SECWAY SARL

10, rue des Lampes

92190 MEUDON

FRANCE


Analysis of a binary found on a compromised system


The HoneyPot University


Name                Title                  Phone       email                 Approval
Grégoire Sirou      Security consultant    (removed)   gsirou@secway.com
Nicolas Dubée       Security consultant    (removed)   ndubee@secway.com

Overview of this report

Summary

The attached documents (which together constitute "the report") describe the methods and results of the analysis of a binary found by the HoneyPot University (also called "the customer" in this report) on a compromised system.

Analysis of this binary was delegated by the HoneyPot University to Secway SARL on May 6th, 2002.

The work documented in this report was performed by Grégoire Sirou and Nicolas Dubée from Thursday, May 30th 2002 to Friday, May 31st 2002.

Documents supplied in the report

The customer will find the following documents in the report:

-         Index.html, this document, the cover page for the whole report.

Index.html
        Author       :  Nicolas Dubée
        Last edited  :  XXX
        MD5 sum      :  (none available)

-         Summary.html, a non-technical summary of the work done, explaining the key aspects of the binary, how it works, the threats it poses, and how to detect and defend against it.

Summary.html
        Author       :  Nicolas Dubée
        Last edited  :  XXX
        MD5 sum      :  XXX

-         Advisory.html, a technical document giving detailed responses to the customer's questions.

Advisory.html
        Author       :  Nicolas Dubée
        Last edited  :  XXX
        MD5 sum      :  XXX

-         Method.html, a technical document describing the methods and tools we used to produce this report.

Method.html
        Authors      :  Grégoire Sirou, Nicolas Dubée
        Last edited  :  XXX
        MD5 sum      :  XXX

-         Answers.html, answers to the set of questions submitted by the customer.

Answers.html
        Author       :  Nicolas Dubée
        Last edited  :  XXX
        MD5 sum      :  XXX

-         Costs.html, a cost estimate for the incident.

Costs.html
        Author       :  Nicolas Dubée
        Last edited  :  XXX
        MD5 sum      :  XXX

-         log2c.pl, a tool to convert log files to C arrays, so that captured backdoor traffic can be compiled directly into the decoder.

log2c.pl
        Author       :  Grégoire Sirou
        Last edited  :  XXX
        MD5 sum      :  XXX

-         decoder.c, a tool to decrypt backdoor traffic.

decoder.c
        Author       :  Grégoire Sirou
        Last edited  :  XXX
        MD5 sum      :  XXX
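The log-to-C-array step that log2c.pl performs is illustrated below with an added example written for this page. It is not Secway's log2c.pl (whose source is not reproduced here) and it is in Python rather than Perl; the function names, the byte-per-line width and the embedded sample capture are our own. It writes every byte as a hex literal so that NUL bytes, high-bit bytes and stray newlines in a captured log survive unchanged, derives a legal C identifier from the file name, and round-trips its own output before printing it.

```python
"""Added example: turn a captured log file into a C array that a decoder can
be compiled against (the job log2c.pl does in this report, redone in Python).
Not Secway's script; helper names and the sample capture are our own."""
import re
import sys


def c_identifier(filename: str) -> str:
    """Derive a legal C identifier from a file name ("backdoor.log" ->
    "backdoor_log"); a leading digit gets an underscore prefix."""
    ident = re.sub(r"[^0-9A-Za-z_]", "_", filename)
    if ident[:1].isdigit():
        ident = "_" + ident
    return ident or "_"


def bytes_to_c_array(data: bytes, name: str, per_line: int = 12) -> str:
    """Render data as `unsigned char name[]` plus `unsigned int name_len`.

    Every byte is written as a hex literal, so NUL bytes, high-bit bytes and
    embedded newlines in the capture come through unchanged; per_line only
    wraps the generated source. An empty capture still yields valid C: one
    placeholder byte and a length of 0.
    """
    lines = [f"unsigned char {name}[] = {{"]
    for i in range(0, len(data), per_line):
        chunk = data[i:i + per_line]
        lines.append("    " + ", ".join(f"0x{b:02x}" for b in chunk) + ",")
    if not data:
        lines.append("    0x00,")
    lines.append("};")
    lines.append(f"unsigned int {name}_len = {len(data)};")
    return "\n".join(lines) + "\n"


def c_array_to_bytes(source: str) -> bytes:
    """Inverse of bytes_to_c_array, used to round-trip check the output
    before it is compiled into a decoder."""
    body = source[source.index("{") + 1:source.index("}")]
    raw = bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{2})", body))
    m = re.search(r"_len = (\d+);", source)
    return raw[:int(m.group(1))] if m else raw


# Constructed sample: not real traffic from the compromised host.
SAMPLE_LOG = b"\x00\x01\x02 GET /\r\n\xff\xfe\x00end\n"


def main(argv: list) -> int:
    """CLI: python log2c.py <logfile>  writes the C array to stdout."""
    if len(argv) != 2:
        print(f"usage: {argv[0]} <logfile>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read()
    out = bytes_to_c_array(data, c_identifier(argv[1].rsplit("/", 1)[-1]))
    assert c_array_to_bytes(out) == data  # sanity check before use
    sys.stdout.write(out)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The generated source is meant to be `#include`d (or pasted) into a decoder so the captured bytes travel with the decoding code and the analysis can be rerun offline; the `_len` constant matters because a capture may legitimately contain NUL bytes, so `strlen()` on the array would be wrong.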