-----BEGIN PGP SIGNED MESSAGE-----

On Thursday 28 Feb 2002 9:29 pm, Steve Huston wrote:

> I just got one of these too; upon booting from CD and doing a little poking
> around, I found in /usr/lib/vold/nsdap the file 'defines', which contained
> the following:
>
> ======
>
> # Edit these
> # Dir to install rootkit in
> RKDIR="/usr/lib/vold/nsdap"
> # Your email address
> EMAIL="bert.smithat_private"
> # debug mode on or off
> DEBUG=0

[...]

Google is your friend - doing a search for that email address picks up two
links to the Honeynet project, both results for the Scan of the Month #16.

The most interesting of the two is:

http://project.honeynet.org/scans/scan16/som/som34.html

by "Solar Eclipse". The useful text is:

  This looks like our rootkit. According to the README it was written by
  Tragedy/Dor <bert.smithat_private>. I sent an email to this address and
  Dor was kind enough to send me the binaries of his rootkit - k.tar.gz.

  I have not analyzed the rootkit in depth, since this is not the objective
  of Scan 16, but I looked at the installation script. It writes out the
  configuration to a temporary file and then obfuscates it with a crypt
  program, included in the rootkit. By disassembling the crypt binary with
  IDA Pro I found out that it simply reads the file, NOTs every byte and
  writes it out. My cryptanalysis appears to be correct.

The link "k.tar.gz" to the rootkit in the above is broken, though.

HTH, HAND,
Chris

- --
Christopher Samuel [dstl]           +44 1684 771134
L007, DSTL, St Andrews Road, Malvern, UK - DSTL is part of the UK MoD

DISCLAIMER: The views expressed above are just those of the author and do
not represent the views, policy or understanding of any other entity

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBPINOIVJ7nmUlvnM9AQHe4wP/XKD7BKv4NN07bCmGsGYS4nKs8q11QCFn
UBXVdiSAB1+UrPB+dg/6rp+N7nndmDKihRXc43SHs7fme/aHLXmEHfbUpgjwbL9N
0HvBsK3zLQ7radjkHMGH/5o/F9DtP04ekW+sNmRzV2Mnma2pbwVexGwjaKDsPqYd
xB93/jwoz/o=
=rN0U
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
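The quoted analysis describes the rootkit's 'crypt' helper as nothing more than a byte-wise NOT over the written-out configuration. For an incident responder holding a disk image, that means the obfuscated 'defines' file can be recovered with no key and the installer's settings (install directory, notification address) read back out as evidence. The script below is an added forensic example, not code from the mailing list, the Honeynet write-up or the rootkit: it applies the complement, checks whether the result looks like a shell-style config before trusting it, and pulls out the KEY=VALUE assignments. The sample config embedded in it is constructed, modelled on the excerpt Steve posted, and is the only input assumed.

```python
"""Recover a config file obfuscated by a byte-wise NOT (bitwise complement).

Added forensic example. The transform is the one the quoted analysis attributes
to the rootkit's bundled 'crypt' tool; the sample input is constructed here and
is not taken from the rootkit itself.
"""
import string
import sys

# Constructed sample config, modelled on the 'defines' excerpt in the mail.
SAMPLE_CONFIG = b"""# Edit these
# Dir to install rootkit in
RKDIR="/usr/lib/vold/nsdap"
# Your email address
EMAIL="bert.smithat_private"
# debug mode on or off
DEBUG=0
"""


def not_bytes(data: bytes) -> bytes:
    """Complement every byte. The transform is an involution: applying it
    twice gives the original back, so one function obfuscates and decodes."""
    return bytes(b ^ 0xFF for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = set(string.printable.encode())
    return sum(1 for b in data if b in ok) / len(data)


def looks_like_shell_config(data: bytes) -> bool:
    """Heuristic: mostly printable text with at least one NAME=value line."""
    if printable_ratio(data) < 0.95:
        return False
    for line in data.splitlines():
        s = line.strip()
        if s and not s.startswith(b"#") and b"=" in s:
            key = s.split(b"=", 1)[0]
            if key.replace(b"_", b"").isalnum():
                return True
    return False


def try_decode(candidate: bytes):
    """Return (text, is_config). The raw bytes are checked first, since the
    file on disk may never have been obfuscated; then the NOT transform is
    tried. If neither looks like a config the input is returned unchanged."""
    if looks_like_shell_config(candidate):
        return candidate, True
    decoded = not_bytes(candidate)
    if looks_like_shell_config(decoded):
        return decoded, True
    return candidate, False


def parse_defines(text: bytes) -> dict:
    """Collect NAME=value assignments from a decoded defines file, dropping
    comments and surrounding double quotes."""
    out = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(b"#") or b"=" not in s:
            continue
        k, v = s.split(b"=", 1)
        out[k.decode()] = v.strip().strip(b'"').decode()
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to a 'defines' file carved from an image (assumed argument).
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        # No file given: simulate the obfuscated file from the constructed sample.
        blob = not_bytes(SAMPLE_CONFIG)
    decoded, ok = try_decode(blob)
    print("looks like a config:", ok)
    if ok:
        for k, v in parse_defines(decoded).items():
            print(f"{k} = {v}")
```

Run it with the path of the suspect file as its only argument, or with no argument to see it round-trip the constructed sample. The plausibility check matters more than the decode: because NOT maps ASCII into the 0x80-0xFF range and back, a file that is mostly high bytes and turns into clean KEY=VALUE text under the complement is strong evidence of this particular installer, while a file that stays unreadable under both views was obfuscated some other way and needs a closer look at the binary that wrote it.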
This archive was generated by hypermail 2b30 : Mon Mar 04 2002 - 22:07:48 PST