International Journal of Inactivism (now supplanted by Decoding SwiftHack)

2009/12/25

What we know about the CRU attacker, part 4: ho ho ho!

Filed under: Climatic Research Unit crack — stepanovich @ 00:08

[cite as: F. Bi. 2009. What we know about the CRU attacker, part 4: ho ho ho! Intl. J. Inact., 2:110]

Ho ho ho! Merry Christmas to all!1 🙂 Today I looked once more at the material cracked from the cyber-attack on CRU, and this time I finally decided (!) to peer into the contents of the files. Now, the .zip file with the cracked material contains several Microsoft Word .doc files. Of these, 9 files have modification times that have been doctored to read 1 Jan 2009 00:00 local time, 05:00 UTC; and of these 9 files, 5 have file sizes which aren’t neat multiples of 256:

  • FOIA/documents/magicc-tomike.doc (35,341 bytes)
  • FOIA/documents/potential-funding.doc (25,613 bytes)
  • FOIA/documents/sealevel_params.doc (34,317 bytes)
  • FOIA/documents/uea-tyndall-shell-memo.doc (23,053 bytes)
  • FOIA/documents/unit-proposal.doc (30,221 bytes)

In fact, when you divide the sizes of these files by 256, you get a remainder of exactly 13. Let’s take a look at the last few bytes of the file FOIA/documents/unit-proposal.doc. They look like this:

000075C0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
000075D0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
000075E0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
000075F0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
00007600   73 68 2D 33  2E 31 24 20  65 78 69 74  0A           sh-3.1$ exit.

The other 4 files are similar. So, somehow a shell prompt and a shell command (of 13 bytes) were appended to a .doc file. I don’t know what would cause this, but it certainly doesn’t look normal to me.
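As an added example (not code from the original post), here is a small Python triage script that does the same size arithmetic and trailer inspection on a constructed sample. It assumes the legacy .doc layout, an OLE2 compound file built from 512-byte sectors, which is why an intact file's size should be a multiple of 512 and hence of 256; the sample bytes are constructed here, not taken from the leaked files.

```python
import re
from typing import Optional

# Legacy .doc files are OLE2 compound documents: a 512-byte header followed by
# 512-byte sectors, so an intact file's size is a multiple of 512 (and of 256).
# The five files discussed in the post each leave a remainder of 13.
SECTOR = 256
# Prompt-plus-command shape of the residue seen in the post, e.g. "sh-3.1$ exit\n".
SHELL_RESIDUE = re.compile(rb"(?:ba)?sh-\d+\.\d+[$#] [^\n]*\n?$")


def trailing_bytes(data: bytes, align: int = SECTOR) -> bytes:
    """Return the bytes past the last `align`-byte boundary (empty if aligned)."""
    return data[len(data) - (len(data) % align):]


def classify_trailer(data: bytes) -> Optional[str]:
    """Describe an unaligned trailer: shell-session residue or something else."""
    tail = trailing_bytes(data)
    if not tail:
        return None
    if SHELL_RESIDUE.search(tail):
        return "shell-session residue: %r" % tail
    return "unaligned trailer of %d bytes: %r" % (len(tail), tail[:32])


def hexdump_tail(data: bytes, lines: int = 2) -> str:
    """Render the last `lines` 16-byte rows in the layout used by the dump above."""
    start = max(0, (len(data) - 1) // 16 - lines + 1) * 16
    rows = []
    for off in range(start, len(data), 16):
        chunk = data[off:off + 16]
        groups = [" ".join("%02X" % b for b in chunk[i:i + 4]) for i in range(0, len(chunk), 4)]
        printable = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%08X   %s  %s" % (off, "  ".join(groups).ljust(50), printable))
    return "\n".join(rows)


def triage(data: bytes) -> dict:
    """Summarise the size arithmetic and trailer classification for one file."""
    return {"size": len(data), "remainder_mod_256": len(data) % SECTOR,
            "trailer": classify_trailer(data)}


# Constructed sample: 0x7600 bytes of padding standing in for a sector-aligned
# document body, followed by the 13-byte trailer shown in the post.
SAMPLE_DOC = b"\x00" * 0x7600 + b"sh-3.1$ exit\n"

if __name__ == "__main__":
    print(triage(SAMPLE_DOC))
    print(hexdump_tail(SAMPLE_DOC))
```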

Footnotes

  1. And to those who don’t celebrate Christmas: Happy Holidays! 🙂

1 Comment »

  1. “Looks like the attacker used some method of breaking into the machine
    where the file was stored (or where it was accessible over the network),
    ran something like “cat file.doc” and on his local machine ran a screen
    capture program to capture the results. Exiting the interactive shell
    on the compromised machine left the residue in the result that the
    attacker was too lazy to remove. This is especially likely to be the
    case if normal .doc files are a multiple of 256 bytes.”

    Comment by Anna — 2009/12/27 @ 05:44 | Reply
