Star Hacks, Episode V: The Empire Hacks Back

| April 23, 2006

And the Curtain Falls

Thanks to all who participated. Winners will be announced soon.


Hello and welcome to our First Challenge!  This is Ed Skoudis from Intelguardians, and I’ll be hosting a hacker challenge every other month, written by me or one of my friends.  You’ll get to match wits with computer attackers in each of these scenarios, demonstrating your elite skills in protecting systems from bad guys.  Although each challenge is based on a goofy theme from a movie or TV, each illustrates vital lessons from real-world attacks.

This is not an easy challenge, but then again, you will be competing with the best security minds from around the world. Are you ready to have your name in lights?

Feel free to discuss the scenario in the forums but PLEASE do not post your answers.
You wouldn't want someone else winning your prize, would you?

Skillz Sponsored by Core Security Technologies

The challenge I’ve baked up for this month is based on the second Star Wars movie, The Empire Strikes Back, and ties up a few loose ends from the movie, namely:

  1. What is Darth Vader doing while sitting inside of that black egg-shaped pod thingy?

  2. Why does the Millennium Falcon hyper drive keep failing?

  3. How did R2D2 find out that the Empire had disabled the Falcon’s hyper drive, and how did the Empire pull that off?

Read the challenge, answer the questions, and you qualify to win a fine prize!  We’ll be giving away three signed copies of my latest book, called Counter Hack Reloaded, co-written by Tom Liston.

So, sit back, relax, and read our challenge:

A long time ago in a galaxy far, far away….

(With all respect to George Lucas.)

 

Episode V
THE EMPIRE HACKS BACK

 

It is a dark time for the Rebellion.  Although the Death Star has been destroyed, Imperial troops have driven the Rebel forces from their hidden base and pursued them across the galaxy.

The evil lord Darth Vader, obsessed with finding young Luke Skywalker, has dispatched thousands of remote probes into the far reaches of space….

It was likewise a dark time for Darth Vader.  With the recent destruction of the Death Star, his boss, the Emperor, was breathing down his neck, demanding ever more.  “Running a galactic empire is not all it’s cracked up to be,” Vader ruminated from within his giant, black, serrated, egg-shaped pod aboard an Imperial Destroyer, where he brooded over his recent setbacks.   Unfortunately, he just couldn’t concentrate, given the constant interruptions of his annoying underlings reporting yet more bad news.

“Lord Vader,” interrupted a peon commander trembling with fear, “I regret to inform you that the Millennium Falcon has escaped!  We cannot find it anywhere.  Oh, and…”  The commander paused, almost choking with terror, “The Imperial soda machine is entirely out of Diet Coke, my Lord.”

In the face of such a grave crisis, Vader exploded, “You have failed me for the last time, Commander!”  He then used the dark side of the force to strangle the hapless commander.

The only thing Vader had going for him was those remote probes deployed into the far reaches of space, for, you see, not all of the probes were physical.  Indeed, Vader had deployed a vast bot-net to over 500,000 machines throughout the galaxy, which he controlled from the privacy of his egg-shaped pod.  Using this software, which he called the “Vader Bot”, Darth completely controlled the half-a-million Windows 2000, XP, and 2003 machines he had infected.  His Vader Bot was always launched with the command line “vaderbot.exe -d” (for daemon mode), and it always ran under the user name “vader”, an account Darth had added to the Administrators group on each infected system.  The Vader Bot consisted of ten identical cooperating processes, initially all called “vaderbot.exe”.  These bot processes worked together for resilience, so that if any of the processes were killed, the remaining vaderbot processes would spawn new ones.  That way, ten would always be running.

One of these victim machines was a Windows 2003 Server on board the Millennium Falcon, the ship used by our Rebel heroes to try to escape Vader.  This server controlled the Falcon’s hyper drive, a crucial component needed to jump into hyperspace.  The Vader Bot killed the hyperdrive.exe process on the Falcon to prevent the Rebel heroes from escaping the clutches of the Empire.  Any time hyperdrive.exe was started again, the Vader Bot would quickly shut it down before the ship could make a jump.

With the repeated failures to jump into hyperspace, Han Solo, the commander of the Millennium Falcon, assigned C3P0 the job of fixing the hyper drive.  C3P0, a protocol droid and master of human-cyborg relations, was more experienced with Linux machines than Windows.  C3P0 analyzed the problem for over an hour, before telling Han Solo, “Sir, I don’t know where your ship learned to communicate, but it has the most peculiar dialect.  I believe it is saying that the power coupling on the negative axis has been polarized.  Either that, or something keeps killing the hyperdrive.exe process.”  With C3P0’s inability to fix the problem, the crew of the Falcon decided to sneak away to Cloud City for repairs, unaware that Vader had seized control of Cloud City.

After a daring escape from Cloud City, the droid R2D2 rejoined the crew of the Millennium Falcon with important new information.  While R2D2 was connected to the computer network of Cloud City, he had sniffed bot control traffic going to the Vader Bot instance running on the Falcon’s hyper drive computer.  R2 knew that Vader himself had used his bot to kill the hyperdrive.exe process! 

Unfortunately, given the bucket-of-bolts nature of the Millennium Falcon, the hyper drive controller’s monitor screen was dead, eliminating the possibility of GUI access to the box.  But, once on board the Falcon, R2D2 jacked into the ship’s network and used SSH to get a command prompt on the hyperdrive’s Windows 2003 system. 

And, there, my friend, is where you come in.  You must use your Jedi Kung Fu skills to advise R2D2 how to kill the Vader Bot, using only command-shell access.  Making your problem even more difficult is this major limitation: this plot is occurring in a galaxy a long time ago and far, far away*, so you cannot download any third-party tools, such as the amazing SysInternals suite of applications written by Jedi Master Mark Russinovich, or even the Windows Resource Kits.  You can only use command-line tools built into Windows 2003 Server to answer the following questions:

1) How can R2D2 kill all of the processes named “vaderbot.exe” with a single command?

2) Unfortunately, as the last vaderbot.exe process is about to be killed, it spawns a group of new Vader Bot processes, but each with a new name, called “vaderbot0.exe”, “vaderbot1.exe”, “vaderbot2.exe”, and so on up to “vaderbot9.exe”.  How can you kill all of these processes based on their process name in one command?

3) Unfortunately, as the last numbered Vader Bot process (“vaderbot9.exe”) is about to be killed, it generates a whole bunch of new Vader Bot processes with apparently random names, such as QnV5I.exe, ENvdW.exe, 50ZXI.exe, gSGFj.exe, ayBSZ.exe, WxvYW.exe, RlZCw.exe, gUGxl.exe, YXNlI.exe, and finally, Q==.exe.  How can you kill all of these processes in one command without knowing their Process IDs?

4) And, yes, once again unfortunately, as the last apparently random-named bot process is about to be killed, it generates one more process for Vader Bot, named smss.exe.  How can you kill this final Vader Bot process in a single command without knowing its Process ID?

5) Finally, instead of spawning separate processes, the Vader Bot could have used other techniques to survive on the machine, continuing to run in light of R2D2’s process-killing assault.  Please describe techniques for malware (or even non-malicious code) to continue running without having to spawn new processes.
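Now that submissions have closed, here is an editor's added example of the built-in Windows Server 2003 command-line tooling the challenge restricts R2D2 to (tasklist, taskkill, wmic and find). It is not part of Ed's challenge or its published answers. It assumes only what the story states: the image names above, a local account named “vader” that owns every bot process, and a command line ending in “-d”. The one-command kills are shown per question, each preceded by the listing a practitioner would run first to check what the filter actually matches.

```batch
@echo off
rem Editor's example, not from the challenge or its official answers.
rem Assumptions (from the story): bots run as local user "vader" with a
rem command line ending in " -d"; image names as listed in questions 1-4.
rem Run as an administrator. Inside a .cmd file, "%%" is a literal "%";
rem at an interactive prompt use a single "%".

rem --- Look before you shoot: what does the vader account own, and what
rem --- carries the "-d" argument? Local accounts appear as COMPUTERNAME\user.
tasklist /V /FI "USERNAME eq %COMPUTERNAME%\vader"
wmic process where "commandline like '%% -d'" get name,processid,commandline

rem --- 1) All processes whose image name is exactly vaderbot.exe.
rem --- /F forces termination; /T also takes down any children they spawned.
taskkill /F /T /IM vaderbot.exe

rem --- 2) vaderbot0.exe .. vaderbot9.exe: a trailing wildcard in the
rem --- IMAGENAME filter matches every numbered variant in one pass.
taskkill /F /T /FI "IMAGENAME eq vaderbot*"
rem --- Confirm nothing is left (find /c counts matching lines; expect 0).
tasklist /FI "IMAGENAME eq vaderbot*" | find /c /i "vaderbot"

rem --- 3) Random image names: select on an attribute other than the name.
rem --- Either the owning account (taskkill USERNAME filter)...
taskkill /F /T /FI "USERNAME eq %COMPUTERNAME%\vader"
rem --- ...or the "-d" argument via a WQL LIKE on the command line.
rem --- (Run the "get" above first: this kills ANY process ending in " -d".)
wmic process where "commandline like '%% -d'" call terminate

rem --- 4) A bot masquerading as smss.exe. The genuine Session Manager runs
rem --- as SYSTEM, so combine the name filter with the owner filter; never
rem --- kill smss.exe on name alone, or the real one goes with it.
taskkill /F /FI "IMAGENAME eq smss.exe" /FI "USERNAME eq %COMPUTERNAME%\vader"
```

If the “vader” account is a domain account rather than a local one, substitute DOMAIN\vader for %COMPUTERNAME%\vader; tasklist /V shows the exact string the USERNAME filter is compared against. The same owner and command-line attributes are what a defender would write into a detection rule, since they survive the bot's renaming tricks while the image name does not.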

May the force be with you, always!!

Please send all answers to skillz0506@ethicalhacker.net with the subject line 'Skillz Submission' by May 31, 2006 to be eligible for one of three signed copies of Ed's book Counter Hack Reloaded as a prize.  The prizes will be awarded as follows:

  • one book to the best technical answer.

  • one book will go to the most creative answer that is also technically correct.

  • And, even if you cannot answer all of the questions, send in answers for any of those that you can get, because we’ll be drawing one winner at random from all submitted answers that are partially correct and award them a signed copy as well.

* You may be thinking that it is impossible for a Windows 2003 system to find its way into a galaxy a long time ago and far, far away.  But, you would be underestimating the power of the dark side of the force… oops… I mean Microsoft’s marketing prowess.

Category: Skillz
