Trojans in the U.K.

by Veghead

Many installations, in the U.K. at least, now favor PCs as terminals to their UNIX machines.

My college, for example, uses a large Ethernet setup running Sun Microsystems' PC-NFS to access their various UNIX machines, using a PC version of Telnet.  I noticed a gapin' 'ole in the security.

As login authentication for the Ethernet, PC-NFS has a DOS-based login program, similar to Novell's, that compares a given password to the one found in /etc/passwd on a pre-specified UNIX machine.  Stupidly, it'll take the user ID and password from the command tail, so to log in I could type:

C:\> net login myid mypassword

Trojanizing this meant writing a bit of C code that would intercept the net command, save any interesting info (such as the user ID and password) in a secret file, and pass the original parameters on to the original net program, which would be none the wiser.

This meant that to the user, nothing odd would have happened - no authentication errors to put them on the scent.  In fact, it was marginally more complicated than this, as the net program interprets any parameter given as * to mean "ask the user".

For example:

C:\> net login *

will make the program respond with:

Enter username:
Enter password:

But overcoming this wasn't really a problem; the Trojan would simply put the questions to the user and then pass the answers as parameters to the real program (not forgetting to kill the echo on the password!).  It worked like a well-oiled dream!
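The wrapper above works only because a second program called net sits earlier in the search path than the real one.  The following check, added here and not part of the original article, walks a PATH in order and reports any command name that resolves in more than one directory, listing the copy that would actually run first; the directory layout and file names it builds are constructed for the demonstration.

```python
"""Report commands that are shadowed by an earlier copy in PATH.

Added example, not from the article.  The 'user' and 'sys' directories and
the 'net' and 'ls' files are constructed inside a temporary directory purely
to show the check working; point find_shadowed() at os.environ["PATH"]
entries to inspect a real machine.
"""
import os
import tempfile
from pathlib import Path


def is_executable(p: Path) -> bool:
    """True for a regular file the current user may execute."""
    return p.is_file() and os.access(p, os.X_OK)


def find_shadowed(path_dirs, names=None):
    """Map each command name found in more than one PATH directory to the
    list of its locations in PATH order.  Index 0 is the copy a shell would
    run; anything after it is shadowed.  'names' optionally restricts the
    scan to a set of command names of interest (e.g. {"net", "telnet"})."""
    seen = {}
    for d in path_dirs:
        dp = Path(d)
        if not dp.is_dir():
            continue  # stale PATH entries are common; skip them
        for entry in sorted(dp.iterdir()):
            if names is not None and entry.name not in names:
                continue
            if is_executable(entry):
                seen.setdefault(entry.name, []).append(str(entry))
    return {name: locs for name, locs in seen.items() if len(locs) > 1}


def demo():
    """Constructed layout: the genuine 'net' lives in sys/, a second 'net'
    in user/, and user/ is listed first in PATH, as a wrapper would need."""
    with tempfile.TemporaryDirectory() as tmp:
        user_dir, sys_dir = Path(tmp) / "user", Path(tmp) / "sys"
        user_dir.mkdir()
        sys_dir.mkdir()
        for f in (user_dir / "net", sys_dir / "net", sys_dir / "ls"):
            f.write_text("#!/bin/sh\nexit 0\n")  # stand-in executables
            f.chmod(0o755)
        return find_shadowed([str(user_dir), str(sys_dir)])


if __name__ == "__main__":
    for cmd, locs in demo().items():
        print(f"{cmd}: runs {locs[0]}, shadows {', '.join(locs[1:])}")
```

Only "net" is reported, since "ls" exists in a single directory; on a real system, compare the first entry against where the package or installer put the program.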

I was considering the idea of a "generic Trojan" that could be used in all manner of situations without the need for re-writing the actual code.  What I came up with was a badly written bit of 8086 code (I called it Keyspy) that does the following.

1.)  When executed, hooks int 15h and Terminate-and-Stay-Resident (TSR).

2.)  Records the next forty keystrokes the user makes using the "Keyboard Intercept" interrupt.  (So don't try and run it on old style keyboards - it won't work!)

3.)  Next time it's executed, it dumps down the key scancode info to a disk file, unhooks itself from the interrupt table and releases the 1k or so of memory it's been holding hostage up until then.

What use is this?  O.K., what would happen if you ran it before running PC-TELNET?  The next user to come along would notice nothing wrong and would hopefully login.  All the time, the program would be noting down everything the user was typing.  Later on you go back, run it again and it will obediently supply you with a file containing the first forty scancodes of the keys the user had hit.

One way of getting round traditional Trojans is to log in twice, firstly with a dummy password like F*CKYOU, so if the program has been Trojanized you don't get caught and the hacker gets a message.  Even if the above user had done this, they would still get caught.

On our network all software is run using a networked copy of a DOS menu called Automenu.  All that needs to be done is to insert a command to run Keyspy into the menu code before and after it runs Telnet.  Then, when anyone uses Telnet from anywhere, Keyspy supplies a copy of their keystrokes to a centrally located file where I can pick them up from.

Ideally, you would have a program that would dump the info to a file itself, without having to be run again, but it would make the code far more complex with loads of undocumented calls, etc. and quite frankly, I couldn't be arsed.

Adventurous programmers could then adapt that program to allow it to wrap itself around an executable file, infecting it so to speak.  That way it would be almost undetectable.

The other real downer is that it saves scancodes and not ASCII or anything useful like that.  It's necessary to write a program that converts the alphanumeric scancodes to ASCII for your particular keyboard.