamar's bibliography. The last time Crypt checked, both Fred Cohen and Virus-L/comp.virus seemed to know how to spell Lehigh.

Anyway, another source for the book is phalcon/SKISM's 40Hex magazine which Skardhamar calls possessed of a "propagandist" view of computer viruses. Paradoxically, one of the viruses included in the book is a direct action .COM-infector produced by the earliest version of the phalcon/SKISM MPC virus-maker software which, as published, does not work. Skardhamar's PS-MPC virus sample contains a small error in one of its DOS function calls that ensures its code cannot be written to host files and while it's an easy correction for most people familiar with computer viruses, it's probably beyond the ability of the audience of beginners at which the book is aimed.

Purely by serendipity, this is to Skardhamar's advantage. Here's why: "Virus Detection and Elimination" also comes with a companion diskette containing some TASM-compatible assembly language programs written by the author for the purpose of detecting and disinfecting the viruses included in the book. The "disinfector" for the PS-MPC virus is quite novel in approach: It cleans the virus by truncating infected programs by the virus's length and then overwriting the remainder of the program with garbage from memory, totally corrupting the file. This appears to be another laughable gaffe which most readers won't run across simply because the virus the book's "cleaner" is paired with isn't contagious.

Another interesting example of Skardhamar's approach to virus detection is the scanning program designed for a companion virus included in the book.
The virus, written by "Wonko the Sane" and dubbed "The slightly orange avenger," works if you detect the typo in the code and add a space. (Even for those who don't recognize it, the error is so small that running the instructions for the virus through any assembler will flag it and prevent compilation until a correction is made.) However, the scanner for "Wonko the Sane's" companion virus doesn't work, instead inspecting infected files, the binary images of the virus, and gaily announcing to the user "OK"!

Other virus programs included in the book are a variant of the Trivial family of overwriting viruses, a DOS .EXE-program infector and a Stoned derivative with a program launcher for infecting diskettes with it. Although not all of the programs on Skardhamar's diskette were tested, the reader might approach the code (particularly the detection and disinfection routines) slowly, given the performance of other examples offered upon it. Indeed, disclaimers peppered liberally across the diskette balefully proclaim: "No responsibility whatsoever will be taken for any damage incidential [sic] or otherwise resulting from the use or misuse of this program. Neither will responsibility be taken for omissions or errors in the code, comments etc. You are now resonsibly [sic] for your own actions." This type of indirect warning that the reader is about to suffer a computer hotfoot is paraphrased straight from the computer virus underground.

The point to be made here - and one I suspect was a bit beyond the technical editors at Academic Press when they went over the manuscript - is that "Virus Detection and Elimination" is in many ways simply the product of trolling virus exchange BBSes and refitting the subject matter recovered in a more expensive-looking suit.
It's fair to say that lay readers will find portions of "Virus Detection and Elimination" extremely fascinating but it would have been easier on consumers to give it a title like "What I Found After a Few Months of Visiting Virus Exchanges on BBSes and the Internet" since there is nothing in the book's enclosed programming that is of much practical use in "detection and elimination." Of course, a good editor could shorten the new title to something a bit more zippy and saleable.

Additionally, "Virus Detection and Elimination" covers techniques, also apparently lifted from 40Hex and other files from the computer underground, on making viruses refractory to trivial attempts at analysis. In its computer virus history portion, retold again is the legend of Bulgaria as computer virus factory for the world. The story has been repeated and exaggerated so often for magazines and newspapers it's now an inescapable tenet of computer virus lore. An enterprising individual in search of a few quick bucks would be smart to consider printing up some black T-shirts, perhaps emblazoned with "I survived the Bulgarian computer virus factory!" and setting up a kiosk at hacker conventions in 1996.

Dave Hannon, an editorial staffer at Academic Press, commented to Crypt that English was Skardhamar's second language. For readers of "Virus Detection and Elimination," it's, uh, noticeable. As for the faults in the anti-virus programs and viruses included with the book, Hannon also conceded appraising the material and code included in the book was beyond the technical ability of its American publisher and it fell to the author to look over his own material for mistakes of this nature prior to publication.

"Please do not use the information carried in this book to wreck havoc," Skardhamar writes near the end of his book. He means "wreak havoc." Further, he writes, "Any stupid fool can make a virus; the genius is the one who will put the coding techniques to some creative use."
In view of the "code" included with "Virus Detection and Elimination," this statement - as Skardhamar's parting shot - is a bone-crusher. His bones, though, not yours, making the book a solid collector's item amid the increasing "lore" devoted to the world of computer viruses.


SEX, LIES & COMPUTER TAPE: ON THE TRAIL OF KEVIN MITNICK IN TSUTOMU SHIMOMURA'S PAEAN TO HIMSELF AND JON LITTMAN'S "THE FUGITIVE GAME"

At least two volumes will catch your eye this month as US publishers gear up for the Kevin Mitnick-money chase: Tsutomu Shimomura's "Takedown," an auto-hagiography of the author that only incidentally deals with the dark-side hacker, and writer Jonathan Littman's "The Fugitive Game" which holds up much better than "Takedown" in terms of human interest, computer shenanigans and controversy.

"Takedown" (Hyperion) is an unpleasant, tedious read revolving around the reality that while Shimomura may have been able to track Kevin Mitnick, he can barely write an interesting story even with New York Times reporter John Markoff to prop him up. "Takedown's" turgid quality is magnified by Shimomura's intent to sing a paean to himself and his computer feats. He's so hell-bent on it, in fact, he comes off unselfconsciously repellent.

In "Takedown," everyone but Shimomura and his cohort, John Markoff, are criminal worms, in the way, or country bumpkins and dolts. The reader will feel particularly sorry for the FBI's Levord Burns. As written up in "Takedown," Burns is a fossilized piece of wood, intermittently described as either always home in bed fast asleep when the game's afoot, baffled to the point of silence by the technical nature of the pursuit of Mitnick, or falling into a doze on the telephone while being badgered to perform some minor duty connected with the chase. The Computer Emergency Response Team is a vague, inefficient, slow-moving bureaucracy.
The NSA is another big, dumb government institution to Shimomura, even though he's trying to squeeze funding from it at the beginning of the tale. Andrew Gross, Shimomura's Renfield, is always screwing things up, tampering with files, messing up evidence or being a stumblebum for our cyber-Poirot. Julia Menapace, the girlfriend, is a co-dependent who can't decide to throw over her ex-paramour - John Gilmore of Sun Microsystems - fast enough for our hacker tracker, even while Shimomura's being a cad with her in Gilmore's home.

At least fifty percent of the book is devoted to Shimomura explaining his life of privilege in the same detail he uses to describe the names of his computers. Eventually, the battle is joined and our cyber-sleuth and his entourage light out on the trail of Mitnick, blamed for invading Shimomura's computer over Christmas. It would be exaggerating to say this is interesting. The details of the Mitnick-hysteria and Shimomura chase have been repeated so often in the media already none of the story is fresh except for parts near the end where Shimomura grudgingly admits that it might not have been Mitnick who was into his computers in the first place, but an unknown collaborator who finally panicked and begged him off the chase in a message on his answering service after Mitnick was in custody.

Yes, but Mitnick and his collaborator called Shimomura names and made dirty jokes about our hero on an Internet talk channel, dammit!! That made it personal! Nyahh, nyahh, nyahh! And Mitnick was reading other people's mail on the Well and into Netcom!

Of course, Kevin Mitnick is no hero but Shimomura's a thin, thin choice for a celebrity cybersavior. Ultimately, "Takedown" is completely lacking in the kind of humanity, self-effacing wit and style of Cliff Stoll's "The Cuckoo's Egg," a prior classic on hacker takedown, mostly because its author can't help being a boor.

However, there is a choice on bookshelves.
Jonathan Littman's "The Fugitive Game" (Little, Brown) is better. For reasons probably having to do with the general knowledge that Littman was writing a book about hackers, Mitnick started calling the reporter regularly during the same period of time Shimomura was on his case. And unless Littman's making everything up, the result makes Shimomura and John Markoff look like turds. Littman's book bolsters the idea that it wasn't Mitnick who was into Shimomura's system and that what the San Diego scientist did wasn't particularly special -- a Seattle man, Todd Young, had tracked and spotted the hacker in that city long before Shimomura came along but allowed him to escape through a combination of ignorance, bad luck and disinterest in the gravity of Mitnick's alleged criminal doings.

In "The Fugitive Game," Littman accuses Markoff and Shimomura of a cozy relationship stemming from an old article in WIRED magazine on cellular phone crime. Markoff's original article anonymized the identities of the cell phone hackers because they were playing around with illegality. Littman insists they were Shimomura and Mark Lottor, an acquaintance of the author and hacker Kevin Poulsen. The story goes that Shimomura reverse-engineered code designed to program an Oki cellular phone for the purpose of reprogramming it into a transmission snooper, or something like that. When Shimomura's computer was broken into, the material was copied off it. Littman draws the conclusion in "The Fugitive Game" that Shimomura, in addition to being fired up over the invasion of his system, was also embarrassed by the loss of this software, software he engineered, the author implies, under quasi-legal circumstances. Indirectly, "Takedown" supports this argument. Shimomura obsesses over the loss of a file which a reader of both books might guess contained the Oki software.

Throughout "The Fugitive Game," for the first time in a book, Mitnick is portrayed as a real human being, not a caricature.
He has a sense of humor, regrets, weaknesses, and a pack of serious neuroses stemming from his jail-time and uncontrollable cyber-fame. But the author isn't easy on him: Mitnick also comes off as a hardened con-man who relishes snooping other people's privates, cruel treachery, and duping the unwitting into compromising themselves or their places of employment.

At one point Mitnick indicates something very interesting about users of Pretty Good Privacy. Some users of it on the 'Net, particularly those running services hooked directly to it, keep their PGP software on the public host. Mitnick laughs at the lapse - he implies it's been a simple matter for him to put a backdoor into the PGP source which delivers the keys and passphrase of the user to another spot on the host he's invaded, compile it and replace the original host copies. From here, it's simple, he maintains, to read their encrypted mail -- this in a conversation about Mark Lottor in which the hacker says he's read Lottor's electronic correspondence.

If there's a need for a bona fide, hiss-able villain in "The Fugitive Game," Littman produces one: Justin Petersen. Petersen, aka Agent Steal, is a side-plot in the book: a pathological liar, car thief, and con-man who portrays himself as a combination cyberpunk/heavy metal rock 'n' roller. Littman paints Petersen, fond of artificially busty stripper/hookers from the sleazy end of Sunset in Hollywood, as the maximum disinformer and criminal -- a squealer for the FBI who embarrassed the agency by embezzling Social Security funds and then going on the lam when lawmen tried to reel him in. "The Fugitive Game" has him bargaining with the FBI for tidbits on Mitnick's whereabouts.

Littman wraps up "The Fugitive Game" with broadsides at Shimomura and Markoff.
With Markoff playing Mitnick as the enemy of all computerized civilization on the front page of the New York Times, the stage was set to ensure maximum hysteria and the subsequent introduction of the reporter's friend, Tsutomu Shimomura, into a carefully arranged media spotlight. Behind the scenes, Markoff's agent was negotiating a big money deal - approximately $2 million, says Littman - for the reporter and Shimomura, three days _before_ Markoff put the physicist on the front page of the New York Times. Ironically, the increasing cynicism which is the natural crop sown and cultivated by this type of media rigging for the benefit of men of privilege is a tale of treachery and contempt, too, but one that goes well beyond hacker Kevin Mitnick.

Additional notes: (From July - August - October 1995)

Both the government and Kevin Mitnick's attorneys appeared to be working privately to settle the case against him without a trial in late 1995. In August, Mitnick appeared in court dressed in a conservative suit and tie for arraignment on a 1989 probation violation. Mitnick was on probation for an earlier hacking case when he fled California in November, 1992. Although no one was talking, it was believed Mitnick's representation and authorities "were trying to reach an agreement under which Mitnick would plead guilty to a number of charges in order to avoid going to trial in all the jurisdictions across the country where he may [or may not] have committed electronic crimes during his flight."

"We're looking for him to take responsibility for the entirety of his conduct," said Assistant U.S. Atty. David Schindler. At the time, Schindler would not say what type of sentence he was driving for.

In various articles printed throughout the news media, Mitnick was reported able to plea-bargain his infamous early-1995 cross-country hacking and media jaunt into a sentence that commits him to about eight months in prison, according to John Yzurdiaga, his attorney.
Mitnick, for part of the plea, will concede guilt in possession of stolen cellular phone numbers, one of twenty-three federal charges - all concerning cellular phone fraud - against him.


JANET ENDRIJONAS' "DATA SECURITY," A CLEARLY WRITTEN INTRODUCTORY BOOK ON COMPUTER SECURITY CONCERNS

"Data Security" (Prima, $34.95), although slightly overpriced, is a clearly written introduction to computer security for laymen. While not going over the book point-by-point, one of the more interesting sections is devoted to computer viruses and what Rob Rosenberger, a contributor to the section, dubs "false authority" syndrome. The condition, as Rosenberger describes it, has contributed to the body of disinformation bandied about in public on the subject of computer viruses. It addresses the same topic Crypt Newsletter has touched upon for the past two years: the unreliability of sources in the mainstream general news media and computer industry and the lack of proper skepticism leveled at them.

It's a ring-around-the-rosy phenomenon in which "experts" cited in one news piece become the same experts used by other reporters and editors jumping on a story as it bumps over the wires. The result: the same names appear again and again in multiple places with no question of their credentials as "experts," simply because they appeared in a primary newspiece. The logical drawback of this is that if the "expert" is someone who has no idea what he's talking about but happened to be in the right place at the right time when a reporter needed a source, the phlogiston he's peddling becomes magnified over and over until it becomes the accepted version, even if it's incompetent or utterly self-serving. Information and history on computer viruses have always been plagued by the phenomenon, the best example being the hysteria surrounding the Michelangelo virus non-crisis of 1992.

Pointedly, Rosenberger writes while skewering editor Jeff Duntemann of PC Techniques magazine: "Jeff Duntemann . . .
editor of PC Techniques, has seen this trend and likens it to what he calls the 'Green Paint Factor.' If you want to extol the virtues of a can of green paint, and the best you can say is that it's _green_, well -- it's probably not good paint."

Rosenberger interjects: "If you want to quote somebody about computer viruses, and the best you can say is that he edits a computer magazine . . . "

Ouch.

"Data Security" is a good, non-patronizing read for the average PC jockey and is especially user-friendly to those just stepping off into cyberspace.


SYMANTEC SUPPORT OF CENTRAL POINT ANTI-VIRUS: OBLIGATED BUT RELUCTANT

Crypt Newsletter often sees on-line users inquiring about support for Central Point Anti-virus. Although the company was gobbled up by Symantec some time ago, the Norton Anti-virus effort continues to pass on updates to the program, some of which produce hangs and errors in the software, often further cruelly confounding the helpless. The newsletter has also noticed Symantec employees have little enthusiasm for supporting Central Point Anti-virus. The issue is of some interest due to Central Point Software's nettlesomely large consumer base. If Symantec is not enthusiastic about supporting Central Point licensed software, even to the point of rubbishing it in public comment, why support Central Point Anti-virus and its offshoots at all?

Crypt posed this question to Michael Messuri, a Norton Anti-virus research specialist, in the National Computer Security Association's InfoSec forum on Compuserve. His comment:

"Symantec is obligated to provide support for [Central Point Anti-virus]. (I am not aware of the wording of these obligations). However, it is my opinion that users should be aware of the limitations of [Central Point Anti-virus] so that they may make the best choice possible for their antivirus protection policy.
While I will provide the best support possible for [Central Point Anti-virus], I will also inform the user of the problems of using [Central Point Anti-virus]."

Further, Crypt asked, why not just send flyers to the Central Point Anti-virus user base saying: "The product's not supported, we liquidated the licensing company, we think it stinks from a technical standpoint and we're dropping it from our on-line libraries. As a substitute, buy Norton Anti-virus."

Messuri replied, "On a personal level, I would love to make these kind of decisions but, sadly, I am only a common worker in the bigger picture of things and thus am not aware of the many decisions behind these types of actions."

Crypt appreciates Michael Messuri's candor and hopes the recirculation of it doesn't result in an unwanted seminar at Symantec corporate.


SONGS OF THE CYBER-DOOMED, II: THE TERMINATOR TERMINATES THE FIDONET'S INTERNET E-MAIL GATEWAY

Earlier this year, Burt Juda, an administrator for the FIDOnet's Internet mail gateway, announced the network would lose the gateway as a consequence of a denial-of-service attack on his system carried out by a couple of the network's ex-sysops, one of whom - The Terminator - is familiar to Crypt Newsletter followers of the FIDOnet "cyber-doomed" news stories (Crypt 27 - 28).

Juda commented recently in a post widely distributed by various on-line networks:

"Effective March 1, 1996, the Internet Gateway at 1:1/31 will be shutting down. At that point, there will be NO MORE 'default' gateway for electronic mail inbound from the Internet for [the US].

"The reasons for this termination of service are numerous . . .

"Most recently, an excommunicated SysOp has gone on a rampage of forging subscription messages to subscribe numerous FidoNet addresses to . . . unwanted Internet mailing-lists in a deliberate attempt to 'break' [FidoNet] routing . . . and the gateway structure."
Further, Juda writes, "I can no longer deal with the voluminous netmail being received from [people] querying what has happened to their inbound [electronic mail] coming [through the affected gateway]." Juda added he no longer had the time to support the service when cyber-denizens "continue[d] to break the rules of its use and bypass . . . controls."

The Fidonet Internet-netmail junction, which provides service to the community of amateur, pro and semi-pro BBS sysops and callers who use the FIDOnet nationwide, was brought to the point of collapse as a result of mass electronic mail forgery by The Terminator and another collaborator. In late 1995, The Terminator and a partner spent an evening ramming the Fidonet-Internet gateway in Piscataway, New Jersey, with posts forged to look like they originated from as many FIDO-sysop network e-mail accounts as could be gathered. This is quite a few -- thousands -- as it turns out. Many, many of these posts were simply subscription requests to Internet mailing lists. Subsequently, the Fidonet/Internet junction was overwhelmed with the volume of nuisance mail and hung.

The Terminator had been involved in disruption of the FIDO Virus Information echo and others throughout 1994 and 1995 with re-directed spam-mail. The mail-bombs, rammed through unsecured FIDOnet mail links from Europe, Israel and the United States, consisted of virus source code interspersed with a great deal of hardcore textual filth dealing with transvestism and scatological material fabricated for the occasion and/or cross-posted from an adult-oriented network. One example of such mail:

"Are there any persons out there that get off by watching a woman pee? There is just something about seeing and hearing a woman pee. Not sure if I am into getting peed upon, but I am always open to new adventures."
Because of the level of trust in the inherently wide-open, difficult to secure FIDO technology network, FIDO administrators and sysops were never able to completely plug the system breaches exploited by The Terminator, leading more recently to the collapse of its Internet gateway when expanded attacks overpowered the message handling capacity of the junction and the patience of its administrator. At the time of the original nuisance mail rammings in the FIDO Virus Information message base, some BBS operators monitored their systems more closely for obviously fake mail; others attempted to secure their automated mailer software with mixed success. Still others took the expedient cure. They simply dropped service on the special interest groups affected, the same answer given to the problem by the FIDO/Internet electronic mail gateway administrator.

Shortly after the initial failure of the FIDO/Internet mail gateway, The Terminator contacted Crypt Newsletter from Moberly, Missouri, to point out the interruption in service brought about by the attack. "The FIDO/Internet gateway is crashed," he said.

The start of attacks on FIDOnet computer virus information message feeds in 1993 was attributed to Paskell "Geno" Paris of Oklahoma City, a FIDO sysop and self-styled "technopath" who waged a guerrilla war for control of a small section of cyberspace moderated by Ed Cleton, a European host of virus information topics on the FIDOnet. Paris was later indicted and convicted on fraud charges, crimes unrelated to his activity on the FIDOnet. As a consequence, Paris served time in state and federal prison. The Terminator carried on Paris' mail war with Virus Information moderators Jeff Cook, a representative of Thunderbyte Anti-virus, and his successor, Allen Taylor. During the period and as a result of repeated mail bombing runs, The Terminator was banned from the message base.
Nuisance mail-rammings of virus source code and forged messages, however, continued to plague the FIDOnet echo.

I PUT A SPELL ON YOU: THE CURSED HARD DISK PHENOMENON UNDER MS-DOS

Crypt Newsletter recently ran into an old, obscure fault in Microsoft's DOS operating system. Referred to as the "cursed hard disk" by researchers in IBM's anti-virus software development group, it's a real eye-opener. When the cursed disk fault is created on a machine running versions of MS-DOS from 4.00 onward, the system runs aground in an unproductive loop inside the system file IO.SYS. The real crusher occurs when the nonchalant user tries to start the machine from his fall-back position, the trusty A: drive. In goes the boot diskette. The machine is restarted smartly and it . . . hangs. Oops! Must not have seated the diskette correctly. Restart . . . and the machine . . . hangs. Curses, still some lint on the platter! Reboot again and the machine . . . hangs. Your neck suddenly breaks out in a cold sweat.

From the standpoint of current PC users, the problem is remarkably ancient - dating to 1992 when Mike Lambert, a computer security professional, stumbled across it and wrote extensively on it in an interesting paper entitled "When the magic floppy won't boot."

"The hard disk access light remains on," during the fault, Lambert writes. However, because the machine can't be started even when using the diskette drive, "A technician is likely to diagnose a [hard disk] problem because of . . . the disk's access light being on. The technician will probably use component replacement techniques to verify [his] suspicion. When the PC boots properly from a new [hard disk] . . . this will tend to confirm the diagnosis that the [disk] has failed.

"The result is a perfectly good disk classified as failed . . . The user is forced to recover from any backups available."
The error isn't hardware-based although it often stuns those who run across it into thinking so the first time they experience it. Instead, it lies within the operating system's handling of data written in the partition table. Lambert and his colleague, Charles Moore, dubbed this the "circular extended partition" fault which is - technically - a good description for it, since the problem involves a futile, circular processing within the operating system. For those who encounter the problem, Lambert's paper indicates it's difficult, without understanding what is transpiring, to get in front of the fault before it runs the PC aground. The error lies in the system program IO.SYS, where it evaluates the partition table data for the purpose of mounting file system volumes attached to the PC. If the error is present, IO.SYS loops fruitlessly on the partition table, which is altered in "cursed disk" syndrome to point to itself as the beginning of the booting volume, and the machine cannot be started. One logical place to intervene is with code loaded from the boot sector on the booting diskette. A fix circulated with Lambert's paper did just that: It provided the user with a custom-made diskette with code written into the diskette boot sector to read the partition table data for evidence of the "cursed disk" corruption, which is found in the MS-DOS description for what are known as "extended partitions." If found, it writes a temporary fix - simply altering the byte which tells DOS to support "extended partitions" within the partition table data, so the machine can be started normally. The error can then be cleaned up completely and the system restored to proper working order with standard partition table editing software. Once one understands the nature of the fault, this cure almost sounds easy to do. And, in fact, it is. 
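As an added illustration (not code from this newsletter or from Lambert and Moore's paper), the following Python walks a DOS partition table the way the text describes IO.SYS doing, flags an extended-partition link that loops back on an already-visited extended boot record, and shows the idea behind the temporary fix by clearing the looping link's type byte so the chain ends. The in-memory disk images, their sector numbers and the neutralize_link routine are constructed assumptions for illustration only.

```python
# Added example: detect a "circular extended partition" (cursed disk) in a
# DOS-style partition table.  Not code from Crypt Newsletter or from the
# Lambert & Moore paper; disk images and sector numbers are constructed.
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}   # DOS / Windows extended-partition type IDs
# boot flag, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, count
ENTRY_FMT = "<B3xB3xII"


def parse_entries(sector: bytes) -> list:
    """Return the four 16-byte partition entries of a boot sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid boot sector (bad length or 55AA signature)")
    entries = []
    for i in range(4):
        _boot, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        entries.append({"type": ptype, "lba": lba, "count": count})
    return entries


def walk_extended(read_sector, max_links: int = 64):
    """Follow the extended-partition chain starting from the MBR (sector 0).

    Returns (logical_volume_starts, cursed_ebr): cursed_ebr is the absolute
    sector of the EBR whose link entry closes a cycle (or runs past
    max_links), or None when the chain terminates normally.
    DOS convention: the MBR's extended entry holds an absolute LBA; inside an
    EBR, entry 0 is relative to that EBR and entry 1 (the link to the next
    EBR) is relative to the start of the extended container.
    """
    mbr = parse_entries(read_sector(0))
    ext = [e for e in mbr if e["type"] in EXTENDED_TYPES]
    if not ext:
        return [], None
    container = ext[0]["lba"]
    visited = set()
    ebr = container
    volumes = []
    while True:
        visited.add(ebr)
        logical, link = parse_entries(read_sector(ebr))[:2]
        if logical["type"] != 0:
            volumes.append(ebr + logical["lba"])
        if link["type"] not in EXTENDED_TYPES:
            return volumes, None            # clean end of chain
        nxt = container + link["lba"]
        if nxt in visited or len(visited) > max_links:
            return volumes, ebr             # this EBR's link loops back
        ebr = nxt


def neutralize_link(ebr_sector: bytes) -> bytes:
    """Return a copy of an EBR with its link entry (entry 1) type cleared.

    Hypothetical stand-in for the "temporary fix" described in the text:
    once DOS no longer sees an extended-partition link here, the loop is
    broken and the machine can boot so the table can be repaired properly
    with a partition editor.
    """
    fixed = bytearray(ebr_sector)
    fixed[446 + 16 + 4] = 0x00              # type byte of entry 1
    return bytes(fixed)


def make_sector(entries) -> bytes:
    """Build a boot sector from (type, lba, count) tuples (constructed data)."""
    sec = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sec, 446 + 16 * i, 0, ptype, lba, count)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def build_image(cursed: bool) -> dict:
    """Constructed disk with two logical volumes; when cursed, the first
    EBR's link points at offset 0 of the container, i.e. at itself."""
    img = {0: make_sector([(0x06, 63, 1985), (0x05, 2048, 4096)])}
    link = (0x05, 0 if cursed else 2048, 2048)
    img[2048] = make_sector([(0x06, 63, 1985), link])
    img[4096] = make_sector([(0x06, 63, 1985)])
    return img


if __name__ == "__main__":
    for label in ("healthy", "cursed"):
        img = build_image(label == "cursed")
        vols, loop_at = walk_extended(img.__getitem__)
        print(label, "logical volumes at", vols, "looping EBR:", loop_at)
```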
Keep in mind, however, that the great majority of current diagnostic disk management and security/anti-virus software programs provide no help for this problem unless it's picked up before the machine is restarted and the changes take effect. Fortunately, the "cursed disk" phenomenon has remained quite rare since 1992.

More interestingly, the September issue of Virus Bulletin contained comment on a multi-partite virus that introduces the fault to make itself difficult to remove from hard disks infected by it. The virus, called Rainbow, infects .COM and .EXE programs as well as the master boot record (MBR) of hard disks, inserting a 25-byte change in the target at physical sector 0,0,1 pointing to the rest of its code copied to space assumed to be unused on track 0 of the hard disk and spanning physical sectors 0,0,2 - 0,0,5. An uninfected copy of the original MBR is copied to 0,0,6. Rainbow introduces the "cursed disk" fault to make itself difficult to remove if the machine is started cleanly from the A: drive. In this case, the idea the virus writer had in mind was to make the machine appear frozen. When the machine is started from the Rainbow-infected hard disk, the virus loads first and produces the original uncorrupted partition sector at 0,0,6 for the machine, masking the problem. Bill Arnold, a researcher in the anti-virus software development group at IBM's T.J. Watson installation, commented Rainbow was not considered a threat in the wild.

In an interview, Mike Lambert said he first noticed the fault in 1992 when asked to troubleshoot a disk security program that had been installed on a PC, one that was proving difficult to remove. The program used the "cursed disk" error to secure the machine, making it impossible to bypass by booting from the standard bootable floppy. This led to Lambert writing the "When the magic floppy won't boot" paper with collaborator Charles Moore.
The use of the "cursed disk" fault as a basis for a disk security program, while unusual, is not without precedent. Patrick Toulme, the programmer of Virus-90 and Virus-101 and a number of powerful systems level software utilities, has fielded a disk securing program utilizing the error to halt the machine when starting from a diskette. More recently, Crypt Newsletter recovered a software boobytrap written by Stefan Kurtzhals, a German programmer who associates himself with an organization called Virus Help Munich and dabbles in the writing of anti-virus software. Kurtzhals wrote this software bomb, called Megatest, in an attempt to trick a more successful competitor with the "cursed disk" effect. In electronic mail obtained by Crypt, Kurtzhals said, "I have quite good [connections] to both AV companies and virus coders, but it's not perfect yet. I need more connections and information. Hmmm, quite funny. I get both AV software and new viruses for beta testing." Kurtzhals added the "cursed disk" fault used in his boobytrap "is also known to almost every better virus coder. It will be mentioned in [the Australian virus-writing magazine] VLAD#6, too. I've seen a preview of some it's [sic] parts." Kurtzhals' anti-virus software (not the "cursed disk" boobytrap), called Suspicious, is available from the Munich, Germany, Web-site WWW.LEO.ORG.

Lambert said to Crypt Newsletter he has been informally notifying the various developers of DOS of the "cursed disk" fault since 1992. Bill Arnold of IBM said current versions of PC-DOS are no longer vulnerable to "cursed disk" syndrome. Lambert added Novell DOS has also been cured of the problem. MS-DOS versions 4.0 to current still carry the bug, a not insubstantial user base.

Additional notes:

1. This bears mentioning one more time in case readers have decided the sky is falling because of MS-DOS and the "cursed disk" phenomenon. Time and the inexorable march of technology are slowly eroding the annoyance of the fault.
It is quite rare. And current versions of PC-DOS and DR-DOS eliminate the problem. Therefore, booting from any current DOS other than Microsoft's flavor will unlock the "cursed disk," and enable remedy of the problem. A Rand Corporation scientist in Santa Monica was recently overheard muttering something that sounded like "Microsoft" and "suckware" under his breath.

Other fixes for a "cursed disk" are contained in Lambert & Moore's original paper, "When the magic floppy won't boot," from the Web site: http://www.frontiernet.net/~mlambert

The ARF anti-virus software, reviewed later in this issue, creates a rescue system disk invulnerable to the "cursed hard disk" fault. It is similar to the Lambert/Moore fix in that it allows a user to get in front of the problem by putting a jack-handle for system restoration directly into the code loaded from the boot sector of a rescue diskette. Another option is to start the machine with an alternative to Microsoft-DOS and use a program with the functionality of Netz Computing's Invircible ResQPro/ResQDisk that can automatically correct corrupted partition table data snarled in this manner.

2. Patrick Toulme's Virus-90 and Virus-101 were demonstration file-infecting viruses that confined themselves to operation on floppies in the A: or B: drives. Virus-90 contained the name and address of its author; Virus-101 was encrypted, packed a video display and an activation that overwrote non-system floppy boot sectors with a message that it was a "safe, educational virus utility," furnished to/for John McAfee.

GRAB BAG: BOZA - THE PAUSE THAT REFRESHES -or- ANOTHER KNEE-JERK PRESS RELEASE COMPUTER VIRUS STORY

As Crypt Newsletter went to press, the Associated Press triggered another round of ridiculous computer virus alarms with a story on the Boza computer virus, an admittedly barely infectious parasite on Win95 executables.
The virus was attributed to the VLAD Australian virus-writing group because of the equivalent of a computer underground press release embedded in it extolling VLAD members and their technical virtuosity vis-a-vis computer viruses. Associated Press reporter Sue Leeman issued a news brief on it and it echoed internationally. In a pattern of action and reaction that has become standard for most computer virus stories reported in the mainstream press, the Boza piece generated countless questions from on-line users who thought they were in danger from it, although realistically they were statistically more likely to be hit by an automobile than the virus in their lifetime. The original Associated Press story quoted Sophos' Paul Ducklin as saying the Boza virus wasn't on the loose, but most subsequent news stories and fragments derived from it, including copycat press releases from other vendors, stripped this from the original. The results were predictably confusing. Some PC users who did not even have Windows 95 installed on their machines concluded they might have been exposed to Boza.

From the Associated Press: "Analysts [meaning anti-virus software developers at Sophos, a United Kingdom-based company] have named the virus Boza after a Bulgarian liquor 'so powerful that just looking at it will give you a headache,' [Paul] Ducklin said." It was a colorful, ingenious turn of phrase which had nothing to do with computer viruses per se but which made for a more interesting line of discussion. It being cyberspace, of course, opinions tended to differ. In the National Computer Security Association's Anti-virus forum on Compuserve, Zvi Netiv, author of the Invircible anti-virus, added, "I had Boza quite a few times with my [Bulgarian] in-laws. Boza is a home-made beverage, prepared from ground barley, left fermenting in water for a few days. It's milder than beer, looks like thin oat porridge and smells like . . .
well, if you once visited a beer brewery, then you know what [it smells like] -- Quite far from what you would call liquor and as strong as camel's milk." Netiv added worrying about the Boza virus was absurd.

The Boza mini-panic illustrated the need for more and more media criticism, particularly when it comes to technology stories. A few rules of thumb to keep in mind when dealing with this type of thing are:

1. Computer virus stories are the best vehicle in which software developers selling cures can pimp for their products. Even if the virus is shown to be pathetic as a public menace, interest in those cited peaks transiently during the run of the story. This amounts to cash money in software sales and on-line time spent through commercial services offering information or software fixes through download, even if it's relatively unnecessary.

2. Being the first vendor mentioned in a story like Boza throws competitors immediately on the defensive, scrambling to recover and fueling the story in the process. Even though competing companies may have known of a virus weeks previously and quietly written cures into software as the usual course of business, the average PC user - after reading this type of story - will be given the impression everyone else was asleep at the wheel. This sets off a chain reaction in which competitors quickly release copycat press releases which drive developments and strip more information from the primary seed in an effort to maximize individual product exposure. Those vendors who don't do this often face tons of witless questions from those needlessly frightened by the news in on-line computer help forums. They also face a transient image that they've been caught flat-footed, and being called the equivalent of cyber-chumps by vendors more successful at generating press.
From a consumer standpoint, this leads to counter-productive behavior in which vendors burned by the lack of exposure gear up to generate even more press releases on potential future threats _before_ they materialize.

3. It encourages some vendors to increase their contact with known active virus-writers and their groupies so that they will be the first to receive new viruses which may or may not (more often "not") work. This is a nasty spiral which tends to encourage virus-writers to produce even more than they usually would for their "audience."

A central point that should not be missed is that stories like "Boza" are symptoms of a kind of contempt in which the computer industry holds consumers. In this case, the contempt is shown in the use of virus-writers and computer viruses as sales and marketing tools, magnified by the exploitation of the relative ignorance and ease of manipulation of the news media and average PC user. In a more general sense, the computer industry, as a whole, has always shoveled a great deal of marketing effort into generating well-publicized "problems" for which it conveniently provides the snake-oil. Boza was another in this tradition.

VIRUS CD-ROM SALES TOP 1400

Mark Ludwig, author of "The Black Book" series on computer viruses and the publisher of a widely distributed CD-ROM of the programs and related material, commented to Crypt that sales of the compact disc had topped 1400. The disc sells for $100 cash money/copy, which grosses to $140,000 collected in sales of bulk computer viruses through American Eagle, Ludwig's parent Arizona-based company. Ludwig added that a second edition of the virus CD-ROM was envisioned containing about twice the data volume of the original in computer viruses.

REALLY BLEW'D, SCREWED & TATTOO'D: BLACK BARON GETS 18 MONTHS IN GAOL

In mid-November 1995, the English trial of virus-writer Chris Pile finally ended with an 18-month prison sentence for the author of the SMEG computer viruses.
The English newspaper The Independent referred to Pile as a "'mad and reclusive boffin' who wreaked havoc on computer systems by spreading [viruses] . . . across the world . . ." [Webster's New World Dictionary informs readers "mad boffin" is Brit slang for "mad scientist."]

"'I dare say you were looking forward to reading in the computer press about the exploits of the Black Baron,' said [judge Jeremy Griggs] to the defendant before sending Pile to the bighouse for 18 months. "'Those who seek to wreak mindless havoc on one of the vital tools of our age cannot expect lenient treatment.'"

In America, Dr. Alan Solomon - developer of the UK-based Solomon Anti-virus Toolkit (S&S International) - worked the news into a presentation given by his firm at the Fall ComDex in Las Vegas, Nevada. The following week, Graham Cluley - a colleague and employee of Solomon at S&S - privately remarked on the Compuserve on-line service that the severity of Pile's sentence surprised him.

The treatment of Pile, a 26-year-old unemployed programmer, by the English press was slightly reminiscent of the US media's portrayal of Kevin Mitnick. In America, Mitnick was attributed with almost superhuman malevolence, dangerous enough to bring down the Internet or break into military computers controlling NORAD. For The Independent, Pile was the "most famous" of virus-writers and the "most dangerous" of a small band of them working in England. The Independent exaggerated when adding further that Pile's SMEG virus programs were "the two most sophisticated ever written." This was probably surprising news even to the anti-virus software developers interviewed for the Black Baron stories. Pile's viruses had reached "criminal elements" working in Northern Ireland, the US, and Germany, according to the Independent. The future damage, "inevitable" and "incalculable."
The demonization and denunciation of Pile was unusually harsh in light of the fact that prosecution witness Jim Bates commented to Crypt Newsletter that UK authorities were uninterested in sending officials to collect evidence on the SMEG viruses in the United States because a guilty verdict had been arrived at by mid-1995 (Crypt Newsletters 32 - 33). The Times echoed The Independent's hyperbole, maintaining Pile had written a "training manual" for virus-writers found "in America and Northern Ireland where it was being used by criminals." Ali Rafati, as part of Pile's legal defense, said his client was a "sad recluse." The real Pile is difficult to describe in any detail even though an excessively overwrought and lugubrious "Biography of a virus-writer" was written about him and circulated widely in the computer virus underground. As bombastic and pompous as anything written by The Independent, Black Baron's biography begins: "In 1969 Neil Armstrong stepped onto the moon. It was a momentous year for the world. But no-one [sic] at the time paid much attention to a baby boy being born in a town in southern England. This baby boy was destined to grow into one of the most infamous computer virus writers of all time. In 1969 The Black Baron was born!" Curiously, almost 80 percent of the Black Baron's "biography" is a reprint of material written by Ross M. Greenberg, a semi-retired programmer who wrote the Flu_Shot and VirexPC sets of anti-virus software. The reprint dates from 1988 and contains rather standard anti-virus rant and rave, calling virus-writers "worms." This, if the Black Baron's biography is taken at face value, formed the basis of Pile's desire to write viruses and impress people with them. Black Baron's biography reads (errors reprinted), ". . . when computers stop attracting social inadequates, but whom I am refering to the arrogant members of the anti-virus lobby as well as the nefarious virus authors. But what of the Black Baron? What is he? 
Is he a malicious criminal? A computer terrorist? A social inadequate trying to reassure himself of his own inadequacies through destroying computer data? I don't [believe] so. I have spoken to Black Baron on a number of occassions. He is happy to discuss his work, and, at my request, he has even released a document detailing the design of SMEG. He doesn't feed on the panic and fear that SMEG viruses such as Pathogen and Queeg cause. Rather he revels in the embarrasement and panic which his software causes the arrogant anti-virus writers." At the time, Pile was unemployed.

The "biography" concludes: "After talking with him, I understand the Black Baron. I feel sorry for him as well. He is a highly gifted individual who has not been given a chance by computer society. So he has made his own chance. We all need recognition. Mainly through employment, but we as thinking machines must receive recognition for our abilities. Otherwise we sink into melancholy and paranoida. Black Baron has received his recognition. We, the computer society are responsible for the creation of Pathogen, Queeg, SMEG and all the other computer viruses. We have no one to blame but ourselves. It is our desire to keep the computer fraternity a closed club which has alienated so many of our colleagues. By rubbing their noses in it, so to speak, we have begged for trouble, and like the inhabitants of Troy, we have received it."

In retrospect, the underground remains of Chris Pile's cyberpersona have become an even more cryptic, sad counterpoint to his stay in an English gaol. Pile's representation was contacted repeatedly by Crypt Newsletter but, surprisingly, lacked e-mail addresses and could not be reached for concluding opinion.

ARF ANTI-VIRUS: THE SYSTEM SHIELD THAT IS NOT A DOG

The ARF anti-virus program is a set of software shields designed to block virus infection and enable easy recovery of executable program and system area code on a disk beset by computer virus.
Its linchpin is a module called ARFMAIN which is a memory resident behavior blocker. Virus activity blockers aren't new. ARF's authors, Stephen Poole and Leonard Gragson - a team in Kansas and North Carolina linked by the nature of cyberspace - admit this and state they've gone to some length to minimize the knocks leveled against this type of protection: prone to false alarms, not air-tight, saps system resources.

The pros and cons of the approach of fine-tuning virus blocking software until the drawbacks don't exist have been trotted out and argued repetitively over the years by the multitude of software vendors. Central Point/Microsoft Anti-virus's VSAFE, for instance, was elementary to use and install but so porous it was very little insurance against computer viruses. Robert Hoerner's Nemesis, a German product, was so paranoid and restrictive no virus could operate against it. Indeed, some virus writers, most notably Germans who envisioned their creations running into Nemesis, wrote their programs to test for the presence of the software and just quit if it was around. However, Nemesis also tended to be rather airtight to normal use of the PC.

The ARF virus blocker is one of the best behaved device drivers of this nature Crypt has worked with. Purely incidentally, it is similar in look and feel to Trend Microdevice's PCRx so users familiar with that software will be comfortable with it. Alone, the ARF driver makes it impossible for most types of viruses to act on a system without generating numerous trapping and warning messages which allow the user to get in front of infections. The warnings are delivered with varying amounts of information and a suggested response dependent upon the severity of the problem. As implied, its false alarm rate is minimal and when acting as a safety-net in the background its presence is largely imperceptible.
One of the ARF driver's best selling points is its efficient disposal of partition sector and boot-sector infecting computer viruses. The ARF driver knows the ROM address of the Interrupt 13h hard disk service for a secured machine and, as a consequence, can easily remove these types of viruses in most instances even when they have taken control long before the ARF driver. This means that if the PC is booted from an infected diskette and the partition of the hard disk contaminated, the ARF driver will load on restart, warn the user the disk has been infected and offer to restore the system. Viruses like Monkey, AntiEXE, Russian Flag, Urkel, Stealth Boot C, Stoned variants, Sampo and Leandro & Kelly could all be removed with a keystroke on testing. The machine is halted when the virus is purged.

Alert readers may remember a recent Crypt Newsletter article that outlined some weird gymnastics Quantum and Symantec were going through to come up with a hardware and software-based anti-virus solution that did just this very thing, only badly. Programs like ARF show the discerning that large companies with extensive R&D budgets are not necessarily immune to stupidity in design and that smaller firms often can and do figure out superior solutions. The ARF driver is also compatible with anti-virus scanning software.

Crypt Newsletter knows how to select weird computer viruses under extreme conditions to poke holes in just about any anti-virus software and ARF is no exception; however, without going into a lot of needless detail it's accurate to say the software is extremely robust against the vast majority of computer viruses in circulation. ARF trips up most viruses that do fancy things in memory by being acutely sensitive to attempts to trace or exploit unusual or poorly documented aspects of the operating system kernel, aspects often used by computer viruses. In most cases, such viruses produce immediate warnings or simply result in the ARF driver hanging the system.
Nightfall, a subtly transparent .COM/.EXE infector that does some slippery things in computer memory, was one exception. A virus written precisely like Nightfall could, theoretically, execute directly past the ARF driver, infect the command shell and run without generating a peep from the software. It should be noted that Nightfall can do this with almost every other anti-virus software on the market, too, if not detected by scanning. Paradoxically, Nightfall is one of the German computer viruses that simply surrenders and goes dormant against the Nemesis virus blocker.

The ARF driver is meant to run in conjunction with a PC treated by an ARF utility, called INJECT, which encapsulates executable programs in a code fragment that confers self-recognition and auto-restoration capability to protected programs. Many anti-virus software developers consider this heresy but the ARF authors have gone their own way and generated something which works quite well, anyway. ARF-protected programs will restore themselves after most virus infections. The protection is much stronger when the ARF driver is present although still quite functional when forced to stand alone.

There are a couple of caveats: A virus exactly like Nightfall can infect ARF-protected programs without generating alarms since the virus, from the standpoint of the INJECT-ed program, is invisible, effacing itself from the executable prior to self-check and re-infecting the target on exit. Quite a number of "stealth viruses" try to do this type of thing and are prevented from being successful against an ARF-protected machine by the presence of the device driver virus block. Simply, they just can't get going enough to infect any meaningful number of programs before the software halts the system. ARF-encapsulated programs are not proof against overwriting viruses or simple software boobytraps that totally corrupt programs or the disk. Nothing is.
However, if the ARF suite is installed properly - not piecemeal - none of these types of computer hotfoots can execute even once without being trapped unless they're quite sophisticated or write to the hardware directly. This would be extremely unusual. Since the ARF INJECT utility modifies executable code on your disk, using it in a test run or full installation will cause other anti-virus programs that analyze your PC for changes to programs to pop a nut. This is another good example of why it's excessively dumb to mix and match anti-virus programs willy-nilly if you have no idea what you're doing. The ARF anti-virus programs also create a "magic diskette" for when the machine won't boot from the hard disk or if the device driver needs a helping hand. The diskette is assembled so it contains vital data on the system area of the machine and a unique identifier for the PC it was made from. The ARF software renders it unreadable by DOS as insurance against intemperate meddling. The ARF rescue disk is made so its restore feature is loaded directly from the diskette's boot sector. This means it will get a head start on just about anything save a complete hardware meltdown on a disabled PC. The ARF disk offers a number of options including restoration of the hard disk's damaged or corrupted partition sector and is absolute insurance against the "cursed disk" fault mentioned previously in this issue. This ARF utility also offers an option to create a special partition sector for a secured machine but the protection is not critical for the overall performance of the software. Those users yearning for anti-virus scanning software to wave obsessively like a magic wand at suspicious programs and diskettes could be uncomfortable with the ARF programs. ARF is also potentially troubling to users whose level of expertise is exceeded by anything beyond the stabbing of the America On-Line button. Anyone else will get excellent service and would be well-advised to give ARF a look. 
Contacts:

ARF Enterprises

Leonard J. Gragson                  Stephen M. Poole, CET
1405 Sheridan Bridge Lane           122 N Main Street
Olathe, Kansas 66062                Raeford, NC 28376
(913) 764-9091                      (910) 875-3571
CompuServe 73131,1034               71234,3263
AOL ARFMAN2                         SMPoole
Internet lgragson@fileshop.com      SMPoole@aol.com

THE LETTERS PAGE: SPAM MAIL FROM JOHN PERRY BARLOW-CORN, ANKLE-BITERS, THE LONELY GUY FROM SINGAPORE, MIXED-UP EURO-COLLEGIANS AND A JOURNALIST -or- A DIVERSE GROUP OF ASSORTED RUPERT PUPKINS FROM THE GREAT CYBER-FUNNYFARM

RAISE YOUR CYBERFIST AND YELL WHILE I'M SKIING WITH ARNO PENZIAS AND LOUIS, SEZ JOHN PERRY BARLOW SPAM
=================================================================

From: John Perry Barlow
Subject: A Cyberspace Independence Declaration

Yesterday, that great invertebrate in the White House signed into the law the Telecom "Reform" Act of 1996 . . . [edited for clarity]. I had also been asked to participate in the creation of [a] book by writing something appropriate to the moment. Given the atrocity that this legislation would seek to inflict on the Net, I decided it was as good a time as any to dump some tea in the virtual harbor. [More edited for brevity.] I have written something (with characteristic grandiosity) that I hope will become one of many means to this end. If you find it useful, I hope you will pass it on as widely as possible . . .

John Perry Barlow, Cognitive Dissident
Davos, Switzerland

[Crypt replies: Hold it right there, pardner. Please remove Crypt's name from the John Perry Barlow spam-mailer. Crypt Newsletter drily notes, too, that for a guy supposedly for the commoner - every man jack of us - it's rather novel to spam from the redoubt of the rich, famous cognitive elite at Davos in der Schweiz.]

ANKLE-BITERS, PART I
====================

Hi: I've heard that if you have a fake account on America On-line or something else there is no way that _they_ can trace you. Is that true?
Because I don't want to get into any major trouble, like getting arrested. I know it's illegal and everything but it's so much FUN!!! Thanks a lot.

Mr. Ankle-biter: CIS

[Crypt replies: Watch out. Tsutomu Shimomura has your name and he's running a trap-n-trace.]

Hey! I need a virus or more for a Novell Netware network. Is there such a thing? I guess I just want a virus that will spread quickly over my school's computers because someone there pissed me off.

Sincerely, Lord Ankle-Biter

[Crypt replies: Crypt News has stripped the ID from your request and remailed it to New York Times computer crime journalist John Markoff. The ball's in your hands and you won't want to fumble now that you're close, so use an anonymous remailer to forward the New York Times a .GIF portrait suitable for publication. If you're lucky, in 1996 Mr. Markoff could make you CyberPublic Enemy Number 1 and get Tsutomu Shimomura or Dan Farmer on your trail. You'll be caught, but after the initial discomfort of the strip search and one night with a 260-lb. mesomorph cellmate named Cheech, the movie deals will roll in and your school colleagues will die of envy. It will be the best possible revenge.]

LONELY SINGAPORE NATIVE LOOKS FOR SIGNS OF LIFE
===============================================

Dear Crypt: Can you please tell me where to get the Biological Warfare computer virus creation kit? I am a curious thrill-seeker who is still a student. The information from Biological Warfare will help me do a program I am researching. My plan is to make a program that will encrypt and add polymorphic power to a normal .EXE or .COM-file in order to prevent hackers from getting into it. Anyway, I like viruses, because I think they are "cute" in the sense that they seem so much like little animals. They reproduce, they "eat" and sometimes destroy. In fact, if you imagine the computer as a "desert," viruses can be wild animals while anti-virus programs could be hunters.
Squane in Singapore

[Crypt replies: Dear Squane, you can't get this kind of information from Bio Warfare. It's a virus-making kit, not an artificial life generator or a Philosopher's Stone.

As for encrypting programs as a barrier to reverse-engineering, you might consider digging up for examination some programs that already offer this service: Jeremy Lilley's Protexcm and Tranzoa's TinyProg come to mind. Crypt Newsletter 19 also included a couple of simple, easily used examples that performed roughly the same thing. They were not foolproof, state-of-the-art or impenetrable, but they were easily understandable.

You should recognize that polymorphic encryption as practiced by virus writers isn't tough to crack from the standpoint of a cryptographer or a software disassembler. Its only utility is that it renders brute force simple bitstream scanning of computer viruses encrypted in this manner impractical to impossible. From a cryptologic standpoint, however, I would think polymorphism is uninteresting. Keep in mind there are also a number of people who've made it their business to program reverse protection software utilities solely to peel off the types of code armoring you're interested in. And it seems to Crypt they have the edge.

As for viruses being "cute," for God's sake, man, get a grip on yourself before it's too late! Thrust yourself away from the PC for a minute and pour yourself a stiff drink. Out of concern for your mental health, Crypt has forwarded your message to the Singapore Department of Corrections and Caning. I know they'll put you in good hands.]

Ree-raw! Ree-raw! Ree-raw!

[ASCII drawing of a "Caning & Corrections" van]

MORE ANKLE-BITING
=================

To Whom It May Concern: I recently downloaded the Virus Creation Laboratory from the Usenet. I already have the virus making kit, the NuKE Randomic Life Generator, but decided I would give VCL a shot, too.
Actually, I'm pretty sick of typing out all the assembly code for viruses myself. I don't see why I should spend a week or two working on a new computer virus when I could create one much easier with VCL! What's technology for, anyway?

However, when I tried installing it I came across a problem. The software unzipped from its archive OK but when I tried running the program it issued an error message that VCL could only be used on the original computer it was installed upon. This was the first time I executed VCL so how can it not be the original? Is this archive simply a repackaged copy from a prior installation or something? Jeezus. Thankx.

Alfred E. Ankle-biter: CIS

[Crypt replies: Dear Alfred - by Jove, I think you've got it!]

STRAGGLER ANKLE-BITERS
======================

Dear Crypt: Send me the files ASM.BAT and MAKE.BAT. I kant [sic] find them anywhere on-line.

Dark Ankle-Biter, Netcom

[Crypt replies with an ASCII drawing of a bat: DOH! Too many .BATs in the Belfry!!]

Dear Crypt: Hmmm, it's occurred to me that I might be asking a dumb question. Well, here it is, anyway. I need virus source code BIG TIME. Can you somehow give me a list of cheap, dependable sources of computer virus source code? I would DEEPLY appreciate it. Thank you.

Mike Bleiweiss, Awaiter BBS/Netcom

[Crypt replies with an ASCII drawing of a bat: DOH! Reading comprehension courses are not part of the Crypt Newsletter charter!]

A PUZZLED JOURNALIST REQUESTS RESEARCH ASSISTANCE, ANSWERS TO BURNING QUESTIONS
=====================================================================

Hello Crypt Newsletter: I am working on a report concerning the dangers of electronic database crossovers and the security implications for each of us. I am looking for some ideas to present hacking as a way to create an opposite, balancing power to the "masters of the electronic world," sort of like Sandra Bullock in the movie, "The Net."

Thierry Maillet: CIS

[Crypt replies: Before we get started on this I want to bring something to your attention that, perhaps, has a more local angle for you. I was just exchanging mail with a fellow by the name of JeanBernard Condat in response to a small that appeared in Crypt Newsletter 34. JeanBernard, whose reputation is that of one of the most famous French hackers, was apparently an agent of a French surveillance agency. It's my understanding he was turned while a student, was pressed into service as a front and report writer on hacker activities, and eventually broke away after a number of years of this type of thing.

Now while my grasp of the events is very incomplete, it seems to me that it immediately throws into serious question whether hackers can monolithically be presented in the way you're aiming. If you grab a copy of Jonathan Littman's book, "The Fugitive Game," you'll quickly read that "hacker" Justin Petersen (better known as Agent Steal) while an FBI informant, was a pure-and-simple menace to the privacy, bank accounts and mental health of just about everyone and anyone he could screw: other hackers, girlfriends, complete strangers, his law enforcement handlers. Obviously, if you're going to bother to take the time to do a comprehensive report, you will have to look at these issues in a discerning manner.
Some of the best examples I can give you, and I'll make this brief, are in my book, "The Virus Creation Labs." There are many instances of hacker profiles in it and the picture that emerges is complex, not at all like a Hollywood fantasy in which rebel computer gurus act as counterbalances to corporate and institutionalized power.]

EURO COLLEGE STUDENT ASPIRES TO WRITE BOOK ON COMPUTER VIRUSES
==============================================================

Dear Crypt: Why doesn't the Crypt Newsletter deal with virus-programming techniques anymore? I'm planning to write a book about virus-programming technics [sic]. That's why I am looking for virus source codes. I'm attending the Eotvos Lorand University of Science in Budapest, Hungary.

Szabin Szoke, Budapest

[Crypt replies: That's t-e-c-h-n-i-q-u-e-s, Szabin, not "technics." Writing a book, eh? If Crypt received one thin dime for every anonymous clown who sent this line . . . but, to your question.

I haven't made any effort to make virus source code available in the last two years of issues for a number of reasons, a couple of which I'll mention. First, computer virus retrieval on the Internet is trivial business. It's easy to come by hundreds, even thousands, of the programs. And since my favorite parts of the Crypt Newsletter weren't devoted to virus source code in the first place there was little harm to my enjoyment of the magazine in ditching the material. Other e-zines on the Internet still do publish virus code and their editors are a lot more enamored of the idea than I am, so they're the people to patronize.

In addition, it's all been done. The technology of computer viruses for the Intel platform is extremely prosaic. If you're unfamiliar with the subject, it may seem exotic but . . . it's not.

There are also some books on computer viruses one can purchase. One is reviewed in this issue. (I admit it's pretty shabby, but it might be something that floats your boat.)
Or, you can acquire virus collections, complete CD-ROMs of computer viruses. If you must have computer viruses, whether you want them as resources for a book, objects of idle curiosity, trivial start-ups to anti-virus work or quite some other thing, and you're so inhibited you can't strike out on the info highway and find some - this is one route that can be travelled. Don't be a dilettante.

Computer viruses also restricted the audience of the newsletter making it _too_ much a specialty publication. Crypt News is still specialized, but anti-virus researchers and virus-writers were a very narrow demographic. As an extremely eccentric, inbred and highly secretive subculture of propeller-heads, a great many of whom you'd be embarrassed to be seen in civilized company with, they make for excellent subject material but an awful sole readership.]

LONG-TIME CRYPT READER OFFENDED BY SANDRA BULLOCK AS VIRTUAL SYMBOL OF CYBERSPACE CITIZEN, AFFLICTED BY BRAIN FLUKE WHILE WATCHING EVENING NEWS, BREAKS RECORD FOR NUMBER OF HYPHENS IN LETTER TO EDITOR
============================================================

Dear Crypt: I'll get right to the point: Howdy-dooty, howya doin'???? I saw - but didn't really want to expend any of my remaining limited and non-renewable mental resources on reading - the reference to the K-HiP MoOViE "ThE NeT," starring Sandra Cyber-Bullock. I do not wish to see this flick! I doubt I could handle it, especially in my weakened condition. You see, I accidentally exposed myself - er, you know what I mean - to nearly 6.3 seconds of evening network news hosted by Tom Brokaw before I realized what was happening.
In a rush to cancel the offending broadcast, I accidentally flipped over to C-SPAN and was further exposed to approximately 2.1 seconds of Dianne Feinstein blathering on about one thing or another in her New World Order Lite(tm) sterile corporate I-Know-Better-Than-You-What's-Good-For-You-And-Besides-My-[Word Effaced by Crypt Corporate Standards & Practices]-Bigger-Than-Hillary's monotone. Unfortunately, the doctors say that some of the damage is probably irreversible. Their diagnosis also told me that if I had encountered any footage of flag-and-bunting-encrusted Republicans or giant-inflexible-pompadour-sporting televangelists, I might very well not have survived. I'm not certain whether I got the good end of the bargain.

Cory Tucker (NekroMantik)

[Crypt replies: "Th3 nEt" has now gone to video so you may want to avoid your neighborhood Blockbuster during convalescence. Get well soon.]

-=The Crypt Newsletter welcomes thoughtful mail from readers at crypt@sun.soci.niu.edu. Published letters may be edited for length and clarity or anonymized to protect the naive from themselves.=-

REACHING CRYPT NEWSLETTER

Send software, books, or public-relations phlogiston for review and consideration to:

Crypt Newsletter
1635 Wagner St.
Pasadena, CA 91106

E-mail: crypt@sun.soci.niu.edu or 70743.1711@compuserve.com

CRYPT NEWSLETTER HYPERTEXT

If you're reading this, you don't have it. Crypt Hypertext can be registered through Compuserve's on-line SWREG service. To purchase a copy of Crypt Hypertext through your CompuServe account simply use the GO menu and enter the keyword: SWREG. You will be presented with a menu to identify your geographic location. When prompted to search the software database enter the number: # 9228 or the name CRYPT NEWSLETTER HYPERTEXT V. 1.0 and provide the requested information. You will receive a copy of Crypt Hypertext through US Mail.

Operating Systems - DOS, WINDOWS

Cost: $30.00 + $4.00 shipping and handling in US, Canada and Mexico.
+ $8.00 shipping and handling worldwide.

The database contains not only Crypt Newsletter 1992 - 95 but also a great deal of additional material and unpublished notes. Where appropriate, additions have also been made to old issues and articles to provide current perspective and background. The database also contains a keyworded glossary and extensive subject index spanning the length and breadth of the newsletter. Cut and paste any information to your customized specification.

In the database you'll find comprehensive stories, tutorials and news on:

--the computer virus underground and virus-writers
--the anti-virus industry
--on-line culture and sociology
--book reviews of current titles in security
--annals of computer crime & computer virus spread
--virus descriptions and history
--walkthrough simulations, imagery and displays - aural and visual - from computer viruses and controversial virus-making software toolkits
--discussion of legal issues with regard to computer viruses and related computer crime
--extensive companion material for the author's book, "The Virus Creation Labs"
--review of the mainstream media: the shams and scams reported as real news. Take a skeptic's look at the information highway!

The Crypt Newsletter database is also extensible. Future hypertext issues, distributed through CIS forums, can easily be copied to the database's directory on your home computer and seamlessly integrated into the collection.

The complete index of topics 1992 - 96 is on the Crypt News Web page: http://www.soci.niu.edu/~crypt

CRYPT ON COMPUSERVE

Those readers with accounts on Compuserve can now take part in the dedicated Crypt Newsletter message base and attached file library in the National Computer Security Association special interest group. GO NCSAFORUM and look for message base #20, Crypt Newsletter. Current issues are on-line in the attached file library.
CRYPT NEWSLETTER WORLD WIDE WEB HOME PAGE

You can visit Crypt & The Virus Creation Labs on the World Wide Web, download back issues and sample a chapter from VCL! Set your graphical browser (Mosaic, Netscape, etc.) to:

URL: http://www.soci.niu.edu/~crypt

ACKNOWLEDGMENTS - In one way or another, this issue couldn't be the scintillating read it is without: Bob Casas, Ph.D., of CPC Ltd.(COMSEC), Glenview, Illinois, for hypertext & hyperlinks prodding; Roger Thompson of Thompson Network Software, Marietta, Georgia, for sundries; Steven Aftergood of the Federation of American Scientists, Washington, D.C., for keeping Urnst, the cat, in good reading material with those timely FAS reports; Dave Kennedy of NCSA for consumer alerts.

----------------------------------------------------------------

If you quite enjoy the Crypt Newsletter, editor George Smith's book, "The Virus Creation Labs: A Journey Into the Underground," will really flip your wig. In it Smith unravels the intrigue behind virus writers and their scourges, the anti-virus software developers and security consultants on the information highway.

What people are saying about THE VIRUS CREATION LABS:

"I couldn't stop reading it . . . As hype continues to build about security on the Internet and movies like _Hackers_ ooze the real hackers into the mainstream arena, this book is definite apropos material for the time. Read it! A+"
---The Net magazine, February 1996

"[VIRUS CREATION LABS] is informative and stunningly incisive . . . "
---Secure Computing, October 1995

"George Smith . . . takes a look at the world of virus writers and anti-virus software vendors in a style similar to that of 'Cyberpunks' -- anecdotal, humorous and revealing . . . a lucid and entertaining read."
---Computer Security Journal

"There are relatively few books on the 'computer underground' that provide richly descriptive commentary and analysis of personalities and culture that simultaneously grab the reader with entertaining prose.
Among the classics are Cliff Stoll's 'The Cuckoo's Egg,' Katie Hafner and John Markoff's 'Cyberpunk,' and Bruce Sterling's 'The Hacker Crackdown.' Add George Smith's 'The Virus Creation Labs' to the list . . . 'Virus Creation Labs' is about viruses as M*A*S*H is about war!"
---Jim Thomas, Computer Underground Digest 7.18, March 5, 1995

"THE VIRUS CREATION LABS dives into the hoopla of the Michelangelo media blitz and moves on to become an engaging, articulate, wildly angry diatribe on the world of computer virus writers . . . Expert reporting."
---McClatchy NewsWire

-------------------------order form-------------------------

Yes, I want my wig flipped and wish to receive a copy of George Smith's "The Virus Creation Labs: A Journey Into the Underground" (American Eagle, ISBN 0-929408-09-8).

Price: $12.95/copy plus $2.50 shipping per book (add $7.50 overseas)

NAME: _____________________________________________
ADDRESS: __________________________________________
CITY/STATE/ZIP: __________________________________

Payment method: ___ Master Charge ___ Money Order ___ Check ___ Visa

Credit Card # ___________________________________________
Expiration date _________________________________________
Name: ____________________________

Orders can be taken by voice or fax through regular phone number and/or 1-800 number in USA. COD welcome.

American Eagle: 1-800-719-4957 1-602-367-1621
POB 1507
Show Low, AZ 85901

-------------------------------------------------------------

George Smith, Ph.D., edits the Crypt Newsletter from Pasadena, CA. Media critic Andy Lopez lives in Columbia, SC.

copyright 1996 Crypt Newsletter. All rights reserved.