HOLA 6

Hackers of the Lost Ark Winning Answers

By: David Perez

Dear Mr. Jones,

I am writing this letter to you in the hope that it may be of some help to you in the investigation of this "Hackers of the Lost Ark" incident.


QUESTION 1 : What was the purpose of the attacker's "dir" and "find" commands?
==========

These were the two commands as shown in the command history:

  dir c:*.* /a:hsr-h-s-r /S > file.txt
  find /N "LostArk" file.txt

Here the attacker was searching for files containing the text "LostArk" in their file names, as in "LostArk.txt", which is the critical file we hope the attacker didn't find.

The first command creates a file named "file.txt" containing the names of a set of files. The specific set of files listed in file.txt is determined by the parameters of the dir command, as follows:

  dir      - Display a list of files and subdirectories in a directory, including their last modification time and size along with their file names. This is a standard internal command of the WINIAC (Windows 2003 Server) shell interpreter (cmd.exe).

  c:*.*    - List all files (*.* is a wildcard matching any file name) in the current directory of logical drive C:.

The prompt in the screenshot provided shows the current directory after the execution of all commands as the root directory of the C drive ("C:\>"), and none of the commands executed changed the current directory, so we can safely deduce that the current directory at the time of the execution of all commands was "C:\", the root directory of the C drive. Therefore, this parameter was equivalent to "c:\*.*".

  /a:hsr-h-s-r   - Select only those files which do not have the hidden (h), system (s), and read-only (r) attributes set.

Attributes that the files must have are specified with single letters after the "/a:" option. An "h" means files must have the hidden attribute set, an "s" means files must have the system attribute set, and so on. If more than one attribute is specified, as in "hsr", then the file must have all of those attributes set to be listed. A minus sign right before an attribute letter indicates that files must NOT have that attribute set. Thus, "-h-s-r" indicates that files must not have any of those three attributes set.

The attacker specified both combinations together: "hsr-h-s-r". This seems contradictory! One would think that no file would ever match this pattern, because no file can have each attribute both set and unset at the same time. However, this search pattern is valid and it does match some files. In fact, it is completely equivalent to "-h-s-r", because of the way the parameters are processed by the command. The programmer could have chosen other algorithms, which could arguably be more logical, but he or she made the program process them as follows (or in an equivalent manner). Initially all attributes are marked as "any" (any value of the attribute would match). Then the attributes specified are processed sequentially. For each letter found without a preceding minus sign, that attribute is marked as "set" (the attribute must be set for a file to match). For each letter found with a preceding minus sign, that attribute is marked as "unset" (the attribute must not be set for a file to match). If a letter appears more than once, with and without the minus sign, only the last setting is remembered by the system.

  /S     - Display files in the specified directory and all subdirectories, recursively.

  > file.txt - Redirects the output (list of file names) to a file named "file.txt". If "file.txt" does not exist, it is created. If it exists, it is truncated and its contents are replaced by the output of this command.
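As an added example (not part of the original answer), the following Python models the sequential, last-setting-wins parsing of the "/a:" filter described above and applies it to a constructed file listing; the attribute letters, file names and attribute sets are assumptions for illustration, not data from the challenge image.

```python
# Added example (not from the original answer): models the "last setting
# wins" parsing of cmd.exe's "dir /a:" filter described above, so that
# "hsr-h-s-r" can be shown to select the same files as "-h-s-r".

ANY, SET, UNSET = "any", "set", "unset"
# Attribute letters modelled here: directory, hidden, system, read-only, archive.
ATTR_LETTERS = "dhsra"


def parse_attr_filter(spec: str) -> dict:
    """Turn the text after "/a:" into {letter: ANY | SET | UNSET}.

    Letters are processed left to right, a '-' negates the letter that
    follows it, and a later occurrence of a letter overrides an earlier one.
    """
    state = {letter: ANY for letter in ATTR_LETTERS}
    negate = False
    for ch in spec.lower():
        if ch == "-":
            negate = True
            continue
        if ch not in state:
            raise ValueError(f"unknown attribute letter: {ch!r}")
        state[ch] = UNSET if negate else SET
        negate = False
    return state


def matches(file_attrs: set, spec: str) -> bool:
    """True if a file carrying the given attribute letters passes the filter."""
    for letter, rule in parse_attr_filter(spec).items():
        has = letter in file_attrs
        if (rule == SET and not has) or (rule == UNSET and has):
            return False
    return True


# Constructed sample listing (not from the challenge image):
# (file name, attribute letters set on it).
SAMPLE_FILES = [
    ("LostArk.txt", {"h", "s"}),  # hidden + system: skipped by -h-s-r
    ("readme.txt", {"a"}),        # ordinary archive file
    ("notes.txt", set()),         # no attributes at all
    ("secret.txt", {"r"}),        # read-only
]


def select(spec: str) -> list:
    """Names from SAMPLE_FILES that 'dir /a:<spec>' would list."""
    return [name for name, attrs in SAMPLE_FILES if matches(attrs, spec)]
```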


The second command (find) searches the contents of the file "file.txt" and displays all lines containing the text "LostArk". The parameter "/N" tells the "find" program to also display the line number of each displayed line. The "find" command (find.exe) is a standard command that comes with Windows 2003 Server.

The combination of both commands would display the names (and modification time and size) of files and directories with all of the following characteristics:
     - the text "LostArk" is part of their name
     - the following attributes are NOT set: hidden, system and read-only
     - located in the C: logical drive

Since the attacker continued to look for the file containing the location of the Lost Ark ("LostArk.txt"), as will be seen in the next commands, it may be safely assumed that this first attempt to locate the file was not successful.



QUESTION 2 : What was the purpose of the attacker's "strings" command?
==========

This was the "strings" command executed by the attacker:

  strings -s -a c:\ | find "9906753"

This is actually the combination of two commands: "strings" and "find", tied together by the "|" sign, which takes the output from the first command and sends it to the standard input of the second.

The "strings" command is not included in a standard installation of Windows 2003 Server. This command must have been installed into the system at some point, either by the attackers (in a previous session) or by the system administrator; after all, it is a very useful tool, not only for attackers.

A copy of this tool can be downloaded from "http://www.sysinternals.com".

This is the explanation of its invocation by the attacker:

  strings   - Extracts and displays any string of ASCII and/or UNICODE characters longer than a certain threshold from a specified file or set of files.

  -s        - Recurse subdirectories

  -a        - Scan for ASCII strings only

  c:\       - Start searching at the root directory of the C: logical drive

This produces a list of all ASCII strings contained in all files of the C: logical drive, which is then piped into the standard input of the "find" command (because of the "|" sign).

The purpose of the "find" command, as it has already been explained, is to search for and display strings containing a specified text. In this case, it searches the standard input (the strings provided by the "strings" command) looking for the text "9906753" and displays any strings found containing that text, if any.

Since the attacker hadn't been successful in the search for the file named "LostArk.txt" he or she tried a different approach: somehow the attacker knew that "LostArk.txt" would contain the label "9906753" (the identification number of the Lost Ark) and was trying to find those contents directly.

However, the attacker continued to search for it with further commands, so most probably he or she wasn't successful this time either.



QUESTION 3 : What was the purpose of the attacker's "lads" command?
==========

This was the "lads" command executed by the attacker:

  lads c:\ /S | find "LostArk"

This is yet another combination of two commands: "lads" and our good old friend "find".

The "lads" command, as was the case with the "strings" command, is not included with Windows 2003 Server and must have been installed in the system beforehand.

A copy of this tool can be downloaded from "http://www.heysoft.de".

This is the explanation of its invocation by the attacker:

  lads  - Lists files with alternate data streams (ADS).

Information about alternate data streams (ADS) can be found in many places around the internet with the help of any search engine. A good and concise summary is provided by the author of "lads" at "http://heysoft.de/nt/ntfs-ads.htm".

  c:\   - Start searching for files with ADS at the root directory of the C: logical drive

  /S    - Recurse subdirectories

This produces a list of all files that have alternate data streams, together with the stream names, which once again is piped into the standard input of the "find" command.

In this case the "find" command searches for the string "LostArk". This would list only those files stored in ADS with the text "LostArk" in their name. If the file "LostArk.txt" was stored in ADS in the C: drive it would show up.

However, once again, the attacker continues the search with the next command, which suggests that he or she wasn't successful this time either.


QUESTION 4 : What was the purpose of the attacker's "dd" command?
==========

This was the "dd" command executed by the attacker:

  dd if=\\.\PhysicalMemory conv=noerror

The "dd" command, again, is not included with Windows 2003 Server and must have been installed in the system beforehand.

A copy of this tool can be downloaded from "http://users.erols.com/gmgarner/forensics/".

This is the explanation of its invocation by the attacker:

  dd  - Makes a binary copy from the source (standard input or specified with "if", see below) to the destination (standard output or specified with "of").

  if=\\.\PhysicalMemory  - Specifies the source for the copy. The path name "\\.\PhysicalMemory" is a special device file name that refers to the contents of the physical memory (RAM) of the server.

  conv=noerror  - Ignores any read error and continues copying the rest of the source.

In this case, the command as shown is probably truncated: the attacker may have included extra parameters that are not displayed in the command history window (F7), because that window has a fixed width and anything beyond that width is simply not shown. Most probably, the attacker piped the output to another "find" command searching for the identification number, as he or she did with the "strings" command.

This would give the attacker the contents of the "LostArk.txt" file should it be located in memory by any chance.

However, the file's contents would only be in memory if the file had been read before. Assuming nobody had found and read the file before the attacker, and that the system doesn't have a RAM disk configured, the probability of its contents being in memory is almost nil. Most probably, we were lucky and the sysadmin unplugged the system from the network before the attacker could find the super-secret location of the Lost Ark!


QUESTION 5 : Where else might the file be hidden on the system, and how would the attacker (as well as New Jersey Jones) find it?
==========

I bet the file is stored in plain sight (no hidden or similar attribute, not stored in ADS, not RAM disk, etc.), just in a different logical drive ("D:" for example). :-)

The attacker and Mr. Jones could find it simply by typing:

   dir <DRIVE_LETTER>:\*.* /s | find "LostArk.txt"

for each <DRIVE_LETTER> active in the system.

Another possibility is that the file was compressed inside a ZIP file, for example. In this case it could be found like this:

   strings -s c:\ | find "LostArk"

because the contents of the file would be compressed and therefore not directly readable, but file names are stored in pure ASCII inside the ZIP files.
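As an added example (not part of the original answer), the snippet below builds a small ZIP archive in memory from constructed content and runs a minimal ASCII strings-style scan over its raw bytes (a stand-in for "strings -a", not the Sysinternals tool itself): the deflated body no longer contains the identification number in the clear, but the entry name is stored in plain ASCII in both the local file header and the central directory, so a search for "LostArk" still finds it.

```python
# Added example (not from the original answer): builds a ZIP in memory from
# constructed content and runs a minimal strings-style scan over its raw
# bytes, to show that the entry name survives in plain ASCII while the
# compressed body does not.
import io
import re
import zipfile

MIN_LEN = 3  # minimum printable run, like the default of Sysinternals strings


def build_sample_zip() -> bytes:
    """Constructed archive holding a deflated LostArk.txt (sample data)."""
    body = b"The Lost Ark is stored under identification number 9906753\n" * 4
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("LostArk.txt", body)
    return buf.getvalue()


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Printable-ASCII runs of at least min_len bytes (what 'strings -a' prints)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, data)]


def strings_then_find(data: bytes, needle: str) -> list:
    """Emulate 'strings -a <file> | find "<needle>"' on an in-memory file."""
    return [s for s in ascii_strings(data) if needle in s]


def demo() -> dict:
    """Searches over the raw archive: the file name hits, the body misses."""
    raw = build_sample_zip()
    return {
        "name_hits": strings_then_find(raw, "LostArk"),
        "id_hits": strings_then_find(raw, "9906753"),
        "body_in_clear": b"9906753" in raw,
    }
```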

A third possibility is that the file was stored in C: with at least one of the following attributes set: hidden, system or read-only (that would have avoided the dir and find commands), with its contents stored in UNICODE format instead of ASCII (that would have avoided the "strings -a" command), not stored in ADS (that would have avoided the "lads" command), and not having been read before (that would have avoided the "dd" command).

Interestingly enough, a variation of the third case is also possible: even if the contents of the file were ASCII, if the line containing the identification number "9906753" was the last line of the file and was not terminated with a carriage return, then the "strings" command would also miss it.


Yours faithfully,
David Perez.