STOP NATO: ¡NO PASARAN! - HTTP://WWW.STOPNATO.ORG.UK
7 June 2001 Updated: 20:43 GMT
<http://www.theregister.co.uk/>
<http://www.theregister.co.uk/content/31/17656.html>
Reg duped by crime-busting D.I.R.T Trojan
By Thomas C Greene in Washington <mailto:[EMAIL PROTECTED]>
Posted: 06/06/2001 at 00:04 GMT
My recent article,
<http://www.theregister.co.uk/content/6/19404.html> on the D.I.R.T. (Data
Interception by Remote Transmission) Trojan, with which law-enforcement
agents can secretly monitor a suspect's computer and which is marketed by
surveillance outfit Codex Data Systems
<http://www.codexdatasystems.com/menu.html>, contained several inaccuracies,
all of which can be attributed solely to my own lapse in the skepticism for
which The Reg in general, and I personally, are known.
The full story, as it happens, is immensely more twisted than I imagined
when I wrote my original item. Clearly, The Register's readers deserve
better -- and here it is:
S.C.A.M.
Thanks to several e-mailed hints from readers, I continued doing
background research and have now confirmed that the CEO of Codex Data
Systems is one Francis Edward "Frank" Jones, a convicted felon currently on
probation for illegal possession of surveillance devices. He was charged
with trafficking and conspiracy to traffic in them, but in an agreement he
pleaded guilty to simple possession, and the US Government dropped the other
two charges.
He was sentenced to three-hundred hours' community service and five years'
probation with no jail time, on the strength of his argument to the court
that he was not responsible for his illegal acts by reason of mental defect.
He has also been required to participate in a mental-health program, which,
judging by some of his recent behavior, appears to be less than a screaming
success.
Jones is widely regarded as a scam artist with a long history of
security/surveillance snake-oil sales. He has, for example, sold
bug-detection services, which we're told are completely fraudulent,
involving detection apparatus easily cobbled together from the inventory of
Radio Shack. He's reported to have planted a bug which he subsequently
'found' during one such charade.
A Legend in His Own Mind
He's also a shameless, Boswellian self-promoter
with a Web site <http://www.spyking.com/spyking.html> devoted to himself in
his on-line incarnation, "SpyKing."
Here we're told that SpyKing/Jones is "formerly in military and law
enforcement service," and "a popular talk show guest with 15 appearances on
national & regional programming and news specials."
As for his law-enforcement experience, we've since learned that he managed
to get himself fired from the New York City Police Department in 1975,
according to a letter by Association of Counter-Intelligence Professionals
(ACIP) Executive Director Michael Richardson.
But the PR beat goes on: "Jones has lectured at M.I.T. (Massachussetts [sic]
Institute of Technology) on TEMPEST computer eavesdropping techniques," his
Web site claims. Indeed, "No other speaker has their thumb on the pulse of
changing world trends in immerging [sic] surveillance technologies."
Our illiterate subject has conned such publications as PC World,
E-BusinessWorld, TechWeek, the Wall Street Journal, and, thanks to my
carelessness, The Register as well.
The D.I.R.T. on the Trojan
The truly inexcusable element of my first story was my failure to challenge
rigorously Codex's claims regarding the amazing power of its D.I.R.T. Trojan.
Had I taken the time to learn that SpyKing/Jones was behind this, I would
have immediately suspected that it's a lot more talk than technology. But I
ran with the piece out of eagerness to work my own agenda, motivated by
personal outrage that anyone would be so irresponsible as to sell a Trojan
to law-enforcement and governments as a surveillance device.
And the reason for that outrage survives even now; D.I.R.T. unquestionably
permits police to upload bogus evidence to a suspect's machine and offers no
auditing controls by which they might be caught, which was the focus of my
original report.
That much hasn't changed; D.I.R.T. is absolutely ripe for abuse without
accountability, and Jones is utterly damnable for trying to sell it to
governments and police organizations.
But I was on very shaky ground in reporting its true capabilities. My
subsequent investigation indicates that Codex's claim that D.I.R.T. can
defeat all known PC firewalls is, quite simply, false.
Furthermore, their claim that "the software is completely transparent to the
target and cannot be detected by current anti-virus software," is
misleading, if not completely false. There is no technology in D.I.R.T.
responsible for this sort of stealth; the server isn't detected simply
because no anti-virus vendor has as yet added it to their signatures
catalog.
Defeating D.I.R.T.
My suggestions in the original article for defeating D.I.R.T. remain
basically sound, if perhaps a bit over-cautious due to my mistaken belief
that it defeats all known firewalls (though there is reason to believe it
may defeat a few).
Because it isn't presently detected by anti-virus software, one does have to
look for evidence of it. By default, it installs two files in the C:\WINDOWS
directory -- DESKTOP.EXE and DESKTOP.DLL. If you find either of those files,
you need to remove them and any associated files (such as .LOG files), or
re-format your HDD to be on the safe side.
One can also check the Windows registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion
(in particular the Run, RunOnce and RunServices subkeys, which start programs
at boot or logon) for any references to DESKTOP.EXE or DESKTOP.DLL.
For those not intimately acquainted with the incontinent complexities of the
Windows Registry, it would be best simply to search the entirety for
references to both files mentioned. (It's also worthwhile to check out some
of the suggestions in my previous report.)
Now, because those file names are defaults which can be modified by savvy
operators, I'm not saying, 'if you can't find the files, then you're not
infected.' The names can be changed; but we can rely on the fact that most
operators will be using D.I.R.T. in its default configuration -- after all,
its chief selling point is that it can be used successfully by the
technically illiterate.
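The two checks above (files in C:\WINDOWS, references anywhere in the registry) can be scripted so that the whole registry is searched rather than a few keys. What follows is an added example in Python, not code from the article or from Codex: it parses the text produced by `regedit /e` or `reg export`, decodes quoted REG_SZ data and hex(2)/hex(7) data (UTF-16LE bytes, which regedit wraps over several lines), and reports only whole-name matches, so the ordinary "Desktop" folder and value names do not produce false hits. The sample export is constructed; its key and value names are illustrative, not observed D.I.R.T. artefacts. Change DIRT_DEFAULT_NAMES if an operator has renamed the files.

```python
"""Hunt for the D.I.R.T. default file names (DESKTOP.EXE / DESKTOP.DLL) in a
registry export and in a directory tree.

Added example, not code from the article or from Codex.  The registry text is
constructed to look like the output of `regedit /e` or `reg export`; the key
and value names in it are illustrative, not observed D.I.R.T. artefacts.
"""
import os
import re

DIRT_DEFAULT_NAMES = ("DESKTOP.EXE", "DESKTOP.DLL")

# Constructed sample export of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion.
# The "Loader" value is REG_EXPAND_SZ (hex(2)): UTF-16LE bytes wrapped over
# two lines with a trailing backslash, which is how regedit writes them.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Desktop"="C:\\WINDOWS\\DESKTOP.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Loader"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,\
  00,44,00,45,00,53,00,4b,00,54,00,4f,00,50,00,2e,00,44,00,4c,00,4c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop]
"Wallpaper"="C:\\WINDOWS\\Desktop\\paper.bmp"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _name_pattern(names):
    """Whole-token, case-insensitive match: 'Desktop\\paper.bmp' must not hit."""
    alts = "|".join(re.escape(n) for n in names)
    return re.compile(r"(?<![A-Za-z0-9_])(?:%s)(?![A-Za-z0-9_])" % alts, re.IGNORECASE)


def _logical_lines(reg_text):
    """Rejoin hex data that regedit wraps with a trailing backslash."""
    lines, buf = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_data(data):
    """Turn .reg value data into text: quoted REG_SZ, or hex(N) byte lists."""
    data = data.strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data, re.IGNORECASE)
    if m:
        kind = int(m.group(1) or 3)            # bare "hex:" is REG_BINARY (3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2, 7):                   # SZ / EXPAND_SZ / MULTI_SZ
            text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
            return text.replace("\x00", "\n")   # MULTI_SZ: one string per line
        return raw.hex()
    return data                                 # dword:..., etc.


def find_registry_references(reg_text, names=DIRT_DEFAULT_NAMES):
    """Return (key, value name, decoded data) for every value naming an IOC."""
    pattern = _name_pattern(names)
    hits, current_key = [], None
    for line in _logical_lines(reg_text):
        km = _KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            continue
        vm = _VALUE_RE.match(line)
        if not vm or current_key is None:
            continue
        value_name = "(Default)" if vm.group(2) else vm.group(1)
        data = _decode_data(vm.group(3))
        if pattern.search(value_name) or pattern.search(data):
            hits.append((current_key, value_name, data))
    return hits


def find_files(root, names=DIRT_DEFAULT_NAMES):
    """Walk a tree (e.g. C:\\WINDOWS) for the IOC file names, case-insensitively."""
    wanted = {n.upper() for n in names}
    return sorted(
        os.path.join(dirpath, f)
        for dirpath, _dirs, files in os.walk(root)
        for f in files
        if f.upper() in wanted
    )


if __name__ == "__main__":
    for key, name, data in find_registry_references(SAMPLE_REG_EXPORT):
        print("%s  %s = %s" % (key, name, data))
```

On the sample, the scan reports the Run value pointing at C:\WINDOWS\DESKTOP.EXE and the RunServices value whose UTF-16 data decodes to C:\WINDOWS\DESKTOP.DLL, and nothing for the wallpaper path. Export the whole hive (`regedit /e all.reg`) rather than one key so a loader registered somewhere unexpected is still found, and remember that a hit only tells you the default names are in use; a renamed install needs the process and connection checks from the earlier article.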
One final point regarding defenses against the Trojan: soon after I posted
the first article recommending disk re-formats for those unsure how to
combat D.I.R.T., which was mentioned and linked at Cryptome.org
<http://cryptome.org>, a reader submitted the following warning: "D.I.R.T.
uses 'unused' space in the file system, so high-level reformatting will not
destroy it. (This 'unused' space is used by operating systems to handle
classified information with data structures similar to that in SE_Linux).
Removing D.I.R.T. requires wiping the disk at the device-driver level."
I spoke with Eric Schneider, who wrote the program before leaving Codex on
ethical grounds; and he told me that so far as he knows "there is no
technology in D.I.R.T. which comes close to surviving a high-level format."
So there you have it. Codex's D.I.R.T. is a remote administration tool that
functions in large part just like the free Trojans SubSeven and BO2K, and it
is being sold by a disgraced former cop, current felon and self-confessed
lunatic for thousands of dollars a pop to creepy Feds in countries where the
sort of abuse it invites is routine and impossible for a victim to challenge
in court.
In all, a loathsome scam run by an equally loathsome con artist.
===========================================================================
The original article mentioned above:
===========================================================================
Trojan lets cyber-cops plant bogus evidence
By Thomas C Greene in Washington <mailto:[EMAIL PROTECTED]>
Posted: 04/06/2001 at 09:36 GMT
Note: This story contains incomplete and inaccurate data. Please see my
explanation and partial retraction
<http://www.theregister.co.uk/content/4/19480.html> for the latest and most
accurate information. -- TCG
A new tool of Fascist control, with which law-enforcement agents can
secretly monitor the entire range of a suspect's computer activity, has been
developed by self-proclaimed 'computer surveillance experts' Codex Data
Systems <http://www.codexdatasystems.com/menu.html>, according to a document
sent to Cryptome.org <http://cryptome.org>.
The source here is a PowerPoint slide show, presumably by Codex PR bunnies,
boasting of D.I.R.T.'s amazing capabilities to violate in secret the last
vestiges of civil protections from state oppression.
"Imagine being able to remotely monitor any PC in the world anytime you
want," the company taunts. "Suppose you could read every keystroke... Access
and retrieve any file from the hard drive without having physical access...
No more secrets..."
The company slide show is carefully crafted to generate maximum suspense
among Feds and cops straining to find ways around such regrettable obstacles
as civil rights.
Thus a series of 'scenarios' guaranteed to get the oppressive juices
flowing:
Scenario:
You want to execute an "Electronic No-Knock Search Warrant" by stealth via
the Internet to allow surreptitious remote seizure of digital evidence.
What do you use?
Scenario:
Your undercover online investigator makes contact with a suspected pedophile
in a chat room. Suspect sends illegal image(s). You now have probable cause.
You want to remotely monitor suspect and seize additional evidence from his
computer.
What do you use?
Scenario:
Your investigation has determined that your suspects are using strong
encryption to protect themselves. You need to "crack" encrypted and/or
password protected e-mail and stored files. You don't have the time or money
for a "Brute Force attack."
What do you use?
The answer to all the above is, of course, D.I.R.T.
And just what is D.I.R.T.? Why it's a Trojan, pure and simple, which the Feds
can feed to targets surreptitiously. It has a point-and-drool GUI and so
functions very much like SubSeven on steroids.
It doesn't crack crypto; it simply logs keystrokes, including, obviously,
the user's pass phrase. Crude, but effective.
It also defeats all known firewalls, killing the running process, replacing
the firewall icon, and allowing a stealth FTP connection.
The D.I.R.T. client can be embedded in Word documents, Excel documents,
PowerPoint presentations, RTF documents, Word Perfect documents, Autorun.bat
on CD-ROMS and floppy disks, and, coming soon in a free upgrade, Lotus
Suite, JavaScript and ActiveX.
Better yet, "D.I.R.T. is user friendly and can be operated by investigators
with minimal computer skills," we're told.
Most grotesquely, it enables the Feds to plant bogus evidence on a suspect's
computer.
"Sending hidden code to the target PC is simple using the D.I.R.T. 'Bug
Generator'. Investigators need not have special computer code writing
skills. Just point and click."
A true tool of Fascism if ever we heard of one. And get this: the company
discusses it with pride.
Getting around it
Protecting yourself from this diabolical program won't be easy. First, you
need to monitor your comp's processes. Anything persistent which you don't
recognize/can't explain should result in an immediate re-format with files
re-loaded from text-only sources.
For *nix, see this document
<http://www.linuxselfhelp.com/howtos/Process-Monitor/Process-Monitor-HOWTO-2.html>.
For Windows, see this one
<http://www.sysinternals.com/ntw2k/freeware/handleex.shtml>.
You should run Netstat
<http://nim.cit.cornell.edu/usr/share/man/info/en_US/a_doc_lib/cmds/aixcmds4/netstat.htm>
regularly to monitor all of your active connections. And
again, anything persistent which you don't recognize/can't explain should
result in an immediate re-format with files re-loaded from text-only
sources.
A handy progie which will resolve strange IPs is the free version of the
Patrick Project DNS utility
<http://icq.zdnet.com/downloads/stories/info/0,,000WGG,.html>. Curious
domains can then be traced free and easily via SamSpade.org
<http://samspade.org>, which has heaps of useful CGI gateways.
9x corner
If all this strikes you as too technical, then you must be running Win9x,
and that means you'd better play it as safe as possible. This, we're sorry
to say, means re-formatting on a regular basis, like once a month. Annoying
and troublesome, we'll allow; but it's the only way for the technically
challenged to prevail against D.I.R.T.
In order to do this successfully, you should ditch every file you don't need
during each re-format. Files you do need must first be saved to removable
media in plain text with a non-formatting text editor (e.g., Windows
Notepad); and you'll need to change your PGP pass phrase (not your key) each
time as well.
Now set up your '9x box lean and mean, as if you were a gamer. Go to
C:\WINDOWS\SYSTEM\MSCONFIG.EXE and make a desktop icon for the progie.
Activate it, click on the 'STARTUP' tab, kill everything you don't need and
re-boot (do NOT kill EXPLORER or SYSTEM TRAY). This will make it easier to
keep track of what you have running, and what you should have running, which
you can occasionally check with ALT-CTRL-DEL.
Immediately after you re-format, run MSCONFIG.EXE and kill all the rot. Next
re-boot, connect to the Internet, and then go ALT-CTRL-DEL and make a note
of everything you have running. This list should remain constant. If it ever
changes unexpectedly, it's time to re-format again.
This exercise can be helpful, but it's not an authoritative inventory of
running processes; so if you're technically challenged, and have reason to
fear being infected with D.I.R.T. or some other scumbag Fed Trojan, stick to
re-formatting once a month as a precaution.
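The routine described above, both the Netstat advice earlier in the article and the 9x baseline just given (note what is running and connected on a clean box, then flag anything that appears later), can be scripted rather than eyeballed. The following is an added example in Python, not code from the article: it works over constructed `netstat -an` output in the Windows format and reports entries with no counterpart in the baseline. Listeners are keyed by local port and outbound connections by remote endpoint, because the local ephemeral port changes on every connection and a naive line-by-line comparison would flag the same web server as "new" every time; half-closed states are ignored as churn. The new listener on port 27374 in the sample is constructed (it is SubSeven's well-known default), as is the outbound FTP-control connection. The same set difference applies to the process list noted from ALT-CTRL-DEL.

```python
"""Baseline-and-diff check over `netstat -an` output, the check the article
asks you to do by hand.  Added example, not from the article; both snapshots
below are constructed in the Windows netstat format."""

# Constructed baseline taken right after a clean install.
BASELINE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Constructed later snapshot: the same web server on a new ephemeral port (not
# news), a finished connection in TIME_WAIT (churn), a new listener on 27374
# (SubSeven's default) and an outbound FTP-control connection to an address
# never seen before.  Only the last two should be reported.
CURRENT_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      203.0.113.5:80         TIME_WAIT
  TCP    192.168.1.10:1051      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1052      198.51.100.7:21        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Half-closed states are churn, not a persistent connection; skip them.
_TRANSIENT = {"TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT_1", "FIN_WAIT_2",
              "CLOSING", "LAST_ACK"}


def parse_netstat(text):
    """Return a set of (proto, local, remote, state) tuples from netstat -an."""
    entries = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # header lines, blanks
        state = parts[3] if len(parts) > 3 else ""   # UDP has no state column
        if state in _TRANSIENT:
            continue
        entries.add((parts[0], parts[1], parts[2], state))
    return entries


def endpoint_key(entry):
    """What makes a socket 'the same' between two snapshots.

    Listeners (and UDP sockets) are identified by local port.  The local
    ephemeral port of an outbound connection changes every time, so those
    are identified by state and remote endpoint instead.
    """
    proto, local, remote, state = entry
    if proto == "UDP" or state == "LISTENING":
        return (proto, "listen", local.rsplit(":", 1)[1])
    return (proto, state, remote)


def new_connections(baseline_text, current_text):
    """Entries in the current snapshot with no counterpart in the baseline."""
    known = {endpoint_key(e) for e in parse_netstat(baseline_text)}
    return sorted(e for e in parse_netstat(current_text)
                  if endpoint_key(e) not in known)


if __name__ == "__main__":
    for proto, local, remote, state in new_connections(BASELINE_NETSTAT,
                                                       CURRENT_NETSTAT):
        print("NEW  %-4s %-22s %-22s %s" % (proto, local, remote, state))
```

Save the baseline text to removable media along with the rest of your clean-install notes, and run the comparison from there; a baseline kept on the box being checked is something the tool in question could edit.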
It wouldn't hurt to change ISPs from time to time as well, which is the only
non-technical way to defeat Carnivore (though you IP savants know more
convenient methods), just in case the Feds decide to double-team you with
their perverse toys.