# Appendix B: Moonlight Maze Technical Report ## Tools, Exploits, and Scripts What follows is a comprehensive breakdown of the artifacts leveraged throughout a window of Moonlight Maze attacks from 1998-1999 that employed the ‘HRTest’ relay. The operators would pull down TAR archives with different tools, scripts, and exploits to test out on victim systems. Many archives were deployed through this relay but most contained some combination of the artefacts herein described. The total count is 45 binaries, comprised of 28 SunOS SPARC _binaries and 17 IRIX MIPS binaries. These include both custom tools as well as repurposed_ publicly available source code for tools and exploits, and in some cases combinations of the two. Where redundancies and modifications were obvious, these were noted. Where the source code was identified, a link is provided. Additionally, there are 9 scripts that the operators would execute on victim machines. These include two exploits and several custom scripts meant to efficiently orchestrate malware already operating on a victim system. Since the operators’ modus operandi required them to connect to victim networks to issue commands and exfiltration, many binaries were developed to check tasking files under specific names located in the directory. The scripts often place these tasks onto these specific files. They would also efficiently prepare data for exfiltration or prune logs for IPs and hostnames that would list further targets on an intranet or interrelated network. Note that the identified exploits were largely shared on forums designed to improve security awareness and to enable system administrators to get in front of emerging threats that may not be patched by the manufacturers in a timely fashion. Where exploit authors are identified, this is done without assignation of malice and merely as recognition of their skills and contributions to the security community of their time, regardless of their misuse by the attackers. The binaries, exploits, and scripts have been intermingled into sets as were seen deployed inthe-wild. This allow for an easier understanding of how these sets operated together. Where redundancies occurred, these are noted in the set overviews. ----- ## ETAR1 – SPARC Tool and Exploit Set ### Overview ETAR1 is by far one of the most complete tool sets leveraged by the Moonlight Maze operators. It is also less specific and includes redundancies, such as standalone binaries whose functionality is also folded into other binaries also present within the same archive. It features a wide spread of functionalities including multiple log cleaners, kernel patchers, a tunnel redirector, system information stealer, multiple covert channel backdoors, a sniffer, and an xserver keylogger. The archive also includes a wide swath of exploits largely aimed at privilege escalation. ### Tools |Filename|cle| |---|---| |MD5|647d7b711f7b4434145ea30d0ef207b0| |Size|9.3KB| |File Type|SunOS SPARC Binary| |Notes|Usage: ./cle filename template_file Custom log cleaner that takes two parameters, a log filename and a template file. It uses the template file to create a list in memory of any strings within the that match the template and then proceeds to purge those that contain a given string. It serves as a log cleaner when provided with a username to wipe from system logs.| |Filename|de| |---|---| |MD5|4bc7ed168fb78f0dc688ee2be20c9703| |Size|7.8KB| |File Type|SunOS SPARC Binary| |Notes|A tunnel redirector mean to stay resident in memory. It opens a socket and loops through packet blocks of size 1460| ----- |Col1|(or 0x5b4) in order to redirect them elsewhere. Interesting observations: ● The fork of the fork is referred to as ‘Vnuk’, a transliteration of the Russian for ‘grandchild’. ● Similar tools are used by modern Turla to build bridges deeper within partially segmented networks.