pv9y@vax5.cit.cornell.edu (07/20/90)
A friend of mine who does graphic design mentioned that she had heard of a new Mac virus that changed the password on LaserWriters to some other value. Has anyone else heard any information about this virus - how it propagates, if GateKeeper catches it, etc?

Thanks .... Adam

--
Adam C. Engst pv9y@vax5.cit.cornell.edu
----------------------------------------------------------------------
"I ain't worried and I ain't scurried and I'm having a good time" -Paul Simon
woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) (07/24/90)
> of a new Mac virus that changed the password on LaserWriters to some
> other value. Has anyone else heard any information about this virus -
> how it propagates, if GateKeeper catches it, etc?

It had to happen sooner or later. Fortunately, there is a fix. I have been distributing a routine for some time that allowed you to reset the password on the laser. I have certain rules about how it gets distributed. The code that I have allows you to read and write any location in the EEPROM. Because of that, I require a signed request on letterhead (department, company or institution), as well as an email message.

However, an acquaintance from over in the UK has just posted a routine over on comp.lang.postscript that overcomes these problems. It just basically reads the eeprom. Nothing more. It reads the password, and returns it to you. Once you have the existing password, you can then reset the password using the standard method allowed in postscript. This routine is relatively benign, in that it simply reports the password, and allows you to set the password back to the default password. It may have already passed by your machine, as it was posted within the last week. I'll try to dig it up, but if anyone gets it, please post it here.

Cheers
Woody

[Ed. Is this virus specific to Apple LaserWriters, or can it affect other PostScript printers? Even if it is specific to LWs, that certainly doesn't limit it to just Macintosh environments, so I've removed the "(Mac)" from the subject line. Please correct me if I'm wrong.]
swsh@midway.uchicago.edu (Janet M. Swisher) (07/25/90)
I have heard in several places that this LaserWriter nasty is a Trojan horse. If so, that would seem to restrict it to being a Mac problem. However, nothing that I have seen mentions the name that this Trojan goes under, so I don't know what to look out for. Could someone with actual experience with the problem confirm/deny/specify?

Janet Swisher
swsh@midway.uchicago.edu
U of Chicago, Academic and Public Computing
woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) (07/26/90)
[Ed. After much pleading, Woody convinced me to post this message for him, which contains binary PostScript code (apparently he was receiving many many e-requests for the code). I am personally opposed to distributing binary code on a public discussion group such as this one for a variety of reasons. To its credit, this code was posted to two other newsgroups, and apparently met with lots of approval there. Note that anyone choosing to use the code (on a postscript printer) must do so at their own risk. Furthermore, I do not wish to set a precedent here by sending out the binary - this is both a first and a last time. In the future any and all binaries will be distributed via the VIRUS-L/comp.virus archive sites, including CERT/CC's anonymous FTP facility, cert.sei.cmu.edu.]

woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) writes:
> It had to happen sooner or later. Fortunately, there is a fix. I have
> been distributing a routine for some time, that allowed you to reset

WHEW! After 20 or 30 requests for this code, I guess that I'd better clarify a thing or 2.

My address is
Woody Baker
Rt.1 Box I
Manor, Tx. 78653

Please understand that the reset routine allows you to alter ANY part of the eeprom, including machine hardware registration parameters, printer serial numbers (will handily defeat the old Adobe fonts that were tied to a particular serial number) if you know the serial number, among many other things. For this reason, I had determined that there might be some liability associated with the distribution of this code. Thus the rules: Department or company letterhead, signed by a department head. The basic reason is so I have something to point to if someone says "I got it from woody..." (after messing up a network printer...). My offer still holds, but here is the more benign version. Both routines are specific to 68000 based ADOBE postscript interpreters.
Both routines depend on a short machine language routine that gets downloaded into the printer, and establishes a new operator. The following code handles this by simply reporting the password. I post it here, as grabbed off comp.lang.postscript. This should suffice for nearly all needs. I'd prefer people used this one, rather than the one that I have, simply due to the reduced potential for mis-use....

From: quando@ibmpcug.co.uk (Nigel Yeoh)
Newsgroups: comp.lang.postscript,connect.audit
Subject: resetpassword.ps
Summary: resetting passwords on the laserwriter
Keywords: postscript laserwriter password
Message-ID: <1990Jul19.232247.3166@ibmpcug.co.uk>
Date: 19 Jul 90 23:22:47 GMT
Organization: The IBM PC User Group, UK.
Lines: 88
Xref: chinacat comp.lang.postscript:1253

Here is the piece of code that resets the password in a PostScript printer, which I've obtained.

I'd like to make a point of clarification. Some people might know that Woody Baker offered to make copies of his code available to people who wrote in to him, subject to slightly more onerous conditions than at least one other person on the net thought correct. I then offered to make this code available, making an oblique barbed reference to Woody in the process. I have since had the opportunity to speak to Woody about this, and I would like to emphasize that Woody's code is more complex and contains more powerful, and dangerous operators than mine, and considerable potential for harm. Woody's terms are entirely appropriate and generous considering what he had on offer. I think I've provided a cleaner and simpler solution but those who need the additional power of Woody's code can still write to Woody.

This program resets the password to zero, using the standard PostScript operator setpassword.
Woody and I both feel that in this form, the code is useful to those who have forgotten the laserwriter password and don't feel apple ought to charge an arm and a leg to correct the problem, and not particularly dangerous, though of course such things by their nature can cause harm. Please use with care. I can't guarantee this will work but it's not likely to blow your laserwriter to bits in the process, at least. It will most likely fail on clones and won't work with Emerald RIPs.

%!PS-Adobe-1.0
% Title: ResetPassword.ps
%
mark currentfile eexec
F983EF00CFF33246DBAA182FF38F30A722A6B0F67364219B80FF63CBAA9D3168
9EC5ED80BD34DCD31199F230F37FDE5C0C0F931DF757070778C386963A0EE646
2B367616E46ED464C56D2B62B3416AD558879BFFE033C65186BD4524EFEFA61E
1AC930D9B4A28DFE8CF379043BFA6C88B66D7C479EE9BE5B1F303C96481C2846
2BB288B20ED5B25C42B0322683DA5DEA5DCF2EB7F97EFDA1810B136E56F76575
298CBFC30DEB70803CB165EDEF2752E609D533118B471027FCDB7C7AE7B104D0
0D5FBFA28BD6F4F88B577868380EB81F3C2A5A8417D197EED34892E2978CD667
E8DF6B56A85865E77AA1BC5F93017638054BEAB3E97099CDC15A51F8863313F3
152A20D5D9E08EC47A5F618A208E1F1FD2ACA1694925BF48AA906A18803928AB
0560D80A7B15DE1136DAD5C60B3B4346D5965B8F0544DDA470301C675954A16C
A2C525C5CD957722E768C53F9883EBF5D5634608494A7F78764DFB5429D5A9BF
AD5639A8906AE0ABC05493EF1F81E20F53808740A190366960AF3335D34172EF
BF7C17528FBDF9DF4016D50FD7551DAA8490829909D335FC65223992231899FC
8F23840FF0E654C166F25305D1645DF50EC96CD5429D214E050C2D2180AC59FC
9DA5CD8F3F11692BC1316197A5274A062171F2621DEF36E7E387B7B00B0CB617
91CD36925D0C32AEBEF00003CFEC6CE982E81993B9ADB0A01269EB6474365619
87F97F0B7FE666989FD625AE6D260334BC3BF1FCFADBBA5CEC168B6FC4303160
1A4194539D3DBFCA2D82D53D7BCE336EA3C77E1483CFDD586E3342902625404A
8B8980C3D86BBAB8CCB30BD913BC0AAA562F485EBEEE317ECFBCB39B62FEA461
5A2F0D91A53A00540C77A827232809A475DBCB6B63F33433CDCD1DFC568883BC
359C1E4F1AC86AFE5F8542656E728A632479AB0417190340398F1A1DACCD0083
46A439174775A164A29549D4C6092192AE597DA1B9B8EAA05EA7F1933D1DD73C
D71D8D7BBE1AC2AA9882403B780911565C054D9A7753E12EF564E3E2AA58992F
83EEC063986DF6300409CD18DDA32E3B4E9F7C70E94B725017EEDEB70CBCFD4A
FC72762CF700D5EA28BEC9F390566F90C2F23DC3D9CBF634CDC3E3084ADA4C80
3B9434CB44565D4EDB076F6BF4E08C67BA5DC92529CB46E1B62B763D9AB175B4
9A7D81F6F3B870CA5BFC99CEDF4CEFF4A5EB13748D60943737FF719D0E42E75F
B6799BF713A390F9C4439E5F3F4A43E2F46281A07C038A3A946719A8B6EECE3F
82AA115FABD658DFE1B408B660350BD1F5ED62C83CC2E70B5D1770DDA46735F3
D3C43161659ED4CB1AAA95420FDD7ABBC92EF533434541EA0F502CC9501F1303
39C05A9DB80C38ED9F5E282BDD3EA60A80A40DCE90B63E937A99FF813572E19A
20FFB4A56BD92A1084CCC55F268A9CA441575F3BB4E096372C12E4EB25964BA1
F9F24800E2D40C77DB89EC0628BA7BFBC292487C7ABA6A8D69C411301CB0268C
24579E85F3F6A92C38EC09AB3E63C98BFD32E5A2E7FC8464682EDADD9666F575
0AB37794DBDF698FFF7F1D563C4837CAF159E94FD4585EC16864494925CE9CBA
C1976FCEB809FE2B5EABA28B7DEC5C4BB54011131D699E1819DD31CF92BBB179
1E7041C9F0C8FC8AB3517C5C77CF9797E608FFFCF97BE8C5E571933DDD0D314F
20DCDF4A9060583B7D94C911CCC128B2102EDAAD97247B0FB0383B47B3C8A779
F6873EB1C59850E8DA0BEA042590BD3C6E7DF7E410B9FF2080ACF4BF6E2DD13B
8B32FB28027C7AD504F1E156C53FE014677001A443DFC39BD7B05D0C2B613B65
23D88890C19BBE19DA99C6A5E204C637CCD8D3EBE036E1EBC61E7CC708A5B8B4
51A8D26834473086B4FDFCFAAD69802BB1AB2C882132CDD8B3182DD75E0082F7
4E34A9CBED8D48DFFC203752B2EB8EB1CCA65ABF1D1396907C
000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000
cleartomark
end
statusdict begin
177 readeerom 24 bitshift
178 readeerom 16 bitshift or
179 readeerom 8 bitshift or
180 readeerom or
0 setpassword

--
Automatic Disclaimer: The views expressed above are those of the author alone and may not represent the views of the IBM PC User Group.

Cheers
Woody
woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) (07/26/90)
swsh@midway.uchicago.edu (Janet M. Swisher) writes:
> I have heard in several places that this LaserWriter nasty is a Trojan
> horse. If so, that would seem to restrict it to being a Mac problem.
> However, nothing that I have seen mentions the name that this Trojan
> goes under, so I don't know what to look out for. Could someone with
> actual experience with the problem confirm/deny/specify?

Well, since Postscript printers are intelligent (they understand a very complex and rich general purpose programming language), and everything sent to them is in actuality a program, the problem knows no boundaries.

Now, for the problem (luckily it isn't very widespread, if at all. The original discussion centered on the POSSIBILITY of a Postscript nasty.)

The Adobe postscript printers are interpreter driven. Part of the interpreter is called the "server loop". It is written in Postscript (using built in primitives). When you send a job to the printer, it reads the input stream, parses it into tokens and dispatches each token to cause it to execute. It also "wraps" each job with a save/restore context. That is to say, it saves the current state of the VM, executes the job and then restores it. This allows programs to run without interfering with each other. This also means that each program is discarded when it is through running.

In order to download something permanently (until power-off) into the machine, such as a header or preamble, you have to escape the save/restore context. The mechanism to do this is the keyword exitserver. exitserver takes as one parameter a password. This password is compared with a password stored in the eeprom, and if they match, the exit takes place, and whatever comes down the line until a ^D (EOF) will be stored in memory "under the server, outside of the save and restore". The server is then restarted and the code that was loaded sits there regardless of the save/restore wrapping by the server. The default password is 0.

Many applications will attempt to download a preamble, or perhaps a font or 2, and put them "under the server". If the password is not what the application expects, it will fail to work (the preamble will get thrown away). Generally, people don't mess with the password. Adobe provides a mechanism to set the password, IF you know the old one. It imposes a 1 second delay for each attempt at changing the password.

On a network, people typically will set the password for each printer to some other one than the default, then modify the application to issue the correct password. This prevents an unwanted application from downloading preambles. Since almost all of the postscript operators can be redefined, preambles give you a way to drastically alter the operation of the printer. For example, you can change the definition of showpage (the command that causes the page to be emitted) to do most anything, including printing things on the page, etc etc. For this reason, generally on networks the password gets changed.

Now, suppose someone comes along with a routine called writeeprom that writes an arbitrary byte to a location in the eeprom. They can now write to the locations that control the password, regardless of what it is, and change it. If you forget the password, Apple at least will reset it for $600.00!!!!! You have to send your board in. Needless to say, you can cost a place a pile of money real fast, not to mention lost time, by messing the passwords up. ANY postscript program can change the password using the built in operator, and ANY postscript program can change the password using writeeprom. writeeprom is what my resetter uses to do its work, and that is why I have restricted access to it.

Well, sorry for the longwinded post. Hope that this helps. If your applications suddenly quit working, check the password out. It may have changed. The supplement for your printer will detail how it is done.

Cheers
Woody Baker
Rt.1 Box I
Manor, Tx. 78653
dwal@midway.uchicago.edu (David Walton) (07/28/90)
woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) writes:
>swsh@midway.uchicago.edu (Janet M. Swisher) writes:
>> I have heard in several places that this LaserWriter nasty is a Trojan
>> horse. If so, that would seem to restrict it to being a Mac problem.
>> However, nothing that I have seen mentions the name that this Trojan
>> goes under, so I don't know what to look out for. Could someone with
>> actual experience with the problem confirm/deny/specify?
>
>Well, since Postscript printers are intelligent, (they understand a
>very complex and rich general purpose programming language,) and every
>thing sent to them is in actuality a program, the problem knows no boundaries.

[Lots of very useful information removed]

Janet's point was that the program that actually sent the PostScript to the printer was a Macintosh trojan horse, so that the PostScript would be downloaded only from a Macintosh. (At least I think that's what she meant. Since we share an office, I suppose I could ask her :-). Granted, once the PostScript is actually in the printer, it's a problem for any computer (Mac, IBM, UNIX box) that wants to contact the printer. But that actual trojan horse itself is a Macintosh application, so other systems wouldn't be able to spread the infection (unless the author has been kind enough to provide the trojan on multiple systems, which of course is entirely possible).

Sigh. I love irresponsible hackers. Really, I do. Heavens, what would I do with my time if I couldn't spend it fighting viruses?

>Woody Baker
>Rt.1 Box I
>Manor, Tx. 78653

--
David Walton Internet: dwal@midway.uchicago.edu
University of Chicago { Any opinions found herein are mine, not }
Computing Organizations { those of my employers (or anybody else). }
woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) (08/02/90)
I'd like to thank Ken for posting the code, and to apologize to him for
the rather abrasive note that I sent him. I have since received a
series of questions from an individual about the contents of the code.
I have examined the hex code. It is encrypted via a standard
encryption routine used by Adobe, and documented in the new Black Book
(the Type 1 Font Spec) book. The core routine, the 68000 machine
language routine is identical to the routine that I use for reading the
eeprom, right down to the checksum. Since machine language routines
have to be installed by the cexec operator, and since that operator
will not function unless it is invoked from within a procedure that
has been called via eexec (known as executing from within an eexec
context), Nigel simply did the following:
<
.....680000 code
> userdict begin cexec currentfile closefile
and eexeced it. Then when eexec executes, the machine language will
be executed by cexec, and the operator installed. I have taken
a slightly different tack, to achieve the same result. The dangerous
routine, writeeeprom is a separate bit of 68000 code. I have decided
to remove that from my code, so at this point my code is essentially
the same as Nigel's code, except that I don't change the password. I just
report it.
As was pointed out, this is a double edged sword. If you know the
password you can reset the password. This routine shows you the
password. If you choose, you can then reset it to some other value.
This means that this routine could be used as the primary attack to
change the password, and mess things up. It also means that if that
happens, you can know about it and fix it. The universe is perverse.
It is, however, better to be able to undo the damage when it is done
than not to be able to undo the damage.
Cheers
Woody
p.s. The code posted is a simple text file that can be sent to any
Adobe 68000 postscript printer by any means whatsoever from any host
whatsoever. It cannot hurt the host in any way.
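Woody's 07/26 post explains why a print job matters to a printer administrator: exitserver lets a job stay resident past the server loop's save/restore, setpassword changes the password that guards exitserver, and his 08/02 post adds that cexec (run from inside an eexec context) installs downloaded machine code as a new operator. An administrator who runs a print server or spooler can screen jobs for exactly those operators before they reach the printer. The following is an added example written for this thread, not code from any of the posters; it tokenizes a PostScript job well enough to ignore comments and strings, reports the operators named in the thread (exitserver, setpassword, cexec, readeerom, writeeeprom) plus eexec, which hides whatever follows it, and for exitserver also reports the password literal the job presents. The three sample jobs are constructed for the example.

```python
"""Static screen for PostScript print jobs (added example, not from the thread).

Flags jobs that use the mechanisms discussed above: exitserver, setpassword,
cexec, the EEPROM operators, and eexec-encrypted sections. Intended to run on
a spooler before the job is sent to the printer."""
import re

# Operators discussed in the thread and why a defender wants to see them.
# readeerom/writeeeprom are the non-standard operators installed by downloaded
# 68000 code, not part of stock PostScript; seeing them at all is notable.
FLAGGED = {
    "exitserver": "leaves the server loop's save/restore wrapper (persistent change)",
    "setpassword": "changes the printer password",
    "cexec": "installs downloaded machine code as a new operator",
    "readeerom": "reads the printer's EEPROM (where the password is stored)",
    "writeeeprom": "writes arbitrary EEPROM bytes",
}

# A PostScript token is anything that is not whitespace or a delimiter.
TOKEN_RE = re.compile(r"[^\s%(){}\[\]<>/]+")


def tokenize(ps_text):
    """Yield (line_no, token) for names and numbers in a PostScript job.
    Comments, (...) strings and <...> hex strings are skipped so that words
    which merely appear inside them are not reported."""
    i, n, line = 0, len(ps_text), 1
    while i < n:
        c = ps_text[i]
        if c == "\n":
            line += 1
            i += 1
        elif c == "%":  # comment runs to end of line
            while i < n and ps_text[i] != "\n":
                i += 1
        elif c == "(":  # literal string; parentheses nest, backslash escapes
            depth = 0
            while i < n:
                ch = ps_text[i]
                if ch == "\\":
                    i += 2
                    continue
                if ch == "(":
                    depth += 1
                elif ch == ")":
                    depth -= 1
                    if depth == 0:
                        i += 1
                        break
                elif ch == "\n":
                    line += 1
                i += 1
        elif ps_text.startswith("<<", i):  # dictionary delimiter, not a hex string
            i += 2
        elif c == "<":  # hex string <...>
            j = ps_text.find(">", i)
            if j < 0:
                j = n
            line += ps_text.count("\n", i, j)
            i = j + 1
        else:
            m = TOKEN_RE.match(ps_text, i)
            if m:
                yield line, m.group(0)
                i = m.end()
            else:
                i += 1  # single-character delimiter: { } [ ] / >


def screen_job(ps_text):
    """Return [(line, operator, reason)] for every flagged use in the job.
    A literal name such as /exitserver is reported too, since it can still be
    executed later via load or exec."""
    tokens = list(tokenize(ps_text))
    findings = []
    for idx, (line, tok) in enumerate(tokens):
        if tok == "eexec":
            findings.append((line, tok, "opens an encrypted section that cannot be reviewed in clear"))
        elif tok in FLAGGED:
            reason = FLAGGED[tok]
            # exitserver is preceded by the password the job presents; record it.
            if tok == "exitserver" and idx > 0 and tokens[idx - 1][1].lstrip("-").isdigit():
                reason += " (password literal %s)" % tokens[idx - 1][1]
            findings.append((line, tok, reason))
    return findings


def is_clean(ps_text):
    return not screen_job(ps_text)


# Constructed sample jobs (not real spool data).
SAMPLE_BENIGN = """%!PS-Adobe-2.0
%%Title: constructed benign job
/Helvetica findfont 12 scalefont setfont
72 720 moveto
(exitserver and setpassword inside a string are just text) show
% setpassword in a comment is ignored too
showpage
"""

SAMPLE_PREAMBLE = """%!PS-Adobe-2.0
% constructed: an application preamble that stays resident under the server
serverdict begin 0 exitserver
/appdict 10 dict def
"""

SAMPLE_PASSWORD_CHANGE = """%!PS-Adobe-2.0
% constructed: hides part of itself, then changes the printer password
currentfile eexec
A1B2C3D4E5F60718
statusdict begin 0 31337 setpassword end
"""

if __name__ == "__main__":
    for name, job in [("benign", SAMPLE_BENIGN), ("preamble", SAMPLE_PREAMBLE),
                      ("password change", SAMPLE_PASSWORD_CHANGE)]:
        print(name, "->", screen_job(job) or "clean")
```

The preamble sample is the normal case Woody describes: an application presenting the default password 0 to exitserver. Seeing that literal in the report tells an administrator which applications will break once the printer password is changed away from the default, and which jobs presenting it are not from any application they know.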