Summary of this page: Some examples of current virii: "W32.Badtrans.B" Computer Virus (Worm), "Goner" worm, sircam.worm "TROJ_SIRCAM.A". Please be suspicious about the political impact of this possible technical development (remember George Orwell's '1984') |
CyberWar Update #2 of November 30th, 2001,
assembled by Mark Hopkins
Virus Invasion
Badtrans is the name of the virus that is making the rounds currently and grinding email servers to a halt worldwide. There is much speculation by respectable theorists that this may be the much-talked about keylogging virus the FBI is threatening to release on the public known by the name Magic Lantern. Operationally, it fits the profile, logging keystrokes to a temp-file and when the temp-file reaches a certain size, mailing the log file to a pre-specified recipient. The Badtrans virus has had a couple modifications made to it over the last couple weeks, making it's transmission and operations more smooth, and therefore more infections and effective, however it is reported that most commercially available anti-virus software still picks it up prior to infection.The new version of the Badtrans virus activates embedded HTML in the email and automatically informs Microsoft email programs to activate the attached virus program. The virus also appears to activate the MP3 player.
There are three scenarios within possibility which would explain the origin of the Badtrans virus. The first, most obvious, and most widely accepted is that it is a simple keylogging virus put out by a random hacker to get user's usernames and passwords. The second theory is more of an addendum to the first, in that it's a virus put out by a random hacker at this time to try to create a buzz and make it look as if the FBI is targetting certain groups or demographics (this theory has been posited by many members of the OSINT group RMNews). The third theory is that this is in fact the second iteration of the Magic Lantern keylogger.
The first theory is supported by the simple fact that this sort of thing comes out on a fairly regular basis, and to assume that this virus is any different than the last 15 that have come out is pure conjecture -- at least at first glance. The third theory is supported by the plethora of news releases that has accompanied the virus's release that tell of the FBI's Magic Lantern keylogger's inner workings. The operations are very similar in description, and a mass release through worm form is an effective means of distribution, despite the preferred method of delivery is reportedly the newly allowed ''sneak and peek'' method -- however, distribution through an email virus does seem to be a bit unconventional, a bit of a kludge-type attack. Granted, the FBI's technology teams have proven somewhat clueless as to implementation of internet technologies in the past, but this tends to lack the type of precision the FBI needs, and seems like it could lead to the type of legal troubl! e the FBI could ill-afford.
All of this lends the most credence to the second theory, that it is most likely being used as an Infowar tool, to make individuals feel as if they are being singled out by the FBI or other government agencies since most virus detection systems alert the user of it and mention it's purpose. It may have originally started out as the tool mentioned in theory one, but it has quickly become the tool mentioned in theory two.
FBI vs. CIA in Cyberspace
Most people who are in the intelligence community and those who follow it recognize that there was a vast intelligence failure that led up to the Sept 11 attacks.
The FBI and CIA are two agencies charged with law enforcement and intelligence operations, have taken the most heat for the failure. Both agencies had few areas of cooperation prior to Sept. 11. As it turns out the FBI and CIA have suddenly found themselves in diametrecially opposed roles inside cyberspace.
Below is a list of tools that would aid US Federal law
FBI tools:
Carnivore ( http://www.fbi.gov/hq/lab/carnivore/carnlrgmap.htm) The way carnivore works, according to the diagrams and explanations on the FBI website, is to trap all data going through a certain point, make a copy and send it back to a centralized point. The FBI is then able to sift through it using keyword searches.Some time last year the FBI was forced by privacy advocates such as the ACLU and the EFF to reveal that it had a new software program called Carnivore designed to monitor Internet e-mail. The way the Carnivore system operates is not on home personal computers, or the client side, but on Internet Service Provider computers, or the server side. This allows the agency to siphon off data from suspected customers.
It is used only for looking through email, according to its description, *however* from it's description, it is also capable of sifting through web traffick. (remember that)
Magic Lantern
There is no official documentation on Magic Lantern on FBI's website,
but open source intelligence resources describe it's operation and
implementation as such:
It is to be spread either through an agent manually infecting the machine by inserting an infected disk or downloading the infection, or through targeted email virus infections. (i.e., opening an email, and a hidden virus is installed on the victim's machine without his knowlege by way of many security holes in email software).
It is a key-logging program, designed to intercept passwords and outgoing emails from the user's machine. It cannot log mouse clicks, however, which is it's only weakness. (i.e., if a user has an encryption software installed, and has the password stored locally, it can be activated by mouse clicks instead of a password being typed in, thus defeating the keylogging method).
dTective
Developed jointly by Ocean Systems Co. of Burtonsville Md. (did the
software side) and Avid Technology Inc. (hardware side). Its purpose is
to trace the financial transactions linked to Sept's terrorist attacks
against New York and Washington by enhancing ATM video surveillance
images that were previously unusable due to bad lighting and such.
Encase
Deleted file recovery tool. Used in cases where the suspect has clean
sweep deleted the hard drive of data.
CIA tools:
Triangle Boy/SafeWebIt's original intent was to allow Asian Surfers (primarily Chinese) to surf the web without government interference. It allowed them to bypass governmentally blockage of websites and to do so anonymously (at least to governments other than the United States).
Technically, this tool sponsored by the CIA could be used as an aid to hackers, as well as those hiding from governments and companies who filter what their users are able to see.
It could also be used as a device to in some way circumvent the FBI from positively tracking down the author of a message. Imagine if a terrorist sets up an account on Hotmail, but uses Triangle Boy to access it. The FBI would be able to determine what the content was, but would be unable to find the user by way of IP tracking. Nor would the FBI know what computer to put Magic Lantern on in case the user was employing a method of encryption, which would prevent the FBI from even seeing the content of the messages as well.
