HOLA 2


Hackers of the Lost Ark Winning Answers

By: John Tennyson

1) The DIR and FIND commands' purpose was to find files whose filename contains LostArk; however, the parameters of the DIR command are somewhat of a mistake.

/A:hsr-h-s-r seems to be an attempt to list all files, including those which are hidden, system and read-only, but ends up just listing normal files; it even ends up excluding read-only files, which a normal DIR would not do. Evidence as follows from a Win2k3 system:

C:\WINDOWS>dir /a:s bootstat.*
Volume in drive C has no label.
Volume Serial Number is 3490-49C9

Directory of C:\WINDOWS

06/16/2004 02:46 AM 2,048 bootstat.dat
1 File(s) 2,048 bytes
0 Dir(s) 4,902,424,576 bytes free

C:\WINDOWS>dir /a:hsr-h-s-r bootstat.*
Volume in drive C has no label.
Volume Serial Number is 3490-49C9

Directory of C:\WINDOWS

File Not Found

C:\WINDOWS>dir /a:r W*
Volume in drive C has no label.
Volume Serial Number is 3490-49C9

Directory of C:\WINDOWS

04/07/2004 12:38 PM <DIR> Web
04/07/2004 12:38 PM 749 WindowsShell.Manifest
1 File(s) 749 bytes
1 Dir(s) 4,902,424,576 bytes free

C:\WINDOWS>dir /a:hsr-h-s-r W*
Volume in drive C has no label.
Volume Serial Number is 3490-49C9

Directory of C:\WINDOWS

04/07/2004 12:40 PM 477 win.ini
06/16/2004 01:55 PM 188,560 Windows Update.log
03/25/2003 08:00 AM 256,192 winhelp.exe
03/25/2003 08:00 AM 272,896 winhlp32.exe
04/07/2004 08:16 AM <DIR> WinSxS
04/07/2004 12:40 PM 240 wmsetup.log
04/07/2004 12:39 PM 316,640 WMSysPr9.prx
05/26/2004 10:00 AM 754 WORDPAD.INI
7 File(s) 1,035,759 bytes
1 Dir(s) 4,902,424,576 bytes free

C:\WINDOWS>

In addition, the find is case-sensitive and shows line numbers (the /N).

2) strings is a non-normal W2k3 command from the unix world that was either installed by an administrator or the hackers to detect text strings within binary files. The -a option to strings checks the whole file, including non-initialized and non-loaded sections and past EOF. [It actually means to search for ASCII strings -- Ed] This is useful if the text was hidden in a binary file, referenced by a binary file, or in a text file which has a false end of file. They were searching for the identification number of the ark (presumably they had obtained the txt file found with the previous commands through some other method (Back Orifice, ftp, etc.)) and found out the ID number.

3) lads is a non-standard W2k3 command that was downloaded by either an administrator or the hackers to scan NTFS alternate data streams for information. They are looking for additional information with LostArk in the name that can be attached to files and directories in NTFS. This information could be attached to anything and it would not show up in normal operation. The find command here is case-sensitive.

4) dd is a non-standard W2k3 command from the unix world that was either installed by an administrator or the hackers. dd does a binary copy of data; they appear to be attempting to get a full dump of PhysicalMemory, which can then be used for passwords or other open or encoded information that may be cached in memory. However, "standard" ports of dd do not function this way in a W2k3 world, so this may be a custom port. (Cygwin dd, etc. does not.)

5) As mentioned in the answer to #1, they failed in searching for hidden, system and read-only files, so an additional DIR C:\*.* /a:h /S >> file2.txt followed by DIR C:\*.* /a:s /S >> file2.txt and DIR C:\*.* /a:r /S >> file2.txt and the comparable find /N "LostArk" file2.txt would be useful.

In addition, all three finds (the first one, the one from the lads command and this one) could be re-run with /I to ignore the case of "LostArk".

In addition, common compression tools (pkzip, rar, cab, gzip, etc.) could be utilized to check the contents of compressed files.

Also, more difficult would be either a programmatic or manual review of graphics, PostScript/PDF and Word doc files for references to the Ark, etc., after downloading any non-standard fonts, as the information can be drawn (either raster or vector) or a simple custom font can be utilized.

A grep-like utility could be utilized to scan for case-insensitive versions of both LostArk and 9906753.

Common early obfuscation techniques (XOR, simple ciphers) could be run on both "LostArk" and "9906753", and the results plugged into a grep-like utility to scan for simple ciphers.

By using all the other previously mentioned find/grep methods, Jones or Indiana could be searched for, since presumably there may be a record of who did the original retrieval and maybe cross-references to other files or documents that could lead to more information.

A passive network sniffer could be set up and traffic watched to see what information the attackers have so that it could be acted upon (presuming, of course, that you trust that your response time will be faster than the attackers').

The non-allocated and bad disk space could be scanned for occurrences of LostArk and 9906753 and Jones and Indiana for possibly deleted or obfuscated files (it has been known to occur where sectors will be marked bad and used by low-level functions to hide data).

The swap/virtual memory files could be scanned using binary grep and/or strings (presumably with the system hard-crashed to a CD boot) to scan for non-physical memory references to LostArk and 9906753 and Jones and Indiana.

New Jersey could bring in additional experts because, no matter how thorough a person is, they can always miss something. In addition, the proper channels would need to be notified in case there is someone in the chain of command that happens to know about the Ark and would be able to move to protect it quicker.

In addition, people in the appropriate places of power from that era, and their successors if still alive, could be interviewed.

And that's all I can think of :)

--
John Tennyson
Sr. Systems Programmer
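The grep-like scan proposed in answer 5 (case-insensitive search for LostArk, 9906753, Jones and Indiana, plus the XOR and simple-cipher variants of those keywords), as an added example that is not part of John Tennyson's answer or of the original challenge materials. The needle list, the single-byte XOR key range, the Caesar/ROT shift range, the size cap and the sample buffer are assumptions constructed for the demo; run it against a mounted copy of the evidence, not the live system.

```python
# Added example for this page (not John Tennyson's code and not part of the
# original challenge materials). A grep-like scanner for the keywords his
# answer proposes, covering case-insensitive matches plus the simple
# obfuscations it mentions: single-byte XOR and Caesar/ROT shifts of the
# letters. The needle list, the XOR/ROT key ranges and the sample buffer
# below are all assumptions constructed for the demo.
import os
import re
import tempfile

NEEDLES = [b"LostArk", b"9906753", b"Jones", b"Indiana"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (key 0 is the identity)."""
    return bytes(b ^ key for b in data)


def rot_bytes(data: bytes, shift: int) -> bytes:
    """Caesar-shift ASCII letters only; digits and other bytes are unchanged."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:
            out.append((b - 0x41 + shift) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:
            out.append((b - 0x61 + shift) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


def build_patterns(needles=NEEDLES):
    """Compile one regex per (needle, variant): the plain needle matched
    case-insensitively, every single-byte XOR key 1..255, and ROT 1..25 for
    needles that contain letters (ROT of a pure digit string is a no-op)."""
    patterns = []
    for n in needles:
        text = n.decode("ascii")
        patterns.append((f"plain:{text}", re.compile(re.escape(n), re.IGNORECASE)))
        for key in range(1, 256):
            patterns.append((f"xor{key:02x}:{text}",
                             re.compile(re.escape(xor_bytes(n, key)))))
        if any(chr(b).isalpha() for b in n):
            for shift in range(1, 26):
                patterns.append((f"rot{shift}:{text}",
                                 re.compile(re.escape(rot_bytes(n, shift)), re.IGNORECASE)))
    return patterns


def scan_bytes(data: bytes, patterns):
    """Return sorted (offset, label) pairs for every variant found in data."""
    hits = []
    for label, rx in patterns:
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


def scan_tree(root: str, patterns, max_size=64 * 1024 * 1024):
    """Walk root and scan each regular file up to max_size bytes.
    Unlike a bare DIR, os.walk does not skip hidden, system or read-only
    files on Windows; it does not enumerate NTFS alternate data streams,
    so a lads-style tool is still needed for those."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read(), patterns)
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample: a fake binary holding the keywords in plain text, in a
# different case, XOR-ed with 0x5A, and ROT13-ed.
SAMPLE = (
    b"\x00\x01MZ junk header\x00"
    + b"crate id: 9906753\n"                # offset 27, plain
    + b"lostark shipment\n"                 # offset 35, case variant
    + xor_bytes(b"Indiana", 0x5A)           # offset 52, XOR 0x5A
    + b"\n" + rot_bytes(b"Jones", 13)       # offset 60, ROT13 ("Wbarf")
    + b"\n" + b"\x00" * 16
)


def demo_tree():
    """Write SAMPLE into a temp directory, scan it, and return the hit list."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.bin")
        with open(path, "wb") as fh:
            fh.write(SAMPLE)
        results = scan_tree(d, build_patterns())
        return results.get(path, [])


if __name__ == "__main__":
    for off, label in scan_bytes(SAMPLE, build_patterns()):
        print(f"{off:6d}  {label}")
```

Short needles under 255 XOR keys will occasionally hit random binary data, so treat XOR hits on a five-byte needle as leads to confirm by hand rather than findings; the plain and ROT variants are matched case-insensitively, which also covers the /I point raised above for the find commands.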