Information Security News mailing list archives

Register duped by crimebusting D.I.R.T. Trojan


From: InfoSec News <isn () c4i org>
Date: Tue, 5 Jun 2001 21:42:06 -0500 (CDT)

http://www.theregister.co.uk/content/4/19480.html

By Thomas C Greene in Washington
Posted: 06/06/2001 at 00:04 GMT

My recent article on the D.I.R.T. (Data Interception by Remote
Transmission) Trojan, with which law-enforcement agents can secretly
monitor a suspect's computer and which is marketed by surveillance
outfit Codex Data Systems, contained several inaccuracies, all of
which can be attributed solely to my own lapse in the skepticism for
which The Reg in general, and I personally, are known.

The full story, as it happens, is immensely more twisted than I
imagined when I wrote my original item. Clearly, The Register's
readers deserve better -- and here it is:

S.C.A.M.

Thanks to several e-mailed hints from readers, I continued doing
background research and have now confirmed that the CEO of Codex Data
Systems is one Francis Edward "Frank" Jones, a convicted felon
currently on probation for illegal possession of surveillance devices.
He was charged with trafficking and conspiracy to traffic in them, but
in an agreement he pleaded guilty to simple possession, and the US
Government dropped the other two charges.

He was sentenced to three-hundred hours' community service and five
years' probation with no jail time, on the strength of his argument to
the court that he was not responsible for his illegal acts by reason
of mental defect. He has also been required to participate in a
mental-health program, which, judging by some of his recent behavior,
appears to be less than a screaming success.

Jones is widely regarded as a scam artist with a long history of
security/surveillance snake-oil sales. He has, for example, sold
bug-detection services, which we're told are completely fraudulent,
involving detection apparatus easily cobbled together from the
inventory of Radio Shack. He's reported to have planted a bug which he
subsequently 'found' during one such charade.

A Legend in His Own Mind

He's also a shameless, Boswellian self-promoter with a Web site
devoted to himself in his on-line incarnation, "SpyKing."

Here we're told that SpyKing/Jones is "formerly in military and law
enforcement service," and "a popular talk show guest with 15
appearances on national & regional programming and news specials."

As for his law-enforcement experience, we've since learned that he
managed to get himself fired from the New York City Police Department
in 1975, according to a letter by Association of Counter-Intelligence
Professionals (ACIP) Executive Director Michael Richardson.

But the PR beat goes on: "Jones has lectured at M.I.T. (Massachussetts
[sic] Institute of Technology) on TEMPEST computer eavesdropping
techniques," his Web site claims. Indeed, "No other speaker has their
thumb on the pulse of changing world trends in immerging [sic]
surveillance technologies."

The security 'experts' our illiterate subject has conned include
hacker trivia master Winn Schwartau and AntiOnline's "JP" John
Vranesevich (no surprises there), and such publications as PC World,
E-BusinessWorld, TechWeek, the Wall Street Journal, and, thanks to my
carelessness, The Register as well.

The D.I.R.T. on the Trojan

The truly inexcusable element of my first story was my failure to
challenge rigorously Codex's claims regarding the amazing power of its
D.I.R.T. Trojan.

Had I taken the time to learn that SpyKing/Jones was behind this, I
would have immediately suspected that it's a lot more talk than
technology. But I ran with the piece out of eagerness to work my own
agenda, motivated by personal outrage that anyone would be so
irresponsible as to sell a Trojan to law-enforcement and governments
as a surveillance device.

And the reason for that outrage survives even now; D.I.R.T.
unquestionably permits police to upload bogus evidence to a suspect's
machine and offers no auditing controls by which they might be caught,
which was the focus of my original report.

That much hasn't changed; D.I.R.T. is absolutely ripe for abuse
without accountability, and Jones is utterly damnable for trying to
sell it to governments and police organizations.

But I was on very shaky ground in reporting its true capabilities. My
subsequent investigation indicates that Codex's claim that D.I.R.T.
can defeat all known PC firewalls is, quite simply, false.

Furthermore, their claim that "the software is completely transparent
to the target and cannot be detected by current anti-virus software,"
is misleading, if not completely false. There is no technology in
D.I.R.T. responsible for this sort of stealth; the server isn't
detected simply because no anti-virus vendor has as yet added it to
their signatures catalog.

Defeating D.I.R.T.

My suggestions in the original article for defeating D.I.R.T. remain
basically sound, if perhaps a bit over-cautious due to my mistaken
belief that it defeats all known firewalls (though there is reason to
believe it may defeat a few).

Because it isn't presently detected by anti-virus software, one does
have to look for evidence of it. By default, it installs two files in
the C:\WINDOWS directory -- DESKTOP.EXE and DESKTOP.DLL. Find either
of those files, and it's time to re-format your HDD.

One can also check their Windows registry under:

    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
    HKEY_USERS\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
    HKEY_USERS\DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion

for any references to DESKTOP.EXE or DESKTOP.DLL.

For those not well acquainted with the incontinent complexities of the
Windows Registry, it would be best simply to search the entirety for
references to both files mentioned.

Now, because those file names are defaults which can be modified by
savvy operators, I'm not saying 'if you can't find the files, then you
are not infected.' They could have been changed; but we can rely on
the fact that most operators will be using D.I.R.T. in its default
configuration -- after all, its chief selling point is that it can be
used successfully by the technically illiterate.
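The file and registry checks described above, written up as a PowerShell script; this is an added example, not code from the article or from Codex. It assumes a Windows host, uses $env:SystemRoot for the C:\WINDOWS directory, and covers the article's HKEY_USERS paths by enumerating every loaded user hive (HKEY_USERS holds one subkey per user SID plus .DEFAULT).

```powershell
# Added example (not from the article): look for the D.I.R.T. default
# artifacts named above. It finds only the default file names; a renamed
# install, which the article says is possible, will not be caught.
$names = @('DESKTOP.EXE', 'DESKTOP.DLL')
$findings = @()

# 1. File check: DESKTOP.EXE / DESKTOP.DLL in the Windows directory.
foreach ($n in $names) {
    $p = Join-Path $env:SystemRoot $n
    if (Test-Path -LiteralPath $p) {
        $findings += "File present: $p"
    }
}

# 2. Registry check: every value under the CurrentVersion keys the article
# lists (not just the Run keys) that mentions either file name.
# PowerShell maps only HKLM: and HKCU: by default, so map HKEY_USERS too.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion')
# One subkey per loaded user hive (SIDs and .DEFAULT) covers both of the
# article's HKEY_USERS paths.
$roots += Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
    ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion" }

foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # Include the root key itself; Get-ChildItem -Recurse returns only subkeys.
    $keys = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($vn in $key.GetValueNames()) {
            $v = [string]$key.GetValue($vn)   # REG_MULTI_SZ joins to one string
            foreach ($n in $names) {
                # -match is case-insensitive, so desktop.exe is caught as well
                if ($v -match [regex]::Escape($n)) {
                    $findings += "Registry: $($key.Name)\$vn = $v"
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No default D.I.R.T. artifacts found (a renamed install would not show here).'
} else {
    $findings
}
```

Run it from an elevated prompt so that the HKEY_USERS hives of other logged-on accounts are readable; an unprivileged run silently skips keys it cannot open.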

One last point regarding defenses against the Trojan: soon after I
posted the first article recommending disk re-formats for those unsure
how to attack D.I.R.T., which was mentioned and linked at
Cryptome.org, a reader submitted the following warning:

"D.I.R.T. uses 'unused' space in the file system, so high-level
reformatting will not destroy it. (This 'unused' space is used by
operating systems to handle classified information with data
structures similar to that in SE_Linux). Removing D.I.R.T. requires
wiping the disk at the device-driver level."

I spoke with Eric Schneider, who wrote the program before leaving
Codex on ethical grounds; and he told me that so far as he knows,
"there is no technology in D.I.R.T. which comes close to surviving a
high-level format."

So there you have it. D.I.R.T. is a remote administration tool which
functions in large part just like the free Trojans SubSeven and BO2K,
which is being sold by a disgraced former cop and current felon and
mental patient for thousands of dollars a pop to creepy Feds in
countries where the sort of abuse it invites is routine and impossible
for a victim to challenge in court.

In all, a loathsome scam run by an equally loathsome con artist.



ISN is hosted by SecurityFocus.com