wtfu4 - Meltdown

_0bfu5cati0n

HoneyNet Research Group

Ready Response/ISSO

Revision History
Revision 0.1, 23rd May 2002, Revised by: _0bfu5cati0n
Draft Version

Abstract

What do you mean, "I'll be back"?

Anon.

Somewhere on the internet, a system has been compromised by an unknown authority using standard vulnerabilities. Once within the bounds of this system they have compromised its function to become a slave to their cause which remains unknown. The compromised host has a new binary installed and executed providing unknown functionality to its creator.

The purpose of this paper is to document the process of investigating this binary (which we have affectionately named wtfu4), and in particular to answer the following questions posed by the HoneyNet Research Group.

  1. Identify and explain the purpose of the binary.

  2. Identify and explain the different features of the binary. What are its capabilities?

  3. The binary uses a network data encoding process. Identify the encoding process and develop a decoder for it.

  4. Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well.

  5. Identify and explain any techniques in the binary that protect it from being analysed or reverse engineered.

  6. Identify two tools in the past that have demonstrated similar functionality.

Bonus Questions:

  1. What kind of information can be derived about the person who developed this tool? For example, what is their skill level?

  2. What advancements in tools with similar purposes can we expect in the future?

From the start we have set ourselves the task of using only open source or shareware tools which are freely available for the duration of this challenge. By way of introduction it has to be stressed that none of the contributors to this entry had carried out reverse engineering before; hopefully the final outcome won't display such a lack of experience. What follows in this document are the trials and tribulations of a couple of experienced hackers (please do NOT substitute "crackers" for this, as is common practice) as they toil their way through the mission presented. There will even be logs from some of the IRC sessions held to discuss the dismantling of wtfu4, to show our relative inexperience with this type of analysis. What we hope to demonstrate is the ability of anyone with an understanding of computer technology and systems to use their experience to achieve the impossible.

So, we have an additional challenge to accomplish. We have to not only prove the reverse engineering of this tool possible, but we have to prove it possible from a humble security background using existing, freely available tools.

So, without further ado, we give you our analysis of the wtfu4 binary.