[If this is a duplicate, I appologise, ssz didnt accept first attempt ] -=|[ Relevance: Backdoor Systems, Spook penetration Tools, etc... ]|=- I believe it would be good to throw in some additional toys for analysis: Recently (many months ago) we came across a version of the TSAdBot system, produced by Conducent ( http://www.conducent.com ), which very easily utilized its given backdoors in various windows {95,98,98b,NT5/2000,etc} installations, heedless of any 3rd party security or protection system. In short, we watched this little deamon run streight through the first tier of Win 'security' and then begin iterative/enumerative analysis of registry entries at system level to conjure up a coherent (probibly bitmapped and cyphered) representation of the os and installed components, then to be sent off to a central server, which responeded back with the algo for the next level of penetration. Truthfully, with publicly available tools, you can watch the TsAdBot system and its multi-purpose components rip streight through your system, 'compromise' all personal and internal data in your registry, and then proceed to interact with its central control server for next-phase penetration instructions. Upon completion of this first task, the infiltration system is housed nicely amongst core system dll and other files, has numerous tautologic registry routes to ensure its stability and operation, and is among the first systems to be loaded by the os upon next boot... What it does while running? How should we know, it merely does ADVERTISING, right? ;) One version we analysed used a variety of old methods of simple ghosting and self-protection mechanisms, including a killable daemon which told the higher level system (which, after 3rd pass of infiltration, your user-level tools are no longer able to see within the win system components it has compromised) of its demise, thus allowing the higher-functioning code -- running invisbly in most of your systems at this moment -- to maintain its spooky existance. Various tactful methods are used by the system to be self-supporting; TsAdBot easily penetrates low-level system bounds (admin level/passwds/etc) and starts acting at the system level upon the commencement of its operation, but also uses a variety of hidden features (cloning, self-checking, and self-protecting mechanisms) to ensure its stability, but moreso used an interesting mechanism of registry re-routing that allowed the penetration code to be nestled within any number of system components, yet not visible due to cyphered and other round-about routes of accessing and activating itself upon reboot. In short, within a few flops, this system penetrates windows security and lodges at least one copy of itself in 'untouchable' space, contacts external servers for second phase penetration instructions, and moreso, disguises itself as a simple ADVERTISING CLIENT in most major software pacakges. We recall what happened to Aureate systems when they were disclosed, however, Conducent seems to have some additional support structures... How else would they know the intentional m$ provided backdoors, and moreso been able to easily introduce the package into 90% of business workstations and personal computers without the assistance of some overbearing entity? Now, I state here basic overview, possibly 'speculation' and nothing more. You are expected to review the various versions of this advanced Conducent system and its reality. Note: The version I worked with primarily was recovered a few months ago, and no formal report has been made regarding its mechanisms. Do note, especially, their press releases... such things as stating that the method and strange communication are harmless to the user, and other such bullshit which is most obviously frivilous sheep-talk. http://www.conducent.com/aboutus-presskit.shtm most of the articles I recall are still on their website. I would quote directly, but this is already a heavy message. Of other notes, Vmware and bochs/etc have imaging of fake drives, How about someone using their brain and runing some simulations on various versions? Simple code reversing is not that complex either. I personally won't go there at this second, but would be happy to inform anyone interested in the pursuit... Its not hard to map out and reverse a process... This is a fairly well coded operation and system, and it serves its purpose to penetrate your computer security quite well, however, there is nothing we cant fix, and this, dear friends, is something the non-affiliated public should very quickly act upon. Note: I have not analysed the current TsAdBot systems nor any other from this source recently, as their internal structure, mechanisms, or versions may have changed, but, I definitely still have on record a variety of the old versions for analysis... Its merely an advertising client, isnt it?... Regardless, the listing of software which uses the system is quite easily accessable on their site, including demo packages and whatnot for review. I strongly suggest, if you value the integrity of your winx systems, that you not run any programs on it until you have reviewed the realities. You probibly already have, though... I leave it at that. Open for 'speculation' and 'review'... however I expect 'review' to be quite a prominant element in the near future. Good day, dear friend sheeps :) -Wilfred L. Guerin Wilfred@Cryogen.com [SideNote: Originally, the code looked like something the FBfeds would come up with, but after more recent review, I truthfully cant speculate on the origin, its merely code, but talking to centralized servers and being so obvious is now a common trait of most of the organizations...] At 05:18 PM 9/26/2000 -0400, you wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Lions and Tigers and Backdoors, Oh, My.
Frankly, I expect that NSA would be remiss in their grope-age indeed if they *didn't* try to get a backdoor into anything it could, and, of
I mean, can't they be a little more *creative*, fer chrissakes? How stupid do they think the public really is?
Oh. Right. I forgot...
Cheers, RAH
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQEVAwUBOdESj8UCGwxmWcHhAQHSDQgAlA1/+asZTagnQ4vL44WJ9If+fTVwkPCC ----------------- R. A. Hettinga <mailto: rah@ibuc.com>