1.) Even after spending much time looking at it I am still unsure of
its true functionality. It appears to grab all the info it can about
the target machine, alter some files and send the results off. I was
unable to see exactly what all the system calls and conditional loops were
doing. Everything I was able to see was basically at the system-call
level, plus observed filesystem changes. This gave me a vague sense of
what was happening but no real understanding of the contents of the reads,
writes and socket calls. See the analysis section for ltrace and Linux
Trace Toolkit output.
In general the purpose is to allow remote execution of code on a previously
compromised machine. It opens a socket and waits. A properly
formatted message will result in the execution of code on the machine.
Most likely the message carries the code to be executed. The test data
released for the challenge resulted in a large number of files being read.
The filesystem was modified. Another socket was created, most likely
to communicate the results of the data collected. It seems related
to RPC, judging from the strings contained in the binary and the strings in the network
output it generates. See the analysis section for details on which files are opened.
2.) I cannot determine the limits of what it has modified on the running
system. It appears to read and gather information from numerous locale
config files. I am also unsure of its limitations for accepting instructions
to run and the output it can generate.
3.) I was unable to determine the encoding scheme.
4.) The test network traffic from the target machine showed some strings
with rpcinfo output in them. Snort rules could be written to detect
these strings and generate a warning.
5.) It is stripped and statically linked. It forks repeatedly.
I was unable to debug it with gdb or fenris, although this failure
may have more to do with my unfamiliarity with debugging. I found
objdump, ptrace and the Linux Trace Toolkit the most useful.
6.) The libraries used by this binary matched Google searches for two programs:
Safeload and an inetd in lrk4. My lack of understanding of the specifics
of this program prevents me from making further comparisons.
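The detection idea from answer 4 (flag outbound packets that carry rpcinfo output and turn the matched strings into Snort rules), worked through as an added example. This code is not part of the original write-up or of the binary's own code; the signature strings are modelled on the header line that `rpcinfo -p` prints, the sample packet payloads are constructed here, and the rule uses the `ip` protocol because the write-up does not say which transport the traffic used.

```python
"""Content-match detection for rpcinfo-style strings in captured payloads.

Added example for the Snort idea in answer 4; not code from the original
challenge write-up.  Signatures and sample packets below are constructed.
"""
from typing import List, Tuple

# Signatures modelled on `rpcinfo -p` output ("   program vers proto   port"
# header, then one line per registered service).  This is an assumption about
# what the captured strings looked like, not text quoted from the analysis.
SIGNATURES = [
    b"program vers proto",
    b"portmapper",
]


def matching_signatures(payload: bytes) -> List[bytes]:
    """Return every signature present in one packet payload.

    The match is a case-sensitive substring test, which is what a Snort
    `content:` option does when `nocase` is not given.
    """
    return [sig for sig in SIGNATURES if sig in payload]


def scan_packets(packets: List[bytes]) -> List[Tuple[int, List[bytes]]]:
    """Return (packet index, matched signatures) for every payload that hits."""
    hits = []
    for index, payload in enumerate(packets):
        found = matching_signatures(payload)
        if found:
            hits.append((index, found))
    return hits


def snort_rule(signature: bytes, sid: int) -> str:
    """Render one signature as a Snort rule alerting on traffic leaving $HOME_NET.

    `sid` is a local rule id; sids below 1000000 are reserved for the official
    rule set, so local rules conventionally start at 1000001.
    """
    text = signature.decode("ascii")
    return (
        "alert ip $HOME_NET any -> $EXTERNAL_NET any "
        f'(msg:"rpcinfo output leaving host"; content:"{text}"; '
        f"sid:{sid}; rev:1;)"
    )


# Constructed sample payloads: packet 0 carries a full rpcinfo header plus a
# portmapper line, packet 1 is a benign HTTP request, packet 2 carries only a
# single rpcinfo service line.
SAMPLE_PACKETS = [
    b"   program vers proto   port\n    100000    2   tcp    111  portmapper\n",
    b"GET / HTTP/1.0\r\n\r\n",
    b"    100000    2   udp    111  portmapper\n",
]

if __name__ == "__main__":
    for index, found in scan_packets(SAMPLE_PACKETS):
        print(f"packet {index}: matched {[s.decode() for s in found]}")
    for sid, sig in enumerate(SIGNATURES, start=1000001):
        print(snort_rule(sig, sid))
```

Two of the three constructed packets are flagged; the HTTP request is not. The rule is deliberately broad (any IP protocol, any port) because the write-up does not pin down how the data left the host; once the transport is known, narrowing `ip` to `tcp` or `udp` and adding a port cuts false positives from legitimate rpcinfo sessions.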