RE: [Full-Disclosure] Strange Code...found in a Website...anyone who knows what this is? - [MODERATED]
- To: undisclosed-recipients: ;
- Subject: RE: [Full-Disclosure] Strange Code...found in a Website...anyone who knows what this is? - [MODERATED]
- From: "On-the-fly Security Institute" <jason@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 12 Sep 2003 18:11:51 -0400 (EDT)
Battle.net Cryptanalysis
------------------------
WARNING: We are not responsible for persons who continue reading this bulletin
without possessing the appropriate security clearance. Please see U.S.
Government Executive Order 12968, "Access to Classified Information" for more
information.
We had received advance notification of the encrypted text from SANS, CERT,
and DoD, but unfortunately someone posted to Full-Disclosure before the
findings could be completed. Below is a step-by-step review of our analysis to
date, performed over the last 48 hours:
1) HTML steganography
The data structure appears to not match any common patterns in the FBI digital
watermarking database. This implies an unknown origin or some sort of
extra-processtual manipulation. Due to UCITA and the DMCA, it was difficult to
analyze the precise HTML in its original format. Only after a kernel debugger
was connected via a serial console to a Windows 95 workstation were we able to
uncover some of the commonalities in this sequence. This was our starting point.
Reference: http://tech.millto.net/~morry/kdebug/
2) Payload extraction
Obviously, we're dealing with a highly specialized encoding device, as the
protocol headers were not even marginalized in an ISO-compliant manner
(seriously!). Clearly, "@", "(", "#", "%", "*", and similar characters are
delimiters for this payload.
Our team cursorily identified two major data representation groups in the
message, apparently repeated for obscurity:
Data A) JLKZXJLKD
Data B) GJSDLKJZXLKJCOIWUTGOIWEUTR
3) ROT13 cipher attack
As is typical for high security data transmissions, a lesser-known Red Herring
technique was tossed into the mix:
ROT13 of Data A) WYXMKWYXQ
ROT13 of Data B) TWFQYXWMKYXWPBVJHGTBVJRHGE
NOTE: In order to filter out potentially malicious individuals from using this
information against the country in a way that could mitigate our national
defense systems, I've left the interpretation as an exercise to the AUTHORIZED
readers. (Though it may seem obvious to the cryptographers among you, a case
study published in 1997 by the National Steganographic Society found that
individuals who identified themselves as "IT savvy" were increasingly unable to
produce any compelling evidence after ROT13 analysis.)
(For those of you still with us... keep reading!)
4) Chinese Remainders
After hours of dead-ends, we began looking at the message in raw form by
acquiring a bridge tap lock on the serial null modem cable. It is especially
lucky that we decided to serialize the data, as the observations began to
concisely abstractificate into increasingly contextual form.
Specifically, we were seeing 0x23 and 0x54 appearing in rapid succession in
between the ASCII milestones. What we normally would've dismissed as "random
noise", actually had a detectable pattern. As of yet, the guys over in EE have
not determined what the precise cause of this decipherable noise is. But, in
base 10, the resultants:
Steganographic Resultant A) 35
Steganographic Resultant B) 84
The Euclidean Algorithm is a process which gives the greatest common divisor of
two natural numbers. Recall that, for any natural numbers r and s, and any
integer t, we have (r, s) = (r, s + tr). We will use a consequence of the
Euclidean Algorithm, called the Chinese Remainder Theorem:
We compute (35, 84). Since 35 goes into 84 twice, we subtract 2 × 35 = 70 from
84 to see that (35, 84) = (35, 14). Notice now that 35 is the larger number. We
can subtract 2 × 14 = 28 from 35 to get (35, 14) = (7, 14). Now, since 14 is a
multiple of 7, we see that (35, 84) = 47.
There are several paths of interpretation, but our only cryptanalysis hit came
when we calculated this to be the ASCII string "47" (as opposed to its numeric
representation).
What word does 47 represent? Dividing by 27, we find that the quotient is 1,
with a remainder of 20. Since 1 is less than 27, the word is 120, or AT. What
about 13703? Dividing by 27, we get 507, with a remainder of 14. Dividing 507 by
27, we get 18 with a remainder of 21. 18 is less than 27, so we are done, and we
get the word 182114, or "DoD". Yes, that's right... The Department of Defense.
This message was probably placed by the Department of Defense or one of its
contracting agencies on a Battle.net server without the knowledge of any of the
webmasters, as public Internet distribution of this content would conjure up
memories of Judge James Edwin Horton and the Trial of the "Argentinian Cipher
Militia".
5) **Unprecedented information security breach**
-----
[Note from editor: For the first time in history, per instructions from
international law enforcement agencies, I have been forced to moderate the
contents of this post. Please expect a follow-up post after findings are made
public. For media & local law enforcement, direct inquiries to
privacy@xxxxxxxxxxxxx ]
-----
Well, there it is. Save yourselves while you still can!
Regards,
Jason Sloderbeck
On-the-fly Security Institute, Gosford, Antarctica
"Cryptanalysis performed while you wait" ID# B418 B290 ACC0
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html