From lcamtuf@bos.bindview.com Fri Jun 22 08:42:04 2001
Date: Mon, 4 Jun 2001 09:37:21 -0400 (EDT)
From: Michal Zalewski
To: Lance Spitzner
Subject: Re: Scan of the Month - Decrypt
Resent-Date: Mon, 4 Jun 2001 09:37:38 -0400 (EDT)
Resent-From: Michal Zalewski
Resent-To: project@honeynet.org
Resent-Subject: Re: Scan of the Month - Decrypt

On Mon, 4 Jun 2001, Lance Spitzner wrote:

> For the month of June, the Honeynet Project has decided to release a
> more difficult challenge. Your mission this month is to decrypt and
> analyze an encrypted file found on a compromised system. As always,
> you can find the Scan of the Month at:

Here comes my write-up, probably way too messy, but I think it would be
good :)

1) This file seems to be encrypted with an XOR 255 algorithm applied to
single bytes. You can tell that by viewing the encrypted file in binary
and comparing the bit layout with a typical text file - it is almost
exactly inverted: bits that are usually set are usually cleared, and
vice versa, and this observation applies to the whole sample... So I
tried, and it worked. I considered shifted byte values as well.

2) Encrypted contents would be:

[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER

[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc

[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668

[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r

3) Its purpose. It seems to be a rootkit configuration file. My guesses
are:

find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls

That would be the location of the original files. This trojan apparently
replaces them, probably to become 'stealth' (quite a lame technique).

file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER

These are his own filenames it is trying to hide from viewing. This
rootkit seems to consist of the typical set of sniffer, log cleaner, DoS
utility and IRC bouncer - but I can't tell without viewing these files.

ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys

It hides its own processes as well, and these are their names.
Basically, it is hard to tell if it actually tries to backdoor the lpd
and sshd services, or is only using these names.

lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc

It seems to hide used ports - 6667 and 6668 for the IRC bouncer, and a
few others probably used for root shells.

[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668

Yup, that seems like a netstat replacement, which hides two more ports.

[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd

These setuid binaries are apparently backdoored...

shell=/bin/sh

...shell location, to be invoked from the above programs...

su_pass=l33th4x0r

And this would be a universal su password, if I am correct =)

Ok, time spent on that: 10 minutes :>

--
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
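As an added example (not part of the mail above, and not the Honeynet Project's own tooling), the bit-layout observation from point 1 turned into a small Python checker: it flags a blob whose bytes almost all have bit 7 set (inverted ASCII text), undoes the XOR 0xFF, and parses the recovered INI-style rootkit configuration into sections so an analyst can pull the hidden filenames and ports into detection rules. The encrypted input here is a constructed sample built from a few lines in the decrypted file's format, not the challenge file itself.

```python
# Added example: recover and parse an XOR-0xFF-encoded rootkit config.
from __future__ import annotations

def looks_xor_ff_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic from the write-up: printable ASCII keeps bit 7 clear,
    so a text file XORed with 0xFF has bit 7 set in almost every byte."""
    if not data:
        return False
    high = sum(1 for b in data if b & 0x80)
    return high / len(data) >= threshold

def xor_decode(data: bytes, key: int = 0xFF) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)

def parse_rootkit_config(text: str) -> dict:
    """Parse [section] / key=value lines; comma-separated values become lists."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.split(",") if "," in value else value
    return sections

def recover(data: bytes):
    """Return the parsed config if the blob looks XOR-0xFF encoded, else None."""
    if not looks_xor_ff_text(data):
        return None
    return parse_rootkit_config(xor_decode(data).decode("ascii", errors="replace"))

# Constructed sample in the format of the decrypted file, encoded with XOR 0xFF.
SAMPLE_PLAINTEXT = (
    "[ps]\nps=/dev/pts/01/bin/psr\nps_filters=lpq,lpsched,psr\n"
    "[netstat]\nnet_filters=47018,6668\n"
)
SAMPLE_ENCRYPTED = xor_decode(SAMPLE_PLAINTEXT.encode("ascii"))

if __name__ == "__main__":
    print(recover(SAMPLE_ENCRYPTED))
```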