From jeffh@zeta.org.au Fri Jun 22 08:49:59 2001
Date: Thu, 21 Jun 2001 18:46:23 +1000
From: Jeffrey Horton
The file has been "encrypted" by complementing each byte of the file. This is
easily achieved by XORing each byte of the file with 0xff.
First, extract the file from the gzipped tarfile:
Q1.Identify the encryption algorithm used to encrypt the file.
Q2.How did you determine the encryption method?
gunzip -c somefile.tgz | tar -xvf -
Use the command:
od -x somefile
to get a hexadecimal representation of the file. A portion of the dump is shown
below:
0000000 99a4 9396 a29a 99f5 9196 c29b 9bd0 899a
0000020 8fd0 8c8b cfd0 d0ce 969d d091 9699 9b91
0000040 9bf5 c28a 9bd0 899a 8fd0 8c8b cfd0 d0ce
0000060 969d d091 8a9b 93f5 c28c 9bd0 899a 8fd0
0000100 8c8b cfd0 d0ce 969d d091 8c93 99f5 9396
0000120 a09a 9699 8b93 8d9a c28c cecf 93d3 939d
0000140 9d96 8c8f 8cd1 d390 918c 93d1 8fd3 908d
0000160 d392 939c 9e9a 9a91 d38d 909b d38c 9c8a
0000200 9190 d199 9196 d389 8c8f 919d d39c 8f93
Observe that the high bit of each byte is set. This is a pattern that is most
unlikely to be present in the output of an encryption algorithm such as DES.
So this file is not the result of applying such an algorithm.
Whatever program uses this encrypted file would obviously need to be able to decrypt it at some later date, which means that the encryption key will be available to an admin, with enough work, to decrypt the file. There isn't much point in using some sort of fancy algorithm in this case.
So the encryption algorithm is probably something simple. A simple algorithm, perhaps the simplest, is XORing each byte of the file with 0xff. A quick program was written to perform this operation:
#includeInspection of the output revealed ASCII text. This indicates that the correct algorithm has been discovered.#include #include #include int main( int argc, char **argv ) { char buf[128]; int bytes, i; while ( (bytes = fread( buf, 1, sizeof(buf), stdin )) > 0 ) { if ( (bytes != sizeof(buf)) && ferror(stdin) ) break; for (i = 0; i < bytes; ++i) buf[i] ^= 0xff; fwrite( buf, 1, bytes, stdout ); } if ( ferror(stdin) ) { fprintf( stderr, "Error reading bytes: %s\n", strerror(errno) ); exit(1); } return 0; }
Note that without access to any programs that would have decrypted this file in the course of their work, decryption of the file would have been significantly more complicated had a slightly more sophisticated algorithm been used in the encryption.
Compile the program shown above using gcc:
gcc decryptor.cApply to the encrypted file:
./a.out < somefile > decrypted_fileThis reveals the following text:
[file] find=/dev/pts/01/bin/find du=/dev/pts/01/bin/du ls=/dev/pts/01/bin/ls file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER [ps] ps=/dev/pts/01/bin/psr ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys lsof_filters=lp,uconf.inv,psniff,psr,:13000,:25000,:6668,:6667,/dev/pts/01,sn.l,prom,lsof,psbnc [netstat] netstat=/dev/pts/01/bin/netstat net_filters=47018,6668 [login] su_loc=/dev/pts/01/bin/su ping=/dev/pts/01/bin/ping passwd=/dev/pts/01/bin/passwd shell=/bin/sh su_pass=l33th4x0r
At this point, I spent some time conducting net searches for any web pages or newsgroup postings that mentioned similar files, with some success.
The file is part of a security toolkit that as part of its operation
replaces system binaries such as find, du, ls, ps, netstat
. The
original versions are hidden away elsewhere in the file system for later
use.
This file identifies the locations of the original system binaries for use by
the toolkit's replacement binaries. Additionally, it specifies a variety of
filters to be applied by the replacement binaries to the output of the original
binaries before this output is displayed to the user. This prevents the user
from discovering toolkit files through the use of ls
, or toolkit
processes by using ps
. Any processes set up by the toolkit to listen
for remote connections are also concealed from the user by modifying the output
of netstat
.
Also note the presence of a field in the decrypted file suspiciously titled
su_pass
. This could be a password that can be employed to gain
access remotely via some backdoor installed by the toolkit.
So why was the file encrypted? Obfuscation seems to be the obvious reason. Encrypting a file in such a manner makes determination of exactly how and what a system was compromised more difficult.
I learnt a lot more about how toolkits such as the one from which this file was taken work. This is useful information, as toolkits such as these will probably become increasingly common.
I can't identify the toolkit exactly. However, the decrypted file does bear remarkable resemblance to one found in a toolkit called "Universal Root Kit", version 0.9.7. Notes included in the package indicate that the author had just added the simple encryption technique with the stated purpose of rendering a configuration file difficult for people to read.
Comments in a newsgroup posting that more closely matched against terms extracted from the decrypted file indicate that this file is likely from this toolkit or a descendant, crossed with another rootkit attributed to "Tragedy/Dor".