D.I.R.T. Spyware Exposed on Web
Kevin Poulsen, SecurityFocus 2002-03-14

Software marketed as a computer surveillance tool for law enforcement investigators has its secrets laid bare on an anonymous Web site.

A closely-held software package designed to allow law enforcement agencies to secretly monitor a suspect's computer turned up on an anonymous Web site in the Netherlands Wednesday, along with user manuals, financial information, contracts and invoices apparently stolen from the company that makes the surveillance tool.

Frank Jones, founder of New York-based Codex Data Systems, blamed unnamed critics in the security and hacking community for the exposure of his company's spyware product, called D.I.R.T. (Data Interception by Remote Transmission). But Jones downplayed the significance of the leak, dismissing the documents as outdated and obsolete, and emphasizing that the program won't run properly without a software key -- which is not included in the trove of purloined files.

"The information that's available in the documents that are posted out there doesn't hurt the use of the software itself," said Jones. "I have a pretty good idea of the motivation behind it, but none of it hurts us."

Jones has been marketing D.I.R.T. to the law enforcement community since the late 1990s. It's not known if he's had any takers -- the FBI has its own, similar tool under development -- but files included in the Netherlands stash appear to identify several organizations that received price quotes from Codex, including the Egyptian and Ukrainian governments, and the U.S. District Court of New Jersey's Pretrial Services Division, responsible for supervising criminal defendants as they await trial. Jones would neither confirm nor deny the authenticity of the price quote files.

The manuals released on the Web indicate that D.I.R.T. operates in much the same way as well-known hacker Trojan horses like Back Orifice and Sub Seven, with a covert server, what Codex calls a "bug," arriving at a target's computer wrapped within a seemingly innocuous program. Once the hapless target executes the program, the bug monitors the target's keystrokes and sends the results periodically to the person doing the monitoring via email.

"To launch the bug remotely, simply email it to your target," the D.I.R.T. user manual instructs. "Naturally, you will have to know the target's email address in order to deliver the bug."

Once installed, the bug can also be controlled with a remote access client, which gives the spymaster the power to browse the target's hard drive, or run programs on the compromised machine.

The exposed D.I.R.T. files are hosted at the ISP xs4all, under an account that was previously dedicated to an anonymous remailing system maintained by Amsterdam cypherpunk Alex de Joode, who did not answer an email query Wednesday. The top of the Web page quotes Juvenal in asking, "Quis custodiet ipsos custodes?" - "Who watches the watchmen?"

The D.I.R.T. manual is also on Cryptome, a U.S. site that hosts intelligence and miscellaneous cryptographic lore under the stewardship of cypherpunk archivist John Young. In an email, Young said he doesn't know the source of the files, but that the xs4all site "was not the original source."

Jones said he doesn't know how the files got loose. "Could they have hacked into our system and got it? It's possible, I suppose, but highly unlikely," said Jones.

Both Jones and his D.I.R.T. software have been the targets of much skepticism over the years from security experts and hackers, who doubt some of the powers ascribed to D.I.R.T. by Codex, and question Jones' background -- he admits to a past felony conviction for illegal possession of surveillance devices.

With its first public exposure, D.I.R.T. may finally be put to the test. Even if the software's protection scheme holds up against attack, the program's remote access client is not protected. Also open and readable are two macros that the manual says allow D.I.R.T. to be delivered through Microsoft Word and Excel, and an executable "bug" that accompanies them. Analysis could lead to signatures that would allow the spyware to be identified by anti-virus software... just like any other malicious code.
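The manual's two delivery paths, an executable "bug" emailed inside a seemingly innocuous program and Word/Excel macros, are exactly the kind of thing a mail gateway check can catch regardless of whether the software key is present. The following is an added example, not code from Codex or from the leaked files: a small Python scanner that walks a MIME message and flags attachments by PE magic bytes, by executable or double extensions, and by the presence of VBA storage names inside a legacy Office container. The sample message, the attachment names, and the heuristics are constructed for this illustration, not indicators taken from D.I.R.T.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Heuristics for the example; assumptions, not indicators from D.I.R.T. itself.
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container header
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|png|txt|pdf|doc|xls)\.[a-z]{2,4}$", re.I)
VBA_STORAGE_NAMES = (b"_VBA_PROJECT", b"Macros")


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks like a Trojan delivery vector."""
    reasons = []
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if data.startswith(PE_MAGIC):
        reasons.append("PE executable by magic bytes")
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if DOUBLE_EXT.search(name):
        reasons.append("double extension disguising the real type")
    if data.startswith(OLE_MAGIC) and ext in {".doc", ".xls"}:
        # Cheap heuristic: look for VBA storage names in the raw container.
        # A real scanner would walk the OLE directory instead of substring-matching.
        if any(marker in data for marker in VBA_STORAGE_NAMES):
            reasons.append("Office document with VBA macro streams")
    if data.startswith(PE_MAGIC) and ext not in EXEC_EXTENSIONS:
        reasons.append("executable content with non-executable name")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each suspicious attachment filename to the reasons it was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename() or "<unnamed>"
        reasons = classify_attachment(filename, payload)
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample() -> bytes:
    """Construct a sample message (not a real capture) carrying three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "target@example.invalid"
    msg["Subject"] = "vacation photos"
    msg.set_content("Here are the pictures from last week.")
    # 1) a PE header behind a picture-looking name, as a wrapped "bug" might arrive
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="beach.jpg.exe")
    # 2) a legacy Word container with a VBA storage name inside it
    msg.add_attachment(OLE_MAGIC + b"\x00" * 32 + b"_VBA_PROJECT" + b"\x00" * 16,
                       maintype="application", subtype="msword", filename="notes.doc")
    # 3) a harmless text file that should not be flagged
    msg.add_attachment("just text\n", subtype="plain", filename="readme.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(f"{name}: {', '.join(reasons)}")
```

The point of checking magic bytes as well as names is that the manual's "innocuous program" wrapper can be named anything; the `MZ` header survives renaming, and a document that carries VBA storage should be held for inspection even when its extension is the expected `.doc` or `.xls`.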

Jones said he's contacted law enforcement and the xs4all ISP. But he claims he's not too worried. "If somebody takes this stuff and they tear it apart, these are all older, early copies," said Jones. "The fact of the matter is the program bears very little resemblance to two or three years ago."

Copyright 2010, SecurityFocus