June 5, 2001
By: Lance Walters
Email: sentry07@yahoo.com
Step 1:
10:00PM - Downloaded "somefile". Examined the file and found a simple encryption algorithm. Wrote a Pascal program to test several methods of decryption: SHL, SHR, ASCII +/-32, etc. Nothing worked. So I looked at the actual characters and found the most common character, which was HEX equivalent F5, which I realized was 255(FF) - 13(0C). Rewrote the program to subtract the ASCII equivalent of the character from 255 and convert it to a character. Ended up with this:
[file]
find=/dev/pts/01/bin/find
du=/dev/pts/01/bin/du
ls=/dev/pts/01/bin/ls
file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER
[ps]
ps=/dev/pts/01/bin/psr
ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys
lsof_filt
Seems to be incomplete. Don't know if this is on the blackhat's part or HoneyNet's part.
(Time taken: 30 minutes)
<Full source and compiled binary of program included, along with decrypted file>
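The same decryption, as an added example that is not the submitter's Pascal program and not part of the original write-up. Subtracting each byte from 255 is the same operation as XOR with 0xFF, so the scheme is its own inverse. The script also runs the other single-byte transforms the submitter tried (shifts, +/-32) and ranks them by how much printable text they produce, which is the check that picks out the right one. The ciphertext below is constructed here by encoding the recovered configuration lines; it is not the actual uconf.inv from the challenge.

```python
"""Added example: decode a file whose bytes were each replaced by 255 - b.

The sample ciphertext is constructed here from the recovered plaintext
above (not the real uconf.inv). All function names are this example's own.
"""
from collections import Counter

# Constructed sample: the configuration the submission recovered.
PLAINTEXT = (
    "[file]\n"
    "find=/dev/pts/01/bin/find\n"
    "du=/dev/pts/01/bin/du\n"
    "ls=/dev/pts/01/bin/ls\n"
    "file_filters=01,lblibps.so,sn.l,prom,cleaner,dos,uconf.inv,psbnc,lpacct,USER\n"
    "[ps]\n"
    "ps=/dev/pts/01/bin/psr\n"
    "ps_filters=lpq,lpsched,sh1t,psr,sshd2,lpset,lpacct,bnclp,lpsys\n"
)


def encode(data: bytes) -> bytes:
    """Replace every byte b with 255 - b (equivalently b ^ 0xFF)."""
    return bytes(255 - b for b in data)


def decode(data: bytes) -> bytes:
    """The transform is an involution, so decoding is the same operation."""
    return encode(data)


def most_common_byte(data: bytes) -> int:
    """The frequency observation from Step 1: look at the dominant byte."""
    return Counter(data).most_common(1)[0][0]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/newline/CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


# Single-byte transforms to try, including the ones that did not work.
CANDIDATES = {
    "255-b": lambda b: 255 - b,
    "b+32": lambda b: (b + 32) & 0xFF,
    "b-32": lambda b: (b - 32) & 0xFF,
    "shl1": lambda b: ((b << 1) | (b >> 7)) & 0xFF,   # rotate left by 1
    "shr1": lambda b: ((b >> 1) | (b << 7)) & 0xFF,   # rotate right by 1
}


def rank_candidates(cipher: bytes) -> list:
    """Apply each candidate transform and rank by printable ratio, best first."""
    scored = []
    for name, fn in CANDIDATES.items():
        out = bytes(fn(b) for b in cipher)
        scored.append((printable_ratio(out), name))
    scored.sort(reverse=True)
    return [name for _, name in scored]


if __name__ == "__main__":
    cipher = encode(PLAINTEXT.encode("ascii"))
    print("most common ciphertext byte: 0x%02X" % most_common_byte(cipher))
    print("ranking:", rank_candidates(cipher))
    print(decode(cipher).decode("ascii"))
```

A newline (0x0A) encodes to 0xF5, which is the byte the submission found dominating the real file; in this constructed sample the most common byte is a letter rather than a newline, so the ranking by printable output is the more robust check.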
Step 2:
10:30PM - I know nothing about Solaris, so I pop on Yahoo and search for "file_filters" and find information on rootkits and other people having been hacked by rootkits. Interestingly enough, it all points to a rootkit for Solaris systems. Checking back through the whitepapers of HoneyNet, there was a compromise using the Sun2 kit. Very interesting.
(Time taken: 15 minutes)
Answers
Question 1: The file is encrypted by taking the ASCII ordinal of the character, subtracting it from 255, and replacing it with the character with the new ordinal.
Question 2: Quite honestly, it was a lucky guess. Have been known to write an oddball encryption scheme or two in my day, so I tried stuff I used before.
Question 3: See above.
Question 4: This file (uconf.inv, I believe) is a configuration file for several system utilities, including Netstat, find, ls, and ps. It is encrypted so that the user can't see the modifications the blackhat has made.
Question 5: Don't write an article about how a Solaris system was compromised and post the utility used to do so.
Question 6: Approx 45 minutes
Bonus Question: It appears to be the Solaris Rootkit written by Tragedy and Dor. Very popular kit, it seems. You can find it on most local script kiddie websites.