| |---|---| |Filename|dt25| |---|---| |MD5|e32f9c0dac812bc7418685fa5dda6329| |Size|7.3KB| |File Type|SunOS SPARC Binary| |Notes|A Kernel Patcher meant to kernel memory dependent on command-line parameters. The filename suggests that this version targets SunOS version 2.5. Interestingly, the program uses an unusual convention of error code responses unconventional for the attackers. This implies the source code was likely taken from elsewhere but has yet to be identified: ● “*1100” -> Not enough arguments ● “*1350” -> Can’t open device for reading ● “*1300” -> fseek error ● “*1301” -> fread error ● “*1200” -> Address error ● “*1551” -> Successful patch| |Filename|dt26| |---|---| |MD5|7dc4f81ed408ff5a369cca737dff064c| |Size|10KB| |File Type|SunOS SPARC Binary| ----- |Notes|Another kernel memory patcher likely targeting SunOS version 2.6 based on the filename. Similar codebase to described above including the error message convention.| |---|---| |Filename|gr (2)|Col3|Col4|Col5| |---|---|---|---|---| |MD5|534a1a3212894cf44d8071bdd96ba738|||| |Size|261 bytes|||| |File Type|Script|||| |Notes|A reconnaissance script to collect system configuration files such as host files including remote authentication databases (/etc/hosts, /etc/hosts.equiv, /.rhosts), a list of servers configured for the management of internet services (/etc/inetd.conf), and, of course, user accounts and passwords (/etc/passwd, /etc/shadow). These are copied to the to the folder where the script is executed. It then creates a series of files with the output of the following commands: Command Output df -kb Disk space in kilobytes dmesg System diagnostic messages /usr/bin/ifconfig -a Current configuration for all network interfaces netstat -r Display network routing tables pkginfo Software packages installed on the system uname -a Name and basic system information ps -eaf List detailed active process information|||| |||Command|Output|| |||df -kb|Disk space in kilobytes|| |||dmesg|System diagnostic messages|| |||/usr/bin/ifconfig -a|Current configuration for all network interfaces|| |||netstat -r|Display network routing tables|| |||pkginfo|Software packages installed on the system|| |||uname -a|Name and basic system information|| |||ps -eaf|List detailed active process information|| |||||| |Filename|lo| |---|---| |MD5|a3164d2bbc45fb1eef5fde7eb8b245ea| ----- |Original|Replaced| |---|---| |"/stat" /* Stat the client */|!stat| |"/swapt" /* Swap protocols */|!swapt| |"/quit" /* Quit the client */|!quit| |"/quit all" /* Kill all clients and server */|!quit all| |Size|18KB| |---|---| |File Type|SunOS SPARC Binary| |Source|http://phrack.org/issues/51/6.html| |Notes|Implementation of the Loki 2 ICMP information-tunneling backdoor source code published in Phrack 1996-1997. Though the bulk of the codebase appears to come from the published source code, minor alterations suggest attempts to hide the nature of the backdoor. This particular version no longer features obvious references to ‘[lokid]’ and additionally has strings shortened to remove certain vowels: Original: “lokid: client <%d> requested an all kill” Modified: “clnt <%d> rqstd n ll kll” Command-line options have been slightly modified to start with a bang: Original Replaced "/stat" /* Stat the !stat client */ "/swapt" /* Swap !swapt protocols */ "/quit" /* Quit !quit the client */ "/quit all" !quit all /* Kill all clients and server */| ----- |Filename|lopg| |---|---| |MD5|9ab532cd3c16b66d98e0e738ddbe05a1| |Size|40KB| |File Type|SunOS SPARC Binary| |Source|http://phrack.org/issues/51/6.html| |Notes|As the name