

jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland

 D.I.R.T. - joke or for real? Magic Lantern?

They had this on cryptome.org. I remember DIRT was considered as a joke...until issues related to Magic Lantern came out. Is this for real or....Cryptome does seem like a reliable source.

Hmmmm....

»cryptome.org/dirt-guide.htm
--
My privacy related homepage & PGP keys:»www.markusjansson.net

New Years$

join:2001-12-20

Markus, dirt was just another trojan sold by some nut case who pretended the cops used it and he tried to make a buck on it.

It is an every day..badly written thing..it is OLD as the HILLS.

You sure do hang around in Paranoiaville a lot lately. But, I love the stuff you come up with.

Giggles.

»www.theregister.co.uk/content/4/19480.html

Reg duped by crime-busting D.I.R.T Trojan
By Thomas C Greene in Washington
Posted: 06/06/2001 at 00:04 GMT

My recent article on the D.I.R.T. (Data Interception by Remote Transmission) Trojan, with which law-enforcement agents can secretly monitor a suspect's computer and which is marketed by surveillance outfit Codex Data Systems, contained several inaccuracies, all of which can be attributed solely to my own lapse in the skepticism for which The Reg in general, and I personally, are known.

The full story, as it happens, is immensely more twisted than I imagined when I wrote my original item. Clearly, The Register's readers deserve better -- and here it is:

S.C.A.M.
Thanks to several e-mailed hints from readers, I continued doing background research and have now confirmed that the CEO of Codex Data Systems is one Francis Edward "Frank" Jones, a convicted felon currently on probation for illegal possession of surveillance devices. He was charged with trafficking and conspiracy to traffic in them, but in an agreement he pleaded guilty to simple possession, and the US Government dropped the other two charges.

He was sentenced to three-hundred hours' community service and five years' probation with no jail time, on the strength of his argument to the court that he was not responsible for his illegal acts by reason of mental defect. He has also been required to participate in a mental-health program, which, judging by some of his recent behavior, appears to be less than a screaming success.

Jones is widely regarded as a scam artist with a long history of security/surveillance snake-oil sales. He has, for example, sold bug-detection services, which we're told are completely fraudulent, involving detection apparatus easily cobbled together from the inventory of Radio Shack. He's reported to have planted a bug which he subsequently 'found' during one such charade.

A Legend in His Own Mind
He's also a shameless, Boswellian self-promoter with a Web site devoted to himself in his on-line incarnation, "SpyKing."

Here we're told that SpyKing/Jones is "formerly in military and law enforcement service," and "a popular talk show guest with 15 appearances on national & regional programming and news specials."

As for his law-enforcement experience, we've since learned that he managed to get himself fired from the New York City Police Department in 1975, according to a letter by Association of Counter-Intelligence Professionals (ACIP) Executive Director Michael Richardson.

But the PR beat goes on: "Jones has lectured at M.I.T. (Massachussetts [sic] Institute of Technology) on TEMPEST computer eavesdropping techniques," his Web site claims. Indeed, "No other speaker has their thumb on the pulse of changing world trends in immerging [sic] surveillance technologies."

Our illiterate subject has conned such publications as PC World, E-BusinessWorld, TechWeek, the Wall Street Journal, and, thanks to my carelessness, The Register as well.

The D.I.R.T. on the Trojan
The truly inexcusable element of my first story was my failure to challenge rigorously Codex's claims regarding the amazing power of its D.I.R.T. Trojan.

Had I taken the time to learn that SpyKing/Jones was behind this, I would have immediately suspected that it's a lot more talk than technology. But I ran with the piece out of eagerness to work my own agenda, motivated by personal outrage that anyone would be so irresponsible as to sell a Trojan to law-enforcement and governments as a surveillance device.

And the reason for that outrage survives even now; D.I.R.T. unquestionably permits police to upload bogus evidence to a suspect's machine and offers no auditing controls by which they might be caught, which was the focus of my original report.

That much hasn't changed; D.I.R.T. is absolutely ripe for abuse without accountability, and Jones is utterly damnable for trying to sell it to governments and police organizations.

But I was on very shaky ground in reporting its true capabilities. My subsequent investigation indicates that Codex's claim that D.I.R.T. can defeat all known PC firewalls is, quite simply, false.

Furthermore, their claim that "the software is completely transparent to the target and cannot be detected by current anti-virus software," is misleading, if not completely false. There is no technology in D.I.R.T. responsible for this sort of stealth; the server isn't detected simply because no anti-virus vendor has as yet added it to their signatures catalog.

Defeating D.I.R.T.
My suggestions in the original article for defeating D.I.R.T. remain basically sound, if perhaps a bit over-cautious due to my mistaken belief that it defeats all known firewalls (though there is reason to believe it may defeat a few).

Because it isn't presently detected by anti-virus software, one does have to look for evidence of it. By default, it installs two files in the C:\WINDOWS directory -- DESKTOP.EXE and DESKTOP.DLL. If you find either of those files, you need to remove them and any associated files (such as .LOG files), or re-format your HDD to be on the safe side.

One can also check their Windows registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
HKEY_USERS\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
HKEY_USERS\DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
for any references to DESKTOP.EXE or DESKTOP.DLL.

For those not intimately acquainted with the incontinent complexities of the Windows Registry, it would be best simply to search the entirety for references to both files mentioned. (It's also worthwhile to check out some of the suggestions in my previous report.)

Now, because those file names are defaults which can be modified by savvy operators, I'm not saying, 'if you can't find the files, then you're not infected.' The names can be changed; but we can rely on the fact that most operators will be using D.I.R.T. in its default configuration -- after all, its chief selling point is that it can be used successfully by the technically illiterate.

One final point regarding defenses against the Trojan: soon after I posted the first article recommending disk re-formats for those unsure how to combat D.I.R.T., which was mentioned and linked at Cryptome.org, a reader submitted the following warning:

"D.I.R.T. uses 'unused' space in the file system, so high-level reformatting will not destroy it. (This 'unused' space is used by operating systems to handle classified information with data structures similar to that in SE_Linux). Removing D.I.R.T. requires wiping the disk at the device-driver level."

I spoke with Eric Schneider, who wrote the program before leaving Codex on ethical grounds; and he told me that so far as he knows "there is no technology in D.I.R.T. which comes close to surviving a high-level format."

So there you have it. Codex's D.I.R.T. is a remote administration tool that functions in large part just like the free Trojans SubSeven and BO2K, which is being sold by a disgraced former cop, current felon and self-confessed lunatic for thousands of dollars a pop to creepy Feds in countries where the sort of abuse it invites is routine and impossible for a victim to challenge in court.

In all, a loathsome scam run by an equally loathsome con artist. ®
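
The file and registry checks from the Register article quoted in the post above, as an added example (not part of the thread or the article): it scans a saved directory listing and a regedit text export offline for the two default file names, and marks whether each registry hit sits under the CurrentVersion branch. The sample listing, value names and the ConstructedVendor key are constructed; as the article notes, the names are defaults an operator can change, so an empty result does not rule the Trojan out.

```python
import re
from pathlib import PureWindowsPath

# Default install location and file names given in the quoted article.
DEFAULT_DIR = PureWindowsPath(r"C:\WINDOWS")
DEFAULT_NAMES = {"DESKTOP.EXE", "DESKTOP.DLL"}
# Registry branch the article names, upper-cased for case-insensitive matching.
BRANCH = r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION"
# Whole file name only, so e.g. MYDESKTOP.EXE is not reported.
NAME_RE = re.compile(r"(?<![A-Za-z0-9_])DESKTOP\.(?:EXE|DLL)(?![A-Za-z0-9_])", re.I)

def scan_file_listing(paths):
    """Return listed paths that are a default file name directly in the Windows directory."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        same_dir = str(wp.parent).upper() == str(DEFAULT_DIR).upper()
        if same_dir and wp.name.upper() in DEFAULT_NAMES:
            hits.append(p)
    return hits

def scan_reg_export(text):
    """Scan a whole regedit text export; return (key, value, data, in_branch) per hit."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # start of a new key section
        elif key and "=" in line:
            name, _, data = line.partition("=")
            if NAME_RE.search(data):
                hits.append((key, name.strip('"'), data.strip('"'),
                             BRANCH in key.upper()))
    return hits

# Constructed sample input (not taken from a real machine or from the page).
SAMPLE_FILES = [r"C:\WINDOWS\DESKTOP.EXE", r"C:\WINDOWS\SYSTEM\DESKTOP.DLL",
                r"c:\windows\desktop.dll", r"C:\WINDOWS\EXPLORER.EXE"]
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConstructedValue"="C:\\WINDOWS\\DESKTOP.EXE"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ConstructedVendor\Settings]
"Helper"="C:\\WINDOWS\\desktop.dll"
"Theme"="MYDESKTOP.EXE"
'''

if __name__ == "__main__":
    for hit in scan_file_listing(SAMPLE_FILES) + scan_reg_export(SAMPLE_REG):
        print("review:", hit)
```

Hits outside the CurrentVersion branch are still reported, following the article's advice to search the entire registry for both names.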

spy1$

join:2001-10-06
Clover, SC
»www.security-pro.co.uk/yabb/YaBB···16187232 . Pete


a4nic8er
Tempus Fugit, Carpe Cerevisi

join:2001-03-09
New Zealand
reply to jansson_mark
Update: Aussie Cops getting DIRTy?

A few suckers down under. LMAO

»www.theregister.co.uk/content/55/24477.html
--
If I aim to fail and succeed, which did I do?

New Years$

join:2001-12-20
Aussie Cops getting DIRTy?

scammed would be better..maybe they will find em and lock him up again.

Anon
reply to jansson_mark
D.I.R.T. Analysis

»www.diamondcs.com.au/web/alerts/···ysis.htm

New Years$

join:2001-12-20
Wayne,

Did you include it in your last update as a sales gimmick or do you really see this as a threat?

John

Anon
reply to jansson_mark
Re: D.I.R.T. - joke or for real? Magic Lantern?

The analysis concludes that it's nothing to worry about - not really the sort of thing you can make a 'sales gimmick' out of? To this date nobody has performed a comprehensive analysis on DIRT so nobody knew what it really was (other than descriptions in media reports), so we tore it apart and performed a complete autopsy - only now can we be confident that it's not a risk.

The latest databases will naturally detect the trojan (it's very easy to detect, as the analysis demonstrates) -- it would be wrong of us not to include detection for it, but the chance of being infected by DIRT is very minimal.

Regards,
Wayne


Lurkers inc
Don't Call Me Doink

join:2001-10-13
Seattle, WA

reply to New Years$
Re: D.I.R.T. Analysis

said by New Years:
Wayne,
Did you include it in your last update as a sales gimmick or do you really see this as a threat?
John
Hi John, sorry to butt in, but that is a good question and I would not mind hearing the answer myself. Remember the heated debate about A/V companies not adding Magic Lantern to their definitions if they got a copy? I think this is a little different because D.I.R.T. is so widely available now but I doubt it will be out in the wild much myself for many reasons.

That would be a sinking feeling though to find it on my computer without my knowledge.

Do you or others here think A/V software makers like Norton and the like, should add it to their definitions?

Paul,

New Years$

join:2001-12-20

  Do you or others here think A/V software makers like Norton and the like, should add it to their definitions?
____________________________________________________________

I do not know Paul..and I do not really care. Let the others buy a copy of DIRT or contact Diamond.

I asked Wayne that question before anyone else did for a reason.

Did you see all the work that was done, not only tearing that thing apart, but then the comprehensive write up now documented.

Most of these others give you a brief description..tell you to buy their product to handle it..do not even tell you what to look for..just take two aspirin and pull out your credit card.

You can not find that on any other place on the Internet.

I call that class.

It will never be a risk for anyone who now uses that product or the upcoming TDS-4.

Case closed.

Thanks Wayne!


Lurkers inc
Don't Call Me Doink

join:2001-10-13
Seattle, WA

said by New Years:

I do not know Paul..and I do not really care. Let the others buy a copy of DIRT or contact Diamond.

You may not have noticed but "The Register" has a download link in their article for it. But that is another controversial topic that I prefer not to get into myself.

Paul,

New Years$

join:2001-12-20

  But you already did Paul..and yes I noticed the Register. But thanks for the concern.

Can the controversy be coaxed out of you..or is it a private matter? I have a deadline to meet and I am fresh out of news.


a4nic8er
Tempus Fugit, Carpe Cerevisi

join:2001-03-09
New Zealand
clubs:
·Xnet
·Xtra Broadband

reply to jansson_mark
scratched around some of those links and ...

at wilders.org antiDIRT BB message. »www.security-pro.co.uk/yabb/YaBB···16187232 says;
quote:
We've been working on it all day and TDS now easily detects this trojan with todays update.
DIRT guide page »cryptome.org/dirt-guide.htm says;
quote:
To help security researchers develop defenses against D.I.R.T. and similar covert spying tools here is the D.I.R.T. program
The DIRT vendor site (complete with 9/11 montage) »www.codexdatasystems.com/

LOL @ the perp's self-promoting web site »www.spyking.com

Well, he has balls, this Jones kid.

The wilders/security-pro link contains another link to this ... »cryptome.org/dirty-jones.htm
quote:
These are conviction and probation documents of Frank Jones, proprietor of Codex Data Systems, Inc., and producer of the D.I.R.T. covert computer surveillance program sold only to law enforcement and governmental agencies. More on D.I.R.T.
--
If I aim to fail and succeed, which did I do?
© 1999-2010 dslreports.com