From Panagiotis.Rentzepopoulos@eurodyn.com Fri Jun 22 08:49:02 2001
Date: Tue, 19 Jun 2001 14:17:52 +0300
From: P. Rentzepopoulos
To: project@honeynet.org
Subject: Re: Scan of the Month

Scan 16

The scan for June, 2001. Your challenge is to decrypt and analyze an
encrypted file. All submissions are due no later than 17:00 CST, Friday,
22 June. Results will be released Monday, 25 June.

____________________________________________________________________

The Challenge:

The past several Scan of the Month challenges have been oriented towards
beginners; our goal has been to introduce newer security members to the
world of incident response and forensic analysis. We decided to change
things this month and make a more difficult challenge for advanced
members.

In March, 2001 a Solaris system was compromised. A collection of tools,
utilities and files were uploaded onto the system by the blackhat. One of
the files was encrypted. For this challenge, we have changed the name of
the encrypted file to "somefile". You can download this file as
somefile.zip, MD5 Checksum=eb7ed869ffcfe72d4b48caf57e648910, or
somefile.tgz, MD5 Checksum=f7964d9860cbf8135ef64bcf5b96facb.

Your mission is as follows:

1. Identify the encryption algorithm used to encrypt the file.

bit reversing

2. How did you determine the encryption method?

I created a small C program to gather character statistics; all non-zero
characters were grouped together (which confirmed that it was a
one-to-one byte encryption) with the exception of ASCII 194, 211 and
245. Of these three, 245 is the reverse of the newline (ASCII 10) and
voila!

3. Decrypt the file, be sure to explain how you decrypted the file.
    #include <stdio.h>

    int     main    (int argc, char **argv);

    int     main    (int argc, char **argv)
    {
            int c;  /* int, not char: an input byte of 0xff (the encrypted NUL)
                       would otherwise compare equal to EOF and stop the loop */

            while ((c = getchar()) != EOF)
                    putchar(c ^ 0xff);
            return 0;
    }

Explanation: for every character, XOR it with 0xff, i.e., reverse its
bits: 0 to 1 and 1 to 0.

4. Once decrypted, explain the purpose/function of the file and why it
was encrypted.

It seems like a configuration file for a virus: it contains the paths to
files to be executed in place of certain interesting programs that would
reveal its existence: find, du, ls, ps, netstat, ping, passwd and shell.

5. What lesson did you learn from this challenge?

Many times an encrypted file is not so hard to decrypt; most people
encrypt a file only to make it unnoticeable for the casual browser.

6. How long did this challenge take you?

About 30 min, including some (3-4) trials and errors :-)

7. Bonus Question: This encryption method and file are part of a
security toolkit. Can you identify this toolkit?

Sorry... No!

-- 
Dr. Panagiotis Rentzepopoulos   mailto:Panagiotis.Rentzepopoulos@eurodyn.com
Consultancy Unit                Tel: +30 1 8094500
Software Division               Fax: +30 1 8094505
EUROPEAN DYNAMICS S.A.
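Added example, not part of the submission above: a C program that automates the reasoning in answers 2 and 3 (byte statistics to confirm a one-to-one substitution, then recovering the key from the assumption that one ciphertext byte is the encrypted newline). It generalizes from 0xff to any single-byte XOR key; the sample path list, the 90% threshold and all function names are constructed for this example.

```c
#include <string.h>
/* Constructed sample (not the real "somefile"): a path list of the kind the
 * write-up describes, encrypted with XOR 0xff by make_cipher() below. */
static const char SAMPLE_PLAIN[] =
    "/usr/bin/find\n/usr/bin/du\n/bin/ls\n/bin/ps\n"
    "/usr/bin/netstat\n/usr/sbin/ping\n/bin/passwd\n/bin/sh\n";

size_t make_cipher(unsigned char *out) {
    size_t len = strlen(SAMPLE_PLAIN);
    for (size_t i = 0; i < len; i++) out[i] = (unsigned char)SAMPLE_PLAIN[i] ^ 0xff;
    return len;
}

/* Distinct byte values: a one-to-one byte cipher leaves this equal to the plaintext's. */
size_t distinct_values(const unsigned char *buf, size_t len) {
    size_t seen[256] = {0}, n = 0;
    for (size_t i = 0; i < len; i++) if (seen[buf[i]]++ == 0) n++;
    return n;
}

/* Bytes typical of a Unix path list after XOR with key; used to rank candidates. */
static size_t plausible(const unsigned char *buf, size_t len, unsigned char key) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char d = buf[i] ^ key;
        if ((d >= 'a' && d <= 'z') || (d >= '0' && d <= '9') ||
            (d && strchr("/.-_ \n", d))) n++;
    }
    return n;
}

/* Recover a single-byte XOR key the way the write-up did: assume some byte value
 * present in the ciphertext is the encrypted newline, try the key it implies
 * (c ^ '\n'), keep the best-looking output; -1 unless >= 90% of bytes look right. */
int guess_xor_key(const unsigned char *buf, size_t len) {
    size_t seen[256] = {0}, best_score = 0;
    int best = -1;
    for (size_t i = 0; i < len; i++) seen[buf[i]] = 1;
    for (int c = 0; c < 256; c++) {
        if (!seen[c]) continue;
        size_t score = plausible(buf, len, (unsigned char)(c ^ '\n'));
        if (score > best_score) { best_score = score; best = c ^ '\n'; }
    }
    return (len && best_score * 10 >= len * 9) ? best : -1;
}

/* XOR every byte with key; key 0xff is the bit reversal from the write-up. */
void xor_decrypt(unsigned char *buf, size_t len, unsigned char key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}
```

On the sample, guess_xor_key() returns 0xff and xor_decrypt() with that key restores the path list byte for byte.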