From alterego@inbox.net Fri Jun 22 08:48:25 2001
Date: 18 Jun 2001 10:11:21 -0000
From: Robert Lee
To: project@honeynet.org
Subject: June Scan of the Month

Before I start, I have a confession to make. I cheated (sort of). I did not spend hours tearing hair on the algorithm like I was supposed to cos I was busy with work and I was no crypto guru, so I used google :)

1. Identify the encryption algorithm used to encrypt the file.

It was a simple inversion of the bits in the file.

2. How did you determine the encryption method?

I cheated. All crypto algorithms look like Greek to me, although the file seems to contain a large number of repeated bits, which could indicate some kind of translation algorithm like Caesar's algo. Also, the fact that all the bits in the file were unprintable gave me some clues that this may not be md5, blowfish etc., cos of all the encrypted text I've seen so far, I could always pick out some plaintext. Using the hint that it was part of a security toolkit (technically it isn't), I looked in the security newsgroups and the web and found a rootkit (security toolkit?) that does that. Methodically, I could have just tried all possibilities of translation, e.g. XORing, playing with offsets etc., but like I said, I was in a hurry.

3. Decrypt the file, be sure to explain how you decrypted the file.

Here is the plaintext:

[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc
[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668
[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r

Program used:

#!/usr/bin/perl
# Read the encrypted file from stdin (or the file named on the command line)
# and print the bitwise complement of every line; ~ on a string flips every bit.
while (<>) { print ~$_; }

This is a basic inversion algorithm.

4. Once decrypted, explain the purpose/function of the file and why it was encrypted.

It looks like a configuration file for various trojanized binaries. It provides a list of what to filter and where the locations of the unmodified binaries are. It is encrypted probably to prevent casual discovery by text scanners like grep.

5. What lesson did you learn from this challenge?

Some clues on how files are concealed in rootkits. Also some of the most convenient algorithms for scrambling text. Last but not least, a good search engine is the best friend a forensic guy should have.

6. How long did this challenge take you?

3 hrs (mostly searching the web). Probably would have taken much more if I really tried trial and error.

Bonus Question: This encryption method and file are part of a security toolkit. Can you identify this toolkit?

Ironically, the security toolkit description here gave me a hint on where to start. It is the Universal Rootkit (URK). It contains a file called inv.c that inverts the bits in somefile. Somefile is based on the template of urk.conf as seen below.

[file]
find=/usr/man/man1/xxxxxxbin/find
du=/usr/man/man1/xxxxxxbin/du
ls=/usr/local/bin/ls.gnu
file_filters=xxxxxx,yyyyyy,aaaaaa,mmmmmmmmm
[ps]
ps=/usr/man/man1/xxxxxxbin/ps
ps_filters=nedit,bash
[netstat]
netstat=/usr/man/man1/xxxxxxbin/netstat
net_filters=innu.org
[login]
su_pass=h4x0r
su_loc=/usr/man/man1/xxxxxxbin/su
ping=/usr/man/man1/xxxxxxbin/ping
passwd=/usr/man/man1/xxxxxxbin/passwd
shell=/usr/man/man1/xxxxxxbin/bash
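As an added example (not part of Robert's write-up or of URK itself), a small Python decoder that turns the reasoning above into code: the "can I pick out any plaintext?" test from answer 2, the bit inversion from answer 3, and a parser for the recovered [section]/key=value config. The sample ciphertext is constructed here by inverting a few of the cleartext lines quoted above.

```python
import string
from typing import Optional

# Constructed sample: a few cleartext lines from the write-up, re-encrypted by
# inverting every bit (exactly what URK's inv.c and the Perl one-liner do).
PLAINTEXT = b"""[file]
find=/dev/pts/01/bin/find
ls=/dev/pts/01/bin/ls
[ps]
ps=/dev/pts/01/bin/psr
[login]
su_pass=l33th4x0r
"""
CIPHERTEXT = bytes(b ^ 0xFF for b in PLAINTEXT)

PRINTABLE = set(string.printable.encode())

def invert_bits(data: bytes) -> bytes:
    """Bitwise NOT of every byte; applying it twice restores the input."""
    return bytes(b ^ 0xFF for b in data)

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (tab/newline included)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)

def looks_bit_inverted(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic from the write-up: nothing readable as-is, nearly all
    readable once inverted. Real ciphertext (blowfish etc.) fails both."""
    return printable_ratio(data) < 0.1 and printable_ratio(invert_bits(data)) >= threshold

def parse_urk_config(text: str) -> dict:
    """Parse the [section] / key=value layout into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def recover(data: bytes) -> Optional[dict]:
    """Return the parsed config if the blob is a bit-inverted config, else None."""
    if not looks_bit_inverted(data):
        return None
    return parse_urk_config(invert_bits(data).decode("ascii"))
```

Pointing `recover()` at an unreadable file found next to replaced system binaries gives back the filter lists and the hidden-binary paths, which is the whole forensic value of the config.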