suggests, is a combination of the LOKI2 backdoor with put/get functionality. It has also been merged with the functionality of , a strange tool described that watches for commands and interacts with the pine mail client. Just as described above, it no longer features overt references to [lokid] and has many original strings shortened to remove vowels. The put/get functionality has the following usage: Usage: @ By allowing for direct placement and retrieval/exfiltration of files, the attackers can build a parallel network between infected machines no longer reliant on protocols like FTP and telnet that are likely to be monitored in an ongoing investigation. Constant spelling mistakes and clunky use of the English language suggest the get/put functionality was developed by the operators themselves: ● "ERROR: Can not open socket...." ● "open file for read" ● "open file for write" ● "receving message" ● "Error in parametrs:" ● "ERROR: Not connect..." ● "Connect successful...."| ----- |Filename|slok| |---|---| |MD5|d0f208486c90384117172796dc07f256| |Size|8.4KB| |File Type|SunOS SPARC Binary| |Notes|Custom tool that goes resident when executed and watches ‘/var/tmp/task’ for commands. Depending on the commands received via the task file, it spawns the pine mail reader in an xterm window. Its purpose is unclear.| |Filename|snc (2)| |---|---| |MD5|99a4a154ddecffdab5f0bf91f8bfabb8| |Size|5.1KB| |File Type|SunOS SPARC Binary| |Notes|A tool to run a root shell ( /bin/sh ) by forcing setuid 0 and setgid 0 or setuid to a user defined value. This is useful if you can get a root user to mark the binary as suid, then you can store it in a hidden place on the machine as an easy way to escalate privileges.| |Filename|spl| |---|---| |MD5|b4755c24e6a84e447c96b29ca6ed8633| |Size|6.1KB| |File Type|SunOS SPARC Binary| |Notes|Tool that extracts the first and last 1KB from a filename given as argument. The data is written in two files with their names composed as the original filename to which “.head” and “.tail” are appended.| ----- |Filename|tdn| |---|---| |MD5|927426b558888ad680829bd34b0ad0e7| |Size|91KB| |File Type|SunOS SPARC Binary| |Notes|Tool is build from tcpdump and libpcap sources. Attackers used tcpdump v 1.118 and compiled the tool in 1996. The tool takes the parameters from an external file named “/var/tmp/task”. The parameters are standard libpcap filter expressions, such as “(port 21) or (port 23) or (port 513)”. The attackers deployed these rules by writing them from shell scripts to “/var/tmp/task”. Accompanying configuration script is described below.| |Filename|ts (2)| |---|---| |MD5|7a0d6b2fdc43b1b2a96b6409d4eed6e4| |Size|74 bytes| |File Type|Script| |Content|echo "(port 21) or (port 23) or (port 513) or (port 110)" > /var/tmp/task| |Notes|Configuration script for the sniffer, meant to place ports into a tasking file checked by on startup.| |Filename|u| |---|---| |MD5|d98796dcda1443a37b124dbdc041fe3b| |Size|9KB| ----- |File Type|SunOS SPARC Binary| |---|---| |Source|Based on publicly available tool “utclean.c”: http://cd.textfiles.com/cuteskunk/Unix-Hacking- Exploits/utclean.c| |Notes|usage: %s [hostname] Tool used to clean various system logs such as: /var/adm/wtmp /var/adm/utmp /var/adm/lastlog /var/adm/wtmpx /var/adm/utmpx At the end, it will execute the following commands: ls -la /var/adm/wtmp* ; /bin/cp ./wtmp.tmp /var/adm/wtmp ; rm ./wtmp.tmp /bin/cp ./wtmpx.tmp /var/adm/wtmpx ; rm ./wtmpx.tmp ls -la /var/adm/wtmp* It finishes by printing the following two messages: ● “fixthings: done.” ● “Hiding complit...n” Attackers changed the string “...that's it. peace man :)” to “Hiding complit...n”.