1. Identify and explain the purpose of the binary.
    The main purpose of the binary is to tunnel the attacker's commands to the compromised machine and the results back. To avoid being detected and/or blocked by standard firewall/IDS rules, it does not use TCP or UDP but a non-standard, unreliable, connectionless protocol for data transfer. The details of the packets are explained in the analysis.html document.
  2. Identify and explain the different features of the binary. What are its capabilities?
    Basically, it is able to execute any non-interactive command and optionally return its output. Besides that, it is able to spawn a standard root shell that communicates over TCP/IP (and to kill it again). There may or may not be other capabilities I haven't found/investigated yet.
  3. The binary uses a network data encoding process. Identify the encoding process and develop a decoder for it.
    It is a trivial autokey cipher with the constant key 0x17. The decoder is implemented as a preprocessor plugin for Snort, a free IDS.
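    As an added example (not the author's Snort preprocessor, which is not reproduced on this page), the following C code implements a decoder and the matching encoder for an autokey cipher keyed by the constant 0x17. The exact recurrence is assumed here (ciphertext byte = plaintext byte + previous plaintext byte + 0x17, mod 256, with the state starting at 0) and must be checked against the packet description in analysis.html. The point it shows does not depend on those details: the key stream is the plaintext itself, so the decoder state has to be reset at every packet boundary, and a single corrupted byte garbles everything after it within that packet. The sample commands are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constant key of the tool's autokey cipher (from the writeup). */
#define AUTOKEY_CONST 0x17
/* ASSUMPTION: the key stream starts from 0 and then follows the plaintext. */
#define AUTOKEY_SEED  0x00

/* Encode one packet payload: c[i] = p[i] + p[i-1] + 0x17 (mod 256).
 * The running state lives in 'prev' and starts fresh for every packet,
 * because the transport is connectionless and packets may be lost. */
void autokey_encode(const uint8_t *p, size_t len, uint8_t *c)
{
    uint8_t prev = AUTOKEY_SEED;
    for (size_t i = 0; i < len; i++) {
        c[i] = (uint8_t)(p[i] + prev + AUTOKEY_CONST);
        prev = p[i];                /* key stream = previous plaintext byte */
    }
}

/* Decode one packet payload: p[i] = c[i] - p[i-1] - 0x17 (mod 256).
 * Only the already-recovered plaintext is needed, so a preprocessor can
 * decode each packet in isolation without any per-connection table. */
void autokey_decode(const uint8_t *c, size_t len, uint8_t *p)
{
    uint8_t prev = AUTOKEY_SEED;
    for (size_t i = 0; i < len; i++) {
        p[i] = (uint8_t)(c[i] - prev - AUTOKEY_CONST);
        prev = p[i];
    }
}

/* Count how many plaintext bytes change when ciphertext byte 'pos' is
 * corrupted (one bit flipped). With plaintext feedback every later byte
 * is affected, so a decoder must treat a single bad byte as a lost packet.
 * Payloads longer than the scratch buffers are rejected with 0. */
size_t autokey_damage(const uint8_t *p, size_t len, size_t pos)
{
    uint8_t c[256], q[256];
    if (len > sizeof c || pos >= len) return 0;
    autokey_encode(p, len, c);
    c[pos] ^= 0x01;
    autokey_decode(c, len, q);
    size_t bad = 0;
    for (size_t i = 0; i < len; i++) bad += (q[i] != p[i]);
    return bad;
}

/* Self test on constructed sample commands: per-packet decoding round-trips,
 * decoding two packets as one stream does not. Returns 1 on success. */
int autokey_selftest(void)
{
    const uint8_t pkt1[] = "ls -la\n", pkt2[] = "id\n";
    size_t n1 = sizeof pkt1 - 1, n2 = sizeof pkt2 - 1;
    uint8_t c[32], p[32];

    autokey_encode(pkt1, n1, c);
    autokey_encode(pkt2, n2, c + n1);        /* second packet, fresh state */

    /* Correct: decode each packet with its own state. */
    autokey_decode(c, n1, p);
    autokey_decode(c + n1, n2, p + n1);
    if (memcmp(p, pkt1, n1) || memcmp(p + n1, pkt2, n2)) return 0;

    /* Wrong: carry the state across the packet boundary. */
    autokey_decode(c, n1 + n2, p);
    if (memcmp(p, pkt1, n1)) return 0;        /* first packet still fine */
    if (!memcmp(p + n1, pkt2, n2)) return 0;  /* second one must be garbled */
    return 1;
}

int main(void)
{
    const uint8_t cmd[] = "id\n";
    uint8_t enc[sizeof cmd];
    autokey_encode(cmd, sizeof cmd - 1, enc);
    printf("encoded:");
    for (size_t i = 0; i < sizeof cmd - 1; i++) printf(" %02x", enc[i]);
    printf("\nselftest: %s\n", autokey_selftest() ? "ok" : "FAILED");
    return 0;
}
```

    Because the transport is connectionless and unreliable, a preprocessor that decodes this traffic should treat every packet as its own stream (which is what autokey_selftest() checks) and discard, rather than try to repair, a packet whose decoded content does not make sense.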
  4. Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well.
    Because the tool uses a non-standard IP protocol and its packets carry fixed marker bytes at the start of the payload, this traffic can be detected by almost any IDS or firewall. I've decided to use the aforementioned Snort with the following rules:

    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "Tool incoming traffic"; \
    content: "|0200|"; offset: 0; depth: 2; dsize: >200;)
    alert ip $HOME_NET any -> $EXTERNAL_NET any (msg: "Tool outgoing traffic"; \
    content: "|0300|"; offset: 0; depth: 2; dsize: >200;)

    The offset: 0 and depth: 2 together pin the two-byte marker to the start of the payload; with offset alone Snort would accept the pattern anywhere in the packet. The rules are written for the raw ip protocol, so they fire regardless of the IP protocol number; the ip_proto keyword can narrow them further to the protocol number documented in analysis.html.
  5. Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.
    I haven't noticed any such techniques being used in the binary (if I don't count the encryption of the backdoor password)... Of course, I probably missed something.
  6. Identify two tools in the past that have demonstrated similar functionality.
    One example is "Q" by Mixter.