Fluent
Custom-written software scours foreign Web sites and displays
information in English back to
analysts. The program already understands at least nine languages,
including Russian, French and Japanese. Not a remarkable piece of
software, same results that this software produce can be accomplished by
combining the power of Digital's babelfish project with Google's search
engine software.
Echelon
Essentially a European Carnivore, not officially acknowleged by the US
government. [read more about Echelon]
Oasis
Technology that listens to worldwide television and radio broadcasts and
transcribes detailed reports for analysts. Oasis currently misinterprets
about one in every five words and has difficulty recognizing colloquial
Arabic, but the system is improving, said Larry Fairchild, head of the
CIA's year-old Office of Advanced Information Technology.
Conflicting tools:
The tool conflict comes up between the CIA and the FBI are the CIA's Triangle Boy utility and the FBI's Magic Lantern and Carnivore snooping utilities. Essentially, by using the Triangle Boy web proxy utility or any other commercially available approximation thereof while simultaneously running any number of publicly available different 128-bit encryption routines, you can effectively and completely block yourself off from any FBI monitoring.What Triangle Boy allows you to do is anonymously surf the web. There are a couple public projects on the internet that approximate what Triangle Boy does, such as it's predecessor Anonymizer.com, probably the web's first public anonymous proxy server. By using this or a similar service to log on to a public, free email server, you have prevented the email server from logging your IP address, or in other words, a number that can be linked to your person.
To completely make your message unintelligable and unbreakable to the US Federal government, use 128-bit or better encryption methods, preferrably the RC5 standard. Distributed.net has been working with a brute force hack of the RC5 encryption routine (64-bit encryption) since 1998 using thousands of computers simultaneously on the project and estimates they have a year left until they break the code. From this one can safely assume that by the time the government is able to break your message at 128-bits, the usefulness of the contents of the message will long past be viable, not to mention most statute of limitation laws will have expired in the process.
Vulnerabilities in the Magic Lantern Keylogger
The Magic Lantern keylogger not only is ineffective in accomplishing it's purpose by virtue of the CIA's and the private sector's privacy tools, it also could backfire on the federal government. Any technically savvy hacker, could quite easily reverse engineer the product to either hack into the repository for the keylogged files or re-distribute the virus as an agent to gather his own data, especially if the government strikes deals with anti-virus makers to make the utility unnoticed by their detection software.Brooks Isoldi, editor - bisoldi@intellnet.org - www.intellnet.org
Latest Virus Alerts
"W32.Badtrans.B" Computer Virus (Worm)
W32.Badtrans.B@mm: Discovered on: November 24, 2001. W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several different file names. This worm also drops a backdoor trojan that logs keystrokes.
"[W32.Badtrans.B] does not require the email recipient to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients (Microsoft Outlook and Microsoft Outlook Express) to automatically execute the file attachment. This vulnerability is also known as Automatic Execution of Embedded MIME type."
The "W32.Badtrans.B" Computer Virus (Worm) is running rampant. As of December 3rd, Trend Micro reports over 73,000 WORM_BADTRANS.B infections detected by "HouseCall" (its free online virus checker) (from http://wtc.trendmicro.com/wtc/ ).
Complete information on this virus (worm) can be found here: http://www.sarc.com/avcenter/venc/data/w32.badtrans.b@mm.html
28 Dec '01: The FBI wants access to worm's pilfered data http://www.dailyrotten.com/articles/archive/189387.html The FBI is asking for access to a massive database that contains the private communications and passwords of the victims of the Badtrans Internet worm. (...) The United States is becoming an Orwellian nightmare!
NEW VIRUS ALERT: "Goner" worm
Sent by Mona LaVineNEW YORK - Electronic security experts are warning of a powerful new computer worm that can do everything from send e-mail to delete virus programs to hack other machines, all from your own PC.
Disguised as an innocuous screensaver program from a thoughtful friend, the "Goner" worm appeared Tuesday morning and is on its way to becoming a worldwide epidemic - and computer-virus specialists are warning people to be on the alert.
"The subject line says 'Hi' and will be from someone you know," Symantec security response group manager Kevin Haley said. The text will say 'How are you? I saw this screensaver and immediately thought of you.' That's a giveaway (or) I am in a hurry, I promise you will love it!"
Needless to say, computer users are advised not to open the attached "screensaver" program, or they will unleash a computer worm that will delve through their e-mail address books, replicate itself and send itself out to all their friends.
Goner works through Microsoft programs like Outlook and Outlook Express and can send itself through instant-messaging services like ICQ and Internet Relay Chat.
Solution for new virus Gone and others at http://securityresponse.symantec.com/avcenter/venc/data/w32.goner.a@mm.removal.tool.html
Sircam.worm "TROJ_SIRCAM.A" in attachment - by Ralph Nimmann
Subject: any file nameMail Size: usually 100 KByte or more
visible text message:
"Hi! How are you
I send you this file in order to have your advice
See you later
Thanks"
The virus attaches itself to any file of any size it likes in your PC and sends off emails WITH IT'S OWN EMAIL CLIENT. Your modem appears to be doing funny things since it does not need to use Outlook Express to send infected mail to others. Infected files are identified with an extra extension on things like: *.doc.com, *.zip.* ...etc. The virus will pick up a file randomly from your computer to do this and sends as an attachment.
Once the attachment is opened, their computers will also become infected and so the cycle goes on...
Visit www.pandasoftware.com where a free download will fix your problem.
You can download a removal tool for the virus at:
http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.removal.tool.html
More here: http://support.ca.com/techbases/ilnt/virusalert2.html