The past several Scan of the Month challenges have been oriented towards beginners;
our goal has been to introduce newer security community members to the world of incident
response and forensic analysis. We decided to change things this month and
make a more difficult challenge for advanced members.
In March 2001 a Solaris system was compromised. A collection of tools,
utilities and files were uploaded onto the system by the blackhat. One
of the files was encrypted. For this challenge, we have changed the name
of the encrypted file to "somefile". You can download this file as
somefile.zip (MD5 checksum eb7ed869ffcfe72d4b48caf57e648910) or
somefile.tgz (MD5 checksum f7964d9860cbf8135ef64bcf5b96facb). Your mission
is as follows:
1. Identify the encryption algorithm used to encrypt the file.
2. How did you determine the encryption method?
3. Decrypt the file, and be sure to explain how you decrypted the file.
4. Once decrypted, explain the purpose/function of the file and why it
5. What lesson did you learn from this challenge?
6. How long did this challenge take you?
Bonus Question: This encryption method and file are part of a security toolkit.
Can you identify this toolkit?
The results for this month were incredible: we received 47 submissions
(the most ever to date). Almost everyone successfully decrypted the challenge.
As many of you pointed out, this was not so much an encrypted file as it
was an obfuscated file. Judging was extremely difficult due to the high quality
of the submissions, and almost everyone was technically correct. As such, winners were selected based
on who provided the most detailed information (specifically their methods) in
an easy-to-understand format. If you believe a mistake has been made, please let
us know, as we are trying our best.
Surprisingly, the Bonus Question seemed to be the hardest part, and not
the challenge itself. It was amazing what tools were developed to analyze
and decrypt the file. Solutions were coded in Perl, Pascal, C, C++, QBasic, Python,
and Java. What we thought was ingenious is how people were able to determine
the contents of the file (an ASCII text file) before even decrypting somefile. Great
job folks! We hope everyone had fun and continues to learn from these events.
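To illustrate how the contents can be recognised as ASCII text before decoding, here is an added example (not code from any submission or from the Honeynet write-ups): a byte-frequency test that is unaffected by byte-wise substitution, followed by a key search. It assumes a single-byte XOR as the obfuscation; the challenge text above does not state somefile's actual scheme, and the plaintext and key below are constructed for the demonstration.

```python
# Added example, not from the Honeynet Project: recognising obfuscated ASCII text
# from byte statistics, then recovering a single-byte XOR key (assumed scheme).
from collections import Counter
import string

# Constructed sample: a plausible config-style plaintext and a made-up key.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = (b"# rootkit configuration (constructed sample)\n"
                    b"hide_file=/usr/lib/libX.a\nhide_proc=sniffer\n"
                    b"hide_port=2222\nlog=/dev/ptyp\n")

PRINTABLE = set(string.printable.encode())
COMMON = set(b" \n" + string.ascii_letters.encode())  # dominant bytes in text

def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

def looks_like_obfuscated_text(data):
    """ASCII text uses few distinct byte values and has a skewed histogram.
    Any byte-for-byte substitution (XOR, ROT, table lookup) only relabels the
    histogram bars, so these two properties survive the obfuscation, while
    real ciphertext or compressed data is close to uniform over all 256 values."""
    counts = Counter(data)
    top_share = counts.most_common(1)[0][1] / len(data)
    return len(counts) <= 100 and top_share >= 0.05

def text_score(data):
    """Higher is more text-like: non-printable bytes cost 5, letters and
    whitespace earn 1. Breaks ties such as a case-flipping key."""
    score = 0
    for b in data:
        if b not in PRINTABLE:
            score -= 5
        elif b in COMMON:
            score += 1
    return score

def recover_single_byte_xor(data):
    """Try all 256 keys; keep the one whose output reads most like text."""
    best = max(range(256), key=lambda k: text_score(xor_bytes(data, k)))
    return best, xor_bytes(data, best)

def demo():
    obfuscated = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    flagged = looks_like_obfuscated_text(obfuscated)
    key, plain = recover_single_byte_xor(obfuscated)
    return flagged, key, plain

if __name__ == "__main__":
    flagged, key, plain = demo()
    print("text-like histogram:", flagged, "key: 0x%02x" % key)
    print(plain.decode())
```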
Writeup from the Honeynet Project members.
Since we knew the name of the file, we had a slight advantage, thus our methodology was different.
The compromised system (and this 'encrypted' file) were discovered on a compromised
Solaris system while many Honeynet members were attending the
CanSecWest security conference. Never one to pass up a challenge, David Dittrich and
rain forest puppy analyzed and decrypted the file. Below is their thought process.
Writeup from the Security Community