From cursor@terra.com.br Fri Jun 22 08:48:04 2001
Date: Sun, 17 Jun 2001 14:17:11 -0300
From: Fernando P Amatte
To: project@honeynet.org
Subject: Scan of the month - JUNE

For your appreciation.

Regards
--
--------------------------------------------------------------------------
       <'D   /       C /            Fernando Pompeo Amatte
        ( )-^  --+-\ \      cursor at cas dot zaz dot com dot br
        /  >            |  \
--------------------------------------------------------------------------


Scan 16

In March, 2001 a Solaris system was compromised. A collection of tools, utilities and files were uploaded onto the system by the blackhat. One of the files was encrypted.

1. Identify the encryption algorithm used to encrypt the file.

We have characters from 87h to F5h, so the encryption doesn't look very heavy. I thought that this encryption method could be byte plus byte, byte minus byte, or a kind of XOR.

2. How did you determine the encryption method?

As the encrypted file doesn't use all 255 possible values of a byte, I decided to try XOR, first using a fixed value.

    #!/usr/bin/perl
    # Read the first 16 bytes of the file and print them XORed with every
    # possible single-byte key, showing unprintable results as '.'
    open (STDIN,$ARGV[0]) || die "Can't open $ARGV[0]: $!\n"
            if $ARGV[0];
    read(STDIN,$data,16);
    @array=unpack('C*',$data);
    for ($i=1;$i<=255;$i++) {
    print "$i - ";
            for ($j=0;$j<=15;$j++){
                    $cr[$j]=$array[$j]^$i;        # XOR the byte with the candidate key
                    $o = chr($cr[$j]);
                    $o =~ tr/\0-\37\177-\377/./;  # control and high bytes become '.'
                    printf "%s",$o;
            }
    print " \n";
    }
    close (STDIN);

[root@bug /honey]# ./test_xor.pl  somefile # just the last lines ..
242 - VkdahP.kdci0"ih{
243 - Wje`iQ.jebh1#hiz
244 - PmbgnV.mbeo6$on}
245 - QlcfoW.lcdn7%no|
246 - Ro`elT.o`gm4&ml.
247 - SnadmU.nafl5'lm~
248 - \ankbZ.anic:(cbq
249 - ]`ojc[.`ohb;)bcp
250 - ^cli`X.clka8*a`s
251 - _bmhaY.bmj`9+`ar
252 - Xejof^.ejmg>,gfu
253 - Ydkng_.dklf?-fgt
254 - Zghmd\.ghoe<.edw
255 - [file].find=/dev

BINGO.

The last try showed me something "readable". The file was encrypted with XOR using a FIXED value, 255d (FFh).

3. Decrypt the file, be sure to explain how you decrypted the file.

Once I knew the encryption method, I coded another Perl program to show me the whole file. Line 7 does the XOR with 255d (FFh). Line 8: if we find a 10d, print a line feed. Line 12 transforms any special character into a "dot".

     1 #!/usr/bin/perl
     2 my ($data,$array,$cr,$o);
     3 open (STDIN,$ARGV[0]) || die "Can't open $ARGV[0]: $!\n"
     4         if $ARGV[0];
     5 while ((read(STDIN,$data,1)) ==1 ) {    # one byte at a time
     6         $array=unpack('C*',$data);
     7         $cr=$array^255;                 # XOR with the fixed key FFh
     8         if ($cr == 10 ) {               # 10d is a line feed
     9                 print "\n";
    10         }else{
    11                 $o = chr($cr);
    12                 $o =~ tr/\0-\37\177-\377/./;   # anything unprintable becomes '.'
    13                 print "$o";
    14         }
    15 }
    16 print "\n";
    17 close(STDIN);

[root@bug /honey]# ./decry.pl  somefile
[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l prom,lsof,psbnc
[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668
[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r

4. Once decrypted, explain the purpose/function of the file and why it was encrypted.

This file is part of an installed rootkit. It seems to be using "xxx_filters" to hide information from some commands, and that is why this file was encrypted.

5. What lesson did you learn from this challenge?

Simple XOR is not a good encryption method . . .

6. How long did this challenge take you?

10 minutes to code the first tool
05 minutes to code the final tool.
10 minutes dial-up connection to find references about this file.
10 minutes to make this page
Total 35 minutes

Bonus Question: This encryption method and file are part of a security toolkit. Can you identify this toolkit?

References
http://www.ciac.org/ciac/bulletins/l-065.shtml
http://archives.neohapsis.com/archives/sf/sun/2001-q2/0096.html
http://www.sans.org/infosecFAQ/malicious/comp_sys.htm

Regards
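The single-byte XOR search from questions 1 to 3, as an added Python example that is not part of the submission: instead of eyeballing the 255 candidate rows, it scores every key by how much printable text it yields, and it reproduces the byte-range check from question 1 on a constructed sample modelled on the decrypted [file] section. The names xor_bytes, byte_range, printable_ratio, rank_keys and recover_key are my own.

```python
# Constructed plaintext modelled on the first lines of the decrypted file.
SAMPLE_PLAINTEXT = (
    b"[file]\n"
    b"find=/dev/pts/01/bin/find\n"
    b"du=/dev/pts/01/bin/du\n"
    b"ls=/dev/pts/01/bin/ls\n"
)
KEY = 0xFF  # the fixed key the submission recovered (255d)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one fixed key; XOR is its own inverse,
    so the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def byte_range(data: bytes) -> tuple:
    """Lowest and highest byte value present (the observation in question 1)."""
    return min(data), max(data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or newline.
    Keys below 80h can never reach 1.0 here: every ciphertext byte has
    its high bit set, which the 87h-F5h range already hinted at."""
    ok = sum(1 for b in data if b == 0x0A or 0x20 <= b <= 0x7E)
    return ok / len(data)


def rank_keys(ciphertext: bytes) -> list:
    """Score all 255 non-zero keys, best first: the eyeball test
    on the test_xor.pl output, made mechanical."""
    scored = [(k, printable_ratio(xor_bytes(ciphertext, k)))
              for k in range(1, 256)]
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))


def recover_key(ciphertext: bytes) -> int:
    """The key whose output looks most like text."""
    return rank_keys(ciphertext)[0][0]


if __name__ == "__main__":
    ct = xor_bytes(SAMPLE_PLAINTEXT, KEY)
    lo, hi = byte_range(ct)
    print(f"ciphertext byte range: {lo:02X}h-{hi:02X}h")
    for k, score in rank_keys(ct)[:3]:
        print(f"key {k:3d} ({k:02X}h): printable ratio {score:.2f}")
    print(xor_bytes(ct, recover_key(ct)).decode("ascii"), end="")
```

On the sample only key 255 scores 1.0, which is the same conclusion the Perl listing reached by inspection.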