Message-ID: <CB1F49F2B508604292985807CF68F5F505953818@csexchange.cs.state.ny.us>
From: JMC13 at mail3.cs.state.ny.us (Clairmont, Jan)
Subject: Culprit Bio: Short course on BIOS vulnerability.
Let's go into basic security, Forth and assembler TSRs (terminate-and-stay-resident programs).
1. Internet protocols exist to transfer data with very little code; they involve services such as SMTP (HELO), tftp boot, telnet, and others. They require very little knowledge, and since I teach network security, an unsecured service is hackable and co-optable to the extreme. Courses on this are available, and every security person should at least take one course on basic hacking of unsecured services and security. Even secure services are hackable with the right training and persistence.
2. BIOS and DOS have assembler calls, especially using int 21 and int 20, that access devices and open files in a raw character mode that needs no other introduction. I have done this, writing in C++, C and assembler, to open Ethernet in promiscuous mode, or video, or memory. No device is unavailable to DOS, and these same exploits work for the most part on UNIX.
3. It is very easy to scan in promiscuous mode for ports and strings without regard to CRC, short packets or anything else locally. Truncated packets are normally dropped; they don't have to be if you are in promiscuous mode. Everything on the Internet is open for inspection and transmission.
4. MAC address, IP and anything else can be spoofed with a sniffer, windump or tcpdump replayer and sent on any port. This is no problem either on Ethernet. I have done this to reverse engineer protocols for legitimate reasons: companies who lost the protocol specs and need to port a protocol to another system. I have done this many times.
5. BIOS and reprogrammable EEPROMs have been around since the late '70s and early '80s. They have a low addressability, and again code and data are easily stored in them.
6. Forth, well, in the old days, had a 50-line assembler interpreter; 50 lines translates to maybe 150 bytes of code, more or less, depending on how tightly it was written. An interpreter that small can be hidden in the cracks: on an unused track on a hard disk, in flash memory, in a stored e-mail message, whatever. The Forth code is then small enough to open the default NIC card of any system in promiscuous mode and blast or receive away. BIOS on Intel machines has all the drivers and calls necessary for Forth, assembler or C to call.
7. A TSR (Terminate and Stay Resident) program is a little program that sits in memory awaiting a keystroke sequence (Ctrl-Alt-F12), or a date, or a string of data on a NIC card open in promiscuous mode. This can be teeny tiny, a few lines of assembler tucked away in a non-obvious TSR. How to program them is online, and again anybody savvy can do it.
8. The question is not so much how to do it as why? What is the motive? Who would do it? Why SCO? Why now?
We can all be forensic computer pathologists here. The challenge isn't so much the expertise of the hacker but finding them and shutting it down. Why? Because the Internet is a democratic highway for change and ideas, maybe the last one on earth, and if we want that last bastion of democracy taken away, then let this hacker, like others, get away with it, and then, like the Borg menace, we will be assimilated. The Internet will be clamped down. You won't be able to send an e-mail to Aunt Helen without an RSA card and an eye scan.
That would really burn us all; we must self-police, or we will be policed brutally. It may happen anyway, but this kind of stuff will surely shut it down more quickly.
Again, now upping the ante is Billy Boy (the Gates of the New World Order are upon us - you will be assimilated), offering another 250,000.
Get down off the soapbox, Jan, and let's have some fun:
Watson, the game's afoot; maybe today is a good day to die; cry havoc! and unleash the dogs of war! Whatever your favorite Sherlock Holmes, Star Trek or Shakespeare pseudo-quote is, go get 'em, Tiger.
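The following is an added example, written for this page and not code from Jan's message or from Helmut's; it illustrates items 3 and 7 above: a listener in promiscuous mode inspecting whatever bytes of a frame actually arrived, and a resident program watching for a trigger string in the payload. It parses constructed Ethernet/IPv4/TCP frames (all sample bytes are built inline, there is no real NIC access), pulls out the destination port, scans the available payload for a trigger string, and flags rather than drops frames whose IP total length exceeds the bytes on the wire. IP and TCP checksums are left at zero on purpose: a listener of this kind does not validate them.

```c
/* Added example: inspect Ethernet/IPv4/TCP frames the way a promiscuous
 * listener or trigger-watching TSR would, without dropping short frames.
 * All frames below are constructed sample data, not a real capture. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN        14
#define ETHERTYPE_IPV4  0x0800
#define PROTO_TCP       6

struct frame_info {
    int has_ip;             /* IPv4 header fully present */
    int has_tcp;            /* TCP header fully present */
    int truncated;          /* IP total length exceeds bytes on the wire */
    uint16_t dst_port;      /* valid when has_tcp */
    const uint8_t *payload; /* first payload byte actually available */
    size_t payload_len;     /* payload bytes actually available */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Parse what is there. Returns -1 only when there is no IPv4 header to
 * parse; a frame cut short mid-IP or mid-TCP is still reported. */
int parse_frame(const uint8_t *buf, size_t len, struct frame_info *fi)
{
    memset(fi, 0, sizeof *fi);
    if (len < ETH_HLEN || be16(buf + 12) != ETHERTYPE_IPV4) return -1;
    const uint8_t *ip = buf + ETH_HLEN;
    size_t rem = len - ETH_HLEN;
    if (rem < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || rem < ihl) return -1;
    fi->has_ip = 1;
    size_t tot = be16(ip + 2);
    if (tot > rem) { fi->truncated = 1; tot = rem; } /* keep what we have */
    if (tot < ihl || ip[9] != PROTO_TCP) return 0;
    const uint8_t *tcp = ip + ihl;
    size_t trem = tot - ihl;
    if (trem < 20) return 0;                          /* TCP header cut off */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || trem < doff) return 0;
    fi->has_tcp = 1;
    fi->dst_port = be16(tcp + 2);
    fi->payload = tcp + doff;
    fi->payload_len = trem - doff;
    return 0;
}

/* 1 if `needle` appears in the payload bytes that actually arrived. */
int payload_contains(const struct frame_info *fi, const char *needle)
{
    size_t n = strlen(needle);
    if (!fi->has_tcp || n == 0 || fi->payload_len < n) return 0;
    for (size_t i = 0; i + n <= fi->payload_len; i++)
        if (memcmp(fi->payload + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed frame: zeroed MACs, 192.0.2.1 -> 192.0.2.2 (documentation
 * range), src port 1234, checksums deliberately left at zero. */
size_t build_tcp_frame(uint8_t *out, uint16_t dport, const char *payload)
{
    size_t plen = strlen(payload), iplen = 20 + 20 + plen;
    memset(out, 0, ETH_HLEN + iplen);
    out[12] = 0x08; out[13] = 0x00;                   /* EtherType IPv4 */
    uint8_t *ip = out + ETH_HLEN;
    ip[0] = 0x45;                                     /* v4, IHL 5 */
    ip[2] = (uint8_t)(iplen >> 8); ip[3] = (uint8_t)iplen;
    ip[8] = 64; ip[9] = PROTO_TCP;
    ip[12] = 192; ip[13] = 0; ip[14] = 2; ip[15] = 1;
    ip[16] = 192; ip[17] = 0; ip[18] = 2; ip[19] = 2;
    uint8_t *tcp = ip + 20;
    tcp[0] = 0x04; tcp[1] = 0xd2;                     /* src port 1234 */
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50; tcp[13] = 0x18;                   /* doff 5, PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    return ETH_HLEN + iplen;
}

/* Scenario: the same 73-byte frame seen whole, cut at 68 bytes (trigger
 * still present), cut at 40 bytes (inside the TCP header), cut at 10.
 * Bitmask: 1 full hit, 2 truncated-but-hit, 4 IP-only, 8 rejected. */
int run_scenario(void)
{
    uint8_t buf[128];
    struct frame_info fi;
    int r = 0;
    size_t len = build_tcp_frame(buf, 4242, "hello TRIGGER world");
    if (parse_frame(buf, len, &fi) == 0 && fi.dst_port == 4242 &&
        !fi.truncated && payload_contains(&fi, "TRIGGER")) r |= 1;
    if (parse_frame(buf, 68, &fi) == 0 && fi.truncated &&
        payload_contains(&fi, "TRIGGER")) r |= 2;
    if (parse_frame(buf, 40, &fi) == 0 && fi.has_ip && !fi.has_tcp &&
        fi.truncated) r |= 4;
    if (parse_frame(buf, 10, &fi) == -1) r |= 8;
    return r;
}

int main(void)
{
    printf("scenario bitmask: 0x%x (expect 0xf)\n", run_scenario());
    return 0;
}
```

The point of the truncation handling is the one Jan makes in item 3: a stack that drops a short frame never sees the trigger, while a listener that parses what arrived still does. Compile with any C99 compiler; nothing here needs root or a network interface.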
-----Original Message-----
From: Helmut Hauser [mailto:helmut_hauser@...mail.com]
Sent: Friday, January 30, 2004 4:07 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Culprit Bio: Perfect Storm Averted or Just
It seems that the virus writer put his anagram into his creation. If you view the malware with a hex editor you can read the letters AU at the end of the file (beginning at 00007F20, end at 00007F70).
According to my disassembling, the virus writer used C++ with assembler includes and he has average skills; he used timers and sleep functions to conceal the presence of the active virus.
Helmut
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html