The Challenge:
The past several Scan of the Month challenges have been oriented towards beginners, our goal has been to introduce newer security members to the world of incident response and forensic analysis. We decided to change things this month and make a more difficult challenge for advance members.

In March, 2001 a Solaris system was compromised. A collection of tools, utilities and files were uploaded onto the system by the blackhat. One of the files was encrypted. For this challenge, we have changed the name of the encrypted file to "somefile". You can download this file as somefile.zip, MD5 Checksum=eb7ed869ffcfe72d4b48caf57e648910, or somefile.tgz, MD5 Checksum=f7964d9860cbf8135ef64bcf5b96facb. Your missions is as follows:

1. Identify the encryption algorithim used to encrypt the file.
2. How did you determine the encryption method?
3. Decrypt the file, be sure to explain how you decrypted the file.
4. Once decrypted, explain the purpose/function of the file and why it was encrypted
5. What lesson did you learn from this challenge?
6. How long did this challenge take you?

Bonus Question:
This encryption method and file are part of a security toolkit. Can you identify this toolkit?

The Results:
The results for this month were incredible, we received 47 submissions (the most ever to date). Almost everyone successfully decrypted the challenge. As many of you pointed out, this was not so much an encrypted file as it was an obfuscated file. Judging was extremely difficult due to the high quality and almost everyone was technically correct. As such, winners were selected based on who provided the most detailed information (specifically their methods) in an easy to understand format. If you believe a mistake has been made, please let us know, as we are trying our best.

Surprisingly, the Bonus Question seemed to be the hardest part, and not the challenge itself. It was amazing the tools that were developed to analyze and decrypt the file. Solutions were coded in Perl, Pascal, C, C++, QBasic, Python, and Java. What we thought was ingenious is how people were able to determine the contents of the file (ASCII text file) before even decrypting somefile. Great job folks! We hope everyone had fun and continues to learn from these events.

Writeup from the Honeynet Project members.
Since we knew the name of the file, we had a slight advantage, thus our methodology was different. The compromised system (and this 'encrypted' file) were discovered on a compromised Solaris system while many Honeynet members were attending the CanSecWest security conference. Never to pass up a challenge, David Dittirch and rain forest puppy analyzed and decrypted the file. Below is their thought process.

• Write from David Dittrich and rain forest puppy

Writeup from the Security Community

Top Ten

• John Edward Scott - Top Three
• Rob McCauley - Top Three
• Nicolas Dubee - Top Three
• Matt Fiddler
• Jeremiah Shirk
• Andreas Schuster
• Can Erkin Acar
• Solar Eclipse
• Marco Foglia
• Adam Langley

Top Twenty

• Albert Bendicho
• Joris Bontje
• Mario de Boer
• Peter Kosinar
• Grzegorz Banasiak
• Jeffrey Horton
• Guido van Rooij
• John K. Riggleman, Jr.
• Bart Banautgaerden
• Matthew Rench

• Fernando P Amatte
• Scott Diamond
• pingouin
• ghandi
• Ari Reen
• Bill Cummins
• Trent Whaley
• Berk Demir
• Jean-Christophe Touve
• Alexander Reelsen
• Henning Matthias Breiholz
• Philippe Teuwen
• Dan Budne
• Pete Bevin
• Robert Lee
• Mark James
• Christophe Ternat
• Ivo van der Wijk
• Marco Walther
• Eric Walters
• Michal Zalewski
• Patrick Stein
• anakata
• Ken Savage
• Martin J. Laubach
• Panagiotis Rentzepopoulos
• Osiris Jones