THIS FILE WAS ORIGINALLY POSTED ON OSUNY (914)428-7216, UNLESS OTHERWISE NOTED. SUFFICIENT CREDIT SHOULD BE GIVEN

***************************************************************
***           Extended 914 Area Code List                   ***
***           Updated January 15th 1984                     ***
***************************************************************

/ Number   / Name             / Type   / Baud rate / Type of BBS
---------------------------------------------------------------
221-0774 / CCIS Hopewell     / IBM    / 300/1200 / General BBS
221-2248 / Hopewell JCT      / IBM    / 300/1200 / General BBS
225-2471 / EL Trading Place  / Atari  / 300/1200 / General BBS
234-6530 / Temple of Doom    / Apple  / 300      / General BBS
238-3160 / The Cemetary      / Apple  / 300      / D & D Board
246-7605 / IBBS Saugerties   / IBM    / 300/1200 / General BBS
297-0665 / Bullet Plus       / TRS-80 / 300/1200 / General BBS
343-0475 / Socraties         / IBM    / 300/1200 / General BBS
343-1031 / CEBBS Middletown  / IBM    / 300/1200 / General BBS
343-5016 / TI BBS            / T.I.   / 300      / General BBS
352-3814 / Bear Works        / C-64   / 300      / General BBS
352-6543 / Sherwood Forest 3 / Apple  / 300      / Phreak Board
357-8791 / Satan's Hollow    / Apple  / 300      / Private Pirate
358-8879 / IBBS Rockland     / IBM    / 300/1200 / General BBS
359-1517 / Sherwood Forest 2 / Apple  / 300/1200 / General BBS
362-1422 / Telemation        / CoCo   / 300      / One of a kind BBS
365-0180 / MNEMATICS Net     / MNFRME / 300/1200 / Network, costs $$$
425-2060 / The DST Dungeon   / Atari  / 300/1200 / Phreak Board
428-7216 / OSUNY             / OSI    / 300/1200 / ** Soon: Multiuser **
429-5616 / The Crusifiction  / Apple  / 300      / General BBS
471-7605 / PC Poughipsie     / IBM    / 300/1200 / General BBS
472-7956 / The Outer Limits  / Atari  / 300      / General BBS
485-3393 / Bullet Plus #2    / TRS-80 / 300/1200 / General BBS
496-4155 / Penetentary       / C-64   / 300      / Phreak Board
528-0104 / Crystal Caverns   / Apple  / 300      / Apple Users ONLY
528-5259 / Adventureland     / Atari  / 300/1200 / General BBS
562-3187 / CEBBS #2          / IBM    / 300/1200 / General BBS
623-1939 / Camalot           / Atari  / 300      / Atari Users ONLY!
624-8692 / The Lair          / Apple  / 300      / Temporarily Down
634-8385 / D.A.T.A. RBBS     / IBM    / 300/1200 / Great D/L's
634-8590 / Lancelot's Castle / Atari  / 300      / Atari Users ONLY
636-0649 / DOCS 'R' US #2    / C-64   / 300      / Documentation BBS
638-4248 / Apple Orchard     / Apple  / 300      / ** General BBS **
638-1493 / ECS               / ???    / 300      / War Board
668-3664 / DOCS 'R' US       / C-64   / 300      / Documentation BBS
679-6559 / SJBBS Bearsville  / IBM    / 300/1200 / General BBS
679-8734 / Woodstock RBBS    / Z-100  / 300/1200 / General BBS
733-4766 / S & K Telex       / TRS-80 / 300      / TELEX SERVICE
733-4410 / ------------- Help Line For Above --------------------
735-9362 / Computer Dating   / TRS-80 / 300/1200 / Computer Matches
738-6015 / Altered Arena     / Apple  / 300      / Open 1/20/85
738-6857 / M & M Pelham      / LNW-80 / 300/1200 / *** General BBS ***
769-0148 / The Medow         / C-64   / 300      / Decent C-64 Board
786-3705 / MuMPs (ubbs)      / TRS-16 / 300/1200 / For UNIX users
843-4259 / RC/PM Woodstock   / S-100  / 300/1200 / General CP/M Sys
942-0386 / RMN Comp Comm     / TRS-80 / 300/1200 / *** X-Rated ***
942-2638 / RACS III          / TRS-80 / 300/1200 / Phreak Board
961-8049 / Westchester #2    / CoCo   / 300/1200 / General BBS
965-2355 / Wstchster BBS 1   / CoCo   / 300/1200 / General BBS
965-7600 / Colorama          / CoCo   / 300/1200 / General BBS
969-2632 / New York BBS      / Atari  / 300      / Phreak Board

This list is compiled by Daniel Gelman, BUT with help from Pinball Wizard, Gimly Gnarly, Bill the Cat, and The Archnoid. If you find ANY of these telephone numbers out of date (i.e. name change, number change, disconnected, and new BBSs), please leave me a message on THIS system. This list is updated monthly. Enjoy the list!

December 10, 1997

Hello, my name is Eugene Winkelberger and I am 15 years old. I saw the movie Hackers tonight and I want to be a hacker! I have a computer but no internet access. I'll talk to my computer teacher tomorrow about what I can do about that.
I almost forgot to tell you I got this Diary from my mom a year ago for Thanksgiving we give out Hanukkah presents on Thanksgiving because my parents say prices for presents are to high around Hanukkah and to many people rip off to many Gentiles around Christmas that we have to rip them off around Thanksgiving so we can make money for presents. Well this was my first entry I'll write you again tomorrow. December 11, 1997 I talked to my computer teacher at school today and asked if there's a way of some type of free Internet type thing I can access from a computer and she said call a BBS I asked what is that and she said a Bulletin Board. Then for the rest of class she was ignoring me. Uh Oh! I think she knows I want to be a Hacker because I want free Internet BBS. Well I'm going to figure out this BBS stuff now. I'll write again later on tonight. Hi again its been 4 hours since my last entry well I called 411 and asked for BBS and they said hold on a second. Then I heard the operator whisper "Shit damn" (What a potty mouth) then the operator told me that there is a very large BBS list and I said give me any number and she said okay. So I called that BBS and it asked for personal information I usually wouldn't give out but I was afraid if I gave fake info they'd know I was a hacker so I gave real info. Then I got on and asked how to be a hacker and I got banned from that BBS I have no idea why. December 14, 1997 Sorry I couldn't write for the past few days I am just so happy! On the twelfth I got this thing in the mail called AOL whatever it stands for anyway I say it ail because that's how the word aol is said. Well it said I get access to the internet and 50 free hours! I figured I better take this deal up because I might never get one of these disks again. So I logged on and it asked for a Credit Card number so I used my moms and I got on AOL its fun my handle is EW-Hacker meaning Eugene Winkelberger Hacker. 
People think I'm dumb, but sooner or later I'll show them I'm cool.

December 15, 1997

Today the strangest thing happened on AOL. I got a message from an AOL representative saying hackers have hacked the database and my information is lost, and please supply them with billing info, name, etc. I am not done with my 50 free hours so I gave the info to them, because hell, I want my 50 hours! I wonder who these hackers who hacked the database are. I'd like to meet them.

December 16, 1997

I went on the World Wide Web today and I like it, and since it's not AOL I can stay on it and my 50 hours aren't used, I figure most likely. I am downloading this program called mIRC that I heard hackers hang out in.

December 17, 1997

I went on mIRC today and the people in #hackers kicked me for being on AOL. I asked them why? AOL is cool, you get 50 free hours. Then a minute later everything stopped moving on my screen, and after 5 minutes someone said I was lagged. I am not lagged, who's lagged? He must be some expert hacker.

December 18, 1997

I heard about some hacker channel called #phreak. These guys must all have blue hair or something if they are freaks. When I joined I was commented about my ISP. What's an ISP? Then someone called me a l4m3r. What's an L four M three R? It must be something cool, they must think I'm a cool hacker. I don't want them to think I am not a good hacker so they think I am a dumb person, so I changed my nick from EW-Hacker to l4m3r. They all laughed. I guess I was being too serious, so I started laughing too. Then someone said LOL. What's LOL? Maybe it's a better internet service like AOL. After searching the WWW looking for LOL I couldn't find it, so I logged off.

December 19, 1997

Bad news... Today some guy who worked for AOL called our house saying there are multiple accounts on AOL with the same billing information, which is ours. I then knew one of those people in #phreak hacked me! Ooh, I want revenge!
December 20, 1997 I told my mom someone hacked me and that's how it happened so she put a password on the computer. Now I can't be a hacker so I'm really depressed now. I don't know what's going on my mom beat me with her big plastic vibrator when I told her about the hackers. December 21, 1997 This will be my last diary entry because I have just slit my wrists because I am depressed and I don't want to live because I can't be a hacker. I first numbed my arm by filling a pot up with cold water and ice cubes and kept my arm in there for an hour while I watched 2 episodes of Full House. Then 3 minutes ago after I took my arm out of the pot I slit down my vein in my wrist vertically then I slashed it sideways in three different areas. I am starting to feel a little dizzy but I think I can write a few more sentences. I have written on the cover of this diary GIVE TO KURT Kurt is my cousin who is trying to be a hacker who will type this up for me and send it out on the internet. Well I am feeling really weird right now and really dizzy. Well see you Diary I will miss you. Epilogue Eugene Winkelberger shortly passed out after finishing his last diary entry but before he completely was dead his mom called an ambulance and he was taken to the hospital. Where they were able to save him but the bad thing was Eugene had inflicted severe brain damage and is unable to talk and think. All the time Eugene stays in a wheel chair 24 hours a day in his room with a TV in front of him and you'd think he was dead because he can't do anything but blink and also he is unable to move unless someone pushes his wheel chair around. This is Kurt his cousin and I like the advantage of him being in a wheel chair and unable to talk, scream, and move because I butt rape him all the time probably almost everyday. OoOoh Yeah!!!! If you would like to talk to me I go as Spdr in #hacked. Date: Fri, 30 Apr 1993 19:43:34 -0400 From: tyetiser@umbc.edu (Mr. 
Tarkan Yetiser)
Subject: Polymorphic Viruses

Polymorphic Viruses: Implementation, Detection, and Protection

Copyright (c) 1993 by VDS Advanced Research Group
P.O. Box 9393
Baltimore, MD 21228, U.S.A.

prepared by Tarkan Yetiser
e-mail: tyetiser@umbc5.umbc.edu
Jan 24, 1993
PA, U.S.A.

Summary

This paper discusses the subject of polymorphic engines and viruses. It looks at the general characteristics of polymorphism as currently implemented. It tries to maintain a practical presentation of the subject matter rather than an academic and abstract approach that would confuse many people. Basic knowledge of the Intel 80x86 instruction set will be highly useful in understanding the material presented. A very detailed discussion is avoided so as not to have the side effect of "teaching" how to create polymorphic engines or viruses. The purpose is to help computer professionals understand this trend in virus development and the threats it poses. It should serve as a starting point for individuals who would like to get an idea about polymorphic viruses and how they are implemented. Long gone are the days of innocence, when any schoolboy could write a virus scanner using a few signatures extracted from captured virus samples. The subject of polymorphism can be extended to other areas such as anti-reverse-engineering or resistance to direct attacks, and it can be argued to be useful in that context. This paper only looks at the use of polymorphism in PC viruses to avoid simple detection techniques.

1. Introduction

In the Spring of 1992, we analyzed a polymorphic engine called MtE, and provided a report to satisfy the curiosity of the public. We also provided a freeware program called CatchMtE. At the end of 1992, we received reports of a new polymorphic engine, called the TridenT Polymorphic Engine, or TPE for short. It was released in Europe by someone who calls himself Masud Khafir.
Both MtE and TPE are distributed as object modules that can be linked to programs, allowing them to create different-looking decryptors. One notorious use of such a module is for writing so-called "polymorphic" viruses. Prior to the appearance of TPE, several viruses using MtE (Mutation Engine) had been seen. The claimed author of TPE pays tribute to the author of MtE in the documentation that comes with TPE.

MtE is about 2.4 kilobytes in size. It can generate decryptors using based or indexed addressing modes with word-size displacement. The decryptor steps through the code a word at a time. It uses 4 variations of the based or indexed addressing modes. The structure of the decryptors is constant.

TPE is about 1.5 kilobytes in size. It can generate decryptors using based or indexed addressing modes with or without displacement. Unlike MtE, TPE can also create byte-at-a-time decryptors, as well as word-at-a-time. It also uses more of the addressing modes available on the 80x86; 6 variations of the based or indexed addressing modes are used. Its more general nature makes TPE less predictable, and complicates the task of recognizing TPE-based viruses. Many encryptive viruses can be considered a subset of TPE-based decryptors, and may be flagged as such. To overcome this problem, one has to check for other viruses before checking for the presence of a TPE decryptor.

2. Polymorphism and Its Common Use

We will now present some preliminary information on polymorphism in general, and discuss certain features of the Intel 80x86 instruction set. Although polymorphism is independent of encryption, it is easier to use encryption to hide the main body of the virus and implement a polymorphic decryptor. Viruses aim to keep their size as small as possible, and it is impractical to make the main virus body polymorphic. One could attempt to rearrange the instructions in the main virus body or even use different instructions (to defy recognition techniques based on checksumming).
Such an effort would not be as helpful or as easy as the common approach of using encryption in combination with polymorphism. In summary, current polymorphic viruses keep the main virus body encrypted, and implement a polymorphic decryption routine in plaintext. Since the decryptor is comparatively small, and performs one specific task, the amount of time and effort needed to craft a polymorphic virus is significantly reduced. Pictorially, a generic polymorphic virus would be structured as follows:

    virus entry point:
        Polymorphic Decryptor
        *****************************
        ** encrypted ****************
        ** main virus body **********
        *****************************
        *****************************

3. Implementation of Polymorphism on the Intel 80x86

In almost every case we have examined, the polymorphic engine exploits the fact that certain computations can be performed using different registers and instructions. To step through the encrypted portion of code, for example, one can use the DI, SI, or BX registers. To increment or decrement the index value, one can ADD to the index register, INC it, or use an implicit instruction that increments it (CMPSB is used in TPE, for example). Polymorphic engines can also rely on the availability of instructions that are coded using the same opcodes. On the 80x86, there are 11 opcodes used for several different instructions: 80, 81, 83, D0, D1, D2, D3, F6, F7, FE, and FF. When it is necessary to encode information about one operand, the middle three bits of the ModRM byte are used to distinguish operations. The ModRM byte follows some opcodes and can either extend the opcode or contain information about the operand and addressing modes of an instruction. It contains three fields: Mod (2 bits), Reg (3 bits), and R/M (3 bits).
For example, for the opcode 80, the middle three bits of the ModRM byte, which make up the Reg field, have the following meanings:

    ADD  000
    OR   001
    ADC  010
    SBB  011
    AND  100
    SUB  101
    XOR  110
    CMP  111

The second operand of each instruction with an opcode of 80 is an immediate byte, so the ModRM fields in the second byte of machine code encode the first (register or memory) operand. By flipping a few bits, it is possible to generate code achieving many different operations easily. Combined with a rich set of addressing modes and a good random number generator, one can create very different-looking decryptors.

4. Common Characteristics of Polymorphic Viruses

Polymorphic viruses of varying degrees of complexity have appeared in the past. In the anti-virus community, polymorphism is still an active area of discussion and much disagreement. Most researchers would agree that certain viruses are simply encryptive with a variable key. We do not consider such beasts polymorphic, since they can be recognized using simple wild card scan strings. The number of such viruses significantly increased over the past few years as a reaction to the worldwide availability of good signature-based virus scanners. Similarly, scanners also evolved to handle such beasts using more flexible signatures that can include wild card or don't-care values to accommodate the variable parts of the decryptors.

There are other viruses that exhibit some polymorphic behavior, though they remain unsophisticated. Classification of such beasts is a gray area. For example, some viruses can generate a limited number of different-looking decryptors. These do not implement a polymorphic code generation engine, but rather pick from a pre-computed set of code fragments that they carry along. Writing detection routines for such viruses is not too difficult.

To aid in implementing polymorphism, a random-number generator is often used. A random-number generator provides selection of a part of the decryptor.
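As an added example, not code from the paper or from VDS, here is a small decoder for the 80h/81h/83h opcodes whose Reg field selects the operation, together with a helper that shows how one such selection is made: rewriting three bits of the ModRM byte turns the same memory operand from an ADD target into an XOR target. The byte sequences it decodes are constructed; the 16-bit R/M encodings and the 81h/83h immediate sizes are standard 80x86 facts that the paper does not tabulate.

```python
from dataclasses import dataclass

# Reg field (bits 5..3 of ModRM) -> operation, as tabulated in section 3.
GROUP1_OPS = ["ADD", "OR", "ADC", "SBB", "AND", "SUB", "XOR", "CMP"]
# R/M field (bits 2..0) -> 16-bit base/index combination for mod 00/01/10.
RM16 = ["BX+SI", "BX+DI", "BP+SI", "BP+DI", "SI", "DI", "BP", "BX"]
REG8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]
REG16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]


@dataclass
class Group1Insn:
    mnemonic: str
    dest: str      # register or memory operand text
    imm: int       # immediate, already sign-extended for 83h
    length: int    # bytes consumed

    def asm(self) -> str:
        return f"{self.mnemonic} {self.dest}, {self.imm:X}h"


def decode_group1(code: bytes, pos: int = 0) -> Group1Insn:
    """Decode one 80h/81h/83h instruction (16-bit addressing) at code[pos]."""
    opcode = code[pos]
    if opcode not in (0x80, 0x81, 0x83):
        raise ValueError(f"not a group-1 opcode: {opcode:02X}h")
    modrm = code[pos + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    word = opcode != 0x80            # 81h and 83h operate on words
    size = "word" if word else "byte"
    p = pos + 2
    if mod == 3:                     # register operand, no memory access
        dest = (REG16 if word else REG8)[rm]
    elif mod == 0 and rm == 6:       # special case: direct 16-bit address
        addr = int.from_bytes(code[p:p + 2], "little"); p += 2
        dest = f"{size} [{addr:04X}h]"
    else:                            # based/indexed, optional disp8/disp16
        disp = 0
        if mod == 1:
            disp = int.from_bytes(code[p:p + 1], "little", signed=True); p += 1
        elif mod == 2:
            disp = int.from_bytes(code[p:p + 2], "little", signed=True); p += 2
        if disp:
            dest = f"{size} [{RM16[rm]}{'+' if disp > 0 else '-'}{abs(disp):X}h]"
        else:
            dest = f"{size} [{RM16[rm]}]"
    if opcode == 0x81:               # imm16
        imm = int.from_bytes(code[p:p + 2], "little"); p += 2
    elif opcode == 0x83:             # imm8 sign-extended to 16 bits
        imm = int.from_bytes(code[p:p + 1], "little", signed=True) & 0xFFFF; p += 1
    else:                            # imm8
        imm = code[p]; p += 1
    return Group1Insn(GROUP1_OPS[reg], dest, imm, p - pos)


def with_reg_field(modrm: int, reg: int) -> int:
    """Return ModRM with bits 5..3 replaced: same operand, different operation."""
    return (modrm & 0b11000111) | ((reg & 7) << 3)


def decryptor_variants(modrm: int, key: int) -> list:
    """All eight group-1 operations on one byte operand: the reason a fixed
    signature over the 80h opcode and its ModRM byte is useless to a scanner."""
    return [decode_group1(bytes([0x80, with_reg_field(modrm, r), key])).asm()
            for r in range(8)]


if __name__ == "__main__":
    for line in decryptor_variants(0x35, 0x5A):   # 0x35: mod=00, XOR, [DI]
        print(line)
```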
This selection could be for "noise" instructions that are inserted in the decryptor to render signature-based scanning ineffective. It could also be used to select a certain addressing mode and appropriate registers. The obvious use of random number generators is to get a seed value for encryption.

Another aspect of a polymorphic engine is the choice of instructions that actually perform the decryption. XOR is a favorite choice. The chosen operation modifies the code to be decrypted using an addressing mode that allows external memory access. By external, we mean outside the processor registers. By using several instructions and many different addressing modes, a polymorphic engine can achieve a large number of combinations of decryptors.

Usually, a loop construct is set up to step through the encrypted code. On the 80x86, many instructions can be used to accomplish looping. The loop counter can be modified implicitly using the LOOP instruction, or more explicitly using a DEC CX / JNZ combination. Several such possibilities exist. Again, the availability of different approaches increases the number of appearances a decryptor can have.

In the MtE, the loop construct was very predictable, not only because it used a specific instruction but also because it had a characteristic that made it very simple to recognize MtE-based decryptors. Although "appearance-based" analysis of the MtE left many anti-virus developers in despair, a structural analysis proved to be very effective. We doubt even the developer of MtE noticed how predictable his polymorphic engine is.

The goal of a polymorphic engine is not to leave any predictable sequence of instructions that a virus scanner can use to simplify or optimize an appropriate detection algorithm. For example, using the same instruction to increment the index register is too predictable. A mixture of instructions that achieve the same result explicitly or implicitly (as in TPE) would make detection a lot harder.

5. Detection of Polymorphic Viruses

There are several problems that must be addressed to develop a reliable detection routine for a given polymorphic engine. The most challenging one appears to be avoiding false positives. Many programs include a run-time decompressor to reduce space requirements. When loaded in memory, the decompressor takes charge and produces an expanded copy of the code that can be run on the CPU. Furthermore, some programs are actually encrypted on disk, and they are decrypted on the fly when they are loaded. The purpose of using such a scheme is to make reverse-engineering efforts difficult. Such programs are more likely to trigger a false positive. To reduce the false positive rate, one can limit the search to a small area of the suspect file. This would be helpful in many cases; however, compressed and encrypted files carry their decompressor/decryptor at the entry point of the program, just where many viruses plant their code. Another trick a few viruses employ is to hide the virus entry point where the decryptor is located. Of course, scattering the virus code while keeping the host functional complicates the virus.

A structural analysis of TPE reveals some information that can be used to recognize a TPE-based decryptor, although it is not as useful as it is in the case of MtE. Note that structural analysis does not rely on the presence of specific byte sequences, and therefore offers a powerful tool that can be used in developing recognition routines for many polymorphic engines.

6. Protection Mechanisms and Solutions

The anti-virus field is full of solutions to almost every existing virus problem, and sometimes solutions to non-existing problems as well. Among other things, one solution has prevailed as the most popular: scanning. The inherent flaw in this solution is that it cannot cope with viruses that it does not have signatures for. Therefore upgrades are issued frequently.
Deployment of such upgrades in large installations requires tremendous effort, and quickly translates into having a very old version of a scanner installed, and even then not necessarily used. Aside from the false sense of security scanning gives, some companies make less-than-honest claims about the capabilities of their scanners to promote their products. Testing such claims is beyond the resources of most organizations. Those who could conduct such tests are not always impartial. Scanning has its place, and it is very useful when used properly.

The best protection against computer viruses is user awareness and education. Unfortunately, a well-written virus can be so transparent that even the most observant user may not notice a thing. Even worse, many users lack the technical knowledge to understand how their computers work. Most people simply do not have the time or desire to learn more than how to use a mouse. The proof of this is the proliferation of products that make excessive hardware demands without offering improved functionality. The bulk of the code takes care of the user interface. This trend is unlikely to change.

More powerful techniques such as integrity checking can deal with viruses of different kinds, including polymorphic viruses. Even a simple integrity checker should be able to find out if a polymorphic virus is spreading all over your disk: however the decryptor is disguised, the infected host file still changes. In other words, a solution to polymorphic viral spread has been available for quite some time. Note that there are some viruses that target integrity-based products, and they must be dealt with accordingly. A detailed discussion of such viral methods can be found in a paper written by anti-virus researcher Mr. Vesselin Bontchev of the Virus Test Center at the University of Hamburg. His paper is titled "Attacks Against Integrity Checkers", and it is available via anonymous FTP. Interested individuals are encouraged to read his excellent paper.
The point is that an integrity-based anti-viral solution should be made part of your arsenal against viruses. Such a solution could easily provide you with early detection of viruses before they spread. Once viral spread is controlled, viruses become nothing more than another "computer glitch" that can haunt only those without timely backups. We believe that neither harsh legislation nor emphasis on responsible computing can stop virus development, although they may slow it down. It is necessary to take matters into your own hands and protect your computers adequately.
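As an added example, not the paper's or VDS's own code, here is a minimal integrity checker of the kind section 6 recommends: it records size and SHA-256 of each executable, seals the baseline with an HMAC under a key kept off the machine (an assumed mitigation for the baseline-tampering attacks the paper attributes to Bontchev's work), and reports any file whose contents changed, whatever the decryptor prepended to it looks like. The two sample programs, the appended "infection" bytes and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# File types a DOS-era checker would watch; chosen for this example.
EXECUTABLE_PATTERNS = ("*.com", "*.exe")


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large executables are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map relative path -> {size, sha256} for every executable under root."""
    entries = {}
    for pattern in EXECUTABLE_PATTERNS:
        for p in sorted(root.rglob(pattern)):
            entries[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size, "sha256": file_digest(p)}
    return entries


def seal(entries: dict, key: bytes) -> dict:
    """Baseline plus an HMAC so edits made without the key are detectable."""
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def baseline_intact(baseline: dict, key: bytes) -> bool:
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(baseline["mac"], expected)


def compare(old: dict, new: dict) -> dict:
    """Which executables changed, appeared or vanished since the baseline."""
    return {
        "modified": sorted(n for n in old if n in new and old[n] != new[n]),
        "added": sorted(n for n in new if n not in old),
        "removed": sorted(n for n in old if n not in new),
    }


def run_demo(key: bytes = b"operator-held-key") -> dict:
    """Constructed scenario: two clean programs, then one gets infected."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "host.com").write_bytes(b"\xb8\x00\x4c\xcd\x21")  # mov ax,4C00h / int 21h
        (root / "tool.exe").write_bytes(b"MZ" + bytes(510))
        baseline = seal(snapshot(root), key)
        # Simulated infection: the host grows by a decryptor plus encrypted
        # body. Whatever the decryptor looks like, size and hash change.
        with (root / "host.com").open("ab") as f:
            f.write(bytes(range(64)))
        (root / "dropped.exe").write_bytes(b"MZ" + bytes(32))
        current = snapshot(root)
        # A virus that rewrites the baseline to hide the change cannot
        # produce a valid MAC without the key.
        forged = json.loads(json.dumps(baseline))
        forged["entries"]["host.com"] = current["host.com"]
        return {"report": compare(baseline["entries"], current),
                "baseline_ok": baseline_intact(baseline, key),
                "forged_ok": baseline_intact(forged, key)}
```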