| |Filename|xk| |---|---| |MD5|4065d2a24240426f6e9912a22bbfbab5| |Source|http://web.mit.edu/jhawk/src/xkey.c| ----- |Notes|Keylogger for XServer, partially based on the keylogger source code above but modified to write the logs into a log file. It is also made configurable by use of files in ‘/var/tmp’ as is the operators’ convention. It forks to remain resident, then opens ‘/var/tmp/task’ and proceeds to run a series of checks on additional files like ‘/var/tmp/taskhost’, ‘/var/tmp/tasklog’, ‘/var/tmp/taskpid’, and ‘/var/tmp/taskgid/’. If these are empty, it procures the information and forks. The log starts at the following routine: The logs are XORed with 0x4D and the output is saved into: ‘/var/tmp/.Xtmp01’. However, these logs are found stored in the archives under names like “RES.xk”, “A”, “B”, “ABC” followed by a number, suggesting further manipulation down the line. Decrypted logs show victim communications. Interestingly, shares the same log string convention as the sniffer in the STDN set.| |---|---| ----- ### Exploits |Filename|p9| |---|---| |MD5|2213867345a51ecf09d3a747046af78c| |Size|6.2KB| |File Type|SunOS SPARC Binary| |Source|http://borax.polux- hosting.com/madchat/reseau/advisoriez/sun/sunos/5.6/ping.c| |Notes|Exploits a buffer overflow in the SunOS ping program used to privilege escalation as root.| |Filename|rdi| |---|---| |MD5|34c3ea4d6cc814a174579d295bdd028d| |Size|25KB| |File Type|SunOS SPARC Binary| |Source|http://www.securiteam.com/exploits/3V5QFQ0N5S.html| |Notes|Exploit against SunOS rdist program for privilege escalation as root.| |Filename|ufsr| |---|---| |MD5|07f070302f42219d37419d23ff9df091| |Size|5.9KB| |File Type|SunOS SPARC Binary| ----- |Source|http://seclists.org/bugtraq/1998/Jun/73| |---|---| |Notes|‘ufsrestore’ exploit (Released 1998)| |Filename|ux| |---|---| |MD5|b831cbffa1aee70252bb0f6862265cc9| |Size|7.4KB| |File Type|SunOS SPARC Binary| |Source|http://borax.polux- hosting.com/madchat/reseau/advisoriez/sun/sparc/2.4/holeut mp.c| |Notes|Removes a user from utmp logs.| ----- ## SPTAR – Improved SPARC Attack Set ### Overview SPTAR appears to be an improved toolkit, similar in composition to ETAR1. Many of the binaries are the same. Interesting divergences appear to be modified binaries that include new or improved functionality. In some cases, the operators decided to fold in standalone tools into combined binaries. They’ve also included a new log cleaner. ### Tools |Filename|deg| |---|---| |MD5|8b56e8552a74133da4bc5939b5f74243| |Size|8.5KB| |File Type|SunOS SPARC Binary| |Notes|This is an improved tunnel redirector with functionality similar to in the ETAR1 set. The major modification appears to be an attempt to hide in memory.| |Filename|lopg (2)| |---|---| |MD5|1980958afffb6a9d5a6c73fc1e2795c2| |Size|45KB| |File Type|SunOS SPARC Binary| |Source|http://phrack.org/issues/51/6.html http://seclists.org/bugtraq/1995/May/171| |Notes|Yet another LOKI2 variant, built on top of the improved described in the ETAR1 set but with additional functionality. The attackers have folded in ‘utmprm’, a utmp log cleaning exploit included as a standalone binary in ETAR1 and other sets.| ----- |Filename|wp| |---|---| |MD5|e69efc504934551c6a77b525d5343241| |Size|11KB| |File Type|SunOS SPARC Binary| |Source|http://www.afn.org/~afn28925/wipe.c| |Notes|USAGE: wipe [ u|w|l|a ] ...options... Partially based on source Wipe 1.00 by The Crawler System access log cleaner tool, most likely not written by the attackers. It cleans activity logs in the following system files: ● /var/adm/utmp ● /var/adm/utmpx ● /var/adm/wtmp ● /var/adm/wtmpx ● /var/adm/lastlog| ### Exploits |Filename|eje| |---|---| |MD5|7bc9d8da363091ad57456f8bd5027ab0| |Size|4.1KB| |File Type|SunOS SPARC Binary| |Source|http://insecure.org/sploits/solaris.eject.html| |Notes|‘/bin/eject’ buffer overflow for privilege escalation as root.