1997-05-08 - Re: Igor’s Diabolical Mind

Header Data

From: ichudov@algebra.com (Igor Chudov @ home)
To: devnull@manifold.algebra.com
Message Hash: b4d741e779316a07421088489ca7d4ea320bbd34c6b105bec41010ce0bed0c66
Message ID: <199705080036.TAA00617@manifold.algebra.com>
Reply To: <199705072327.QAA09304@fat.doobie.com>
UTC Datetime: 1997-05-08 00:57:53 UTC
Raw Date: Thu, 8 May 1997 08:57:53 +0800

Raw message

From: ichudov@algebra.com (Igor Chudov @ home)
Date: Thu, 8 May 1997 08:57:53 +0800
To: devnull@manifold.algebra.com
Subject: Re: Igor's Diabolical Mind
In-Reply-To: <199705072327.QAA09304@fat.doobie.com>
Message-ID: <199705080036.TAA00617@manifold.algebra.com>
MIME-Version: 1.0
Content-Type: text


Huge Cajones Remailer wrote:
> 
> Igor Chudov @ home wrote: 
> > one of the best hacks that I heard of was to install a trojan
> > instead of, say, cat, that would randomly change one byte in
> > a randomly chosen file.
> 
>   I am currently monitoring a friend's system in order to analyze
> the source and methodologies of various attacks on it and I spend my
> spare time reading his email, databases, private diaries, etc.

These are not exactly private diaries, Prof. TruthMonger.

These are private diaries _intended for public consumption_, so that 
susceptible and romantic wanderers in cyberspace like yourself would
be deceived by their seemingly secret (and presumably sincere) content.

But they are still rather useful, if you know what you are looking for.

>   (I am blessed with breasts which allow me to set a man's car on
> fire and know he will just smile, and say, "That's OK, I'll get
> another one.")

How about the pizda...

>   His comments regarding "Igor" imply that you have a diabolical
> mind and a good nose for nasty business.
>   I can tell from your comments above that he judged you fairly well.

See, Prof. TruthMonger, the fact that I like to publicly contemplate
nasty business does not mean that everything that drives "normal"
people insane (a frequent occurrence in certain newsgroups) is done by me.

Far from it.

Anyway, did your friend give you any specifics?

>   Most hackers tend to be one-time Charlies who pop into a low
> security system to mark their territory by pissing on a directory
> tree, so to speak, or adding their own personal form of graffiti
> and then returning home to pat themselves on the back for their 
> great genius.

But this is what they are looking for.

>   The system intruder I am currently dealing with has a long
> history of success in his nefarious activities and one of the
> main reasons for this is his patience and his subtlety.

You hit the exact point on this one, TM. Patience is the asset
that hackers, moderators, and many others need the most.

>   Once he gains entry to a system he generally sets up an
> obscure back door for himself, pulls a directory tree, finds 
> out the backup schedule, and then exits.

See, a prudent sysadmin/user should do several things: 

1. Keep the oldest backup at least several months old
2. Use encrypted filesystems that are mounted only when needed.
3. Disable all internet services.
4. Treat email as if it were certainly being read by your friends.

That does not make the computer secure, by any means (a bug in elm
or tin that causes them to coredump can be exploited without using any
internet services), but at least makes the threat of intrusion somewhat
less dire.

>   He then lays out a plan of attack which is geared toward
> allowing him to roam the system at will without being observed.
> Usually, he will start by replacing such things as the system 
> 'ps' command with one that keeps certain processes hidden from
> the prying eyes of sysadmins. He also substitutes his own
> programs for system files which are rarely installed and/or
> used.

See, time is money. The stuff above requires a lot of it, so I 
wonder if your friend has a life.

>   Once an intruder has his handiwork on the previous few months
> of system backups, then you might say that he has become a 
> "tenured" member of your organization.

You do not want to reinstall the system from backups...

>   I have had previous experience with the individual involved
> in the compromise of my friend's system (and ISP) and I am well
> aware of the fact that much of his power comes from the fact
> that he tends not to interfere with the functioning of one's
> system unless he is attacked.

>   His current work-in-progress is a Trojan which is frightening
> in its scope if it turns out to operate in the manner that I
> and others now suspect. It may represent a quantum leap in Trojan
> Horse technology (kind of an Equestrian Trojan Horse).
>   {Its existence was "discovered" by a cypherpunk, by the way.}

Interesting.

>   While I am not at liberty to reveal the as yet sketchy details
> of how the Trojan operates, I can give you a small glimpse into
> the mind of its creator by providing an example of another
> Trojan that was previously discovered with his signature on it.
> 
>   The Trojan works through a word processor's spell checking and 
> automatic correction system.
>   Nonsensical character sequences are added to the spell checker,
> in the form of 'xytrz-->delete', 'xribpt-->format', etc. A .doc 
> file is placed on the system which, when spell-corrected, will
> then become "format c:" or whatever its creator desires.
>   A variety of triggers were discovered for the Trojan, and they
> encompassed a variety of approaches. (The triggers were indicative
> of a benign series of probing experiments designed to lead to a
> finished product versatile enough to bypass any attempt to guard
> against the Trojan's execution.)

>   A simple trigger would run a .bat file which loaded the file into
> the word processor, auto-corrected the spelling, saved the file as 
> a .exe file of the creator's choosing, then exited.
>   More complicated triggers involved such things as (in Win 95)
> giving the file a unique extension (such as .xyz), using the
> "open with" option to point to a hidden copy of a word processor
> executable which has no macro-virus protection, etc., and which
> will run the macros in place in the file when it is opened.

Windoze is never secure. The only advantage of using Windoze is that the
hackers think that all windoze users are very stupid, have nothing
useful, and hacking them is like breaking into outhouses -- not the
wisest way to spend time.

>   As you pointed out, Igor, the more subtle a program's operation
> and effects, the longer it can work undiscovered and the greater
> the range of the time/space continuum it can encompass.

> > basically, install lots of backdoors and then play with their minds.
> 
>   Actually, Igor, I'm beginning to wonder if perhaps you are the
> hacker I've been trying to ferret out? I think I'll keep an eye
> on you.

Don't remember sending you any flowers...

I am not a hacker at all, Prof. TruthMonger. (although I believe that 
outsider hacking ought to be legalized) I was merely discussing 
issues.

> > some ppl would steal CC# of their customers and publish them, but I would
> > not do it.
> 
>   The hacker I've been discussing has infiltrated a variety of
> Pac Bell sites, and the like, over the years.
>   A regional administrator, upon being informed of the presence
> of an intruder on the system, immediately called in a team of
> Bay Area security consultants to deal with the problem. By the
> time they arrived the hacker had sent a small mountain of email
> to various management personnel which contained precious company
> secrets and had Pac Bell's competition listed as a cc: (in the
> body of the message, as a warning).
>   When the group from Berkeley arrived they consulted with the
> admin about the potential seriousness of the veiled threat, did
> a quick check of the system, realized who the hacker was that
> they were dealing with, shrugged, and said, "He's on our system
> too. We'd advise just leaving him alone."
>   When the administrator questioned the wisdom of their suggestion
> the consultants advised him that they would be more than happy to
> proceed as long as the overruling of their opinion was put in 
> writing. The admin agreed, whereupon he was presented with the
> consultants' standard "reality check" authorization form, whose
> letterhead reads:
> AUTHORIZATION TO PROCEED CONTRARY TO 
>    ADVISED COURSE OF PROCEDURE
> "Last One Seen Fixing It Gets The Blame"
> 
>   The administrator decided in favor of job-security, and the 
> security consultants were paid generously to provide a generic 
> report for his superiors which indicated that the admin's prompt 
> action resulted in the problem coming to a quick resolution.

I think that these ppl from Berkeley were the actual hackers... So they
bullshitted the sysadmin into submission in order to evade responsibility.

>   Personally, I've seen more than a few sysadmins who declare
> war on a minor hacker instead of just fixing the problem so
> that it won't occur again and moving on. (Much like some of the
> hilarious posts in the cypherpunks archives in which a list
> member responds to a Vulis post by saying, "Just ignore him
> and he'll go away." and then proceed to take two or three
> pot-shots at him.)

Yeah, an interesting observation.

	- Igor.
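An added example, not part of this message or of the thread it replies to: the two points above about a replaced `ps` (and other rarely inspected system files) and about an intruder whose handiwork is already on months of backups are, taken together, the case for a file-integrity baseline of the kind Tripwire keeps. The Python script below builds such a baseline over a constructed fake `/bin` in a temporary directory, simulates the intrusion the message describes (a `ps` wrapper that filters out one process name, plus an obscure extra file), and reports what changed. Every path, file name and script body in it is made up for the demonstration.

```python
import hashlib
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, streamed so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each path under root (relative) to its content hash, size and mode.

    Symlinks are recorded by target rather than followed, so an attacker
    cannot point a link at a clean file to make a swapped binary look intact.
    mtime is deliberately left out: it is trivially reset (touch -r), so it
    adds noise without adding evidence.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            entry = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}
            if stat.S_ISLNK(st.st_mode):
                entry["link"] = os.readlink(full)
            else:
                entry["sha256"] = hash_file(full)
            baseline[rel] = entry
    return baseline


def compare(baseline, current):
    """Report paths whose hash, size or mode changed, plus files added or removed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: a tiny fake /bin, a clean baseline, then an
    intrusion of the kind the thread describes. Returns the comparison."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        originals = {  # made-up wrapper scripts standing in for real binaries
            "ps": b"#!/bin/sh\nexec /usr/bin/ps.real \"$@\"\n",
            "cat": b"#!/bin/sh\nexec /usr/bin/cat.real \"$@\"\n",
            "ls": b"#!/bin/sh\nexec /usr/bin/ls.real \"$@\"\n",
        }
        for name, body in originals.items():
            path = os.path.join(bindir, name)
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, 0o755)

        baseline = build_baseline(root)  # taken while the tree is still clean

        # The intruder's edits: ps now hides a process name, and a helper with
        # an innocuous-looking name is dropped where nobody looks. Mode is
        # untouched on purpose; the content hash still catches it.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ps.real \"$@\" | grep -v sniffd\n")
        with open(os.path.join(root, ".X11-unix_helper"), "wb") as f:
            f.write(b"#!/bin/sh\n# backdoor placeholder (constructed sample)\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Two caveats follow directly from the message. The baseline is only worth as much as the backups are: one taken after the intruder has become "tenured" merely enshrines his files, so it has to predate the compromise and live somewhere he cannot write (offline or read-only media). And the comparison has to be run with a hashing tool and interpreter booted from trusted media, since a trojaned system utility can lie about its own hash just as easily as a trojaned `ps` lies about processes.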
