Miami Deluxe

Security Advisory
for
Amiga Internet Users

by Nordic Global Inc., 12/05/98,
for immediate release



During the first week of December a list of over 700 stolen user names, passwords and host names of Internet service providers was circulated in the "scene" and posted in several places, including Usenet. Most public postings did not include the passwords, but they ARE present in the original list, i.e. the list DOES exist, and presents a real threat to users on the list.

Anyone in possession of the list can use entries on the list to break into Internet accounts of corresponding users, unless those users changed their passwords in the meantime. In other words: if YOU appear on the list then anyone who has that list can break into YOUR Internet account, until/unless you change your password.

Some of the entries on the list were obtained using "normal" means, i.e. by breaking into ISP routers or exploiting known Unix or NT system vulnerabilities. Things like that happen all the time, and are difficult to prevent.

However, many entries on the list were obtained using a different mechanism: a "Trojan" distributed to Amiga users that secretly spied out username/password information and sent it to an Internet account, where that information was gathered by pirates.

After a lot of false and sometimes slanderous rumors about how that secret mechanism works and which program is to blame, a joint effort by Nordic Global Inc. and several helpful users, who wish to stay anonymous, finally determined the precise way the passwords were gathered:

A pirate group spread a fake version of "datatypes.library" via Aminet. That version has a version number of either 45.4 or 45.5 (depending on when and how you check the version), and a file size of 32748 bytes. The library contains a concealed Trojan that reads usernames and passwords from the Internet settings files on your hard disk, and sends them by email to a pirate group, which then collects that information and enters it into a database.

If you have that version of "datatypes.library" installed, then you are strongly advised to delete it, and to replace it with one of the legitimate, safe versions of datatypes.library, e.g. one of

If you install 45.4 then make sure the file size is 27780 bytes. If it is 32748 bytes then it is actually the dangerous, fake version 45.5, reporting a wrong version number, not the "real" version 45.4.

After that you should physically switch off your computer, wait for 30 seconds, and switch it on again, just in case.

Once you have done that, log into your Internet provider and change your password. If you have previously already changed your password, but did not replace the fake library, then you should change your password again now, because your account information may have been compromised again in the meantime.
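The version and file-size check described above can be automated when the Amiga's files are reachable from another machine. The Python script below is an added example, not code from Nordic Global Inc.; it assumes the library file carries a standard AmigaOS "$VER:" tag and that a copy of the Amiga partition is available under a directory you pass on the command line. The verdict names are the example's own.

```python
import re
import sys
from pathlib import Path

# Sizes and version numbers below are the ones stated in the advisory.
FAKE_SIZE = 32748        # fake library, reports itself as 45.4 or 45.5
REAL_45_4_SIZE = 27780   # genuine datatypes.library 45.4

# Assumption: the file embeds an AmigaOS "$VER: name version.revision" tag.
VER_TAG = re.compile(rb"\$VER:\s*\S+\s+(\d+)\.(\d+)")


def embedded_version(data: bytes):
    """Return (version, revision) from the first $VER tag, or None."""
    m = VER_TAG.search(data)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(data: bytes) -> str:
    """Judge the contents of a datatypes.library file by the advisory's criteria."""
    size = len(data)
    if size == FAKE_SIZE:
        # Size decides: the fake may report either 45.4 or 45.5.
        return "FAKE"
    ver = embedded_version(data)
    if ver == (45, 4) and size == REAL_45_4_SIZE:
        return "GENUINE-45.4"
    if ver in ((45, 4), (45, 5)):
        # Claims a version named in the advisory but matches neither size.
        return "UNVERIFIED"
    return "NOT-LISTED"


def scan(root: str):
    """Yield (path, verdict) for every datatypes.library found under root."""
    for p in sorted(Path(root).rglob("*")):
        # Amiga file names are case-insensitive, so compare in lower case.
        if p.is_file() and p.name.lower() == "datatypes.library":
            yield str(p), classify(p.read_bytes())


if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:13} {path}")
```

Any verdict other than GENUINE-45.4 or NOT-LISTED means the file should be replaced and the account password changed as described above.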

It is not known for sure yet who the author of that fake library and "collector" of the generated stolen accounts is, but an investigation is underway. Also, there are very strong, yet so far unconfirmed, indications (including witness statements by informants) that the infamous pirate group "Digital Corruption" is to blame for this.

If that turned out to be true then it would only prove once again that software written or distributed by or in cooperation with pirate organizations cannot be trusted, and may have harmful secret side effects.

If you are wondering why it is Nordic Global Inc. who are making this announcement: the original password list that was distributed contains a comment in obscene language that those passwords were obtained through an alleged "backdoor in Miami".

Do not be fooled by that. That claim is an obvious lie, a slanderous accusation attempting to tarnish the reputation of Miami and Nordic Global Inc., without any factual basis. Amiga pirate groups, in particular Digital Corruption, have been targeting Nordic Global Inc. with accusations like that for quite some time because of our strong public stand against piracy.

Miami does not have any "backdoors", and could not be used, and was not used to compile the list, or to provide any information that appeared on the list. Nevertheless many users and unfortunately even some developers and dealers spread the false rumor that Miami is "dangerous" in any way. This is obviously not the case.

We felt it necessary to try and find out the truth about how the list was compiled, not only to document the safety of Miami, but also to be able to give Amiga users the information they need to react to this threat and to prevent further damage.

For more information on this attack please visit our web site www.nordicglobal.com, in particular the "News" section.


Holger Kruse, Nordic Global Inc.