From berk@linux.org.tr Fri Jun 22 08:44:02 2001
Date: Thu, 07 Jun 2001 13:56:49 +0300
From: Berk Demir
To: project@honeynet.org
Subject: Submission: Scan of the Month - June

Hi,

This is my very first submission to Honeynet. Thank you for starting this
lovely and educating project. The security community really adores you.

My Answers:

--- (1) [ Encryption algorithm used ]---

I don't think this is a kind of REAL encryption algorithm, but the file was
byte XOR'ed with 255 (0xFF).

--- (2) [ How I determined the algorithm used ]---

I looked at the file with 'od' (from GNU Textutils). The byte distribution
was generally bigger than 210. I thought that this smooth distribution
generally happens on XOR'ed text files.

--- (3) [ How I've decrypted the file ]---

I don't know a tool that XORs a file byte by byte and gives the output, so
I decided to punch my own. I wrote a quick C program. (This very simple
source code, 'xor.c', is below.)

--- (4) [ Purpose of the file and why encrypted ? ]---

The file seems like a configuration file of the rootkit. It is built like a
Windows '.ini' file. The categories "[file]", "[ps]", "[netstat]" and
"[login]" are specified. Every category first specifies the compromised
binary for the category. For example: the modified netstat lies in the path
'/dev/pts/01/bin/netstat'.

Categories also include the behavior of the compromised binaries. For
example: the "net_filters" variable in the category "[netstat]" specifies
that the compromised netstat program will not show the status of ports
"47018 and 6668".

...And the categories go on. I will not explain each category and the
variables under it. I think everyone following the Honeynet Project is
smart enough to understand them.

This file was encrypted by the intruder because it includes the keyword
that alters the compromised 'su' to allow root logins. The keyword is
"l33th4x0r". Also, this pretty clean looking config file shouts like "Hey!
I am a rootkit config file!". Any *smart* Solaris administrator can
understand this if he comes across it.
--- (5) [ What lesson did I learn from this challenge ]---

I've learned that these kinds of rootkits use very simple methods to put in
backdoors and hide their footprints. I was expecting something more
sophisticated. I've also again realized that blackhats, especially the
newbies, use very lame passwords (like "l33th4x0r"; maybe this is the
default password of the rootkit).

--- (6) [ How long did it take ]---

It took 2 minutes 10 seconds for 'od' and guessing the method.
110 seconds to write "xor.c", compile it and execute it with parameter 255.
Oops! But it took 14 minutes to write/format this message :-)

Cheers,
Berk Demir /* bdd */

--My Attachments

---------------------------8<--------------------------[ xor.c ]-------
/* xor.c: XOR every byte of input_file with an integer key (0-255) and
 * write the result to stdout.
 * Usage: ./xor somefile 255 > somefile_decrypted */
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    int buf;
    int filter;
    FILE *fd;

    if (argc != 3) {
        fprintf(stderr, "Error in usage\n"
                        "Usage : %s input_file integer\n", argv[0]);
        return 1;
    }

    /* open in binary mode so no byte is translated before it is XOR'ed */
    if ((fd = fopen(argv[1], "rb")) == NULL) {
        fprintf(stderr, "Unable to open input file %s\n", argv[1]);
        return 1;
    }

    /* keep only the low byte of the key: the XOR is applied per byte */
    filter = atoi(argv[2]) & 0xFF;

    while ((buf = fgetc(fd)) != EOF) {
        putchar(buf ^ filter);
    }

    fclose(fd);
    return 0;
}
--------------------------->8--------------------------[ xor.c ]-------
---------------------------8<-------------[ somefile_decrypted ]-------
[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668
[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r
--------------------------->8-------------[ somefile_decrypted ]-------
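Added example (editor's note; not part of Berk Demir's submission and not code from the rootkit): the submission guesses the key 0xFF from the 'od' byte distribution and then XORs the file by hand. The script below generalizes both steps: it measures the high-bit ratio that 'od' made visible, brute-forces all 256 single-byte keys against a text-likeness score instead of guessing, and then parses the recovered ini-style config into concrete things to check on the host (replacement binary paths, hidden ports and names, the su backdoor password). The ciphertext is constructed here by XOR-ing a short fragment modelled on the decrypted file with 0xFF, and the scoring weights are an assumption of this example, tuned for config-style text.

```python
"""Recover a single-byte XOR key and triage the rootkit config it hides.

Added example, not code from the Honeynet submission or from the rootkit.
SAMPLE_CIPHERTEXT is constructed below by XOR-ing a config fragment with
0xFF; the weights in score_plaintext() are an assumption of this example.
"""

# Constructed sample: an ini-style fragment modelled on the recovered file.
SAMPLE_PLAINTEXT = (
    b"[netstat]\n"
    b"netstat=/dev/pts/01/bin/netstat\n"
    b"net_filters=47018,6668\n"
    b"[login]\n"
    b"su_loc=/dev/pts/01/bin/su\n"
    b"su_pass=l33th4x0r\n"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (what xor.c does, in memory)."""
    return bytes(b ^ (key & 0xFF) for b in data)


# What the "encrypted" file looks like on disk (constructed).
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, 0xFF)


def high_bit_ratio(data: bytes) -> float:
    """Fraction of bytes >= 0x80: the signal visible in 'od'. ASCII text
    XOR'ed with a key whose top bit is set comes out near 1.0."""
    return sum(b >= 0x80 for b in data) / len(data) if data else 0.0


def score_plaintext(candidate: bytes) -> float:
    """Average text-likeness per byte (assumed weights): whitespace and
    config-style characters score high, other printable ASCII scores low,
    control and high-bit bytes are penalised heavily."""
    if not candidate:
        return 0.0
    total = 0.0
    for b in candidate:
        if b in (0x09, 0x0A, 0x0D, 0x20):
            total += 2.0
        elif not 0x20 < b < 0x7F:
            total -= 10.0
        elif chr(b).isalnum() or chr(b) in "/=_.,[]:-":
            total += 1.0
        else:
            total += 0.2
    return total / len(candidate)


def recover_xor_key(ciphertext: bytes) -> tuple[int, float]:
    """Try all 256 keys instead of guessing; return (best_key, its score)."""
    scored = [(score_plaintext(xor_bytes(ciphertext, k)), k) for k in range(256)]
    best_score, best_key = max(scored)
    return best_key, best_score


def parse_rootkit_config(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse the ini-like config into {section: {key: [values]}}; the
    comma-separated *_filters values become lists."""
    sections: dict[str, dict[str, list[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = [v.strip() for v in value.split(",")]
    return sections


def extract_indicators(config: dict[str, dict[str, list[str]]]) -> dict[str, list]:
    """Turn the parsed config into host checks: paths named as replacement
    binaries, ports and names the trojaned tools hide, the su password."""
    paths, ports, names, passwords = set(), set(), set(), set()
    for entries in config.values():
        for key, values in entries.items():
            if key == "su_pass":
                passwords.update(values)
            elif key.endswith("_filters"):
                for v in values:
                    port = v.lstrip(":")  # lsof-style filters look like ":6668"
                    if port.isdigit():
                        ports.add(int(port))
                    else:
                        names.add(v)
            elif len(values) == 1 and values[0].startswith("/"):
                paths.add(values[0])
    return {"binary_paths": sorted(paths), "hidden_ports": sorted(ports),
            "hidden_names": sorted(names), "passwords": sorted(passwords)}


def analyze(ciphertext: bytes) -> dict:
    """Full pipeline: key recovery, decryption, parsing, indicator extraction."""
    key, score = recover_xor_key(ciphertext)
    config = parse_rootkit_config(xor_bytes(ciphertext, key).decode("ascii", "replace"))
    return {"key": key, "score": round(score, 3), "config": config,
            "indicators": extract_indicators(config)}


if __name__ == "__main__":
    print(f"high-bit ratio of ciphertext: {high_bit_ratio(SAMPLE_CIPHERTEXT):.2f}")
    result = analyze(SAMPLE_CIPHERTEXT)
    print(f"recovered key: 0x{result['key']:02X} (score {result['score']})")
    for name, items in result["indicators"].items():
        print(f"{name}: {items}")
```

The brute force is only sound because the scorer strongly penalises control bytes: keys one bit away from the true one turn every newline into a control character and lose immediately, which is why a plain "count printable bytes" heuristic is not enough. The extracted paths should be compared against package checksums on the host rather than treated as malicious by themselves, since the full config also names the legitimate /bin/sh.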