MUSEUM-L Archives

Museum discussion list

MUSEUM-L@HOME.EASE.LSOFT.COM

Subject:
From: Felicia Pickering <[log in to unmask]>
Reply To: Museum discussion list <[log in to unmask]>
Date: Thu, 8 Dec 1994 09:47:47 EST
Content-Type: text/plain
Parts/Attachments: text/plain (162 lines)
----------------------------Original message----------------------------
To: MNHAN063--SIVM
 
From: .       --.
 
Date: Wed, 7 Dec 1994 16:17:46 -0600
From: [log in to unmask]
Message-Id: <[log in to unmask]>
Subject:  FYI:  Trojan horses and ANSI "bombs"
Sender: [log in to unmask]
Precedence: bulk
Reply-To: [log in to unmask]
Apparently-To: [log in to unmask]
 
NewbieNewz                                             07 December 1994
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Responses to "How to exploit fear & newbie-ness"
 
> From:
> Peter McGovern - Portland, OR
> Personal Computer Specialist:
> PCC-Tektronix Onsite Program
> [log in to unmask] or [log in to unmask]
 
There is an interesting discussion of this so-called "goodtimes" virus in
alt.comp.virus.  The bottom line (according to my interpretation), it seems,
is that under certain circumstances, 'text' files *can* do serious damage.
Some ascii reader programs can interpret text as a 'backdoor' way to change
the program.  This can cause actions to occur.
 
Also, if a person has ANSI.SYS loaded, then, supposedly, certain text
strings can reprogram the keyboard, and simulate keystrokes under certain
conditions.  While the discussion in alt.comp.virus is very convincing (to
me at least), I have run across no posts written by anyone who has actually
lost any data due to this supposed virus.
 
Here's a sample of one of those posts:
 
  ANSI codes are dangerous.  Here's a short example:
 
echo ESC[27;13;"CHKDSK";13;p
echo ESC[30;40;m
echo ESC[2J
 
The ESC in the above is a true "Escape" character.  You can make
it in Qedit, Borland stuff, etc., by hitting ^P then the escape
key...
 
  The above 3 lines will redefine the Escape key into the
same thing as typing CHKDSK and hitting ENTER.
Hacking it into a FORMAT C:/AUTOTEST>NUL would be nasty!
 
**** end sample 1 ****
 
here's another:
 
But some mail readers or terminal programs can be convinced to execute code
contained in a mail message, by taking advantage of either a bug or a
misfeature.  This can be used to create a letter that is itself a trojan
horse, activating when you try to read it.
 
Emacs, for instance, has the ability to recognize and execute lisp code
that is included in a source file's comments as the file is opened for
editing (perhaps to tune the editor for the language you're using or
set your tabs to your company's coding standards).  If this misfeature
is enabled (as it was in many emacs distributions), and you use emacs
to read mail or news, malicious posters could include lines that looked
to emacs like something it should run, with all of your normal permissions,
when you open the message for reading.  (A few years back there was a
netnews posting that contained a harmless demonstration of this.)
 
Some terminal emulators emulate ANSI terminals well enough that they can
run an "ANSI-standard trojan horse", which consists of including control
codes in the message that invisibly program a function-key's effect, then
"press" it for you.  Function keys can hold enough keystrokes to exit
from mail and issue commands to wipe your disks.
 
Online-service access software may have, for instance, hooks to "help you
out" by automagically downloading files for you.  If a "letter" is correctly
constructed, it might use these hooks to replace system files on your
machine, or to store an arbitrary file.  If such code is there, it could
easily be susceptible to the internet-worm's buffer-overwrite trick,
allowing the trojan letter to load and execute a small amount of code -
which could blast your disk or run a larger file loaded by a previous
part of the same letter.  Services which provide such software are
unintentionally creating a large base of customers running identical
code with identical bugs at identical program addresses.
 
The point is that you aren't necessarily immune until you run a program
you downloaded.  When you read mail you are ALREADY running a program
which may have a trapdoor, deliberate or unintentional, that could
download and run such programs "for" you as you look at your letters.
 
***** end sample 2 *****
 
 
> From: Jim Jarosz <[log in to unmask]>
 
I have heard of possible ways to do damage to a user's system if they have
ANSI.SYS installed (in DOS). I know that the folks at PKWARE, the authors
of PKZIP, have a utility to look for such a threat.
 
I believe it is possible to use screen codes to erase files or even format
a disk. Perhaps you might look into this matter before telling everyone to
put their shields down. On the commercial services, there are sysops who
look for such problems, as you well know. On the 'net, we're on our own.
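An added example, not from any post in this digest: a small Python checker along the lines of the PKWARE utility Jim mentions, which walks a text file for ANSI.SYS control sequences and reports every keyboard reassignment (a sequence ending in the letter p, as in the CHKDSK sample above), including the 0;scancode form used for function keys. The sample text is constructed here from the three lines of that sample.

```python
import re

# Constructed sample text (not from the digest): the three sequences from the
# CHKDSK sample above, hidden inside an otherwise harmless note.
SAMPLE_TEXT = (
    "Nothing to see here, just a text file.\r\n"
    '\x1b[27;13;"CHKDSK";13;p'  # keyboard reassignment of the Escape key
    "\x1b[30;40;m"              # black on black, so the redefinition is invisible
    "\x1b[2J"                   # clear screen
    "\r\nHave a nice day.\r\n"
)

# One ANSI.SYS control sequence: ESC [ params final-letter, where params are
# decimal numbers and/or double-quoted strings separated by ';'.
_PARAM = r'(?:\d+|"[^"]*")'
CSI_RE = re.compile(r"\x1b\[(" + _PARAM + r"(?:;" + _PARAM + r")*)?;?([A-Za-z])")
_TOKEN_RE = re.compile(r'"[^"]*"|\d+')
KEY_NAMES = {27: "ESC", 13: "ENTER", 9: "TAB", 8: "BACKSPACE", 32: "SPACE"}

def decode_params(raw):
    """'27;13;"CHKDSK"' -> [27, 13, 'CHKDSK']: numbers are codes, strings literal."""
    return [t[1:-1] if t.startswith('"') else int(t) for t in _TOKEN_RE.findall(raw or "")]

def find_key_reassignments(text):
    """Return (key, keystrokes) for every ESC[...p sequence in text.

    ANSI.SYS treats a sequence ending in 'p' as a keyboard reassignment: the first
    parameter is the key being redefined, the rest is what it will type from then
    on (numbers are ASCII codes). 0;<scancode> names an extended key such as F1 (0;59).
    """
    hits = []
    for m in CSI_RE.finditer(text):
        params, final = decode_params(m.group(1)), m.group(2)
        if final != "p" or not params:
            continue  # colour, cursor and clear-screen sequences are harmless
        if params[0] == 0 and len(params) > 1 and isinstance(params[1], int):
            code, rest = params[1], params[2:]
            key = f"F{code - 58}" if 59 <= code <= 68 else f"extended {code}"
        else:
            key, rest = KEY_NAMES.get(params[0], f"code {params[0]}"), params[1:]
        keystrokes = "".join(chr(p) if isinstance(p, int) else p for p in rest)
        hits.append((key, keystrokes))
    return hits

if __name__ == "__main__":
    for key, keystrokes in find_key_reassignments(SAMPLE_TEXT):
        print(f"key {key} would be redefined to type {keystrokes!r}")
```

Any non-empty result means the file would reprogram a key on a PC with ANSI.SYS loaded and should not be displayed through it.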
 
 
 
> From: Bob Schneider <[log in to unmask]>
 
Well, there are those who would disagree with you.  There has been a thread
on this in the bugtraq and firewalls listservers and a reference in the
comp.risks newsgroup.  See the enclosed postings from bugtraq.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
> > From: Charles Howes <[log in to unmask]>
> > I've heard there are text files that are emailable then if run on a pc
> > actually do things.
> >
> > I.e. an Ascii-only file that's legally executable, this is probably a
> > distortion of a similar story.
> >
> > I have studied the x86 op codes to see if you can actually get much done
> > with an Ascii file.
> >
> > But of course no email programs I know of have a method to autoexecute
> > a received email.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
 
 
> From: Oisin Curtin <[log in to unmask]>
 
For users on actual terminals or users with low-end terminal programs
relying on the operating system to interpret control sequences... there
can be dangerous messages.
 
After reading a message containing an escape sequence, one or more keys
on your keyboard might have been reprogrammed to issue a nasty command...
like "format c:".  I understand such a problem came up on Fidonet many
years ago.
 
I'm all for reassuring the general public, but let's not give them a
false sense of security.  Rather, let's remind them that the only real
protection against viruses, trojans, user error and equipment failures
is frequent and comprehensive backups.  The most common cause of lost
data by far is [operator] failure.
 
 
Curly  "Just because we're paranoid
        doesn't mean there are no trojans"
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"The Only Stupid Question Is The One You Don't Ask. ASK. SOMEONE KNOWS."
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
