A Test / A Challenge
saetji
I'm just testing a new rootkit, so I was wondering if anyone could have a go at deciphering this exe: it's basically a compiled batch file which will delete itself after running and runs hidden. I'm just curious if anyone can find out what the original batch said.

(NO, this is not from someone else's rootkit; NO, this will not do anything to your computer because it has no commands in it; and YES, I do know what the uncompiled batch script is.)

Anyone willing to help? Thanks.
SlippyG
QUOTE (saetji @ Jan 3 2004, 08:54 PM)
I was wondering if anyone could have a go at deciphering this exe: it's basically a compiled batch file which will delete itself after running and runs hidden. I'm just curious if anyone can find out what the original batch said.

I am aware that you may not wish to hear what follows, but here goes:


Firstly, perhaps 'deciphering' is the wrong term, since the strength of the algorithm is not an issue at all. Anyone with moderate ASM experience and a disassembler could work out quite quickly where your decryption loop is and from where in the code it draws its key. That's if they cared to waste any time; there are faster solutions for those that just want a timely answer without the requirement to understand every step of the code.

For example, a simpler method would be to execute the binary in a secure debugging environment (say, on a spare machine or a VM). One could then simply step through it, pause once the code has run its decryption, and read the plaintext right off the screen. That's the no-brainer solution.

So, the point that should be understood here is that nobody need waste their time breaking or even looking at your cipher as the binary will decrypt it for us during the course of its run.

Please don't feel I am criticising you or your code here. I just feel that this is a point you should be aware of.


Personally, if I were investigating the code, I would look at all the calls it made during an unhindered execution and find the more interesting ones (registry writes and certain other DLL calls). This would tell me if the code was running batches, spawning an embedded exe (as in an exe binder), setting keys, injecting code into other processes, calling WSAStartup, etc., and generally give me an idea of what TYPE of things the code is doing. Once I've identified and shortlisted the calls I wish to inspect more closely, I'd then run it again under SoftICE with breakpoints on the interesting calls and read the parameters and, optionally, return values from the stack, looking at any buffers passed by reference. This approach would generally give me everything I needed to know quickly whilst minimising the chances I might miss something important.


This is all standard procedure and is well within the capabilities of any competent incident investigator, coder or forensic analyst.

So, in answer to your original question 'could one decrypt the payload', my answer is simply that if it was specifically requested it could be done trivially with a little time, but this is seldom of interest and therefore not usually done. It is sufficient to understand what the code is actually doing rather than how it stores, encrypts or packs itself and its data. Once the former is understood, the latter becomes an irrelevance.


Anyway, best of luck with your rootkit. It's always nice to see someone actually getting off their ass and challenging themselves. Well done.

SG
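The two routes SlippyG describes, as an added example that is not code from this thread or from either poster. It is a toy stand-in for a "compiled batch" wrapper of the kind saetji describes (XOR-encoded script, dropped to a temp file, run hidden, then deleted), with Python playing the part of a debugger session. Everything in it is invented for the illustration: the blob layout, the `win_*` stand-ins for the Win32 calls (nothing is executed or written to disk), the temp path, the key and the batch text.

```python
"""
Added example, not code from the thread. A toy "compiled batch" wrapper and
two analyst routes: (1) static, work out the key and the loop and redo the XOR;
(2) dynamic, hook the calls the wrapper makes so the binary decrypts the
script for us, then read the buffer passed by reference. All names, the blob
layout and the win_* stand-ins are invented; nothing here touches the OS.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample input: the script the hypothetical wrapper carries.
ORIGINAL_BATCH = (
    "@echo off\r\n"
    "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /d C:\\x.exe /f\r\n"
    "del %0\r\n"
)
KEY = b"s3cr3t"  # hypothetical embedded key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_blob(plaintext: str, key: bytes) -> bytes:
    """Hypothetical blob layout: 1-byte key length, key, XOR-encoded script."""
    return bytes([len(key)]) + key + xor_bytes(plaintext.encode(), key)


BLOB = build_blob(ORIGINAL_BATCH, KEY)


# Stand-ins for the Win32 imports a real wrapper would call. In a real session
# these are the breakpoint targets (WriteFile, CreateProcessA, DeleteFileA).
def win_WriteFile(path: str, data: bytes) -> int:
    return len(data)  # pretend the write succeeded


def win_CreateProcess(command_line: str) -> int:
    return 0  # pretend cmd.exe ran hidden and exited 0


def win_DeleteFile(path: str) -> bool:
    return True


def wrapper_main(blob: bytes) -> int:
    """What the compiled wrapper does at run time."""
    klen = blob[0]
    key = blob[1:1 + klen]
    script = xor_bytes(blob[1 + klen:], key)     # the decryption loop
    tmp = "C:\\Windows\\Temp\\~tmp.bat"          # hypothetical drop path
    win_WriteFile(tmp, script)                   # plaintext passes by reference here
    rc = win_CreateProcess("cmd.exe /c " + tmp)  # only the path crosses here
    win_DeleteFile(tmp)                          # "deletes itself after running"
    return rc


# Route 1: static. Having found the key and the loop in the disassembly.
def static_decrypt(blob: bytes) -> str:
    klen = blob[0]
    return xor_bytes(blob[1 + klen:], blob[1:1 + klen]).decode()


# Route 2: dynamic. Patch the call sites (an IAT hook or breakpoint in
# practice), let the wrapper run, restore the originals afterwards.
def _run_hooked(blob: bytes, hooks: Dict[str, Callable]) -> int:
    saved = {name: globals()[name] for name in hooks}
    globals().update(hooks)
    try:
        return wrapper_main(blob)
    finally:
        globals().update(saved)


TRACED = ("win_WriteFile", "win_CreateProcess", "win_DeleteFile")


def trace_api_calls(blob: bytes) -> List[Tuple[str, str]]:
    """First pass: log every call with an argument summary to shortlist from."""
    log: List[Tuple[str, str]] = []

    def logged(name: str, original: Callable) -> Callable:
        def shim(*args):
            log.append((name, ", ".join(repr(a)[:48] for a in args)))
            return original(*args)
        return shim

    _run_hooked(blob, {n: logged(n, globals()[n]) for n in TRACED})
    return log


def capture_buffers(blob: bytes, api: str) -> List[bytes]:
    """Second pass: break on one call and read the buffers passed by reference."""
    captured: List[bytes] = []
    original = globals()[api]

    def shim(*args):
        captured.extend(a for a in args if isinstance(a, (bytes, bytearray)))
        return original(*args)

    _run_hooked(blob, {api: shim})
    return captured


if __name__ == "__main__":
    for name, args in trace_api_calls(BLOB):
        print(f"{name}({args})")
    print(capture_buffers(BLOB, "win_WriteFile")[0].decode())
```

The first pass is the shortlisting step: it yields the call list without caring what the decryption loop looks like. The second pass is the breakpoint on the interesting call. Note that breaking only on the process spawn would give just the temp file path; the plaintext is in the buffer handed to the write call, which is why reading buffers passed by reference matters more than reading the cipher.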
saetji
Interesting reply, and no, I don't feel criticised. I'm trying to find out exactly how hard it would be, because I did take certain precautions, e.g. using a stealthed batch file so the output isn't shown, etc.

I always believe that there are people out there who know more than me in some field or another (DUH!), so you should always try and use their skills to learn. Just because I can't decrypt it doesn't mean someone else doesn't know a very simple way of doing it ... hence this thread.