From u233@home.com Fri Jun 22 08:44:13 2001
Date: Fri, 8 Jun 2001 14:39:21 -0700
From: Trent Whaley
To: project@honeynet.org
Subject: Scan of the Month - June - Decrypt SunOS RootKit configuration file

Scan of the month, June, 2001
Decrypt and Identify a mystery file.

This is a configuration file for SunOS RootKit by Tragedy/Dor.
It has been obfuscated by bitwise inversion.
Bitwise inversion was the second trivial decryption I attempted (after memfrob).
Time to find decryption method: about 30 seconds.

Contents of file:

============================Begin decrypted data===============================
[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668
[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r
========================end decrypted data=================================

This is a configuration file for the SunOS Rootkit by Tragedy/Dor. It configures each trojaned binary to preserve the function of the saved original, and tells them what behaviour to change.

The file section tells find, du, and ls to ignore certain files.
The ps section tells ps to ignore certain processes and any processes with certain files open.
The netstat section tells netstat to ignore certain ports.
The login section inserts a password of l33th4x0r to allow the hacker to su to root.

Note that this file contains both the cracker's password and the phrase "/bin/sh". If the security team at the site were running snort in packet logging mode when this file was uploaded they would have an alert with the hacker's password in it if it were not encrypted.
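As an added example (not part of the original submission or of the rootkit), the script below automates the two trivial transforms tried above, bitwise inversion and memfrob (XOR 42), adds the single-byte XOR sweep the write-up considered, scores each candidate by how much it looks like config text, and parses the recovered [file]/[ps]/[netstat]/[login] sections into a defender's list of hidden files, hidden processes, hidden ports and trojaned paths. The obfuscated input is constructed inline by inverting a shortened copy of the config quoted above; the function names and the scoring heuristic are assumptions of this example, not anything from the challenge file.

```python
"""Recover and parse a trivially obfuscated rootkit configuration file.

Added example: tries the cheap transforms from the write-up (bitwise
inversion, memfrob i.e. XOR 42, and a single-byte XOR sweep), keeps the
candidate that looks most like config text, and parses the INI-style
result so its filter lists can be turned into hunting indicators.
"""

# Constructed sample: a shortened copy of the decrypted config quoted in
# the write-up, inverted here only to produce a challenge-like input blob.
SAMPLE_PLAINTEXT = b"""[file]
find=/dev/pts/01/bin/find
file_filters=01,lblibps.so,sn.l,prom,cleaner,USER
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2
[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668
[login]
su_loc=/dev/pts/01/bin/su
shell=/bin/sh
su_pass=l33th4x0r
"""
OBFUSCATED = bytes(b ^ 0xFF for b in SAMPLE_PLAINTEXT)

# Bytes one expects in a config file of this shape (a heuristic, not a
# language model); anything else counts against a candidate decoding.
CONFIG_ALPHABET = set(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\n[]=/,._:"
)


def text_score(data: bytes) -> float:
    """Fraction of bytes inside CONFIG_ALPHABET (1.0 = looks like config text)."""
    if not data:
        return 0.0
    return sum(b in CONFIG_ALPHABET for b in data) / len(data)


def candidates(data: bytes):
    """Yield (name, transformed) for each trivial transform, cheapest first."""
    yield "invert", bytes(b ^ 0xFF for b in data)
    yield "memfrob", bytes(b ^ 42 for b in data)
    for key in range(1, 256):
        if key not in (42, 0xFF):  # already covered above
            yield f"xor:{key}", bytes(b ^ key for b in data)


def best_decode(data: bytes):
    """Return (transform_name, plaintext) for the highest-scoring candidate.

    max() keeps the first of equally scored candidates, so the two transforms
    named in the write-up win any tie against an obscure XOR key.
    """
    return max(candidates(data), key=lambda c: text_score(c[1]))


def parse_config(text: str) -> dict:
    """Parse the INI-like config into {section: {key: value}}."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            config[section] = {}
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            config[section][key.strip()] = value.strip()
    return config


def indicators(config: dict) -> dict:
    """Turn the filter lists into what a defender would hunt for on the host."""
    def split(sec, key):
        return [v for v in config.get(sec, {}).get(key, "").split(",") if v]

    trojaned = sorted({v for sec in config.values() for v in sec.values()
                       if v.startswith("/dev/")})
    return {
        "hidden_files": split("file", "file_filters"),
        "hidden_procs": split("ps", "ps_filters"),
        "hidden_ports": [int(p) for p in split("netstat", "net_filters") if p.isdigit()],
        "trojaned_binaries": trojaned,
    }


if __name__ == "__main__":
    name, plain = best_decode(OBFUSCATED)
    cfg = parse_config(plain.decode("ascii", errors="replace"))
    print(f"recovered with transform: {name}")
    for label, values in indicators(cfg).items():
        print(f"{label}: {values}")
```

Run it as-is and it reports "invert" as the winning transform and lists the ports, process names and /dev/pts paths that ps, netstat and ls were told to hide; those lists are exactly what to feed into a file-integrity check or a host sweep, since the trojaned binaries will lie about them but a clean ls or netstat brought in from read-only media will not.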
Lesson learned: don't rule out the obvious.

Time:
Not including finding out that it was SunOS Rootkit: 1 minute 45 seconds.
Including finding the rootkit used: 4 hours.

Appendices
============================================================================

Appendix 1) Log of investigation:

June 8, 2001, 9:59
Downloaded somefile.tgz
man md5sum (I've never used this before)
md5sum somefile.tgz
> f7964d9860cbf8135ef64bcf5b96facb somefile.tgz
tar -xzf somefile.tgz
> somefile

June 8, 2001, 10:00
Coffee break.
Postulated: honeynet hasn't given any clues such as passwords or packet captures, so it must be very easy to decrypt. Possibly:
  Single DES -- which I won't be able to decrypt, but maybe others in the challenge can.
  Crypt
  Memfrob
  Xor (n)
  Bytewise Reverse
  Bitwise Invert

June 8, 2001, 10:10
Start with the obvious. Open KHexEdit. Observe no visible strings.
Postulate: Perhaps our Cracker is also a hacker. I'll un-memfrob it.
Tools->Binary filter
select operation (Operand Xor Data)
set (Format(operand)=decimal)
set (operand=42)
click (OK)
Still no visible strings. Click undo.

June 8, 2001, 10:10:30
Not wanting to try and brute-force un-XOR it just yet, I try Invert Data.
Tools->Binary Filter
select operation (INVERT data)
click (ok)
Strings all over the place.
Save file as somedecryptedfile
[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668
[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r
Note the presence of the line: shell=/bin/sh
This is probably why it's inverted (we don't want to trigger snort now, do we).

June 8, 2001, 10:11
Begin Writeup.
June 8, 2001, 10:25
Off to work on other projects.

June 8, 2001, 10:30
This is just too fun, back to the Challenge.
I've seen a file like this before, I just don't remember where.
Searching /etc hierarchy for a file with similar structure. No luck.

June 8, 2001, 12:50
Searched google for the term "ps_filters=", found 3 references, the relevant one being
http://archives.neohapsis.com/archives/sf/sun/2001-q2/0088.html
which indicates that this file is part of "SunOS Rootkit v2.5" by Tragedy/Dor.

June 8, 2001, 1:05pm
Google search for the term "Tragedy/Dor". Seventh reference is
http://ouah.bsdjeunz.org/programmes2.htm
which is entirely in French. One of the nice things about high schools in Canada is that French is mandatory to grade 11 (which is Sophomore year to those of you from the US). The fifth entry on the list is "rootkit pour solaris par Tragedy/Dor", which is fairly trivial to translate even if you don't speak French.

June 8, 2001, 1:15 pm
untar/zip rootkit
chmod -R ugo-x *
This version of the rootkit does not appear to have that file. It is also a much later version than that above.

June 8, 2001, 1:43 pm
I am unable to find source for the rootkit. This file probably came from the source. Most of the values in somefile are in the trojaned binaries, though.

===============================================================================
Appendix 2) About the Author

This summary was written by a computer science student who has been studying security to prevent a recurrence of a root compromise on his home computer in April of 2001.