| ----- |Filename|ffb| |---|---| |MD5|26143b006710455888e01df9b58e1913| |Size|5.8KB| |File Type|SunOS SPARC Binary| |Source|https://www.exploit-db.com/exploits/19159/| |Notes|FFB buffer overflow that allows user to gain root access, discovered by Cristian Schipor| |Filename|sc| |---|---| |MD5|f684ecccd69cca88ba8508711f140240| |Size|3.4KB| |File Type|SunOS SPARC Binary| |Notes|A tool to run a root shell (/bin/sh) by forcing setuid 0 and setgid 0 in an attempt to escalate privileges.| ----- ## LUTAR – An Early Covert Communications Set ### Overview The LUTAR set appears to have a particular focus on stealth and is comprised of an largely unmodified LOKI2 backdoor, a custom ICMP redirector client meant to interact with it, a simple setuid/getuid attempt to get root shell described in SPTAR, and a utmp access log cleaner. Given the lack of modification to the LOKI2 backdoor, this set is likely an early attempt that came before ETAR1 and SPTAR. ### Tools |Filename|cli| |---|---| |MD5|f106ab64b0dc773167a82da7635dfe27| |Size|10KB| |File Type|SunOS SPARC Binary| |Notes| is a custom ICMP redirector client likely meant to interact with LOKI2 samples. Upon execution it requests the following: ● Enter listen port: ● Enter dst port: ● Enter dst redirect address: ● Enter src addr (in packet): ● Enter dst addr (in packet): It appears that some strings were exchanged back and forth during development as a specific string is shared with the and LOKI2 samples: ● "ERROR: Can not open socket...." Interestingly, the file contains more than the operators’ adorably broken English. This binary includes a compilation bath that reveals the development name as ‘spy_cli.c’ and the user profile ‘iron’: “/disk3/volume_2/users/iron/myprg/| ----- |Col1|redirect/solaris/icmp_redirect; //opt/SUNWspro/bin/../SC4.2/bin/cc -O -lsocket -lnsl -c spy_cli.c - W0,-xp”| |---|---| |Filename|lc| |---|---| |MD5|14cce7e641d308c3a177a8abb5457019| |Size|14KB| |File Type|SunOS SPARC Binary| |Source|http://phrack.org/issues/51/6.html| |Notes| is a relatively straightforward compilation of the LOKI2 source code with some modifications such as the inclusion of a log file called ‘loki.log’, bang replacements for commands (as seen in and ), and connection strings: ● ----- Connected to: %s at %s ● ----- Disconnected from: %s at %s This is likely an earlier attempt than those witnessed in the ETAR1 and SPTAR sets as the original LOKI2 strings are largely intact.| ----- ## IMI – IRIX Tool and Exploit Set ### Overview The IMI toolkit is an IRIX focused toolkit comprised of ported tools seen in the ETAR1 archive like (now ) and the variant of LOKI2 (now ). Additionally, a wealth of different exploits are included focused on providing privilege escalation. ### Tools |Filename|ilok| |---|---| |MD5|155d251e6e0dabce21ab26bd03487066| |Size|18KB| |File Type|IRIX MIPS Binary| |Notes|IRIX version of tool described in the ETAR1 set.| |Filename|loi| |---|---| |MD5|dabee9a7ea0ddaf900ef1e3e166ffe8a| |Size|29KB| |File Type|IRIX MIPS Binary| |Source|http://phrack.org/issues/51/6.html| |Notes|IRIX version of the variant of the LOKI2 backdoor described in ETAR1.| |Filename|snc| |---|---| |MD5|c73bf945587aff7bc7761b16fc85b5d7| ----- |Size|12KB| |---|---| |File Type|IRIX MIPS Binary| |Notes|A tool to run a root shell (/bin/sh) by forcing setuid 0 and setgid 0 or setuid to a user defined value. This is useful if you can get a root user to mark the binary as suid, then you can store it in a hidden place on the machine as an easy way to escalate privileges.