From: nobody@huge.cajones.com (Huge Cajones Remailer)
To: cypherpunks@toad.com
Message Hash: 348fac68d26668f64873ff4040675a42e54d3f6c9a5131f9087c1c65c7b01341
Message ID: <199705072327.QAA09304@fat.doobie.com>
Reply To: N/A
UTC Datetime: 1997-05-07 23:52:23 UTC
Raw Date: Thu, 8 May 1997 07:52:23 +0800
Subject: Igor's Diabolical Mind
Igor Chudov @ home wrote:
> some of the best hacks that I heard was to install a trojan
> instead of, say, cat, that would randomly change one byte in
> a randomly chosen file.
Igor,
I am currently monitoring a friend's system in order to analyze
the source and methodologies of various attacks on it and I spend my
spare time reading his email, databases, private diaries, etc.
(I am blessed with breasts which allow me to set a man's car on
fire and know he will just smile, and say, "That's OK, I'll get
another one.")
His comments regarding "Igor" imply that you have a diabolical
mind and a good nose for nasty business.
I can tell from your comments above that he judged you fairly well.
Most hackers tend to be one-time Charlies who pop into a low
security system to mark their territory by pissing on a directory
tree, so to speak, or adding their own personal form of graffiti
and then returning home to pat themselves on the back for their
great genius.
In many cases the admin of a good system will have everything
back to normal before the hacker has finished congratulating
himself.
The system intruder I am currently dealing with has a long
history of success in his nefarious activities and one of the
main reasons for this is his patience and his subtlety.
Once he gains entry to a system he generally sets up an
obscure back door for himself, pulls a directory tree, finds
out the backup schedule, and then exits.
He then lays out a plan of attack which is geared toward
allowing him to roam the system at will without being observed.
Usually, he will start by replacing such things as the system
'ps' command with one that keeps certain processes hidden from
the prying eyes of sysadmins. He also substitutes his own
programs for system files which are rarely installed and/or
used.
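The defensive counterpart to the substituted 'ps' and the "rarely used" system files described above is a file integrity baseline: hash the system binaries while the host is known-good, store the hashes somewhere the host cannot rewrite, and re-hash on a schedule. The following is an added example written for this archive page, not code from the poster or from anyone discussed in the thread; it builds a throwaway directory with constructed file contents (nothing in it is a real rootkit) and shows the kind of report such a check produces.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to be loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256.

    Symlinks are skipped on purpose: a link's target can be swapped without the
    link itself changing, so it should be audited separately.
    """
    baseline = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file() and not entry.is_symlink():
            baseline[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return baseline


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: a fake bin/ tree is baselined, then one binary is
    replaced and one dotfile is dropped, as an intruder of the kind described
    in the post would do. All contents are placeholder bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ps").write_bytes(b"placeholder: original ps binary\n")
        (root / "bin" / "ls").write_bytes(b"placeholder: original ls binary\n")
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        (root / "bin" / "ps").write_bytes(b"placeholder: replaced ps binary\n")
        (root / "bin" / ".extra").write_bytes(b"placeholder: dropped file\n")

        return compare_to_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The report is only as trustworthy as the baseline. The post's point about an intruder whose changes are already on months of backups applies here too: a baseline taken after the compromise, or restored from a tainted backup, merely certifies the tampered state, so keep the baseline on read-only media or a separate host and compare against install media when in doubt.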
He is one of a rare breed of pure hackers whose main focus is
system penetration and information access, with control issues
being secondary. This requires a level of patience that allows
him to observe the system for months, if necessary, before
moving to secure his long-term ability to penetrate the system
and roam at will.
Once an intruder has his handiwork on the previous few months
of system backups, then you might say that he has become a
"tenured" member of your organization.
I have had previous experience with the individual involved
in the compromise of my friend's system (and ISP) and I am well
aware of the fact that much of his power comes from the fact
that he tends not to interfere with the functioning of one's
system unless he is attacked. (In which case he generally fires
a shot over the sysadmin's bow, indicating that the choices are
"peaceful coexistence" or "explaining to management that their
system is 'toast' because you chose to cop an attitude.")
The only way, to my knowledge, that anyone has ever forced his
exit from a system he has penetrated has been by ferreting out
enough of the substructure of his intrusion that he fears his
latest methodologies being discovered and exposed to scrutiny.
{In which case he quietly packs up and leaves. {In my case,
he sent me flowers, as well.})
On rare occasions he will intervene to fix system problems
that are beyond the resident sysadmin, perhaps because the
problems are affecting his own activities.
When macro capabilities were added to spreadsheet programs,
he had a trojan written for them before the shrink-wrap on
the new release hit the floor. (He recognized macros as a
close cousin to the Unix daemons, which he considers God's
gift to pure hackers.)
He was lurking on my friend's system in Austin, at the
time, and he dropped my friend a polite note that advised him
it would be unwise to mess with the files until the hacker
had debugged them sufficiently that they would not cause
inadvertent problems.
His current work-in-progress is a Trojan which is frightening
in its scope if it turns out to operate in the manner that I
and others now suspect. It may represent a quantum leap in Trojan
Horse technology (kind of an Equestrian Trojan Horse).
{Its existence was "discovered" by a cypherpunk, by the way.}
While I am not at liberty to reveal the as yet sketchy details
of how the Trojan operates, I can give you a small glimpse into
the mind of its creator by providing an example of another
Trojan that was previously discovered with his signature on it.
The Trojan works through a word processor's spell checking and
automatic correction system.
Nonsensical character sequences are added to the spell checker,
in the form of 'xytrz-->delete', 'xribpt-->format', etc. A .doc
file is placed on the system which, when spell-corrected, will
then become "format c:" or whatever its creator desires.
A variety of triggers were discovered for the Trojan, and they
encompassed a variety of approaches. (The triggers were indicative
of a benign series of probing experiments designed to lead to a
finished product versatile enough to bypass any attempt to guard
against the Trojan's execution.)
A simple trigger would run a .bat file which loaded the file into
the word processor, auto-corrected the spelling, saved the file as
a .exe file of the creator's choosing, then exited.
More complicated triggers involved such things as (in Win 95)
giving the file a unique extension (such as .xyz), using the
"open with" option to point to a hidden copy of a word processor
executable which has no macro-virus protection, etc., and which
will run the macros in place in the file when it is opened.
(A variation on this trigger takes advantage of the fact that
many systems keep outdated versions of word processing software
on the system in order to be able to work with older files {which
often turn to crap when loaded into the latest-greatest version,
despite manufacturers' claims of compatibility}. Users and admins
generally don't stop to realize that the "protection" they install
is often applied only to the newest version of their software.)
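Because the spell-corrector Trojan above lives in the autocorrect list rather than in any executable, the place to look for it is the list itself. The following is an added example for this archive page, not the poster's code: it audits an autocorrect replacement list for entries whose trigger is nonsense relative to its replacement (genuine entries fix near-misses like "teh"), and for replacements that read like commands. The tab-separated format and the sample entries are constructed for the example; real word processors store these lists in their own formats and would need to be exported first.

```python
import re
from difflib import SequenceMatcher

# Constructed sample list in "trigger<TAB>replacement" form. The first two
# entries are ordinary typo fixes; the last two mirror the entries the post
# describes ('xytrz-->delete', 'xribpt-->format').
SAMPLE_AUTOCORRECT = """\
teh\tthe
recieve\treceive
xytrz\tdelete
xribpt\tformat c:
"""

# Replacement text that looks like a command or a path rather than a word.
COMMAND_PATTERN = re.compile(
    r"(\b(format|del|delete|deltree|erase|rm|copy|cmd|command)\b"  # command verbs
    r"|\b[a-z]:(?=\\|\s|$)"                                        # drive letter such as c:
    r"|\.(exe|bat|com)\b)",                                        # executable extensions
    re.IGNORECASE,
)

# Below this similarity an entry is not a plausible typo correction.
RESEMBLANCE_THRESHOLD = 0.4


def parse_autocorrect(text: str) -> list:
    """Parse the constructed tab-separated list into (trigger, replacement) pairs."""
    entries = []
    for line in text.splitlines():
        if "\t" not in line or not line.strip():
            continue
        trigger, replacement = line.split("\t", 1)
        entries.append((trigger.strip(), replacement.strip()))
    return entries


def audit_entries(entries: list) -> list:
    """Return (trigger, replacement, reasons) for every entry worth a human look."""
    findings = []
    for trigger, replacement in entries:
        reasons = []
        if COMMAND_PATTERN.search(replacement):
            reasons.append("replacement looks like a command")
        ratio = SequenceMatcher(None, trigger.lower(), replacement.lower()).ratio()
        if ratio < RESEMBLANCE_THRESHOLD:
            reasons.append(f"trigger does not resemble replacement (similarity {ratio:.2f})")
        if reasons:
            findings.append((trigger, replacement, reasons))
    return findings


if __name__ == "__main__":
    for trigger, replacement, reasons in audit_entries(parse_autocorrect(SAMPLE_AUTOCORRECT)):
        print(f"{trigger!r} -> {replacement!r}: {'; '.join(reasons)}")
```

The output is a review list, not a verdict: deliberate expansions such as "(c)" to the copyright sign also fail the resemblance test, so the findings should be compared against the list the software shipped with and against whatever entries the user added on purpose.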
As you pointed out, Igor, the more subtle a program's operation
and effects, the longer it can work undiscovered and the greater
the range of the time/space continuum it can encompass.
Virus/Trojan checkers generally guard only against system
damage and/or loss of data. It is infinitely more difficult
to guard against a system intruder who has other goals in mind
and has the patience to remain unobtrusive.
Even most security conscious system administrators don't take
much note of minor glitches as long as they appear to be benign
problems inherent in the implementation of the software.
The Trojan that I and others are currently working with was
only perceived as a potential problem after the person who
discovered it had spent months cursing the software manufacturer
for not including an obviously needed capability in the product.
It was a very minor but frustrating problem, leading the user
to make inquiries as to how to "work around" the product's lack
of providing this function. Upon discovery that the product was
supposed to provide the function, his research quickly indicated
that there was a "fly in the ointment."
Most users probably would have just shrugged and lived with
the problem, since it was relatively minor. Instead, he brought
the small anomaly he discovered to the attention of myself and
others and it has opened up a Pandora's box that appears to
have the potential for a new breed of Trojan Horses.
> basically, install lots of backdoors and then play with their minds.
Actually, Igor, I'm beginning to wonder if perhaps you are the
hacker I've been trying to ferret out? I think I'll keep an eye
on you.
> some ppl would steal CC# of their customers and publish them, but I would
> not do it.
The hacker I've been discussing has infiltrated a variety of
Pac Bell sites, and the like, over the years.
A regional administrator, upon being informed of the presence
of an intruder on the system, immediately called in a team of
Bay Area security consultants to deal with the problem. By the
time they arrived the hacker had sent a small mountain of email
to various management personnel which contained precious company
secrets and had Pac Bell's competition listed as a cc: (in the
body of the message, as a warning).
When the group from Berkeley arrived they consulted with the
admin about the potential seriousness of the veiled threat, did
a quick check of the system, realized who the hacker was that
they were dealing with, shrugged, and said, "He's on our system
too. We'd advise just leaving him alone."
When the administrator questioned the wisdom of their suggestion
the consultants advised him that they would be more than happy to
proceed as long as the overruling of their opinion was put in
writing. The admin agreed, whereupon he was presented with the
consultants' standard "reality check" authorization form, whose
letterhead reads:
AUTHORIZATION TO PROCEED CONTRARY TO
ADVISED COURSE OF PROCEDURE
"Last One Seen Fixing It Gets The Blame"
The administrator decided in favor of job-security, and the
security consultants were paid generously to provide a generic
report for his superiors which indicated that the admin's prompt
action resulted in the problem coming to a quick resolution.
Personally, I've seen more than a few sysadmins who declare
war on a minor hacker instead of just fixing the problem so
that it won't occur again and moving on. (Much like some of the
hilarious posts in the cypherpunks archives in which a list
member responds to a Vulis post by saying, "Just ignore him
and he'll go away," and then proceeds to take two or three
pot-shots at him.)
(.)(.)Monger