[ISN] Register duped by crimebusting D.I.R.T. Trojan

From: InfoSec News (isnat_private)
Date: Tue Jun 05 2001 - 19:42:06 PDT


    http://www.theregister.co.uk/content/4/19480.html
    
    By Thomas C Greene in Washington
    Posted: 06/06/2001 at 00:04 GMT
    
    My recent article on the D.I.R.T. (Data Interception by Remote
    Transmission) Trojan, with which law-enforcement agents can secretly
    monitor a suspect's computer and which is marketed by surveillance
    outfit Codex Data Systems, contained several inaccuracies, all of
    which can be attributed solely to my own lapse in the skepticism for
    which The Reg in general, and I personally, are known.
    
    The full story, as it happens, is immensely more twisted than I
    imagined when I wrote my original item. Clearly, The Register's
    readers deserve better -- and here it is:
    
    S.C.A.M.
    
    Thanks to several e-mailed hints from readers, I continued doing
    background research and have now confirmed that the CEO of Codex Data
    Systems is one Francis Edward "Frank" Jones, a convicted felon
    currently on probation for illegal possession of surveillance devices.
    He was charged with trafficking and conspiracy to traffic in them, but
    in an agreement he pleaded guilty to simple possession, and the US
    Government dropped the other two charges.
    
    He was sentenced to three-hundred hours' community service and five
    years' probation with no jail time, on the strength of his argument to
    the court that he was not responsible for his illegal acts by reason
    of mental defect. He has also been required to participate in a
    mental-health program, which, judging by some of his recent behavior,
    appears to be less than a screaming success.
    
    Jones is widely regarded as a scam artist with a long history of
    security/surveillance snake-oil sales. He has, for example, sold
    bug-detection services, which we're told are completely fraudulent,
    involving detection apparatus easily cobbled together from the
    inventory of Radio Shack. He's reported to have planted a bug which he
    subsequently 'found' during one such charade.
    
    A Legend in His Own Mind
    
    He's also a shameless, Boswellian self-promoter with a Web site
    devoted to himself in his on-line incarnation, "SpyKing."
    
    Here we're told that SpyKing/Jones is "formerly in military and law
    enforcement service," and "a popular talk show guest with 15
    appearances on national & regional programming and news specials."
    
    As for his law-enforcement experience, we've since learned that he
    managed to get himself fired from the New York City Police Department
    in 1975, according to a letter by Association of Counter-Intelligence
    Professionals (ACIP) Executive Director Michael Richardson.
    
    But the PR beat goes on: "Jones has lectured at M.I.T. (Massachussetts
    [sic] Institute of Technology) on TEMPEST computer eavesdropping
    techniques," his Web site claims. Indeed, "No other speaker has their
    thumb on the pulse of changing world trends in immerging [sic]
    surveillance technologies."
    
    The security 'experts' our illiterate subject has conned include
    hacker trivia master Winn Schwartau and AntiOnline's "JP" John
    Vranesevich (no surprises there), and such publications as PC World,
    E-BusinessWorld, TechWeek, the Wall Street Journal, and, thanks to my
    carelessness, The Register as well.
    
    The D.I.R.T. on the Trojan
    
    The truly inexcusable element of my first story was my failure to
    challenge rigorously Codex's claims regarding the amazing power of its
    D.I.R.T. Trojan.
    
    Had I taken the time to learn that SpyKing/Jones was behind this, I
    would have immediately suspected that it's a lot more talk than
    technology. But I ran with the piece out of eagerness to work my own
    agenda, motivated by personal outrage that anyone would be so
    irresponsible as to sell a Trojan to law-enforcement and governments
    as a surveillance device.
    
    And the reason for that outrage survives even now; D.I.R.T.
    unquestionably permits police to upload bogus evidence to a suspect's
    machine and offers no auditing controls by which they might be caught,
    which was the focus of my original report.
    
    That much hasn't changed; D.I.R.T. is absolutely ripe for abuse
    without accountability, and Jones is utterly damnable for trying to
    sell it to governments and police organizations.
    
    But I was on very shaky ground in reporting its true capabilities. My
    subsequent investigation indicates that Codex's claim that D.I.R.T.
    can defeat all known PC firewalls is, quite simply, false.
    
    Furthermore, their claim that "the software is completely transparent
    to the target and cannot be detected by current anti-virus software,"
    is misleading, if not completely false. There is no technology in
    D.I.R.T. responsible for this sort of stealth; the server isn't
    detected simply because no anti-virus vendor has as yet added it to
    their signatures catalog.
    
    Defeating D.I.R.T.
    
    My suggestions in the original article for defeating D.I.R.T. remain
    basically sound, if perhaps a bit over-cautious due to my mistaken
    belief that it defeats all known firewalls (though there is reason to
    believe it may defeat a few).
    
    Because it isn't presently detected by anti-virus software, one does
    have to look for evidence of it. By default, it installs two files in
    the C:\WINDOWS directory -- DESKTOP.EXE and DESKTOP.DLL. Find either
    of those files, and it's time to re-format your HDD.
    
    One can also check the Windows registry under:
    
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
    HKEY_USERS\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
    HKEY_USERS\DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
    
    for any references to DESKTOP.EXE or DESKTOP.DLL.
    
    For those not well acquainted with the incontinent complexities of the
    Windows Registry, it would be best simply to search the entirety for
    references to both files mentioned.
    
    Now, because those file names are defaults which can be modified by
    savvy operators, I'm not saying 'if you can't find the files, then you
    are not infected.' They could have been changed; but we can rely on
    the fact that most operators will be using D.I.R.T. in its default
    configuration -- after all, its chief selling point is that it can be
    used successfully by the technically illiterate.
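    An added example, not from the article or from Codex, that automates the two checks described above: it looks for the default file names in the Windows directory and searches a Registry Editor (.reg) export for references to them, keeping in mind that the names are defaults an operator may change. The sample export is constructed for illustration.

```python
import os
import re

# Default file names the article reports for the D.I.R.T. server. They are
# defaults only: an operator can rename them, so "not found" is not proof of
# a clean machine, but any hit warrants the article's advice.
DIRT_DEFAULT_FILES = ("DESKTOP.EXE", "DESKTOP.DLL")
FILE_PATTERN = re.compile("|".join(map(re.escape, DIRT_DEFAULT_FILES)), re.IGNORECASE)

# Constructed sample Registry Editor export (not a real capture): a Run key
# launches the default server binary; desktop.bmp shows that only the exact
# file names are matched, not every value containing "desktop".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop"="C:\\WINDOWS\\DESKTOP.EXE"

[HKEY_CURRENT_USER\Software\Example]
"Wallpaper"="C:\\WINDOWS\\desktop.bmp"
"""


def scan_file_names(file_names):
    """Return the default D.I.R.T. file names present among the given names."""
    return sorted({n.upper() for n in file_names if n.upper() in DIRT_DEFAULT_FILES})


def scan_windows_dir(windows_dir=r"C:\WINDOWS"):
    """Check a real Windows directory for the default file names."""
    try:
        return scan_file_names(os.listdir(windows_dir))
    except OSError:  # directory missing or unreadable: nothing to report
        return []


def scan_reg_export(reg_text):
    """Return registry values in a .reg export that reference the default files.

    Every key is scanned (the article's fallback of searching the whole
    registry); hits under a CurrentVersion key, which the article names as the
    place to look first, are flagged. Recent regedit exports are UTF-16, so
    open the file with encoding="utf-16" before passing its text here.
    """
    hits, current_key = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and FILE_PATTERN.search(line):
            hits.append({"key": current_key, "value": line,
                         "under_currentversion": "CURRENTVERSION" in current_key.upper()})
    return hits
```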
    
    One last point regarding defenses against the Trojan: soon after I
    posted the first article recommending disk re-formats for those unsure
    how to attack D.I.R.T., which was mentioned and linked at
    Cryptome.org, a reader submitted the following warning:
    
    "D.I.R.T. uses 'unused' space in the file system, so high-level
    reformatting will not destroy it. (This 'unused' space is used by
    operating systems to handle classified information with data
    structures similar to that in SE_Linux). Removing D.I.R.T. requires
    wiping the disk at the device-driver level."
    
    I spoke with Eric Schneider, who wrote the program before leaving
    Codex on ethical grounds; and he told me that so far as he knows,
    "there is no technology in D.I.R.T. which comes close to surviving a
    high-level format."
    
    So there you have it. D.I.R.T. is a remote administration tool which
    functions in large part just like the free Trojans SubSeven and BO2K,
    which is being sold by a disgraced former cop and current felon and
    mental patient for thousands of dollars a pop to creepy Feds in
    countries where the sort of abuse it invites is routine and impossible
    for a victim to challenge in court.
    
    In all, a loathsome scam run by an equally loathsome con artist.
    
    
    
    ISN is hosted by SecurityFocus.com