I am forced to mention that with source code available, I don't think it will be very long before someone adds a byte / changes the encryption / et al. in order to better hide the trojan.

-----Original Message-----
From: Technical Incursion Countermeasures [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 14, 1999 7:42 AM
To: Jen
Cc: [EMAIL PROTECTED]
Subject: Re: BO2K

At 18:33 13/07/99 -0700, you wrote:
>Okay, maybe I should have narrowed the question ... I'm pretty aware of
>where to get copies of BO2K, and where to go for info. What I was asking
>was how in particular does one detect something that could come in many
>different forms (since source code is being released)? Preventative
>measures are good, but I'm also interested in contingency measures.

Hi Jen,

from the ISSALERT...

"The format of the BO2k packets is [Length (4 bytes)][Data that is 'Length' long]

By looking for a series of packets that contain a 4 byte length (in little-endian byte order), followed by that length of data, you can detect all BO2k packets, regardless of the encryption used. This format is used on both the TCP and UDP transports.

To decrypt the packets using the XOR encryption, XOR the 4 bytes starting at offset 4 with the value 0x3713C3CD (0xCDC31337 in little-endian order). This will give you the XOR encryption key, which is generated from the XOR key configured by the user. You can then XOR that 4 byte key with the rest of the packet -- XOR it with the 4 bytes at offset 8, 12, 16, etc. This will reveal a packet structure that is described in the BO2k source code."

So you could pick up the packets using your IDS.

If you were willing to spend the time you could also set up your IDS to ignore the protocols allowed on your network and alarm on the rest - though this assumes you are running a very tightly managed network - i.e. no M$ machines with their buckets of broadcasted protocols...

A possibly better contingency is to switch over to using an Application Proxy firewall. The speed is not really a problem anymore what with PIII machines available now - so you could go that route and effectively block all unauthorised traffic...

There are centrally managed tools for system level IDS - ISS has a couple as do the other manufacturers.. Remember though - they need quite a bit of fine tuning and a reasonable level of manpower to make them work well - you should do some serious planning prior as ad hoc installations at this scale are sure to make you unpopular..

Cheers,

Bret Watson
Technical Incursion Countermeasures
[EMAIL PROTECTED]
http://www.ticm.com/
ph: (+61)(041) 4411 149 (UTC+8 hrs)
fax: (+61)(08) 9454 6042

The Insider - an e'zine on Computer security
Call for papers Vol 3 Issue 2
http://www.ticm.com/info/insider/index.html

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
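The two steps the ISS alert quoted above describes, framing detection and XOR key recovery, as an added worked example; this is not code from the thread, from the alert or from the BO2K project. It assumes the length field counts only the bytes that follow it, that the magic value appears on the wire as the bytes 37 13 C3 CD (the DWORD 0xCDC31337 stored little-endian, which is how I read the alert's wording), that a frame's data is at least 4 bytes so it can hold that magic, and that a tail shorter than 4 bytes is XORed with the key bytes cycled. The sample frames are constructed here with a filler body; they are not the real BO2K command layout, which the alert only says is described in the source.

```python
import struct

# The magic DWORD the ISS alert cites: 0xCDC31337 stored little-endian, so it
# appears on the wire as the bytes 37 13 C3 CD.  (Reading of the alert's
# wording; assumption of this example.)
BO2K_MAGIC = struct.pack("<I", 0xCDC31337)


def frame_bo2k(buf: bytes, min_frames: int = 1):
    """Split buf into [Length (4 bytes, LE)][Data] frames, as the alert describes.

    Returns the list of frame payloads when buf is exactly a run of well-formed
    frames (at least min_frames of them), otherwise None.  A UDP datagram is one
    frame; a reassembled TCP stream may carry several back to back.
    """
    frames = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            return None                        # truncated length field
        (length,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        # Assumption: the data must at least hold the 4-byte magic DWORD.
        if length < 4 or pos + length > len(buf):
            return None                        # length does not fit the buffer
        frames.append(buf[pos:pos + length])
        pos += length
    return frames if len(frames) >= min_frames else None


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with the 4-byte key at offsets 0, 4, 8, ... of data.

    A tail shorter than 4 bytes is XORed with the key bytes cycled (assumption).
    XOR is its own inverse, so this both encrypts and decrypts.
    """
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def recover_xor_key(data: bytes) -> bytes:
    """XOR the first 4 data bytes (packet offset 4) with the magic; the result is the key."""
    if len(data) < 4:
        raise ValueError("frame too short to hold the magic DWORD")
    return bytes(a ^ b for a, b in zip(data[:4], BO2K_MAGIC))


def decrypt_frame(data: bytes) -> bytes:
    """Recover the key and XOR it over the whole frame data.

    The first 4 bytes decrypt back to the magic; the rest (packet offsets
    8, 12, 16, ...) is the structure the alert says the BO2K source describes.
    """
    key = recover_xor_key(data)
    plain = xor_bytes(data, key)
    assert plain[:4] == BO2K_MAGIC           # holds by construction of the key
    return plain


def detect_and_decrypt(buf: bytes):
    """Apply both steps to a datagram or a reassembled stream.

    Returns None when the framing does not match; otherwise a list of
    (recovered_key, decrypted_data) tuples, one per frame.
    """
    frames = frame_bo2k(buf)
    if frames is None:
        return None
    return [(recover_xor_key(f), decrypt_frame(f)) for f in frames]


def build_frame(body: bytes, key: bytes) -> bytes:
    """Build a constructed test frame: [len][XOR(magic + body, key)].

    The body is arbitrary filler for this example, not the real BO2K layout.
    """
    data = xor_bytes(BO2K_MAGIC + body, key)
    return struct.pack("<I", len(data)) + data


if __name__ == "__main__":
    # Constructed sample traffic: two frames back to back, as on a TCP stream,
    # each XORed with a different key, then a non-BO2K datagram for contrast.
    stream = (build_frame(b"constructed sample body", bytes.fromhex("a1b2c3d4"))
              + build_frame(b"second", bytes.fromhex("01020304")))
    for key, plain in detect_and_decrypt(stream):
        print("key", key.hex(), "magic", plain[:4].hex(), "body", plain[4:])
    print("HTTP request framed as BO2K?", detect_and_decrypt(b"GET / HTTP/1.0\r\n\r\n"))
```

Two caveats when using this as a detection rule. The framing check is the part that survives a change of encryption module, but on its own it is weak: any datagram whose first DWORD happens to equal its remaining length passes, so it should be confirmed by decrypting and checking that the result has the structure the alert refers to. The key recovery, on the other hand, produces a 4-byte "key" from any input (it is just four bytes XORed with a constant), so it only means something if the remainder decrypts sensibly, and a rebuild from source that changes the magic constant or the length encoding, as the top of this thread worries about, defeats the key recovery and the framing check respectively.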
