FC: DIRT surveillance software is a "fraud," says U.K. Register

From: Declan McCullagh (declanat_private)
Date: Thu Jun 07 2001 - 06:40:03 PDT


    The D.I.R.T. program has been around for a while and pops up every now and 
    then at hacker/security conventions:
    http://www.vialls.homestead.com/computer1.html
    http://csf.colorado.edu/mail/bioregional/dec98/0026.html
    
    ********
    
    From: "Thomas C. Greene" <tcgreeneat_private>
    To: <declanat_private>
    Subject: Crime-busting Trojan D.I.R.T. is a fraud
    Date: Tue, 5 Jun 2001 22:50:00 -0700
    
    Declan, please send this out to your Politech list.  Frank Jones of Codex
    Data Systems is selling a Trojan to law-enforcement (chiefly overseas) as a
    surveillance device.  It enables cops to upload bogus evidence to a victim's
    machine with no auditing mechanism to ensure accountability.  Unfortunately,
    i did a story on Sunday which contained some incomplete and inaccurate
    information, and i really need to set the record straight.
    
    thanks,
    tom
    
    http://www.theregister.co.uk/content/4/19480.html
    
    My recent article on the D.I.R.T. (Data Interception by Remote Transmission)
    Trojan, with which law-enforcement agents can secretly monitor a suspect's
    computer and which is marketed by surveillance outfit Codex Data Systems,
    contained several inaccuracies, all of which can be attributed solely to my
    own lapse in the skepticism for which The Reg in general, and I personally,
    are known.
    
    The full story, as it happens, is immensely more twisted than I imagined
    when I wrote my original item. Clearly, The Register's readers deserve
    better -- and here it is:
    
    S.C.A.M.
    Thanks to several e-mailed hints from readers, I continued doing background
    research and have now confirmed that the CEO of Codex Data Systems is one
    Francis Edward "Frank" Jones, a convicted felon currently on probation for
    illegal possession of surveillance devices. He was charged with trafficking
    and conspiracy to traffic in them, but in an agreement he pleaded guilty to
    simple possession, and the US Government dropped the other two charges.
    
    He was sentenced to three-hundred hours' community service and five years'
    probation with no jail time, on the strength of his argument to the court
    that he was not responsible for his illegal acts by reason of mental defect.
    He has also been required to participate in a mental-health program, which,
    judging by some of his recent behavior, appears to be less than a screaming
    success.
    
    Jones is widely regarded as a scam artist with a long history of
    security/surveillance snake-oil sales. He has, for example, sold
    bug-detection services, which we're told are completely fraudulent,
    involving detection apparatus easily cobbled together from the inventory of
    Radio Shack. He's reported to have planted a bug which he subsequently
    'found' during one such charade.
    
    A Legend in His Own Mind
    He's also a shameless, Boswellian self-promoter with a Web site devoted to
    himself in his on-line incarnation, "SpyKing."
    
    Here we're told that SpyKing/Jones is "formerly in military and law
    enforcement service," and "a popular talk show guest with 15 appearances on
    national & regional programming and news specials."
    
    As for his law-enforcement experience, we've since learned that he managed
    to get himself fired from the New York City Police Department in 1975,
    according to a letter by Association of Counter-Intelligence Professionals
    (ACIP) Executive Director Michael Richardson.
    
    But the PR beat goes on: "Jones has lectured at M.I.T. (Massachussetts [sic]
    Institute of Technology) on TEMPEST computer eavesdropping techniques," his
    Web site claims. Indeed, "No other speaker has their thumb on the pulse of
    changing world trends in immerging [sic] surveillance technologies."
    
    The security 'experts' our illiterate subject has conned include hacker
    trivia master Winn Schwartau and AntiOnline's "JP" John Vranesevich (no
    surprises there), and such publications as PC World, E-BusinessWorld,
    TechWeek, the Wall Street Journal, and, thanks to my carelessness, The
    Register as well.
    
    The D.I.R.T. on the Trojan
    The truly inexcusable element of my first story was my failure to challenge
    rigorously Codex's claims regarding the amazing power of its D.I.R.T.
    Trojan.
    
    Had I taken the time to learn that SpyKing/Jones was behind this, I would
    have immediately suspected that it's a lot more talk than technology. But I
    ran with the piece out of eagerness to work my own agenda, motivated by
    personal outrage that anyone would be so irresponsible as to sell a Trojan
    to law-enforcement and governments as a surveillance device.
    
    And the reason for that outrage survives even now; D.I.R.T. unquestionably
    permits police to upload bogus evidence to a suspect's machine and offers no
    auditing controls by which they might be caught, which was the focus of my
    original report.
    
    That much hasn't changed; D.I.R.T. is absolutely ripe for abuse without
    accountability, and Jones is utterly damnable for trying to sell it to
    governments and police organizations.
    
    But I was on very shaky ground in reporting its true capabilities. My
    subsequent investigation indicates that Codex's claim that D.I.R.T. can
    defeat all known PC firewalls is, quite simply, false.
    
    Furthermore, their claim that "the software is completely transparent to the
    target and cannot be detected by current anti-virus software," is
    misleading, if not completely false. There is no technology in D.I.R.T.
    responsible for this sort of stealth; the server isn't detected simply
    because no anti-virus vendor has as yet added it to their signatures
    catalog.
    
    Defeating D.I.R.T.
    My suggestions in the original article for defeating D.I.R.T. remain
    basically sound, if perhaps a bit over-cautious due to my mistaken belief
    that it defeats all known firewalls (though there is reason to believe it
    may defeat a few).
    
    Because it isn't presently detected by anti-virus software, one does have to
    look for evidence of it. By default, it installs two files in the C:\WINDOWS
    directory -- DESKTOP.EXE and DESKTOP.DLL. Find either of those files, and
    it's time to re-format your HDD.
    
    One can also check their Windows registry under:
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
    HKEY_USERS\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
    HKEY_USERS\DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion for any
    references to DESKTOP.EXE or DESKTOP.DLL.
    
    For those not intimately acquainted with the incontinent complexities of the
    Windows Registry, it would be best simply to search the entirety for
    references to both files mentioned. (It's also worthwhile to check out some
    of the suggestions in my previous report.)
    
    Now, because those file names are defaults which can be modified by savvy
    operators, I'm not saying, 'if you can't find the files, then you're not
    infected.' The names can be changed; but we can rely on the fact that most
    operators will be using D.I.R.T. in its default configuration -- after all,
    its chief selling point is that it can be used successfully by the
    technically illiterate.
    
    One final point regarding defenses against the Trojan: soon after I posted
    the first article recommending disk re-formats for those unsure how to
    combat D.I.R.T., which was mentioned and linked at Cryptome.org, a reader
    submitted the following warning:
    
    "D.I.R.T. uses 'unused' space in the file system, so high-level reformatting
    will not destroy it. (This 'unused' space is used by operating systems to
    handle classified information with data structures similar to that in
    SE_Linux). Removing D.I.R.T. requires wiping the disk at the device-driver
    level."
    
    I spoke with Eric Schneider, who wrote the program before leaving Codex on
    ethical grounds; and he told me that so far as he knows "there is no
    technology in D.I.R.T. which comes close to surviving a high-level format."
    
    So there you have it. Codex's D.I.R.T. is a remote administration tool that
    functions in large part just like the free Trojans SubSeven and BO2K, which
    is being sold by a disgraced former cop, current felon and self-confessed
    lunatic for thousands of dollars a pop to creepy Feds in countries where the
    sort of abuse it invites is routine and impossible for a victim to challenge
    in court.
    
    In all, a loathsome scam run by an equally loathsome con artist. ®
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe, visit http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
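As an added, defender-side illustration of the file and registry checks the article recommends (this is not code from the article, from Codex or from The Register): a Python scanner that parses a constructed `.reg` export and a constructed directory listing for references to the default file names. The key paths and file names are the article's; the sample data and the helper names (`parse_reg_export`, `find_indicator_references`, `check_default_files`) are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Default names the article reports; operators can rename them, so the
# scanner takes the indicator list as a parameter rather than hard-coding it.
DEFAULT_INDICATORS = ("DESKTOP.EXE", "DESKTOP.DLL")

# Constructed sample of a registry export (.reg format), for illustration only.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadDesktop"="C:\\WINDOWS\\DESKTOP.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Themes]
"DisplayName"="Desktop Themes"
'''


def parse_reg_export(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse a .reg export into {key_path: [(value_name, raw_data), ...]}."""
    keys: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current].append((name.strip('"'), data))
    return keys


def find_indicator_references(text, indicators=DEFAULT_INDICATORS, only_current_version=True):
    """Return (key, value_name, data) for every value that names an indicator file.
    Dots are escaped, so 'Desktop Themes' does not match 'DESKTOP.EXE'."""
    pattern = re.compile("|".join(re.escape(i) for i in indicators), re.IGNORECASE)
    hits = []
    for key, values in parse_reg_export(text).items():
        # The article points at the ...\Windows\CurrentVersion subtrees.
        if only_current_version and "\\windows\\currentversion" not in key.lower():
            continue
        for name, data in values:
            if pattern.search(data) or pattern.search(name):
                hits.append((key, name, data))
    return hits


def check_default_files(listing, windows_dir=r"C:\WINDOWS", indicators=DEFAULT_INDICATORS):
    """Return which indicator files sit directly in windows_dir (case-insensitive)."""
    present = {p.lower() for p in listing}
    return [n for n in indicators if (windows_dir + "\\" + n).lower() in present]
```

Pass `only_current_version=False` to search the whole export, as the article suggests for readers unfamiliar with the registry layout.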
    



    This archive was generated by hypermail 2b30 : Thu Jun 07 2001 - 07:18:30 PDT