| ### Exploits |Filename|daynotify.sh| |---|---| |MD5|10096abc73b7b7540b607c0ac1a27b49| |Size|1.3KB| |File Type|Script| |Source|http://insecure.org/sploits/IRIX.day5notifier.html| |Notes|Copy of a shell executable script written by Mike Neuman in August, 1996 to showcase an exploitable vulnerability in the ‘day5notifier’ program in IRIX 6.2. The attackers copied Neuman’s exact script which allows command execution as root.| |Filename|io| |---|---| |MD5|25bcfc394d44d717f20d416354d2126e| |Size|176 bytes| |File Type|Script| |Source|https://www.exploit-db.com/exploits/19163/| |Notes|Exploits a vulnerability in the IRIX 6.4 ioconfig binary to allow the execution of arbitrary programs as root Reported by Loneguard and classified as CVE-1999-0314 Exact PoC code shown here with a few comment lines removed| ----- |Filename|eject| |---|---| |MD5|864e1d74e610a48c885ac719b5564eb1| |Size|17KB| |File Type|IRIX MIPS Binary| |Source|https://www.exploit-db.com/exploits/19277/| |Notes|Irix exploit by Last Stage of Delirium: “A vulnerability exists in the eject program shipped with Irix 6.2 from Silicon Graphics. By supplying a long argument to the eject program, it is possible to overwrite the return address on the stack, and execute arbitrary code as root. Eject is normally used to eject removeable [sic] media from the system, and as such is setuid root to allow for any user at the console to perform eject operations.”| |Filename|log| |---|---| |MD5|a26bad2b79075f454c83203fa00ed50c| |Size|12KB| |File Type|IRIX MIPS Binary| |Source|http://insecure.org/sploits/IRIX.login.overflow.html| |Notes|IRIX v5 and v6 ‘/bin/login’ exploit, originally found by David Hedley and posted on Bugtraq on 26 May 1997. Shellcode highlighted below:| ----- |Col1|Tool was compiled by user “max”. User “max” also compiled the “tdn” tool for IRIX.| |---|---| |Filename|pset| |---|---| |MD5|86499f8e6cfc90770a65dc30f1c9939b| |Size|17KB| |File Type|IRIX MIPS Binary| |Source|https://www.exploit-db.com/exploits/19347/| |Notes|‘/sbin/pset’ exploit for IRIX: “The pset utility, as shipped by SGI with Irix 5.x and 6.x through 6.3, contains a buffer overflow, which can allow any user on the system to execute arbitrary code on the machine as root. Pset is used to configure and administer processor groups in multiprocessor systems. By supplying a well crafted, long buffer as an argument, the return address on the stack is overwritten, allowing an attacker to execute code other than that which was intended.”| ----- |Filename|xconsole| |---|---| |MD5|f67fc6e90f05ba13f207c7fdaa8c2cab| |Size|13KB| |File Type|IRIX MIPS Binary| |Source|http://insecure.org/sploits/IRIX.xconsole.cdplayer.xwsh.monpan el.html| |Notes|‘/usr/bin/X11/xconsole’ buffer overflow exploit for IRIX by David Hedley.| |Filename|xlock| |---|---| |MD5|5937db3896cdd8b0beb3df44e509e136| |Size|16KB| |File Type|IRIX MIPS Binary| |Source|ftp://ftp.ntua.gr/mirror/technotronic/unix/irix- exploits/6.2/xlock.c| |Notes|IRIX 6.2 xlock exploit for arbitrary code execution as root.| |Filename|xterm| |---|---| |MD5|f4ed5170dcea7e5ba62537d84392b280| |Size|13KB| |File Type|IRIX MIPS Binary| |Source|https://cliplab.org/~alopez/bugs/bugtraq/0307.html| |Notes|IRIX exploit for ‘/usr/bin/X11/xterm’ by David Hedley| ----- ## IMTAR – IRIX Tool and Exploit Set ### Overview Improved IRIX toolkit including the LOKI2 variants with added functionality, additional privilege escalation exploits, and log cleaners. ### Tools |Filename|ig| |---|---| |MD5|4110c87e966d4ce6a03c5375353969af| |Size|77KB| |File Type|IRIX MIPS Binary| |Notes|Gzip tool compiled for IRIX, renamed to “ig”| |Filename|lo (2)| |---|---| |MD5|f8df359c909ae12f313d9444a6d958d2| |Size|41KB| |File Type|IRIX MIPS Binary| |Source|http://phrack.org/issues/51/6.html| |Notes|IRIX port of the variant of LOKI2, minor differences from .