Re: Linux Kernel Exploits / ABFrag

In-Reply-To: <20021018184346.B44C5425C@xxxxxxxxxxxxxxxxxxxxx>


>I smell Burneye !! ..... what do you guys think ?

If you download the ABfrag file from 
http://www.linuxsecurity.com/articles/intrusion_detection_article-
5933.html, and view or run strings on the file, you will see the burneye 
signature in the file header:

TEEE burneye - TESO ELF Encryption Engine

I'm wondering if there is any way to determine the burneye options used by 
analyzing the encrypted file? I doubt it, but does anyone have any 
experience with this?

Looks like we need to get brute forcing that password (could be nearly 
impossible), or perhaps find a good reverse engineer. I recall reading 
material by Dave Dittrich about trying to reverse engineer the x2 SSH 
exploit that had been protected with burneye. I also came across an 
article somewhere, perhaps on the teso website, that talked about the 
sorry state of the "white hat" reverse engineers. Personally, I could not 
reverse engineer myself out of a wet paper bag.

I'm very curious to learn more about this exploit, and would enjoy seeing 
the IDS activity discussed in the first message in this thread. Do we have 
enough to make a snort signature? Did you get an image of the systems 
memory at the time of the exploit? Perhaps there is a snowballs chance in 
hell that the password used to run the executable could be recovered.


Curt Wilson
Netw3 Security
www.netw3.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com