From fbsi@gamewood.net Fri Jun 22 08:43:29 2001
Date: Wed, 06 Jun 2001 16:32:46 -0400
From: "John K. Riggleman, Jr."
To: project@honeynet.org
Subject: Submission for scan16

Note that I am using fbsi@gamewood.net again.

Thank you for the challenge this month.

-------------------------------
| Scan 16 - XORed Config File |
-------------------------------

**********************************************
* John Kent Riggleman, Jr. || 4:08 PM 6/6/01 *
*-------------------**************************
* fbsi@gamewood.net *
*********************

---------------------------------------------------------------
| Identify the encryption algorithm used to encrypt the file. |
---------------------------------------------------------------

The algorithm used to conceal the contents of this file was the simple eXclusive OR logic gate. XOR is a process done on the binary level of numbers.

    255 = 11111111
    143 = 10001111   XOR
    -------------------
    112 = 01110000

A simple explanation for XOR is that each bit is compared. If the 1st bit of #1 is the same as the 1st bit of #2, the resulting bit is 0. If they differ, the resulting bit is 1.

    A XOR B = C
    C XOR B = A
    A XOR C = B

------------------------------------------------
| How did you determine the encryption method? |
------------------------------------------------

Initially I used HIEW (hex editor) to try XORing and doing simple math throughout the file that would make the first character become a "#" (assuming that the file could have been a shell/perl script). I came upon the algorithm by deciding that I would try a simple constant-key XOR before going into anything actually complicated. I created a QBasic program that would XOR all of the bytes by a value of X, display the results, and increase X. Imagine my surprise when the greatest possible byte value (255) was actually the key to decode the entire file.

--------------------------------------------------------------------
| Decrypt the file, be sure to explain how you decrypted the file. |
--------------------------------------------------------------------

__________________
|Decoded uconf.inv|
```````````````````

[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER

[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc

[netstat]
netstat=/dev/pts/01/bin/netstat
net_filters=47018,6668

[login]
su_loc=/dev/pts/01/bin/su
ping=/dev/pts/01/bin/ping
passwd=/dev/pts/01/bin/passwd
shell=/bin/sh
su_pass=l33th4x0r

__________________________________
\I used QBasic to decode the file \
``````````````````````````````````

    ' Read the 532-byte XORed file one byte at a time, XOR each byte with
    ' the constant key 255, and write the result to out.txt.
    OPEN "somefile" FOR BINARY AS #1
    OPEN "out.txt" FOR BINARY AS #2
    A$ = "."                         ' one-character buffer: GET reads LEN(A$) bytes
    FOR a = 1 TO 532
        GET #1, a, A$                ' read byte number a from the input file
        A$ = CHR$(ASC(A$) XOR 255)   ' decode it with the single-byte key
        PUT #2, a, A$                ' write the decoded byte at the same offset
    NEXT
    END

````````````````````````````````````````````

The above Basic code opens somefile, inputs a character from it, XORs the ASCII value of it by 255, and writes the resulting character to out.txt. There are 532 bytes in the file, and after all of the bytes have been decoded the program exits with "END".

-------------------------------------------------------------------------------------
| Once decrypted, explain the purpose/function of the file and why it was encrypted |
-------------------------------------------------------------------------------------

This file (which would have been named "uconf.inv") is a configuration file used by a rootkit to determine what files, processes, and ports were to be hidden from the system's user. The file was encrypted in an attempt to disguise its devious purpose.

--------------------------------------------------
| What lesson did you learn from this challenge? |
--------------------------------------------------

I learned that I should not assume that a file is a shell/perl script or any such file that begins with "#". Heh.

-----------------------------------------
| How long did this challenge take you? |
-----------------------------------------

As usual, the write-up took longer than the challenge itself. I estimate about 40 minutes on the challenge, and an hour on this document.

-------------------
| Bonus Question: |
-------------------------------------------------------------------------------------------------
|This encryption method and file are part of a security toolkit. Can you identify this toolkit? |
-------------------------------------------------------------------------------------------------

Adore is a Linux LKM based rootkit for Linux v2.[24]. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after reboot), process-hiding, netstat hiding, rootshell-backdoor, and an uninstall routine. Includes a userspace program to control everything. Changes: Added 64bit FS support, now fools protection modules as StMichael, and minor fixes. Homepage: http://www.team-teso.net. By Stealth

Just by viewing the configuration file, it is doubtful that an accurate assumption can be made on the exact version of the program.

References:
http://209.143.242.119/cgi-bin/search/search.cgi?authkey=anonymous&uname=anonymous&searchvalue=Adore&type=archives
http://www.sans.org/y2k/the_compromise.htm
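As an added example (not part of this submission), the same constant-key search in Python: it XORs a constructed sample with every one of the 256 possible keys and scores each candidate by how much of the output looks like a plain-text config file, which singles out 255 as the key. The sample text, the scoring alphabet and the function names are my own assumptions.

```python
import string

# Constructed sample: an excerpt of the decoded uconf.inv from the write-up,
# re-XORed with 0xFF below so there is something to recover offline.
PLAINTEXT_SAMPLE = b"""[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
[ps]
ps=/dev/pts/01/bin/psr
[netstat]
net_filters=47018,6668
"""
CIPHERTEXT = bytes(b ^ 0xFF for b in PLAINTEXT_SAMPLE)

# Byte values we expect in an ASCII config file (assumed alphabet).
EXPECTED = set((string.ascii_letters + string.digits + "=,./[]_:-\n ").encode())


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte with one constant key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def text_score(data: bytes) -> float:
    """Fraction of bytes that fall inside the expected config-file alphabet."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in EXPECTED) / len(data)


def brute_force_xor(data: bytes) -> list:
    """Try all 256 single-byte keys; return (key, score) pairs, best first."""
    scored = [(key, text_score(xor_with_key(data, key))) for key in range(256)]
    return sorted(scored, key=lambda ks: ks[1], reverse=True)


def recover_config(data: bytes) -> tuple:
    """Return the best-scoring key and the bytes decoded with it."""
    key, _ = brute_force_xor(data)[0]
    return key, xor_with_key(data, key)


if __name__ == "__main__":
    key, plain = recover_config(CIPHERTEXT)
    print("best key: %d (0x%02X)" % (key, key))
    print(plain.decode("ascii"))
```

The printable-ratio score is what makes the search stop at a single candidate; keys that merely flip low bits of the true key leave many letters intact but break the newlines and the "=" separators.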