% tcpdump -nr snort.log
01:32:34.417321 172.16.196.132 > 172.16.183.2: ip-proto-11 402
01:33:26.930071 172.16.196.132 > 172.16.183.2: ip-proto-11 402
01:37:09.328991 172.16.196.132 > 172.16.183.2: ip-proto-11 402
01:41:37.934005 172.16.196.132 > 172.16.183.2: ip-proto-11 402
01:41:38.117856 172.16.183.2 > 109.197.191.34: ip-proto-11 480
01:41:38.120040 172.16.183.2 > 126.85.250.183: ip-proto-11 480
01:41:38.131012 172.16.183.2 > 233.96.38.22: ip-proto-11 480
01:41:38.132089 172.16.183.2 > 210.13.117.98: ip-proto-11 480
01:41:38.138874 172.16.183.2 > 219.93.216.82: ip-proto-11 480
01:41:38.148974 172.16.183.2 > 203.173.144.35: ip-proto-11 480
01:41:38.158987 172.16.183.2 > 41.230.157.197: ip-proto-11 480
01:41:38.168881 172.16.183.2 > 20.17.169.129: ip-proto-11 480
01:41:38.178779 172.16.183.2 > 214.104.164.84: ip-proto-11 480
01:41:38.592342 172.16.183.2 > 109.197.191.34: ip-proto-11 583
01:41:38.593447 172.16.183.2 > 126.85.250.183: ip-proto-11 583
01:41:38.608905 172.16.183.2 > 233.96.38.22: ip-proto-11 583
01:41:38.619118 172.16.183.2 > 210.13.117.98: ip-proto-11 583
01:41:38.628781 172.16.183.2 > 219.93.216.82: ip-proto-11 583
01:41:38.638902 172.16.183.2 > 203.173.144.35: ip-proto-11 583
01:41:38.648826 172.16.183.2 > 41.230.157.197: ip-proto-11 583
01:41:38.658969 172.16.183.2 > 20.17.169.129: ip-proto-11 583
01:41:38.668876 172.16.183.2 > 214.104.164.84: ip-proto-11 583

Right away, we can see that this program is using an unusual network protocol (IP protocol 11) to communicate. The machine 172.16.183.2 receives several packets from 172.16.196.132 (which is probably a bogus source address). It then sends out two bursts of packets to nine other machines. One of those is probably a machine owned by the intruder; the others are just chaff meant to confuse analysis.
Next, I look inside the packets. Two are reproduced below for illustration.
% snort -r snort.log
02/28-01:32:34.417321 172.16.196.132 -> 172.16.183.2 PROTO011 TTL:237 TOS:0x0 ID:27401 IpLen:20 DgmLen:422
02 00 17 30 48 2A EE 95 CF E6 FD 14 2B 42 59 70  ...0H*......+BYp
87 9E B5 CC E3 FA 11 28 3F 56 6D 84 9B B2 C9 E0  .......(?Vm.....
F7 0E 25 3C 53 6A 81 98 AF C6 DD F4 0B 22 39 50  ..%<Sj......."9P
67 7E 95 AC C3 DA F1 08 1F 36 4D 64 7B 92 A9 C0  g~.......6Md{...
D7 EE 05 1C 33 4A 61 78 8F A6 BD D4 EB 02 19 30  ....3Jax.......0
47 5E 75 8C A3 BA D1 E8 FF 16 2D 44 5B 72 89 A0  G^u.......-D[r..
B7 CE E5 FC 13 2A 41 58 6F 86 9D B4 CB E2 F9 10  .....*AXo.......
27 3E 55 6C 83 9A B1 C8 DF F6 0D 24 3B 52 69 80  '>Ul.......$;Ri.
97 AE C5 DC F3 0A 21 38 4F 66 8D 8F A5 7B BE E8  ......!8Of...{..
04 23 42 44 5A 30 99 9E BB DA F1 08 1F 36 99 9B  .#BDZ0.......6..
B1 87 8A 92 A8 7E 65 67 7D 53 74 8B A2 B9 45 5C  .....~eg}St...E\
73 8A A1 B8 CF E6 FD 14 2B 42 58 6F 86 9D 54 54  s.......+BXo..TT
6A 40 57 6E 85 9C 3B D6 F4 13 2A 41 58 6F 86 9D  j@Wn..;...*AXo..
B4 CB 66 7D 94 AB C2 E9 00 17 2E 45 5C 73 AC C3  ..f}.......E\s..
DA F1 07 1D 33 49 60 87 9E B5 CC E3 FA 11 27 3D  ....3I`.......'=
53 69 8F A6 BD D4 EF 06 1D 34 B5 80 9D BC B3 B5  Si.......4......
CB A1 5B 5B 71 47 5E 75 8C A3 E8 FF 16 2D F0 F2  ..[[qG^u.....-..
08 DE 46 39 54 73 D6 D8 EE C4 3A 05 22 41 28 2A  ..F9Ts....:."A(*
40 16 2D 44 5B 72 D5 D7 ED C3 C6 CE E4 BA D1 E8  @.-D[r..........
FF 16 2D 44 5B 72 D5 D7 ED C3 DA F1 08 1F 36 4D  ..-D[r........6M
64 7B 2A 0D 2D 4C 83 E8 08 27 3F 56 1A 2C 3D 45  d{*.-L...'?V.,=E
5B 31 4F 66 7D 94 23 25 3B 11 8E 27 44 63 7B 92  [1Of}.#%;..'Dc{.
A9 C0 D7 EE 05 5C 7A 91 A8 BF EE 18 36 55 73 8A  .....\z.....6Us.
A1 B8 EF 54 74 93 42 44 5A 30 82 16 33 52 81 AB  ...Tt.BDZ0..3R..
C9 E8 FF 16 2D 84 A2 B9 D0 E7 16 40 5E 7D 93 A9  ....-......@^}..
BF D5                                            ..

02/28-01:41:38.120040 172.16.183.2 -> 126.85.250.183 PROTO011 TTL:250 TOS:0x0 ID:28427 IpLen:20 DgmLen:500
03 00 89 A3 DA 11 48 CF 58 DE 5C E5 5D E1 18 A5  ......H.X.\.]...
21 AA 34 6B F2 7B 01 8C 12 49 80 B7 3E C4 4D D8  !.4k.{...I..>.M.
F9 30 67 9E D5 1D 64 AB F2 39 80 B7 EE 25 5C A5  .0g...d..9...%\.
DC 13 4A D5 4F D6 0D 44 7B B2 FA 42 8A C1 F8 7F  ..J.O..D{..B....
05 8E 19 9D 15 9C 23 9F 28 49 80 B7 EE 25 6D B4  ......#.(I...%m.
FB 42 89 D0 07 3E 75 AC F5 2C 63 9A 26 A1 28 5F  .B...>u..,c.&.(_
96 CD 04 4C 94 DC 13 4A D1 57 E0 6B EF 67 EE 75  ...L...J.W.k.g.u
F1 7A 9B D2 09 40 77 BF 06 4D 94 DD 25 5C 93 CA  .z...@w..M..%\..
01 49 80 B7 EE 7A F5 7C B3 EA 21 69 B0 F9 44 7B  .I...z.|..!i..D{
B2 37 BA 40 BA 3C C0 3E C7 E8 1F 56 8D C4 0C 53  .7.@.<.>...V...S
9A E1 2A 72 A9 E0 17 4E 98 CF 06 3D C9 44 CB 02  ..*r...N...=.D..
39 70 B8 FF 48 93 CA 01 86 09 8F 09 8B 0F 8D 16  9p..H...........
37 6E A5 DC 13 5B A2 E9 30 79 C1 F8 2F 66 9D E5  7n...[..0y../f..
1C 53 8A 15 8F 16 4D 84 BB 03 4A 93 DE 15 4C D1  .S....M...J...L.
54 DA 54 D6 5A D8 61 82 B9 F0 27 5E A6 ED 34 7B  T.T.Z.a...'^..4{
C4 0C 43 7A B1 E8 32 69 A0 D7 62 DC 63 9A D1 08  ..Cz..2i..b.c...
50 97 E0 2B 62 99 1E A1 27 A1 23 A7 25 AE CF 06  P..+b...'.#.%...
3D 74 AB F3 3A 81 C8 11 5C 93 CA 01 38 80 B7 EE  =t..:...\...8...
25 B1 2C B3 EA 21 58 8F DF 28 73 AA E1 6B F6 6E  %.,..!X..(s..k.n
F9 85 0F 30 67 9E D5 0C 54 9B E2 29 72 BD F4 2B  ...0g...T..)r..+
62 99 E1 18 4F 86 11 8B 12 49 80 B7 EE 3E 87 D4  b...O....I...>..
0B 42 CC 57 CF 5A E6 70 91 A8 1C A7 49 02 D2 B9  .B.W.Z.p....I...
B7 CC F8 3B 95 06 8E 2D E3 B0 94 8F A1 CA 0A 61  ...;...-.......a
CF 54 F0 A3 6D 4E 46 55 7B B8 0C 77 F9 92 42 09  .T..mNFU{..w..B.
E7 DC E8 0B 45 96 FE 7D 13 C0 84 5F 51 5A 7A B1  ....E..}..._QZz.
FF 64 72 03 20 20 20 70 72 6F 67 72 61 6D 20 76  .dr.   program v
65 72 73 20 70 72 6F 74 6F 20 20 20 70 6F 72 74  ers proto   port
0A 20 20 20 20 31 30 30 30 30 30 20 20 20 20 32  .    100000    2
20 20 20 74 63 70 20 20 20 20 31 31 31 20 20 70     tcp    111  p
6F 72 74 6D 61 70 70 65 72 0A 20 20 20 20 31 30  ortmapper.    10

This is interesting. The first packet is nonsense, but not without patterns. Notice that the second hex digit of each byte (its low nibble) is usually constant within a given column of the dump.
The second packet is mostly gibberish, but contains some plain text at the end. The column pattern is not present in the second packet.
Now I take a flying intuitive leap. I've been working with linear congruential pseudorandom number generators lately, and they have the property that the low 4 bits of the output have a period of 16. I guess that they are adding or xoring the output of such a generator into the data. The first packet must contain a lot of nulls, so the pattern is clearly visible. The data in the second packet obscures the pattern.
To test my theory, I write a small Perl script, solvelcg.pl, to attempt to discover the coefficients of the PRNG. The PRNG equation is:

    x[n+1] = (a * x[n] + b) mod 256

Because of the properties of modular arithmetic, I only need to find the values of (a mod 256) and (b mod 256). The script simply tries all possible combinations to see whether one of them reproduces a sequence of three bytes I took from the packet. It does! The answer is a=1, b=0x17. This is even simpler than I thought -- they're just adding 0x17 to the previous byte.
decodepkt.pl is the result of a few minutes of trial and error. It can decode the network packets to something that appears to make sense. I'm sorry to say that I did not save those intermediate stages, though.
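The brute-force search and the keystream removal, as an added Python example (the author's solvelcg.pl and decodepkt.pl are Perl scripts that are not reproduced on this page). It uses rows 2 and 3 of the first packet dump above and assumes, as the text does, that those 32 bytes are encrypted nulls and that the keystream is added byte-wise rather than XORed.

```python
# Rows 2 and 3 of the first packet (32 bytes copied from the snort dump above).
ROWS_2_3 = bytes.fromhex(
    "879EB5CCE3FA11283F566D849BB2C9E0"
    "F70E253C536A8198AFC6DDF40B223950"
)

def solve_lcg(x0, x1, x2, modulus=256):
    """Return every (a, b) with x1 == (a*x0 + b) % m and x2 == (a*x1 + b) % m.

    Exhaustive over 256*256 candidates; three consecutive bytes give two
    equations, enough to pin down both coefficients mod 256.
    """
    return [(a, b) for a in range(modulus) for b in range(modulus)
            if (a * x0 + b) % modulus == x1 and (a * x1 + b) % modulus == x2]

def keystream(a, b, seed, length, modulus=256):
    """Generate x[n+1] = (a*x[n] + b) mod m, starting from x[0] = seed."""
    out, x = [], seed
    for _ in range(length):
        out.append(x)
        x = (a * x + b) % modulus
    return bytes(out)

def strip_keystream(data, a, b, seed):
    """Undo byte-wise modular addition of the keystream (additive mode is an
    assumption; an XOR variant would use c ^ k instead)."""
    return bytes((c - k) % 256
                 for c, k in zip(data, keystream(a, b, seed, len(data))))

def low_nibble_columns(data, width=16):
    """Distinct low nibbles seen in each dump column. A single value per
    column is the 'second hex digit constant per column' pattern: with a=1
    the low 4 bits of the keystream repeat every 16 bytes."""
    return [sorted({data[i] & 0xF for i in range(col, len(data), width)})
            for col in range(width)]

if __name__ == "__main__":
    print(solve_lcg(0x87, 0x9E, 0xB5))              # [(1, 23)] -> a=1, b=0x17
    print(strip_keystream(ROWS_2_3, 1, 0x17, 0x87).hex())
    print(low_nibble_columns(ROWS_2_3))
```

With a=1 the generator is a running addition, so the recovered b fixes only the byte-to-byte differences; the absolute seed has to come from a byte you can assume is an encrypted null, here the first byte of row 2 (0x87).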
% objdump -d the-binary >code
% objdump -s -j .rodata the-binary >rodata
% objdump -s -j .data the-binary >data

I examine the disassembled code and locate the system calls (in Linux, they're invoked with an int 0x80 instruction). These are listed in the file syscalls.txt.
Next, I start decompiling the code by hand, starting near the places where the recv syscall is used. Progress is slow, so I write a Perl script, rev.pl, to assist with reverse engineering. It does a few simple transformations to make the assembly code more C-like and readable. This helps speed up progress.
Yet another Perl script, string.pl, looks up indexes of strings in the .rodata section. It's much easier to identify the sprintf call by looking for the "%d"s than by trying to disassemble it!
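A Python rendering of what string.pl does, added here and not the author's script: parse the `objdump -s -j .rodata` dump into an address-to-string table, so an immediate seen in the disassembly can be resolved to the string it points at, and list the entries that carry printf-style "%" conversions. The section contents below are constructed for illustration and are not taken from the-binary.

```python
import re

# Constructed sample in the layout objdump -s prints (addresses and
# strings invented for illustration, not from the-binary).
RODATA_DUMP = """\
Contents of section .rodata:
 8049000 03000000 01000200 00000000 25642025  ............%d %
 8049010 640a0025 733a2025 640a0064 6f6e650a  d..%s: %d..done.
 8049020 00                                   .
"""

def parse_objdump_section(dump):
    """Return (base_address, raw_bytes) from `objdump -s` output."""
    base, chunks = None, []
    for line in dump.splitlines():
        # " <addr> <up to four 8-hex-digit groups>  <ascii column>"
        m = re.match(r"^ ([0-9a-f]+) ((?:[0-9a-f]{2,8} ?){1,4})", line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        base = addr if base is None else base
        chunks.append(bytes.fromhex(m.group(2).replace(" ", "")))
    return base, b"".join(chunks)

def index_strings(base, blob, min_len=2):
    """Map the address of each NUL-terminated printable string to its text."""
    table, start = {}, None
    for i, byte in enumerate(blob):
        if byte != 0:
            start = i if start is None else start
            continue
        if start is not None:
            s = blob[start:i]
            if len(s) >= min_len and all(32 <= c < 127 or c in b"\n\t" for c in s):
                table[base + start] = s.decode("ascii")
        start = None
    return table

def resolve(table, addr):
    """Translate an immediate from the disassembly to the string it addresses."""
    return table.get(addr)

def format_strings(table):
    """Addresses of strings holding '%' conversions: sprintf/printf candidates."""
    return [addr for addr, s in table.items() if "%" in s]

STRINGS = index_strings(*parse_objdump_section(RODATA_DUMP))
```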
Finally, I finish reverse engineering the binary, but without enough time left to properly write up my results. Altogether, I've probably spent around 20-30 hours on this project.