| |Filename|los| |---|---| |MD5|e59f92aadb6505f29a9f368ab803082e| ----- |Size|37KB| |---|---| |File Type|IRIX MIPS Binary| |Source|http://phrack.org/issues/51/6.html| |Notes|IRIX port of the more advanced variant of LOKI2 that includes the custom put/get functionality and as well as /.| |Filename|ua (or UCL2)| |---|---| |MD5|73a518f0a73ab77033121d4191172820| |Size|17KB| |File Type|IRIX MIPS Binary| |Notes|IRIX log cleaner. English proficiency suggests it was not written by the operators. Strings were ported back to with misspellings.| ### Exploits |Filename|df3| |---|---| |MD5|008ea82f31f585622353bd47fa1d84be| |Size|12KB| |File Type|IRIX MIPS Binary| |Source|https://www.exploit-db.com/exploits/19274/| |Notes|‘/bin/df’ buffer overflow Irix exploit by David Hedley released in 1997.| ----- |Filename|sc (2)| |---|---| |MD5|59198b97f29fcf6e17f8653a99732a74| |Size|12KB| |File Type|IRIX MIPS Binary| |Notes|A tool to run a root shell (/bin/sh) by forcing setuid 0 and setgid 0 in an attempt to escalate privileges.| |Filename|ux (2)| |---|---| |MD5|dc9d91e8b2a90df6d25663778a312014| |Size|17KB| |File Type|IRIX MIPS Binary| |Notes|IRIX port of utmprm, which removes a user from utmp logs.| ----- ## ITDN – IRIX Sniffer Set ### Overview Small set consisting of an IRIX sniffer and its configuration file. The script places the ports to capture onto a file stored at ‘/var/tmp/task’ and checked by at startup. ### Tools |Filename|tdni| |---|---| |MD5|74af85d293ceb1cfd1a47c0d794e44d5| |Size|277KB| |File Type|IRIX MIPS Binary| |Notes|IRIX port of the sniffer tool described in the ETAR1 set. It uses ‘/var/tmp/task’ to read the libpcap rules that will be applied to the network traffic. Configuration script is described below. When compiled, the tool source was located in the following path: irix:/usr/people/max/mytdn- nsl/tcpdump-3.3/./tcpdump.c| |Filename|ts| |---|---| |MD5|84218bfec08af6a329a277cad9e0044a| |Size|60 bytes| |File Type|Script| |Notes|Script to configure the tdn sniffer to capture telnet, ftp and rlogin packets by port number.| ----- ## STDN – SPARC Sniffer Set ### Overview Small Solaris sniffer set. Interestingly, this includes both a malfunctioning sniffer () and a working version already seen in ETAR1. It’s possible that this set came before ETAR1 and was used during a testing phase. Interestingly, despite the issues with , the developers return to ‘solsniffer’ to develop , their most improved sniffer. ### Tools ``` Filename ora MD5 7b86f40e861705d59f5206c482e1f2a5 Source http://read.pudn.com/downloads/sourcecode/hack/sniffer/951 /solsniffer.c__.htm Merged with: http://www.mit.edu/afs.new/athena/astaff/source/src 9.3/third/sysinfo/lib/std/dlpi.c File Type SunOS SPARC Binary Notes Tool is based on solsniffer, from 1994, created by Michael R. Widner (atreus, J.Galt). It was merged with Neal Nuckolls's (Sun Internet Engineering) DLPI "test" kit. It has built in support to filter out smtp, ftp, rlogin and telnet connections. The main purpose would be the interception of usernames and passwords leaked by the insecure authentication methods from these protocols. It checks for the presence of “/var/tmp/gogo” and will exit without displaying any errors if the file is missing. ``` |Filename|ora| |---|---| |MD5|7b86f40e861705d59f5206c482e1f2a5| |Source|http://read.pudn.com/downloads/sourcecode/hack/sniffer/951 /solsniffer.c__.htm Merged with: http://www.mit.edu/afs.new/athena/astaff/source/src- 9.3/third/sysinfo/lib/std/dlpi.c| |File Type|SunOS SPARC Binary| |Notes|Tool is based on solsniffer, from 1994, created by Michael R. Widner (atreus, J.Galt). It was merged with Neal Nuckolls's (Sun Internet Engineering) DLPI "test" kit. It has built in support to filter out smtp, ftp, rlogin and telnet connections. The main purpose would be the interception of usernames and passwords leaked by the insecure authentication methods from these protocols. It checks for the presence of “/var/tmp/gogo” and will exit without displaying any errors if the file is missing.