Reverse Challenge Entry - Bob Mathews

Analysis

Since I did not have the resources to set up an isolated environment in which to test the captured binary, all my analysis was static. I examined the packet traces which were provided, and disassembled a good part of the binary itself.

Network Traffic Analysis

I started this challenge late in the game, after the network logs were already available. That seemed like a good place to start, so the first thing I did was take a quick look at the packet log.
% tcpdump -nr snort.log
01:32:34.417321 172.16.196.132 > 172.16.183.2:  ip-proto-11 402
01:33:26.930071 172.16.196.132 > 172.16.183.2:  ip-proto-11 402
01:37:09.328991 172.16.196.132 > 172.16.183.2:  ip-proto-11 402
01:41:37.934005 172.16.196.132 > 172.16.183.2:  ip-proto-11 402
01:41:38.117856 172.16.183.2 > 109.197.191.34:  ip-proto-11 480
01:41:38.120040 172.16.183.2 > 126.85.250.183:  ip-proto-11 480
01:41:38.131012 172.16.183.2 > 233.96.38.22:  ip-proto-11 480
01:41:38.132089 172.16.183.2 > 210.13.117.98:  ip-proto-11 480
01:41:38.138874 172.16.183.2 > 219.93.216.82:  ip-proto-11 480
01:41:38.148974 172.16.183.2 > 203.173.144.35:  ip-proto-11 480
01:41:38.158987 172.16.183.2 > 41.230.157.197:  ip-proto-11 480
01:41:38.168881 172.16.183.2 > 20.17.169.129:  ip-proto-11 480
01:41:38.178779 172.16.183.2 > 214.104.164.84:  ip-proto-11 480
01:41:38.592342 172.16.183.2 > 109.197.191.34:  ip-proto-11 583
01:41:38.593447 172.16.183.2 > 126.85.250.183:  ip-proto-11 583
01:41:38.608905 172.16.183.2 > 233.96.38.22:  ip-proto-11 583
01:41:38.619118 172.16.183.2 > 210.13.117.98:  ip-proto-11 583
01:41:38.628781 172.16.183.2 > 219.93.216.82:  ip-proto-11 583
01:41:38.638902 172.16.183.2 > 203.173.144.35:  ip-proto-11 583
01:41:38.648826 172.16.183.2 > 41.230.157.197:  ip-proto-11 583
01:41:38.658969 172.16.183.2 > 20.17.169.129:  ip-proto-11 583
01:41:38.668876 172.16.183.2 > 214.104.164.84:  ip-proto-11 583
Right away, we can see that this program is using an unusual network protocol to communicate. The machine 172.16.183.2 receives several packets from 172.16.196.132 (which is probably a bogus source address). It then sends out two bursts of packets to nine other machines. One of those is probably a machine owned by the intruder; the others are just chaff meant to confuse analysis.

Next, I look inside the packets. Two are reproduced below for illustration.

% snort -r snort.log

02/28-01:32:34.417321 172.16.196.132 -> 172.16.183.2
PROTO011 TTL:237 TOS:0x0 ID:27401 IpLen:20 DgmLen:422
02 00 17 30 48 2A EE 95 CF E6 FD 14 2B 42 59 70  ...0H*......+BYp
87 9E B5 CC E3 FA 11 28 3F 56 6D 84 9B B2 C9 E0  .......(?Vm.....
F7 0E 25 3C 53 6A 81 98 AF C6 DD F4 0B 22 39 50  ..%<Sj......."9P
67 7E 95 AC C3 DA F1 08 1F 36 4D 64 7B 92 A9 C0  g~.......6Md{...
D7 EE 05 1C 33 4A 61 78 8F A6 BD D4 EB 02 19 30  ....3Jax.......0
47 5E 75 8C A3 BA D1 E8 FF 16 2D 44 5B 72 89 A0  G^u.......-D[r..
B7 CE E5 FC 13 2A 41 58 6F 86 9D B4 CB E2 F9 10  .....*AXo.......
27 3E 55 6C 83 9A B1 C8 DF F6 0D 24 3B 52 69 80  '>Ul.......$;Ri.
97 AE C5 DC F3 0A 21 38 4F 66 8D 8F A5 7B BE E8  ......!8Of...{..
04 23 42 44 5A 30 99 9E BB DA F1 08 1F 36 99 9B  .#BDZ0.......6..
B1 87 8A 92 A8 7E 65 67 7D 53 74 8B A2 B9 45 5C  .....~eg}St...E\
73 8A A1 B8 CF E6 FD 14 2B 42 58 6F 86 9D 54 54  s.......+BXo..TT
6A 40 57 6E 85 9C 3B D6 F4 13 2A 41 58 6F 86 9D  j@Wn..;...*AXo..
B4 CB 66 7D 94 AB C2 E9 00 17 2E 45 5C 73 AC C3  ..f}.......E\s..
DA F1 07 1D 33 49 60 87 9E B5 CC E3 FA 11 27 3D  ....3I`.......'=
53 69 8F A6 BD D4 EF 06 1D 34 B5 80 9D BC B3 B5  Si.......4......
CB A1 5B 5B 71 47 5E 75 8C A3 E8 FF 16 2D F0 F2  ..[[qG^u.....-..
08 DE 46 39 54 73 D6 D8 EE C4 3A 05 22 41 28 2A  ..F9Ts....:."A(*
40 16 2D 44 5B 72 D5 D7 ED C3 C6 CE E4 BA D1 E8  @.-D[r..........
FF 16 2D 44 5B 72 D5 D7 ED C3 DA F1 08 1F 36 4D  ..-D[r........6M
64 7B 2A 0D 2D 4C 83 E8 08 27 3F 56 1A 2C 3D 45  d{*.-L...'?V.,=E
5B 31 4F 66 7D 94 23 25 3B 11 8E 27 44 63 7B 92  [1Of}.#%;..'Dc{.
A9 C0 D7 EE 05 5C 7A 91 A8 BF EE 18 36 55 73 8A  .....\z.....6Us.
A1 B8 EF 54 74 93 42 44 5A 30 82 16 33 52 81 AB  ...Tt.BDZ0..3R..
C9 E8 FF 16 2D 84 A2 B9 D0 E7 16 40 5E 7D 93 A9  ....-......@^}..
BF D5                                            ..

02/28-01:41:38.120040 172.16.183.2 -> 126.85.250.183
PROTO011 TTL:250 TOS:0x0 ID:28427 IpLen:20 DgmLen:500
03 00 89 A3 DA 11 48 CF 58 DE 5C E5 5D E1 18 A5  ......H.X.\.]...
21 AA 34 6B F2 7B 01 8C 12 49 80 B7 3E C4 4D D8  !.4k.{...I..>.M.
F9 30 67 9E D5 1D 64 AB F2 39 80 B7 EE 25 5C A5  .0g...d..9...%\.
DC 13 4A D5 4F D6 0D 44 7B B2 FA 42 8A C1 F8 7F  ..J.O..D{..B....
05 8E 19 9D 15 9C 23 9F 28 49 80 B7 EE 25 6D B4  ......#.(I...%m.
FB 42 89 D0 07 3E 75 AC F5 2C 63 9A 26 A1 28 5F  .B...>u..,c.&.(_
96 CD 04 4C 94 DC 13 4A D1 57 E0 6B EF 67 EE 75  ...L...J.W.k.g.u
F1 7A 9B D2 09 40 77 BF 06 4D 94 DD 25 5C 93 CA  .z...@w..M..%\..
01 49 80 B7 EE 7A F5 7C B3 EA 21 69 B0 F9 44 7B  .I...z.|..!i..D{
B2 37 BA 40 BA 3C C0 3E C7 E8 1F 56 8D C4 0C 53  .7.@.<.>...V...S
9A E1 2A 72 A9 E0 17 4E 98 CF 06 3D C9 44 CB 02  ..*r...N...=.D..
39 70 B8 FF 48 93 CA 01 86 09 8F 09 8B 0F 8D 16  9p..H...........
37 6E A5 DC 13 5B A2 E9 30 79 C1 F8 2F 66 9D E5  7n...[..0y../f..
1C 53 8A 15 8F 16 4D 84 BB 03 4A 93 DE 15 4C D1  .S....M...J...L.
54 DA 54 D6 5A D8 61 82 B9 F0 27 5E A6 ED 34 7B  T.T.Z.a...'^..4{
C4 0C 43 7A B1 E8 32 69 A0 D7 62 DC 63 9A D1 08  ..Cz..2i..b.c...
50 97 E0 2B 62 99 1E A1 27 A1 23 A7 25 AE CF 06  P..+b...'.#.%...
3D 74 AB F3 3A 81 C8 11 5C 93 CA 01 38 80 B7 EE  =t..:...\...8...
25 B1 2C B3 EA 21 58 8F DF 28 73 AA E1 6B F6 6E  %.,..!X..(s..k.n
F9 85 0F 30 67 9E D5 0C 54 9B E2 29 72 BD F4 2B  ...0g...T..)r..+
62 99 E1 18 4F 86 11 8B 12 49 80 B7 EE 3E 87 D4  b...O....I...>..
0B 42 CC 57 CF 5A E6 70 91 A8 1C A7 49 02 D2 B9  .B.W.Z.p....I...
B7 CC F8 3B 95 06 8E 2D E3 B0 94 8F A1 CA 0A 61  ...;...-.......a
CF 54 F0 A3 6D 4E 46 55 7B B8 0C 77 F9 92 42 09  .T..mNFU{..w..B.
E7 DC E8 0B 45 96 FE 7D 13 C0 84 5F 51 5A 7A B1  ....E..}..._QZz.
FF 64 72 03 20 20 20 70 72 6F 67 72 61 6D 20 76  .dr.   program v
65 72 73 20 70 72 6F 74 6F 20 20 20 70 6F 72 74  ers proto   port
0A 20 20 20 20 31 30 30 30 30 30 20 20 20 20 32  .    100000    2
20 20 20 74 63 70 20 20 20 20 31 31 31 20 20 70     tcp    111  p
6F 72 74 6D 61 70 70 65 72 0A 20 20 20 20 31 30  ortmapper.    10
This is interesting. The first packet is nonsense, but not without patterns. Notice that the second hex digit is usually constant within a given column. The second packet is mostly gibberish, but contains some plain text at the end. The column pattern is not present in the second packet.

Now I take a flying intuitive leap. I've been working with linear congruential pseudorandom number generators lately, and they have the property that the low 4 bits of the output have a period of 16. I guess that they are adding or XORing the output of such a generator into the data. The first packet must contain a lot of nulls, so the pattern is clearly visible. The data in the second packet obscures the pattern.

To test my theory, I write a small Perl script, solvelcg.pl to attempt to discover the coefficients of the PRNG. The PRNG equation is:

x[n+1] = (a * x[n] + b) mod 256

Because of the properties of modular arithmetic, I only need to find the value of (a mod 256) and (b mod 256). The script simply tries all possible combinations, to see if one of them reproduces a sequence of three bytes I took from the packet. It does! The answer is a=1, b=0x17. This is even simpler than I thought -- they're just adding 0x17 to the previous byte.

decodepkt.pl is the result of a few minutes of trial and error. It can decode the network packets to something that appears to make sense. I'm sorry to say that I did not save those intermediate stages, though.
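The two scripts the write-up mentions, solvelcg.pl and decodepkt.pl, are not reproduced on the page. The following is an added Python example of the same two steps, not the author's code: a brute-force search for (a, b) over a few consecutive keystream bytes taken from the first packet (the run CF E6 FD, where the encoded data is believed to be all zero, so the bytes are pure keystream), and a keystream stripper that reverses either an additive or an XOR combination. Which of the two combinations the-binary actually uses, and where in the packet the keystream starts, are exactly what the author settled by trial and error; both are left as parameters here and the round-trip test uses constructed plaintext rather than claiming to decode the capture. Three bytes suffice for the search: the difference between the first two keystream bytes is 0x17, which is odd and therefore invertible mod 256, so only one a can map the first difference onto the second. The example also checks the column observation: with a = 1 the keystream advances 16 * 0x17 = 0x170, i.e. 0x70 mod 256, per 16-byte dump row, and 0x70 has a zero low nibble, which is why the second hex digit of each column stays fixed.

```python
# Added example, not the write-up's solvelcg.pl / decodepkt.pl.
# Recovers the coefficients of a byte-wide LCG
#     x[n+1] = (a * x[n] + b) mod 256
# from consecutive keystream bytes, then strips such a keystream from data.
from typing import List, Tuple

# Constructed sample: three consecutive bytes from the first captured packet,
# in a region the write-up argues is encoded zeros (pure keystream).
KEYSTREAM_SAMPLE = bytes.fromhex("CF E6 FD")


def solve_lcg(sample: bytes) -> List[Tuple[int, int]]:
    """Try every (a, b) in 0..255 and keep those that regenerate the whole
    sample from its first byte.  65536 candidates, instant to exhaust."""
    hits = []
    for a in range(256):
        for b in range(256):
            x = sample[0]
            ok = True
            for expected in sample[1:]:
                x = (a * x + b) & 0xFF
                if x != expected:
                    ok = False
                    break
            if ok:
                hits.append((a, b))
    return hits


def keystream(a: int, b: int, seed: int, n: int) -> bytes:
    """First n outputs of the generator, starting with the seed itself."""
    out = bytearray()
    x = seed
    for _ in range(n):
        out.append(x)
        x = (a * x + b) & 0xFF
    return bytes(out)


def encode(plain: bytes, a: int, b: int, seed: int, xor: bool = False) -> bytes:
    """Combine plaintext with the keystream.  The combine mode (add vs XOR)
    and the seed alignment are assumptions the caller supplies."""
    ks = keystream(a, b, seed, len(plain))
    if xor:
        return bytes(p ^ k for p, k in zip(plain, ks))
    return bytes((p + k) & 0xFF for p, k in zip(plain, ks))


def decode(cipher: bytes, a: int, b: int, seed: int, xor: bool = False) -> bytes:
    """Inverse of encode(): XOR is its own inverse, addition is undone
    by subtraction mod 256."""
    ks = keystream(a, b, seed, len(cipher))
    if xor:
        return bytes(c ^ k for c, k in zip(cipher, ks))
    return bytes((c - k) & 0xFF for c, k in zip(cipher, ks))


def row_shift(a: int, b: int, seed: int) -> int:
    """How much the keystream moves between one 16-byte dump row and the
    next; a zero low nibble means each dump column keeps its second digit."""
    return (keystream(a, b, seed, 17)[16] - seed) & 0xFF


if __name__ == "__main__":
    print("candidates:", [(a, hex(b)) for a, b in solve_lcg(KEYSTREAM_SAMPLE)])
    # Regenerate the rest of the captured row from the first sample byte.
    print("keystream from CF:", keystream(1, 0x17, 0xCF, 8).hex(" ").upper())
    print("row shift: 0x%02x" % row_shift(1, 0x17, 0x87))
    msg = b"\x00\x00\x00portmapper"  # constructed plaintext
    assert decode(encode(msg, 1, 0x17, 0x17), 1, 0x17, 0x17) == msg
```

Running the script prints the single candidate (1, 0x17), regenerates CF E6 FD 14 2B 42 59 70 (the remainder of the packet's first dump row) from the seed 0xCF, and reports a row shift of 0x70.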

Reverse Engineering the Binary

I've run out of time, so I must be brief. I extract the pieces of interest from the binary with:
% objdump -d the-binary >code
% objdump -s -j .rodata the-binary >rodata
% objdump -s -j .data the-binary >data
I examine the disassembled code and locate the system calls (in Linux, they're invoked with an int 0x80 instruction). These are listed in the file syscalls.txt.

Next, I start decompiling the code by hand, starting near the places where the recv syscall is used. Progress is slow, so I write a Perl script, rev.pl, to assist with reverse engineering. It does a few simple transformations to make the assembly code more C-like and readable. This helps speed up progress.

Yet another Perl script, string.pl, looks up indexes of strings in the .rodata section. It's much easier to identify the sprintf by looking for the "%d"s than by trying to disassemble it!
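Neither rev.pl nor string.pl appears on the page. The following added Python example (not the author's scripts) performs two of the chores they describe directly on objdump's text output: it finds every int 0x80 site in the disassembly and names the system call from the last immediate loaded into %eax on the straight-line path above it (on i386 Linux the socket API, recv included, goes through the socketcall multiplexer, syscall 102, with the subfunction in %ebx, so that register is tracked too), and it resolves an address pushed as an argument into the NUL-terminated string it points at in .rodata, which is how a "%d %d" format string identifies a sprintf call site. The disassembly and section dump below are constructed samples in objdump's line format; the addresses, bytes and strings are made up and the syscall tables are partial. The register tracking is deliberately naive: it only sees moves on the fall-through path, so an int 0x80 reached by a jump from code that set %eax elsewhere is reported with whatever value was last seen.

```python
# Added example, not the write-up's rev.pl / string.pl.
# Parses `objdump -d` and `objdump -s -j .rodata` text to (1) locate and name
# int $0x80 system calls and (2) resolve pushed addresses to .rodata strings.
import re
from typing import Dict, List, Optional, Tuple

# Partial table of Linux i386 syscall numbers.
SYSCALLS = {1: "exit", 2: "fork", 3: "read", 4: "write", 5: "open", 6: "close",
            11: "execve", 20: "getpid", 23: "setuid", 37: "kill", 45: "brk",
            63: "dup2", 102: "socketcall", 114: "wait4", 162: "nanosleep"}
# socketcall(2) multiplexes the socket API on i386; %ebx selects the call.
SOCKETCALLS = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept",
               9: "send", 10: "recv", 11: "sendto", 12: "recvfrom",
               14: "setsockopt"}

# Constructed sample in `objdump -d` format (addresses and bytes made up).
DISASM = """\
 8048100:\tb8 66 00 00 00       \tmov    $0x66,%eax
 8048105:\tbb 0a 00 00 00       \tmov    $0xa,%ebx
 804810a:\tcd 80                \tint    $0x80
 804810c:\t68 00 90 04 08       \tpush   $0x8049000
 8048111:\te8 ea ff ff ff       \tcall   8048100 <foo>
 8048116:\tb8 04 00 00 00       \tmov    $0x4,%eax
 804811b:\tcd 80                \tint    $0x80
"""

# Constructed sample in `objdump -s -j .rodata` format.
RODATA = """\
Contents of section .rodata:
 8049000 25642025 64000000 70726f67 72616d20  %d %d...program 
 8049010 76657273 00000000 00000000 00000000  vers............
"""

# address ':' TAB raw-bytes TAB mnemonic operands
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t[0-9a-f ]+\t(\S+)\s*(.*)$")
MOV_IMM_RE = re.compile(r"^\$0x([0-9a-f]+),%(eax|ebx)$")


def parse_section(dump: str) -> Tuple[int, bytes]:
    """Return (base address, contents) from `objdump -s` text.
    Assumes the lines are contiguous, which they are for one section."""
    base: Optional[int] = None
    data = bytearray()
    for line in dump.splitlines():
        if not line.startswith(" "):
            continue                      # "Contents of section" banner
        tokens = line.partition("  ")[0].split()   # hex words end at 2 spaces
        addr = int(tokens[0], 16)
        if base is None:
            base = addr
        data.extend(bytes.fromhex("".join(tokens[1:])))
    return (base if base is not None else 0), bytes(data)


def string_at(base: int, data: bytes, addr: int) -> Optional[str]:
    """NUL-terminated string at addr, or None if addr is outside the section."""
    off = addr - base
    if off < 0 or off >= len(data):
        return None
    end = data.find(b"\x00", off)
    return data[off:(end if end >= 0 else len(data))].decode("latin-1")


def find_syscalls(disasm: str) -> List[Tuple[int, str]]:
    """(address, name) for every int $0x80, named from the most recent
    immediate moved into %eax (and %ebx for socketcall) on the fall-through
    path.  Jumps are not followed, so treat the names as hints."""
    regs: Dict[str, Optional[int]] = {"eax": None, "ebx": None}
    found = []
    for line in disasm.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = int(m.group(1), 16), m.group(2), m.group(3)
        if mnem == "mov":
            mi = MOV_IMM_RE.match(ops)
            if mi:
                regs[mi.group(2)] = int(mi.group(1), 16)
        elif mnem == "int" and ops == "$0x80":
            nr = regs["eax"]
            name = "unknown(eax not set)" if nr is None else SYSCALLS.get(nr, f"sys_{nr}")
            if name == "socketcall" and regs["ebx"] in SOCKETCALLS:
                name += "/" + SOCKETCALLS[regs["ebx"]]
            found.append((addr, name))
    return found


def annotate_pushes(disasm: str, base: int, rodata: bytes) -> List[Tuple[int, str]]:
    """(address, string) for every `push $imm` whose immediate lands in .rodata."""
    out = []
    for line in disasm.splitlines():
        m = INSN_RE.match(line)
        if not m or m.group(2) != "push" or not m.group(3).startswith("$0x"):
            continue
        s = string_at(base, rodata, int(m.group(3)[3:], 16))
        if s is not None:
            out.append((int(m.group(1), 16), s))
    return out


if __name__ == "__main__":
    base, rodata = parse_section(RODATA)
    for addr, name in find_syscalls(DISASM):
        print(f"{addr:08x}  int 0x80  -> {name}")
    for addr, s in annotate_pushes(DISASM, base, rodata):
        print(f"{addr:08x}  push      -> {s!r}")
```

On the real capture you would feed it the `code` and `rodata` files produced by the objdump commands above; the output lists each syscall site with its name and each pushed format string, which is the index that string.pl provides.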

Finally, I finish reverse engineering the binary, but with not enough time left to properly write up my results. Altogether, I've probably spent around 20-30 hours on this project.