M$ Does it again

Richard B. Johnson (root@chaos.analogic.com)
Fri, 26 Oct 2001 09:38:12 -0400 (EDT)


I am told that the latest Windows/XP has a Trojan built into it.
This was done as part of a deal with the United States Department
of Justice in settling the long term problem with Microsoft's
monopoly conviction.

This Trojan, upon specifc network inquiry, has the capability
of sending any intelligence that exists within the computer,
(Motherboard type, Peripherals, hard disk contents, the contents
of video buffers, etc.) to a remote network agent, any time the
machine is connected to a network.

Since the secret inquiry commands and port(s) must be known by
the developers, I hope that somebody is working on a Linux clone
that will pretend that it's a M$ machine owned by the Pope.

Anyway, I have a XP machine here. I have monitored its startup
with a phony static IP address and NO default route that should
not be able to be routed out of the LAN. It does a lot of
network chatter and actually communicates with a name server
outside of our firewall!

I tried to find out how, so I first wanted to find some
M$ servers. This is what whois reports!!

[whois.internic.net]

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

MICROSOFT.COM.ZZZ.SUCKS.AZZ.PHAEN.AS
MICROSOFT.COM.Z---HELLO-FROM-SIBERIA---I.Z3S.COM
MICROSOFT.COM.WILL.NEVER.SATISFY.A.TRUE.TELNETJUNKIE.COM
MICROSOFT.COM.WILL.NEVER.RUN.PUREDATA.NET
MICROSOFT.COM.WILL.LIVE.FOREVER.BUT.LUNIX.SUCKS-BYBIRTH.ARTISTICCHEESE.COM
MICROSOFT.COM.WILL.ALWAYS.FEARPENGUINS.COM
MICROSOFT.COM.WHOIS.RESULTS.MAKE.A.GREAT.HUMOUR-LIST.COM
MICROSOFT.COM.WAS.HACKED.TODAY.BY.JAMESSMALL.COM
MICROSOFT.COM.TONY.HAS.SEXUAL.IN.ADEQUACY.ORG
MICROSOFT.COM.TOLD.ME.TO.KILL.UR.PC.LIVE-EVIL.COM
MICROSOFT.COM.TOHA.KANKEI.ARIMASEN.300BPS.NET
MICROSOFT.COM.TAKES.IT.IN.THE.BUTT.FROM.WHILE1.ORG
MICROSOFT.COM.SUKZ.ORG
MICROSOFT.COM.SHOULD.GIVE.UP.BECAUSE.LINUXISGOD.COM
MICROSOFT.COM.SE.FAIT.HAX0RIZER.PAR.TOUT.LE.ZOY.ORG
MICROSOFT.COM.RUNSLINUX.NET
MICROSOFT.COM.PRODUCTS.WILL.NEVER.BE.SEEN.AT.MCNEIGHT.ORG
MICROSOFT.COM.OWNED.BY.MAT.HACKSWARE.COM
MICROSOFT.COM.NOTHING.HAPPENS.XYZZY.COM
MICROSOFT.COM.NAO.VALE.UM.CARALHO.NET
MICROSOFT.COM.N-AIME.BILL.QUE.QUAND.IL.N-EST.PAS.NU
MICROSOFT.COM.MUST.STOP.TAKEDRUGS.ORG
MICROSOFT.COM.MAKES.SHIT.ASS.SOFTWARE.T10.NET
MICROSOFT.COM.IS.THE.COMMERCIAL.ARM.OF.THE.WORLDGOV.ORG
MICROSOFT.COM.IS.SOON.GOING.TO.THE.DEATHCORPORATION.COM
MICROSOFT.COM.IS.SO.VERY.SKANKY.NET
MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
MICROSOFT.COM.IS.NOTHING.COMPARED.TO.EVILGOAT.NET
MICROSOFT.COM.IS.NOTHING.BUT.A.MONSTER.ORG
MICROSOFT.COM.IS.NO.MATCH.FOR.THE.WANNABE.TERRORISTS.AT.JIMPHILLIPS.ORG
MICROSOFT.COM.IS.NO.MATCH.FOR.A.UNIXNINJA.COM
MICROSOFT.COM.IS.HOPELESSLY.INSECURE.ORG
MICROSOFT.COM.IS.GOD.BUT.LINUX.SUCKS-FOREVER.ARTISTICCHEESE.COM
MICROSOFT.COM.IS.AT.THE.MERCY.OF.DETRIMENT.ORG
MICROSOFT.COM.IS.A.STEAMING.HEAP.OF.FUCKING-BULLSHIT.NET
MICROSOFT.COM.HQ.SHOULD.HAVE.BEEN.MOVED.TO.BAGDAD.JUST.BEFORE.THE.GULFWAR.ORG
MICROSOFT.COM.HEBERGEUR.DE.SCHIZOPHRENE.ORG
MICROSOFT.COM.HAS.NO.LINUXCLUE.COM
MICROSOFT.COM.HACKED.BY.HACKSWARE.COM
MICROSOFT.COM.GUTS.NL
MICROSOFT.COM.FILLS.ME.WITH.BELLIGERENCE.NET
MICROSOFT.COM.FAIT.VRAIMENT.DES.LOGICIELS.A.TROIS.FRANCS.DOUZE.ORG
MICROSOFT.COM.DAN.HILLIER.OF.EXETER.UK.IS.A.DUMB.ASS.EVILJAM.COM
MICROSOFT.COM.CODERS.SHOULD.DUMP.WINDOWS.AND.CODE.FOR.THE.MORE.PRACTICALMAC.COM
MICROSOFT.COM.CANNOT.HACKUNIX.ORG
MICROSOFT.COM.AINT.WORTH.SHIT.KLUGE.ORG
MICROSOFT.COM.A.ETE.CREE.PAR.BILLOU.A.L.EPOQUE.OU.IL.FUMAIT.DU.COLA-COCA.ORG
MICROSOFT.COM.A.BIEN.BU.DU.COLA-COCA.SUR.L.ILE.DE.NUMEA.COM
MICROSOFT.COM

[Snipped]

Neat!

Anyway, XP will certainly find its way around a network. It discovers
any Microsoft servers on the LAN and uses their default route. That's
how it finds the firewall. It then queries a bunch of servers using
port 53 (DNS) and does a zone-dump. Then it uses the mail port 25 to
exchange information. This information is not text. I don't know
what it is.

It does this all upon startup! Our firewall doesn't 'know' about
this machine. It shouldn't even be able to talk outside because
our firewall interface does NAT and nobody has configured it for
the new machine.

If somebody has the time, it would be a good idea to look into
how they do this stuff and make some Linux software to emulate,
attack, expose, and thereby destroy the new Microsoft capability.

Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

I was going to compile a list of innovations that could be
attributed to Microsoft. Once I realized that Ctrl-Alt-Del
was handled in the BIOS, I found that there aren't any.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/