| |Filename|tdn| |---|---| |MD5|927426b558888ad680829bd34b0ad0e7| |Size|91KB| ----- |File Type|SunOS SPARC Binary| |---|---| |Notes|Sniffer described in detail in the ETAR1 Set where it is leveraged with a different configuration script Known shell scripts that write to ‘/var/tmp/task’ are , and .| |Filename|tsa| |---|---| |MD5|58e4aa80f14c16e9292bd8f4535fb0cd| |Size|74 bytes| |File Type|Script| |Notes|Script to configure the tdn sniffer to capture telnet, ftp, pop3 and rlogin packets by port number.| ----- ## STR – Improved SPARC Sniffer Set ### Overview This set is comprised of a vastly improved Solaris sniffer and tools for post-processing the information captured with it. These include scripts to cut out IPs from logs, a utility to resolve those IPs to hostnames, and a script and a gzip binary to prepare files for exfiltration. ### Tools |Filename|g| |---|---| |MD5|338f20250b99d8dc064ba7ce8a9f48e1| |Source|68KB| |File Type|SunOS SPARC Binary| |Notes|Compiled version of gzip, renamed to “g”.| |Filename|get| |---|---| |MD5|7c930162a676c46ac590342c91402dca| |Size|9.5KB| |File Type|SunOS SPARC Binary| |Notes|Tool which uses gethostbyaddr to get the internet host names for all the IPs specified in an input file. It writes the resolved hostnames into an output file and logs errors to “error.log”.| |Filename|gr| |---|---| |MD5|d8347b2e32086bd25d41530849472b8d| |Size|342 bytes| ----- |File Type|Script| |---|---| |Notes|Shell script to extract all unique source and destination IP addresses from td_tr “RES.u” and “RES.s” logs into the output file “list”.| ``` Notes One of the main sniffer tools used by the attackers. A combination of “ora” and “tdn”, it is compiled from the improved 951 version of , released in 1994, tcpdump, and libpcap. It captures packets for commonly used insecure authentication protocols (such as ftp, telnet, pop3) and logs these sessions into a text file with the hardcoded name “RES.u”. The tool contains another filename “RES.s” which is not used in the current versions. Text files contain entries such as: ``` |Filename|td_tr| |---|---| |MD5|66c8fa9569d6b5446eb865544ed67312| |Size|187KB| |File Type|SunOS SPARC Binary| |Source|http://read.pudn.com/downloads/sourcecode/hack/sniffer/951/s olsniffer.c__.htm Tcpdump version 1.18| |Notes|One of the main sniffer tools used by the attackers. A combination of “ora” and “tdn”, it is compiled from the improved 951 version of , released in 1994, tcpdump, and libpcap. It captures packets for commonly used insecure authentication protocols (such as ftp, telnet, pop3) and logs these sessions into a text file with the hardcoded name “RES.u”. The tool contains another filename “RES.s” which is not used in the current versions. Text files contain entries such as:| ----- |Col1|Due to the proliferation of this sniffer, the hackers essentially created their own archeological trail, by sniffing their own activities as they proxied through infected systems and then proceeding to exfiltrate these records along with what they were actually interested in removing.| |---|---| |Filename|tr| |---|---| |MD5|35f87672e8b7cc4641f01fb4f2efe8c3| |File Type|Script| |Size|177 bytes| |Notes|Shell script which automates several tasks: ● Capture network packets using td_tr ● Extract all unique source and destination IPs using “gr” ● Get corresponding internet host names for all IPs into a filename called “RES” ● Add “RES” to “res.tar” ● Gzip the “res.tar” using compression level -9| -----