spacer [an error occurred while processing this directive]
About the Project
Research Alliance
Our Book

Scan of the Month

Scan 16

The scan for June, 2001. Your challenge is to decrypt and analyze an encrypted file. All submissions are due no later then 17:00 CST, Friday, 22 June. Results will be released Monday, 25 June.

The Challenge:
The past several Scan of the Month challenges have been oriented towards beginners, our goal has been to introduce newer security members to the world of incident response and forensic analysis. We decided to change things this month and make a more difficult challenge for advance members.

In March, 2001 a Solaris system was compromised. A collection of tools, utilities and files were uploaded onto the system by the blackhat. One of the files was encrypted. For this challenge, we have changed the name of the encrypted file to "somefile". You can download this file as, MD5 Checksum=eb7ed869ffcfe72d4b48caf57e648910, or somefile.tgz, MD5 Checksum=f7964d9860cbf8135ef64bcf5b96facb. Your missions is as follows:

  1. Identify the encryption algorithim used to encrypt the file.
  2. How did you determine the encryption method?
  3. Decrypt the file, be sure to explain how you decrypted the file.
  4. Once decrypted, explain the purpose/function of the file and why it was encrypted
  5. What lesson did you learn from this challenge?
  6. How long did this challenge take you?

Bonus Question:
This encryption method and file are part of a security toolkit. Can you identify this toolkit?

The Results:
The results for this month were incredible, we received 47 submissions (the most ever to date). Almost everyone successfully decrypted the challenge. As many of you pointed out, this was not so much an encrypted file as it was an obfuscated file. Judging was extremely difficult due to the high quality and almost everyone was technically correct. As such, winners were selected based on who provided the most detailed information (specifically their methods) in an easy to understand format. If you believe a mistake has been made, please let us know, as we are trying our best.

Surprisingly, the Bonus Question seemed to be the hardest part, and not the challenge itself. It was amazing the tools that were developed to analyze and decrypt the file. Solutions were coded in Perl, Pascal, C, C++, QBasic, Python, and Java. What we thought was ingenious is how people were able to determine the contents of the file (ASCII text file) before even decrypting somefile. Great job folks! We hope everyone had fun and continues to learn from these events.

Writeup from the Honeynet Project members.
Since we knew the name of the file, we had a slight advantage, thus our methodology was different. The compromised system (and this 'encrypted' file) were discovered on a compromised Solaris system while many Honeynet members were attending the CanSecWest security conference. Never to pass up a challenge, David Dittirch and rain forest puppy analyzed and decrypted the file. Below is their thought process.

Writeup from the Security Community

Top Ten

Top Twenty

Remaining Submissions

Back to Top