19 March 2002: Add comments and links.

17 March 2002: See also DIRT's worse companion HOPE:

http://cryptome.sabotage.org/dirty-hope.htm

15 March 2002

These are responses to release of the D.I.R.T. program and user guide:

http://cryptome.sabotage.org/dirty-war.zip (the program)
http://cryptome.sabotage.org/dirt-guide.htm (HTML guide)

Considering the vile reputation of Codex Data Systems, headed by a convicted ex-cop, it is worth pondering whether any of the leaked Codex material contains code which reports back to Codex what is happening to the material and what machine is being used. Among its nasty snooping products, Codex markets BAIT and HOPE which plant such tracking and user-identification code in documents. DIRT, BAIT and HOPE report to a designated party information on targets gathered by the programs. As described for HOPE below, Codex proposes that its programs can be used to set up "dangles," that is, alluring bait to ensnare targets whose access to and use of the dangles are logged and reported back to the dangler. These are standard dirty-tricks and traps in the world of intelligence and covert surveillance.

Cryptome was assured by the dirty-tricks-knowledgeable source of the Codex material that it had been carefully checked for covert hooks and code and none was found. However, users should beware that criminal products by Codex are treacherous and could double-cross. Development of protection against treachery and double-cross of seemingly benign and covertly criminal products, not only from Codex, is the purpose of releasing the Codex material.


14 March 2002

I read the story on theregister about DIRT with interest and followed the 
link to your site.

You might want to reconsider having the DIRT software available for 
download - I downloaded it earlier and it is pathetically easy to enable 
the software for full unlimited account use giving a trojan creation 
software. (Though having thousands of trojans out there may kick the 
virus companies into action)

To activate it without requirement for a dongle took about 20 minutes of 
basic examination and only 6 bytes of change were required.

The software seems to work by shoehorning in the file CORE.DAT to 
whatever executable is tagged for 'bugging'. Disassembly of that file and 
the associated coredll.dat reveals the keylogging routines.

[Transmittal of an enabled DIRT implementation.]

I've included the listings for the relevant files along with the executables (they are 
labelled .lst in the main directory). The file "dummy1.lst" was created by disassembling 
the included dummy.exe file after 'bugging' it. dummy.lst is the file before bugging. In 
case you are wondering the name "Gary Colton" at the top of the listings comes from the 
copy of IDA pro I used to have a look :-). Perhaps he should be credited with their 
discovery :-)

Looking at the dates on the executables leads me to believe it may be an old version of 
the code.

Basically unzip, using the directory paths included. The file cctray can then be run and 
you can trojan/steal data/abuse human rights to your heart's content :-(

http://cryptome.sabotage.org/moredirt.zip (866KB)

[The program is provided for public benefit research. Use of trojans like DIRT 
against other persons is immoral and illegal unless you are a government criminal;
Frank Jones, an ex-New York City policeman and DIRT's producer, was convicted 
of this crime.]


14 March 2002

An interesting article regarding "DIRT" and its implications to the unsuspecting. Having all the pass phrases for your own security becomes a moot point when the government or other arm of the local, state, or federal institutions can acquire access to your computer. Are there ways to detect this program running in the background? Can the bug be isolated and reverse engineered? Your services to the public are appreciated by all, and myself.


15 March 2002

["Spyking" is Frank Jones.]

I don't know if you checked the "Way Back Machine", but I did. As you probably know, this guy is a punk, but here ya go anyway.

-----

December 18, 1996

http://web.archive.org/web/19971212062500/www.thecodex.com/c_howto1.html - The "spyking" walks you through the intricacies of invading somebody's privacy.

http://web.archive.org/web/19970117045426/www.thecodex.com/c_crookb.html - Then he will sell you the "CrookBook" for only $75.00. "Who knows how long it will take before the government tries to ban the CrookBook. Get you copy today! Before it's to late!"

There is a lot more.


15 March 2002

I'm going to take a wild guess at what's going on with DIRT here... By releasing the current version of DIRT into the wild, the maker assures the ability to charge for upgrades. The documentation goes so far as to indicate this is a work in progress. As we speak, highly intelligent white hats are tearing it apart. Soon a freely available detection program will be released. A little further down the road, the makers of DIRT will announce a new stealth upgrade to get past said program. This upgrade will cost money, even if you previously received the free version of DIRT.


15 March 2002

You might have already received a couple of these... and I don't know if you want to publish this on your website, but it could be helpful to people who want to try out D.I.R.T. I have only verified the initial HASP check is dead. The same call is used three different times and is the only call with any HASP error string references - so I believe that is all (if it's an actual HASP dongle at all). I am cautious to play too much with this... Kaspersky AntiVirus reports the coredll.dat is Trojan.PSW.Johar, which makes DIRT almost useless if the person is running anti-virus software though. If D.I.R.T. were a serious product a custom trojan should have been written.


I tried to send the moredirt.zip from my home address to my work address, but it got caught in our virus detector. The attached text is in Danish, but what it says is, basically, that the Moredirt.zip file contains the virus PWS-johar.dll, which I haven't heard of before. Neither has Google. Just to inform you.

---------- Forwarded message ----------
Date: Fri Mar 15 16:11:52 2002
From: mailgateway@pol.dk
Subject: Virus Detected by Network Associates, Inc. Webshield SMTP V4.5 MR1a

Du har sendt en mail til <skipper@eb.dk> som indeholdt virus'en PWS-Johar.dll. Mailen er ikke kommet frem til modtageren. Rens din maskine for vira og prøv igen


15 March 2002

Full details on the DIRT trojan JOHAR can be found here:

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PSW.JOHAR.A

and here:

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PSW.JOHAR.A&VSect=T

and here:

http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PSW.JOHAR.A&VSect=S

DIRT uses the same filenames - desktop.exe, desktop.log and desktop.dll just like the psw.johar.a trojan.
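The filename overlap reported above (desktop.exe, desktop.log, desktop.dll shared with PSW.Johar, plus the CORE.DAT and coredll.dat files named by the earlier cracker) is a host-side indicator a responder can sweep for. The Python script below is an added example, not code from the page or from any reader or vendor: it groups a file listing by directory and treats the full desktop.exe/.dll/.log set in one directory as a stronger signal than any single name, since desktop.log on its own is a generic filename. The sample listing is constructed, and the full-set/partial ranking is our heuristic, not an AV vendor's.

```python
# Added example, not from the page: rank the DIRT / PSW.Johar filename
# indicators given above by how many of them co-occur in one directory.
from collections import defaultdict
from pathlib import Path, PurePosixPath

# Filenames named in the reader reports above (compared case-insensitively,
# because Windows filesystems are).
JOHAR_SET = frozenset({"desktop.exe", "desktop.dll", "desktop.log"})
CORE_FILES = frozenset({"core.dat", "coredll.dat"})


def classify(paths):
    """Map each directory to the set of indicator filenames found in it.

    paths: iterable of path strings; backslashes are normalised so that a
    listing copied from a Windows box works unchanged.
    """
    hits = defaultdict(set)
    for raw in paths:
        p = PurePosixPath(raw.replace("\\", "/"))
        name = p.name.lower()
        if name in JOHAR_SET or name in CORE_FILES:
            hits[str(p.parent)].add(name)
    return dict(hits)


def assess(paths):
    """Return (directory, verdict, names) triples, sorted by directory.

    'full-set': all three desktop.* files sit together (strong signal)
    'partial' : only some indicator names present (needs AV or hash
                confirmation; desktop.log alone is a generic name)
    """
    out = []
    for directory, names in sorted(classify(paths).items()):
        verdict = "full-set" if JOHAR_SET <= names else "partial"
        out.append((directory, verdict, sorted(names)))
    return out


def scan_tree(root):
    """Walk a real directory tree and run assess() over its files."""
    return assess(str(p) for p in Path(root).rglob("*") if p.is_file())


# Constructed sample listing (not taken from any real machine).
SAMPLE_LISTING = [
    r"C:\WINDOWS\SYSTEM\desktop.exe",
    r"C:\WINDOWS\SYSTEM\Desktop.dll",
    r"C:\WINDOWS\SYSTEM\desktop.log",
    r"C:\Temp\alice\desktop.log",       # a lone log file: weak signal
    r"C:\Temp\dirt\CORE.DAT",           # the file the cracker named above
    r"C:\Program Files\app\app.exe",    # unrelated, must not be reported
]

if __name__ == "__main__":
    for directory, verdict, names in assess(SAMPLE_LISTING):
        print(f"{verdict:9} {directory}: {', '.join(names)}")
```

Run it as-is to see the constructed listing ranked, or call scan_tree() on a mounted image; a "partial" hit is a prompt to check the file with an AV scanner or hash, not a verdict on its own.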
Date: Sat, 16 Mar 2002 23:10:45 -0500 (EST)
Subject: Re: The Register - Law-enforcement DIRT Trojan released
To: cypherpunks@lne.com
From: Anonymous <anonymous@non.org>

Major Variola (ret) wrote:

> At 10:40 PM 3/14/02 -0600, Jim Choate wrote:
>
>>http://www.theregister.co.uk/content/55/24433.html
>
> Nice.  The .zip file referenced in that article
> (http://161.58.201.197/dirty-war.zip)
> has the following contents:
>
>     Hasp.zip
>     DIRTinstall.ltr.pdf
>     DIRTManual2_2clr.pdf
>     Dirtcdrelease.zip

Current status with this package is that the exe's been cracked in about 20 minutes, and it's been identified (in signature, leastways) as the trojan JOHAR.

The rest of the files in the /original/ archive all date back to at least a year old - most of them are from 2000. Much of this is basic installation fluff, usage guides and marketing tosh. There are some responses to pitches (one for Air Force Office of Special Investigation, another for the US army), an NDA that (coincidentally?) expired a few months ago, and umpteen docs giving the company's business plans and sales targets. All the IPs listed in the docs (for sample runs or default mail servers) are dead now.

As far as I can tell, none of the files have any bugs in, but never say never... I haven't run any of the installers to check for dates within them. If anyone has done so, are they able to confirm version numbers and/or release dates in them?

There are three installers in the archive - DIRT (released along with guide on cryptome), BAIT (seems to be a bug dropper, probably incorporated into the DIRT system) and PCPhoneHome (software that "checks-in" to a location which can be monitored by the "CDS Command Center").

Other products and services mentioned in the docs are:

- ACHTUNG!: "allows system administrators full remote supervision of all company Windows-based personal computers via the Internet/Intranet." (some "civilian" version of DIRT.)
- N.E.S.T.: "a hardware/software application that enables cable system operators detect ongoing theft-of-service"
- Hacking 101: "training seminars ... primarily ... directed toward law enforcement/government/military officials but, on a case-by-case basis, may be may available to private corporations as well."
- H.O.P.E.: a "combination [of] hardware/software ... that has the capacity to deliver the D.I.R.T.™ technology on a ... worldwide scale that has proof of concept and is designed for military/intelligence use."
- H.E.R.F.: "hardware based and utilizes high-energy radio frequencies to render a target's electronics inoperable."
- HACK THIS: "series of servers with the invitation to the general public to have these servers hacked with impunity. ... Logs will be kept of the hacking techniques used and reports will be generated for industry and military on the latest techniques used and the trends displayed by the attackers."
- HACKER ELITE: "a software based game that utilizes the information gathered from the HACK THIS™ program to develop a best-selling retail game."

No more information is available on the state of these projects. They are all marked as R&D aims awaiting capital, but it's always possible that CDS realised some of them were losers from the start... Of the above though, the threat of "HOPE" is one that could easily be driven by the current state of paranoia and stupidity.

I seem to be completely unable to read just about all of the MS Excel files from the archive, so if anyone has had any success with those, I'd be glad to hear. A quick scan in a hex editor doesn't help much.

What does this release achieve then? Outdated marketing documents and ancient installers may not seem like too much of a catch. On one hand, CDS have had brochures and Powerpoint slideshows and documents meant only for law enforcement offices spread all over public desktops. Public credibility amongst the knowledgeable would be non-existent.

On the other hand, what have they got to lose, compared to what they have to gain? If they wanted to release old business documents to release their own bug technology, they could have possibly achieved it, but I don't think they're that clever or stupid. Certainly, hits to their webpages would have hit new heights (including all the links through to their new venture, http://www.cybercrimenews.com/). Spam-like, the amount of people noting the "leak" and spitting on the trojan, compared to the amount of good publicity generated might be worth it for the amounts they charge - even 5 new customers would probably be enough.

Judging by the glossy talk, the hype ripped from man pages and the level of technical expertise within the docus, their target market seems to have always been the managers that had more money than sense to look up "Netbus" on Google (the released exe's get picked up just as easily by A/V software anyway).

Hopefully, this will open up the doors to further, more up-to-date information. I would hope that some of those that would otherwise consider such a solution would also take into account the publicised critics.

On a more bizarre note, it's the only website I've ever seen running on MacOS, with a free-to-use chat client running on telnet...
Date: Sun, 17 Mar 2002 13:29:34 -0800
To: cypherpunks@lne.com
From: John Young <jya@pipeline.com>
Subject: More Codex Docs

Another batch of leaked Codex docs appeared last night, the total is now about 140, with, as noted by Anonymous, many of those being company business docs and fluff. A PowerPoint presentation on H.O.P.E. was among the latest:

  http://cryptome.sabotage.org/dirty-hope.htm

The HOPE program itself was not leaked, but perhaps will be in the future. Mainly what a HOPE-rigged server does is conceal a DIRT tracking and reporting bug in deliberately publicized documents with snoop-appeal, called "dangles," to ensnare the unwary and to trace the distribution of the dangles as well as to assign an ID to every machine that handles the docs. These reports are sent to the dangler or Codex will offer that service.

In addition to thinking Codex leaked the docs to boost its products, one might suspect documents of being dangles, and we have added a note to warn of that. So far nobody has found evidence of a planted bug to track the leaked documents. Still, beware. And let us know if bugs are spotted.

We were not able to open the XLS docs and a few others, which appear to have protection; however with a hex editor we could see that the docs show who either bought Codex products or to whom proposals were made. They range from the New Jersey District Court Pre-Trial Services (perhaps related to the Scarfo case -- DIRT is a possible candidate for the Scarfo keylogger), to the US government (mostly mil), to an Egyptian government technical research laboratory, to a variety of corporations and educational institutions (all named). Some of these were DIRT customers, some for BAIT, an anti-theft computer tracking program. Once we get full access we'll publish the names of DIRT customers.

The docs also describe Codex contracts with resellers and partners in the US, Australia, Argentina and elsewhere, with profit-sharing arrangements and NDAs. We'll publish this stuff once transcribed.

There's a slew of business plans and profit projections, one 5-year projection is to nearly $300 million gross. However they appear to be fund-raising fluff more than actual plans. And most precede the collapse of digital boomtime.

As anonymous noted, a fair amount of the material seems designed to exploit the gullible, with a full panoply of security scare stories and promises of products to deal with any wet dream of intelligence and law enforcement for ballooning budgets and preparing plans for defending against imaginary enemies. Pretty well emulating the digital security market as if Codex was avidly reading this list.


17 March 2002

Take a look at the following link present in one of the leaked documents and see if it is of interest. It looks like everything Codex is peddling is based around a simple Microsoft Visual Basic Trojan Horse that gets flagged by just about every virus detection package out there. The Trojan sets up a "back orifice" interface, and allows evidence to be planted on the targeted machine.

If you very carefully read the "Confidentiality Agreements" that were leaked it appears that the primary goal of the felon Jones is to keep customers from examining the products, and to conceal everything until the potential customer is on the hook with a MOU or contract (after which time it would be too late for them to back out of the deal).

Further examination of the leaked documents reveals that CODEX is currently running some major scams in Canada and South Africa, and that most of their business got cut off in the US after the DLA banned them from doing business with the government.

Based on the leaked documents it looks like PC-Phone-Home is just Cyber-Angel in a different box, and it is a matter of public record what a failure the software was. H.O.P.E. is nothing more than DIRT with a slightly modified interface.


17 March 2002

I've been working on the xls-files from CODEX, but apparently I'm not the only one who hasn't been able to open them. Still trying. It seems the docs are trying to access a file named invdb.xls or something to that kind. Do you have a link for the new batch of files? I'm dying with curiosity here.
Date: Mon, 18 Mar 2002 06:47:21 -0500 (EST)
Subject: Re: More Codex Docs
To: cypherpunks@lne.com
From: Anonymous <anonymous@non.org>

John Young wrote:

> A PowerPoint presentation on H.O.P.E. was among the
> latest:

Worth getting just for those sexy-hype-gifs alone... Surely it's "d4 \/\/4r3Z 3|V|p1R3" though. I'm afraid, anyway. Pesky punk terrorist paedophile piraters. Stop pointing your leet hacker death rays at me!

> The HOPE program itself was not leaked, but perhaps will be
> in the future. Mainly what a HOPE-rigged server does is
> conceal a DIRT tracking and reporting bug in deliberately
> publicized documents with snoop-appeal, called "dangles,"
> to ensnare the unwary and to trace the distribution of the
> dangles as well as to assign an ID to every machine that
> handles the docs.

[...]

> As anonymous noted, a fair amount of the material seems
> designed to exploit the gullible, with a full panoply of
> security scare stories and promises of products to
> deal with any wet dream of intelligence and law enforcement
> for ballooning budgets and preparing plans for defending
> against imaginary enemies. Pretty well emulating the
> digital security market as if Codex was avidly reading
> this list.

Without dismissing the validity of the leaked code entirely... But an interesting proposition. Some quick thoughts on the possible origins and reasons for disclosure...

Case 1; the archives are from an old repository of marketing bumph - a directory used by, say, Terrance "L" Knawles as a store for external yet confidential documents - press releases, financial reports, fancy slideshows and product demos. Possible sources are internal employees disgruntled by the company/management that have discovered old material, or morally-justified hackers playing Codex at their own game. The former is backed up by the reputation and public portrayal of Frank Jones, the latter by the (superficial, at least) seeming absence of technical presentation or knowledge in any of the witnessed documentation (again, I have not run the executables, so am reluctant to comment on them) or associated resources (see "website constructed by monkey on remote-access riddled Mac server"). Outcome - CDS discredited yet further, world saved.

Case 2; the archives are from an old repository of since-expired and/or worthless and/or superseded documents, agreements, reports and programs. To stir up some business, CDS (ignoring possible Baiting tactics, although the irony is almost unbearable) decides to use the established information dissemination network to make DIRT and HOPE household names. After all, people buy things simply if they've heard a name before, no matter the context. In addition to increased sales and interest, CDS can monitor industry speculation as to current technology/possible implementations (of "bugs", HOPE, DIRT v3.0, etc) - minimal effort R&D, effectively. Outcome - HOPE becomes a reality in some aspects, or under some governments.

Without further, more recent evidence, it is hard to have much faith in case 1. As a note, the apparent lack of "bugs" within released docs should not be taken for granted in any repetitions. I suspect CDS would have been watching the spread of the first lot with interest, bugged or not.

Both technically and politically, little has been gained from the material seen. However, one would hope that the cat is partially out of the bag, and that material worthy of discussion would be released soon, to fly in the face of the powerpoint propaganda. Maybe it's time to dust off my video of "Hackers", jack-in to the cyberunderground and go hunt some orc.
18 March 2002

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Dirt command received"; flags: A+; content:"run"; *additional Snort fluff goes here*)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Dirt command received"; flags: A+; content:"killbug"; *additional Snort fluff goes here*)
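The two rules above fire on any inbound ACK-bearing segment whose payload contains "run" or "killbug" anywhere. The Python below is an added example (not code from the page, from the reader who posted the rules, or from Snort) that emulates that literal reading over a few constructed packets and contrasts it with a stricter variant. The Packet class, the flag constant and all sample payloads are our own stand-ins; the stricter variant assumes the command is sent as a bare line, which the page does not confirm about DIRT's protocol, so treat it as a tuning idea rather than a known fact.

```python
# Added example, not from the page: emulate the two Snort rules posted above
# over constructed packets and show why a bare content:"run" match is noisy.
from dataclasses import dataclass

TCP_ACK = 0x10  # ACK bit; Snort's "flags: A+" means "ACK set, other bits don't care"


@dataclass
class Packet:
    """Minimal stand-in for one inbound TCP segment ($EXTERNAL_NET -> $HOME_NET)."""
    dport: int
    flags: int
    payload: bytes


# The two strings the posted rules look for.
DIRT_COMMANDS = (b"run", b"killbug")


def posted_rule(pkt):
    """Literal reading of the posted rules: ACK set, string anywhere in payload."""
    if not pkt.flags & TCP_ACK:
        return []
    return [c.decode() for c in DIRT_COMMANDS if c in pkt.payload]


def anchored_rule(pkt):
    """Assumption (ours, not the page's): the command travels as a bare line,
    so require the whole payload, minus CR/LF, to equal the command."""
    if not pkt.flags & TCP_ACK:
        return []
    line = pkt.payload.strip(b"\r\n")
    return [c.decode() for c in DIRT_COMMANDS if line == c]


# Constructed sample traffic (no real capture was used).
SAMPLES = [
    Packet(1234, 0x18, b"run\r\n"),                                # PSH+ACK, command-shaped
    Packet(1234, 0x18, b"killbug\r\n"),                            # PSH+ACK, command-shaped
    Packet(80,   0x18, b"GET /running-shoes.html HTTP/1.0\r\n"),   # benign web request
    Packet(1234, 0x02, b"run"),                                    # SYN only: no ACK bit
]


def evaluate(packets, rule):
    """Return [(index, matches)] for every packet the given rule fires on."""
    return [(i, m) for i, p in enumerate(packets) if (m := rule(p))]


if __name__ == "__main__":
    for name, rule in (("posted", posted_rule), ("anchored", anchored_rule)):
        print(name, evaluate(SAMPLES, rule))
```

The third sample is the point: an ordinary HTTP request containing the letters "run" trips the posted rule, so on a busy link it will page an analyst constantly. Anchoring the match only helps if DIRT really sends commands as bare lines; whatever the protocol turns out to be, constraining the port and direction, and confirming the command format from a lab run of the leaked program, is what turns these rules from a sketch into something deployable.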
From: "Wayne / DiamondCS.com.au" <wayne@diamondcs.com.au>
To: <jya@pipeline.com>
Subject: D.I.R.T. Analysis
Date: Tue, 19 Mar 2002 16:36:56 +0800

http://www.diamondcs.com.au/web/alerts/dirtanalysis.htm
19 March 2002

I am not so sure that dirt is not in wide use, despite its less than perfect make up. One of its major benefits to gov, mil and big biz is that it does come with a big invoice. These folks just want to cover their behind when it comes to purchasing. I often say that the usual and required response to "What did you do?" is "I bought something" in the computer business.

Well-known hack tools are usually superior to vendor provided surveillance products; open-source software enjoys a similar reputation over the commercial counterpart. But in general, these products are not used by people who care about anything except quick deployment and support availability. They do not want to have to learn anything, they want it to be easy, just like their desktop, and why not? Most computer users are told that it should be easy to use a computer, and that if it's not, something is wrong with the product you bought, dumbass, so why not buy ours?

It's interesting and unusual that the dirt program provides a command line client interface and not a gui. As a command-line hacker, I'm impressed.

Anyway, expensive software from "legitimate" sources runs corporate America. Police and spook departments have probably stampeded to purchase this junk because it means they can stay away from sub7 and netbus, which don't come with a price tag, tradeshow booth, pretty website with friendly graphic of customer service person and telephone support. I submit that if they were really after somebody they would simply find someone who knew what they were doing, but they're not about real stuff. They are about appearing to be doing something, which means spending money.