Interesting People mailing list archives

IP: New attack on PGP keys with a Word Macro from RISKS


From: Dave Farber <farber () cis upenn edu>
Date: Wed, 03 Feb 1999 03:51:54 -0500



Date: Fri, 29 Jan 1999 23:11:40 -0800 (PST) 
From: Fred Cohen <fc () all net> 

I just got a look at a Word file (CALIG.DOC) that contains user IDs and 
passwords to pornographic sites. In addition to these pointers, it has a 
Trojan Horse that finds the user's private PGP key ring and ftp's it to:
209.201.88.110 (codebreakers.org) 
user anonymous 
password itsme@ 
directory incoming 
binary mode 
stored name: NewSecRingFile[0-9][0-9][0-9][0-9]
This Trojan does its job in visual basic and - except for the initial notice 
(if enabled) that macros are present - gives no indication of this function 
that it performs. I figure the best defense against this is to:
1) Have thousands of users ftp phony files to that IP address 
and filename on a regular basis, thus making it impossible to 
get any real PGP keys - preferably send valid-looking PGP keys 
so they have to waste a lot of time cracking them.
2) Cut off all service for ftp with 209.201.88.110 (codebreakers.org) 
- either at the ISP, at your gateway, or at the borders to your country.
3) Prosecute for possession of access devices - with international 
cooperation between authorities.
4) Tell your people that this has been done so they will stop looking at 
pornography listing files (fat chance this will work).
At any rate, I hope that you will take prudent precautions within your 
organization against this potential attack on the security of your private 
keys.
Fred Cohen & Associates: http://all.net - fc () all net - tel/fax:925-454-0171 
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225

[Much-too-long disclaimer omitted, separating the two roles. PGN]
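An added detection example, not part of Fred Cohen's post or the RISKS digest: a small Python checker that scans a simplified FTP proxy log (the `src dst COMMAND arg` line format and the log lines are constructed here, not real traffic) for anonymous sessions to the drop host named above that store a file matching the `NewSecRingFile[0-9][0-9][0-9][0-9]` naming scheme, so a site keeping proxy or firewall logs can list the internal hosts whose private key rings were likely exfiltrated.

```python
import re
from collections import defaultdict

# Indicators taken from the report above (the only specifics the page gives).
DROP_HOST = "209.201.88.110"
STORED_NAME = re.compile(r"^NewSecRingFile\d{4}$")

# Constructed sample of a simplified FTP proxy log: "<src> <dst> <FTP command> [arg]".
# These lines are made up to exercise the detector; they are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 209.201.88.110 USER anonymous
10.0.0.5 209.201.88.110 PASS itsme@
10.0.0.5 209.201.88.110 CWD incoming
10.0.0.5 209.201.88.110 TYPE I
10.0.0.5 209.201.88.110 STOR NewSecRingFile4711
10.0.0.9 192.0.2.20 USER alice
10.0.0.9 192.0.2.20 STOR report.txt
10.0.0.7 209.201.88.110 USER anonymous
10.0.0.7 209.201.88.110 STOR readme.txt
"""

def parse_line(line):
    """Split one log line into (src, dst, command, argument); None if malformed."""
    parts = line.split(maxsplit=3)
    if len(parts) < 3:
        return None
    src, dst, cmd = parts[0], parts[1], parts[2].upper()
    arg = parts[3] if len(parts) == 4 else ""
    return src, dst, cmd, arg

def find_keyring_uploads(log_text):
    """Return {source_host: [stored filenames]} for sessions matching the Trojan's upload pattern."""
    anon = set()             # (src, dst) pairs that logged in as anonymous
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, cmd, arg = rec
        key = (src, dst)
        if cmd == "USER" and arg.lower() == "anonymous":
            anon.add(key)
        elif cmd == "STOR" and dst == DROP_HOST and STORED_NAME.match(arg):
            # Anonymous login to the drop host plus the Trojan's filename scheme is the signal;
            # an unrelated file (readme.txt) to the same host is not flagged.
            if key in anon:
                hits[src].append(arg)
    return dict(hits)

if __name__ == "__main__":
    for host, files in find_keyring_uploads(SAMPLE_LOG).items():
        print(f"ALERT: {host} stored {files} on {DROP_HOST}; private key ring likely exposed")
```

Hosts that appear in the result should have their PGP key pairs revoked and regenerated, not just the document removed.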
