Info about a PostScript trojan
From Jeff Shulman

While I have yet to actually see this trojan there does seem to be enough evidence that one actually exists. What it is is either some font, graphic or document that resets the LaserWriter password to something other than zero (the default), causing further print jobs the next time the LW is reset to fail.

Since it really isn't a Mac executed piece of code you cannot use something like "GateKeeper" to prevent it from doing anything. I suppose you can scan for it but you would have to virtually scan every document for it.

The best remedy is to either prevent the password from being changed or just change it back to zero. The following are some messages I have seen that discuss these options. Note, I personally cannot vouch for them and am providing them with no warranty...

Jeff
VirusDetective author
------------------------------------------------------------------

Subj: LW PW Change Prevention - 90-07-26 19:15:22 EDT
From: Jeff Shulman

I've attached a copy of the fax Henry Norr forwarded to me to the end of this note.

I don't know how knowledgeable Peter Fink is. He certainly knows more about PostScript than I do, but that's easy, since I don't know any PostScript.

I've also included a copy of a posting by Woody Baker which appeared on comp.virus today. This posting claims that it is possible to read EEPROM and hence determine the "evil password." This is important, since it means that it would NOT be necessary to replace the EEPROM as claimed by Fink.

I'm passing all of this on to the rest of you in the hopes that some Masher is a PostScript expert and can make some sense out of all of this.

John Norstad

--------------------------------------------------------------------------

From: Peter Fink, DesktopTo Press, 617-527-1899, FAX 617-332-1533
To: PostScript Imagesetting Community - Manufacturers, Software Vendors, Press
Date: July 22, 1990
Subject: Password-change vandal and protective Password Alert! PostScript code

Peter Fink Communications, Inc.
DesktopTo Press
26 Wetherell Street
Newton MA 02164.

Dated July 22, 1990

Message:

It appears that some sort of "Trojan Horse" PostScript file has been
vandalizing PostScript RIPS and printers by resetting their passwords to an
unknown value. This forces the owner to replace the printer's EEROM.

The problem has occurred in several separate areas of the USA during the past few weeks. MacPrePress reported the problem two weeks ago. Friday we received a report from New York City of a password change that day.

The nature of the password vandal is not yet known. We have developed simple protective PostScript code, however, and are disseminating it free of charge. This code will also help find the offending file.

Details and Password Alert! PostScript code follow. Please feel free to
distribute this material inside and outside your organization as needed.

-----------------------------------------------------------------------------

Subj: LW PW Change Prevention (cont) 90-07-26 19:17:54 EDT
From: Jeff Shulman

Password Alert!

serverdict begin 0 exitserver                    % leave the server loop so the definition outlives this job
statusdict /setpassword                          % replace the real setpassword in statusdict
{userdict begin /evilpassword exch def end pop   % keep the new password as /evilpassword, drop the old one
(!! PASSWORD ALERT - NOTIFY OWNER!!) = flush     % message back to the printing application
/Helvetica findfont 24 scalefont setfont
20 50 720 {70 exch moveto                        % one line every 50 points up the alert page
(!! PASSWORD ALERT - NOTIFY OWNER!!)
show} for
showpage
} put

[note - I have transcribed this from a fax of a fax, and I do not know any
PostScript. It was particularly difficult to distinguish between curly braces
and parentheses in the copy I received. So there may well be errors in the
code displayed above - JLN]

Password Alert! is designed to do three things:

1. It protects your RIP by redefining the setpassword operator. This
redefinition remains in effect from the time you download Password Alert! until the time you reset or reboot the RIP.

2. If a print job tries to reset your password, Password Alert! crashes the
job (which probably doesn't produce a page anyway), sends a PostScript
message to the printing application, and screams bloody murder via its alert
page.

3. Password Alert! also captures the "evil" password you were about to receive
and stores it harmlessly in userdict so you can reveal it to the world. (If
we're lucky, the vandal substitutes the same evil password for zero in all
cases. If this is so, knowing the evil password will save future victims
considerable time and money. By the way, the evil password might not be an
integer, despite what it says in the Red Book.)

If an alert page shows up in your shop, you should apprehend the file being
printed, complete with associated graphics and fonts (likely candidates for
the vandal code). You should also immediately use the Print Evilpassword
utility on the next page to obtain a printout of the evil password - and of
course you should contact us and the entire PostScript community.

Associated with Password Alert! are three brief utility PostScript files:

1. Test - Attempts to change password (to confirm that Password Alert! is
installed)

serverdict begin 0 exitserver
statusdict begin 0 1 setpassword

Test tries to change the password from 0 to 1. Download this file after
downloading Password Alert! - you'll probably see the alert message and the
alert page should print. If this doesn't happen, Password Alert! hasn't
downloaded successfully (or has been transcribed incorrectly). You will
probably see the standard %%[exitserver... message. If so, Test has changed
your password to the number 1.

2. Revert to Zero - Changes the password from 1 back to 0 if needed.

serverdict begin 1 exitserver
statusdict begin 1 0 setpassword

Revert to Zero changes the password from 1 back to 0. Download Revert to Zero
if Test gives you the standard %%[exitserver... message and no alert.

3. Print Evilpassword

/Helvetica findfont 12 scalefont setfont
70 70 moveto (The evil password is: ) show
userdict /evilpassword get 256 string cvs show   % fetch the captured value from userdict and print it
showpage

[The word "cvs" in the third line above may have been "cvg" or something else
- it's very unclear on the fax of the fax. I think it must be "cvs" for the
PostScript "convert to string" operator - JLN]

If Password Alert! prints an alert page, someone has attempted to change your password. You may have foiled the vandal - and captured the evil password! If so, download Print Evilpassword to print a page with the evil password. Do this before rebooting the RIP, because rebooting will remove the captured /evilpassword that generated the alert page, plus all associated fonts and graphics files!

If you obtain the evil password (and/or a suspected vandal file), contact
Peter Fink and DesktopTo Press at the address, phone or FAX below. Password
Alert! should work on all PostScript implementations, and probably also on
clones that use exitserver and the PostScript password scheme. I'd like credit
for writing this program but claim no commercial rights - this code is free
and (as always) used at your own risk. Every service bureau with PostScript
or PostScript-compatible printers should use this or similar code immediately.

Hope this helps you!

Peter Fink, DesktopTo Press
617-527-1899, FAX 617-332-1533
26 Wetherell Street, Newton, MA 02164
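Jeff's remark at the top that the only host-side defence is to scan every document, together with the false-positive risk of a naive search (Password Alert! itself carries the word "setpassword" in its own message string, and any job can mention it in a comment), suggests a small pre-spool check. The Python below is an added example, not code from this page or its authors; the operator list and the sample jobs are constructed from the snippets shown here, and an eexec section is simply reported as opaque because its contents cannot be read as source.

```python
import re

# Operators a print job has no reason to use unless it is touching the
# printer's password: setpassword changes it, exitserver makes the change
# outlive the job, readeerom reads the stored value back out.
SUSPECT_OPERATORS = {"setpassword", "exitserver", "readeerom"}


def strip_comments_and_strings(ps: str) -> str:
    """Blank out % comments and (...) string literals, so that a message such
    as (!! PASSWORD ALERT - NOTIFY OWNER!!) or a commented word never matches."""
    out, i, depth = [], 0, 0
    while i < len(ps):
        c = ps[i]
        if depth == 0 and c == "%":          # comment: skip to end of line
            while i < len(ps) and ps[i] not in "\r\n":
                i += 1
            continue
        if depth > 0 and c == "\\":           # escaped char inside a string
            i += 2
            continue
        if c == "(":                          # strings nest: (a (b) c)
            depth += 1
        elif c == ")" and depth > 0:
            depth -= 1
        elif depth == 0:
            out.append(c)
        i += 1
    return "".join(out)


def scan_postscript(ps: str) -> dict:
    """Classify one PostScript job: which password-related operators it
    names as code, and whether part of it is hidden inside an eexec section."""
    code = strip_comments_and_strings(ps)
    tokens = set(re.findall(r"[A-Za-z]+", code))
    found = sorted(SUSPECT_OPERATORS & tokens)
    # eexec-encrypted text cannot be inspected as source; treat it as opaque
    opaque = "eexec" in tokens
    return {"suspect_operators": found, "eexec_section": opaque,
            "verdict": "review" if found or opaque else "clean"}


# Constructed sample jobs, modelled on the snippets in this page.
TEST_JOB = "serverdict begin 0 exitserver\nstatusdict begin 0 1 setpassword\n"
CLEAN_JOB = ("%!PS\n% the word setpassword only in a comment\n"
             "/Helvetica findfont 12 scalefont setfont\n"
             "70 70 moveto (setpassword in a string) show showpage\n")
EEXEC_JOB = "%!PS-Adobe-1.0\nmark currentfile eexec\n00000000\ncleartomark\n"
```

A "review" verdict is expected for Password Alert! itself and for the Test and Revert to Zero files, since all of them legitimately touch the password; the check is meant to surface jobs that do so unexpectedly, not to replace the in-printer defence.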

-----------------------------------------------------------------------------

Subj: LW PW Reset 90-07-26 19:20:13 EDT
From: Jeff Shulman

From: [email protected] (Nigel Yeoh)
Subject: resetpassword.ps
Summary: resetting passwords on the laserwriter
Date: 19 Jul 90 23:22:47 GMT
Organization: The IBM PC User Group, UK.

Here is the piece of code that resets the password in a PostScript printer, which I've obtained. I'd like to make a point of clarification. Some people might know that Woody Baker offered to make copies of his code available to people who wrote in to him, subject to slightly more onerous conditions than at least one other person on the net thought correct. I then offered to make this code available, making an oblique barbed reference to Woody in the process. I have since had the opportunity to speak to Woody about this, and I would like to emphasize that Woody's code is more complex and contains more powerful, and dangerous, operators than mine, and considerable potential for harm. Woody's terms are entirely appropriate and generous considering what he had on offer. I think I've provided a cleaner and simpler solution but those who need the additional power of Woody's code can still write to Woody. This program resets the password to zero, using the standard PostScript operator setpassword. Woody and I both feel that in this form, the code is useful to those who have forgotten the laserwriter password and don't feel apple ought to charge an arm and a leg to correct the problem, and not particularly dangerous, though of course such things by their nature can cause harm. Please use with care. I can't guarantee this will work but it's not likely to blow your laserwriter to bits in the process at least. It will most likely fail on clones and won't work with Emerald RIPs.

%!PS-Adobe-1.0
% Title: ResetPassword.ps
%
mark currentfile eexec
000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000
cleartomark end
statusdict begin
177 readeerom 24 bitshift 178 readeerom 16 bitshift or
179 readeerom 8 bitshift or 180 readeerom or
0 setpassword