DIRT Bugs Strike!
By Winn Schwartau
"Imagine being able to monitor and intercept data from any PC in the world anytime you want.
Then DIRT's for you.
DIRT stands for Data Interception by Remote Transmission, and if Codex Data Systems in Bardonia, New York has anything to say about it, it will become the next law enforcement tool to help stop the bad guys.
The cops are having a terrifically hard time dealing with cybercrime, and they all put on-line child pornography at the top of the list because of the emotional response to it. Suspected terrorists, drug traffickers and money launderers are also potential targets for DIRT, as are various criminal organizations which employ anonymity, remote control and encryption to hide themselves. DIRT represents a fabulous, but questionably legal/ethical, means of information gathering by intelligence agencies as well as private investigators.
Thus Frank Jones and Codex Data Systems begat DIRT. "We have to give law enforcement the tools they need to get real criminals. So many of them are now using encryption; DIRT allows law enforcement to read encrypted messages."
DIRT operates surreptitiously like a Trojan Horse. It is transmitted secretly to a target via email in several ways: as a proprietary protocol, a self-extracting executable, a dummy segment fault, a hidden ZIP file, an application-specific weakness, a macro, a steganographic attachment, or other methods the company's technical wizard, Eric Schneider, will not divulge.
Once the DIRT-Bug is successfully embedded in the target machine, two things occur. First, all keystrokes at the keyboard are secretly captured, and whenever the target machine is connected on-line it stealthily transmits the captured contents to a remotely located DIRT-Control Central for analysis. This is how encryption keys are to be discovered and later used to develop evidence in criminal cases.
Second, while the target is on-line, his PC invisibly behaves like an anonymous FTP server, giving the folks at DIRT-Control Center 100% access to all of its resources. So much for privacy!
Dave Banisar, Staff Counsel at the Electronic Privacy Information Center in Washington, DC, said DIRT "sounds like something the Stasi would have developed." The problem is enforcement and abuse, he points out. "The only way to control this technology is after the fact, during the trial when the police have to show how they obtained evidence."
When I first saw DIRT demonstrated in New York (June 5, 1998), I thought, "What if this gets out to the entire Internet community… what will happen if we no longer ever trust our email?"
The vast majority of computer crime goes unrecognized, unreported and unprosecuted. Despite the fact that the use of DIRT or a DIRT-like clone developed by the computer underground violates the Computer Abuse Act of 1984 and an assortment of other laws, the ability to control it remains extremely slim. And the uses for DIRT-like software stagger the imagination.
All that someone with DIRT needs to know is your email address. Period. All he has to do is send you an email with the embedded DIRT-Trojan Horse and he's home free, and you are a clueless victim.
Large organizations usually worry about hackers breaking and entering their networks. Now they have reason to worry that DIRT-Bugs could invade their networks as well, whether launched by an investigating law enforcement authority, international competitors or spies, or just hackers. The last thing in the world they want is for critical workstations to be broadcasting passwords and encryption codes and providing complete system access to whoever controls DIRT-Central.
Unfortunately, most firms with whom I deal have barely implemented even the minor policies they have developed. Thus, defending against DIRT can be difficult. However, organizations which use NAT and proxies in their firewalls can have some degree of confidence that DIRT's remote access capability (the inbound FTP-style access to the workstation) will not function. Only the keystrokes, and the private information they carry, will still be broadcast out to DIRT-Central.
According to the developers at Codex Data Systems, if you are a solitary PC sitting on a dial-up or a cable modem, there is nothing, today, you can do except not click on your email attachments. Of course, ignoring email from strangers is always a good idea. But if I were a cop or a bad guy using DIRT, I would certainly go after your home PC as well as the one at work. It's a whole lot easier, and I am going to learn just as much.
With the advent of more and more powerful Trojans, such as DIRT (which only occupies 20K), the threat to our networked systems gets clearer and clearer. As Frank Jones, the inventor says, "There are no more secrets with DIRT."
"There is another powerful tool for surreptitiously intercepting data, but it is only available to law enforcement and the military. Called DIRT (Data Interception and Remote Transmission), it was released in June by Codex Data Systems, Inc. Investigators need only know your e-mail address to secretly install the program. Once they do, investigators can read your documents, view your images, download your files and intercept your encryption keys. DIRT was developed to assist law enforcement in pedophilia investigations, but future uses could include drug investigations, money laundering cases and information warfare.
How is DIRT different from Back Orifice? The sale of DIRT is restricted, while Back Orifice is free for the downloading. Also, there are already fixes available for Back Orifice, but no way yet to defend against DIRT."
"Most feel secure when they encrypt their data, but it's an illusion of comfort if a keystroke monitor is involved. DIRT defeated Pretty Good Privacy in a matter of minutes at a recent conference simply by stealing the user's key as it was typed in."
"Codex Data Systems, Inc. of New York has created Data Interception for Remote Transmission (DIRT), a surveillance tool designed for law enforcement professionals. DIRT is similar to BO in some respects, but it is smaller (less than 18K versus 120K for BO) and yet more stealthy. It runs as a much lower level process and is virtually undetectable. In addition, it cannot be stopped by firewalls.
DIRT was originally developed to aid in the investigation of child pornographers and other isolated criminals using standalone PCs. By becoming a spy in the user's computer, the law enforcement official can gather needed evidence to successfully prosecute a criminal case. Frank Jones, creator of DIRT, surveyed the market for computer surveillance tools to aid law enforcement professionals. When he found no suitable products, he began developing DIRT, which he continues to enhance.
DIRT logs all keystrokes on the target workstation and transmits them the next time that system is online. Because users type in their encryption pass phrases at the keyboard, which are then transmitted via DIRT, the product helps law enforcement officials decrypt documents and provides them with substantial evidence for criminal investigations. All DIRT communications are encrypted on their way back to the DIRT Control Center, protecting them in case they are intercepted by a random system administrator.
In the latest version of DIRT, the agency need not send the software as an e-mail message at all; the law enforcement agency needs only the e-mail address or the IP address of the target system. (At the very least, the variety of techniques described here should make users wary of dismissing the idea that a third party could install software without their knowledge.)
DIRT currently runs on Windows 95, 98, and NT systems and a Unix version is being developed. Only qualified law enforcement agencies can purchase DIRT; furthermore, Codex currently sells the software only to U.S. law enforcement agencies.
Jones emphasizes that surreptitious surveillance tools, such as Back Orifice and keystroke logging facilities, are illegal to develop or possess in the United States, according to U.S. code 2512. These tools are illegal even if they are used by network administrators unless each end user explicitly agrees to the monitoring.
DIRT is legal because it is a law enforcement tool that can only be sold to law enforcement agencies. DIRT itself is not a threat to the average corporate network, but the knowledge that such a tool exists should make users consider whether their networks are secure. Security is clearly a relative term, and organizations ignore security issues at their own risk."
Codex Data Systems, Inc. will be happy to provide a demonstration to any authorized agency.