Message-ID: <200401310310.26197.danny@ricin.com>
From: danny at ricin.com (Danny)
Subject: mydoom.exe decyphering?

<layman>

Sophos says:
 (sync-1.01; andy; I'm just doing my job, nothing personal, sorry)

OK, this can readily be deduced somewhat from mydoom.exe, but not 
entirely. Ironically, Aladdin Systems can find itself back in the worm's 
'strings' output... a part of it is compressed with StuffIt.

[download MyDoomB, cut out the StuffIt part, unstuff it and cut out the 
(3rd/last) data part (use tail or so). Then hexdump -C that one again]

Here's the part with the text (use fixed font in your mail client):

HEX	ff  87  22  92  00  0a  0a  28  73  79  6e  63  2d  31  2e  fd
ASCII	*   *   32  *   0   10  10  40  115 121 110 99  45  49  46  *
SYMBOL	*   *   "   *   *   *   *   (   s   y   n   c   -   1   .   *

HEX	ff  6f  ff  30  31  3b  20  61  6e  64  79  5   49  27  6d  20
ASCII  	*   111 *   48  49  59  32  97  110 100 121 5   73  39  109 32
SYMBOL	*   o   *   0   1   ;       a   n   d   y   *   I   '   m    

HEX	6a  75  73  74  20  64  6f  69  6e  67  20  6d  79  6b  ff  ef
ASCII	106 117 115 116 32  100 111 105 110 103 32  109 121 107 *   *
SYMBOL	j   u   s   t       d   o   i   n   g       m   y   k   *   *

HEX	bf  0d  6f  62  2c  20  6e  6f  74  68  0f  70  65  72  73  6f
ASCII	*   13  111 98  44  32  110 111 116 104 15  112 101 114 115 111
SYMBOL	*   *   o   b   ,       n   o   t   h   *   p   e   r   s   o

HEX	6e  61  6c  11  06  a6  fb  ae  7d  72  72  79  29  42  47  40 
ASCII	110 97  108 17  6   *   *   *   125 114 114 121 41  66  71  64
SYMBOL	n   a   l   *   *   *   *   *   }   r   r   y   )   B   G   @

So: (sync-1...o.01; andy.I'm just doing myk....ob, noth.personal.....}rry)

A few observations:

- 'noth*' seems to get its 'ing ' part from the token 'doing '
- likewise ' just' must be the inspiration for ' job', replacing the ' j' with 
'k****' where * are non-ASCII. Note that ' just' fits into '****' and j=k-1 
- '*****}rry' should translate to ' sorry' or (Sophos) ', sorry'
- is it sync-1.01 or perhaps sync-1.1.p01 or so? Does anyone have any idea what this 
sync is anyway?
- if 'BG@' at the end could in some way end up being 'BEGIN' we have a 
uuencoded remainder which would have to be 'decrypted' first.
- how did Sophos fill in the blanks, or did they?

One would think the entire data chunk would be encrypted or encoded or 
whatever you want to call it in the same manner (something like uuenc/decode 
can be used to have binary data be changed and obfuscated as text and 
restored to binary through a 1 on 1 (de)obfuscation, right?).

Any thoughts? Is this a known algorithm that I'm not aware of for Unicode 
compressing or something similar? How do other people investigate a binary? (I 
look at hexdumps, strings, output of 'file', magic numbers/strings...)

Let me dare say something I'm going to regret (heck this list is full of 
flamethrowers anyway ;-) To be honest, I have an unpleasant feeling that this 
whole thing might be staged. It's so suggestive. But I lack the skill to look 
further and don't passionately care enough either. Yet, this is one 
interesting thing with the whole MS and SCO background.

Please note, I use FreeBSD exclusively, not Windows, but was bored and got 
interested, and I'm wondering if anyone has done any research or 
experimenting on this. I've looked at them on my FreeBSD desktop box. I'm not 
familiar with Windows code other than looking at some worm and noticing that 
it has smtp code or so. The things with archives within executables holding 
executables and even with a Mac archiving package being used, uhhmm I'll pass 
on that and just assume that that's all normal and doable out there over the 
fence :) 

</layman>

Hope you don't blame me for trying to have some interesting discussion. No 
matter what your skill level, it sure beats the ever-present pissing 
contests. 

Regards,

--Dan (normally lurker with habitual attraction to DEL key)
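An added illustration, not part of Dan's post and not an analysis of the real worm: the effect he notices (the 'ing ' of 'nothing' apparently borrowed from 'doing ') is exactly what LZ77-style compression produces, where a repeated substring is replaced by a (distance, length) pointer back into already-decoded text, so a hexdump shows readable fragments with non-ASCII bytes where the repeats were. The encoder below is a generic textbook LZ77 run over the Sophos string, not the StuffIt format; the token layout and the constants are assumptions for illustration, and it reproduces the 'ing ' back-reference but makes no claim about the other fragments in the dump.

```python
# Added example: a textbook LZ77 encoder/decoder, NOT the StuffIt format.
# The Sophos string is from the post; everything else is assumed for illustration.
SOPHOS_TEXT = b"(sync-1.01; andy; I'm just doing my job, nothing personal, sorry)"
MIN_MATCH = 3   # shorter repeats are cheaper to keep as literal bytes
WINDOW = 255    # how far back a pointer may reach

def lz77_compress(data: bytes) -> list:
    """Return tokens: an int literal byte, or a (distance, length) back-reference."""
    tokens, i = [], 0
    while i < len(data):
        best_len, best_dist = 0, 0
        for j in range(max(0, i - WINDOW), i):
            k = 0
            # a match may run past i and overlap itself (classic LZ77 behaviour)
            while i + k < len(data) and k < 255 and data[j + k] == data[i + k]:
                k += 1
            if k > best_len:
                best_len, best_dist = k, i - j
        if best_len >= MIN_MATCH:
            tokens.append((best_dist, best_len))
            i += best_len
        else:
            tokens.append(data[i])
            i += 1
    return tokens

def lz77_decompress(tokens) -> tuple:
    """Rebuild the text and record every pointer as (offset, distance, length, copied_text).
    Pointers copy byte by byte so an overlapping copy works."""
    out, refs = bytearray(), []
    for t in tokens:
        if isinstance(t, tuple):
            dist, length = t
            start = len(out)
            for _ in range(length):
                out.append(out[-dist])
            refs.append((start, dist, length, out[start:].decode()))
        else:
            out.append(t)
    return bytes(out), refs

if __name__ == "__main__":
    toks = lz77_compress(SOPHOS_TEXT)
    text, refs = lz77_decompress(toks)
    assert text == SOPHOS_TEXT
    for off, dist, length, copied in refs:
        # show the earlier word the pointer reuses, with two bytes of context
        src = text[max(0, off - dist - 2):off - dist + length].decode()
        print(f"offset {off}: {length} bytes from {dist} back -> {copied!r} (from {src!r})")
```

Run as-is it reports a single pointer, at offset 45, copying 4 bytes from 16 bytes back: the 'ing ' of 'nothing ' taken from 'doing '.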

