CDR: Re: Lions and Tigers and Backdoors, oh, my...

Wilfred L. Guerin Wilfred at Cryogen.com
Wed Sep 27 13:29:42 PDT 2000


-=|[ Relevance: Backdoor Systems, Spook penetration Tools, etc... ]|=-

I believe it would be good to throw in some additional toys for analysis:

Recently (many months ago) we came across a version of the TSAdBot system,
produced by Conducent ( http://www.conducent.com ), which very easily
utilized its given backdoors in various windows {95,98,98b,NT5/2000,etc}
installations, heedless of any 3rd party security or protection system.

In short, we watched this little daemon run straight through the first tier
of Win 'security' and then begin iterative/enumerative analysis of registry
entries at system level to conjure up a coherent (probably bitmapped and
cyphered) representation of the os and installed components, then to be
sent off to a central server, which responded back with the algo for the
next level of penetration. Truthfully, with publicly available tools, you
can watch the TsAdBot system and its multi-purpose components rip straight
through your system, 'compromise' all personal and internal data in your
registry, and then proceed to interact with its central control server for
next-phase penetration instructions. Upon completion of this first task,
the infiltration system is housed nicely amongst core system dll and other
files, has numerous tautologic registry routes to ensure its stability and
operation, and is among the first systems to be loaded by the os upon next
boot...

What it does while running? How should we know, it merely does ADVERTISING,
right? ;)

One version we analysed used a variety of old methods of simple ghosting
and self-protection mechanisms, including a killable daemon which told the
higher level system (which, after the 3rd pass of infiltration, your user-level
tools are no longer able to see within the win system components it has
compromised) of its demise, thus allowing the higher-functioning code --
running invisibly in most of your systems at this moment -- to maintain its
spooky existence.

Various tactful methods are used by the system to be self-supporting;
TsAdBot easily penetrates low-level system bounds (admin level/passwds/etc)
and starts acting at the system level upon the commencement of its
operation, but also uses a variety of hidden features (cloning,
self-checking, and self-protecting mechanisms) to ensure its stability, but
more so used an interesting mechanism of registry re-routing that allowed
the penetration code to be nestled within any number of system components,
yet not visible due to cyphered and other round-about routes of accessing
and activating itself upon reboot.

In short, within a few flops, this system penetrates windows security and
lodges at least one copy of itself in 'untouchable' space, contacts
external servers for second phase penetration instructions, and more so,
disguises itself as a simple ADVERTISING CLIENT in most major software
packages.

We recall what happened to Aureate systems when they were disclosed;
however, Conducent seems to have some additional support structures... How
else would they know the intentional m$ provided backdoors, and, more so, have been
able to easily introduce the package into 90% of business workstations and
personal computers without the assistance of some overbearing entity?

Now, I state here a basic overview, possibly 'speculation' and nothing more.
You are expected to review the various versions of this advanced Conducent
system and its reality. Note: The version I worked with primarily was
recovered a few months ago, and no formal report has been made regarding
its mechanisms.

Do note, especially, their press releases... such things as stating that
the method and strange communication are harmless to the user, and other
such bullshit which is most obviously frivolous sheep-talk.

http://www.conducent.com/aboutus-presskit.shtm

Most of the articles I recall are still on their website.

I would quote directly, but this is already a heavy message.

Of other notes, Vmware and bochs/etc have imaging of fake drives; how about
someone using their brain and running some simulations on various versions?
Simple code reversing is not that complex either. I personally won't go
there at this second, but would be happy to inform anyone interested in the
pursuit... It's not hard to map out and reverse a process... This is a
fairly well coded operation and system, and it serves its purpose to
penetrate your computer security quite well; however, there is nothing we
can't fix, and this, dear friends, is something the non-affiliated public
should very quickly act upon.

Note: I have not analysed the current TsAdBot systems nor any other from
this source recently, as their internal structure, mechanisms, or versions
may have changed, but I definitely still have on record a variety of the
old versions for analysis... It's merely an advertising client, isn't it?...

Regardless, the listing of software which uses the system is quite easily
accessible on their site, including demo packages and whatnot for review.

I strongly suggest, if you value the integrity of your winx systems, that
you not run any programs on it until you have reviewed the realities. You
probably already have, though...

I leave it at that. Open for 'speculation' and 'review'... however I expect
'review' to be quite a prominent element in the near future.

Good day, dear friend sheeps :)

-Wilfred L. Guerin
Wilfred at Cryogen.com

[SideNote: Originally, the code looked like something the FBfeds would come
up with, but after more recent review, I truthfully can't speculate on the
origin; it's merely code, but talking to centralized servers and being so
obvious is now a common trait of most of the organizations...]




At 05:18 PM 9/26/2000 -0400, you wrote:
>Lions and Tigers and Backdoors, Oh, My.
>
>Frankly, I expect that NSA would be remiss in their grope-age indeed if
>they *didn't* try to get a backdoor into anything it could, and, of
>
>I mean, can't they be a little more *creative*, fer chrissakes? How
>stupid do they think the public really is?
>
>Oh. Right. I forgot...
>
>Cheers,
>RAH
>
>-----------------
>R. A. Hettinga <mailto: rah at ibuc.com>
