Feeling Lucky - What we know about Lucky 5

[Dante]

[Unknown Quantity]

[Dante]

So these side effects really concern me. I've been trying to translate them to something more comprehensible

Some are suspiciously similar to V1a.gra* (?!):

headache
facial flushing
upset stomach
bluish vision
blurred vision
light sensitivity
"disclosures"(?) continuing more than 4 hours

Others:

abnormal changes to thought and behavior
lowering of inhibitions (e.g., aggressiveness and extroversion) similar to effects product by alcohol
visual-auditory hallucinations
bizarre behavior, agitation, depersonalization
unusual moods and behaviors (e.g., urges to play games of chance or sexual urges)
hallucinations; lucid dreaming (especially in hypnotic individuals)
alcohol and other depressants increase risk of hallucinations
amnesia, anxiety, and other neuropsychological symptoms can occur
can worsen pressures and suicidal thoughts; intentional over-doses possible in people prone to these thoughts


Assuming this isn't a sick Stu joke, I can't help but think that some of this describes B.A. and Bryce and Kevin very well.

* BBS Spam blocker didn't like me using the real name. I couldn't figure out why I wasn't being allowed to post and figured that Art had a hand in that.

[JimmyMcForum]

I've got some people at my home forum looking at this. If they come up with anything, I will pass it along.

[Unfictionrose]

As I have no intention of installing this on my machine and no way to investigate it. I will just point out that BA's Craigslist are full of the word "lucky." Something we've mentioned before.

Also - lucky was the password or username on something on the server.

Although how we should find lucky5 from that...I don't know. Good job StuR I guess.

Is this forensic evidence??
_________________
Servers aren't part of the collective unconscious. ~HPHack

DC had us give B.A. the finger. I don't think you can get much more explicit than that! ~Y2K

[Sinyx]

[Dante]

Yea, but if even half these side effects are true, the question is, how in the heck does a piece of software -- even a malicious piece of software -- produce things like lucid dreaming and amnesia?

I have the feeling that Art is going to call bullshit on this.

[Unknown Quantity]

[Unfictionrose]

[Biff]

That EULA is...interesting.

I wonder if Yogh used BabelSquid for the ElderGod to English translation.

[Econjen]

[Sinyx]

[Dante]

[Twee]

[Mapmaker]

I've pretty much dissected the executable and I understand a bunch of what it does. It is somewhat pwn3d, as it were (although I haven't gone through it all). I'll post more when I get the chance (and don't worry, even if I go oogy-boogy, there are others around whom I've told my findings).

EDIT: I have put the more technical parts of the explanation in {brackets}.

OK, here's the scoop. I used a decompiler to get to the source code of the program. I'll spare you some of the details - registry checks, error correction, yadda yadda, and get to the point. I haven't finished reading the code, so I don't know what the payload is. But I know how it decides who to target.

So every five minutes while the code is running, you "get lucky". What does this mean? Well, first let's note a few things. With the install comes a copy of the prayer (lucky.dat). Second, the computer knows what day it is.

The program then proceeds to calculate several variables, the most important of which is "lucky5" and "lucky5ip". Lucky5 is a five-character snippet of the prayer. It is not chosen at random, however. (I don't know where the logic is, but it isn't random.)

So lucky5. First the program calculates how many 28-day cycles (which roughly correspond to the lunar calendar) it has been since an auspicious day: October 31, 1999. Some may remember that as the day of the sad events in the cave. This is hard-coded into the program. So once it calculates how long it's been (both in full 28-day cycles and how long it's been since the last 28-day cycle began), it uses that information to extract the five-character piece from the file. Note then that the lucky5 changes daily.

{For those of you who are really interested, if X is the number of days since 10/31/1999, then set lunar_cycles to X/28 rounded down, and lunar_offset to (X modulo 28 ) + 1. Then the program selects the 5-character "lucky5" by taking the five characters starting from the character lunar_cycles+2 characters from the lunar_offset-1 space. Yeah, it doesn't make sense to me either.}

Extremely notable are the five-character lucky5s from two dates: December 16, 2006, and June 27, 2007, the days of "supplication" on SentryOutpost and Kevin's computer, respectively. The lucky5s then were "Xé:3a" and "ÇT1Óa", which we learned were passwords in their infection.

So we have the lucky5. Now the lucky5ip. The program generates an IP address + port in a separate algorithm using the lucky5 for the day as well as the variables based on the number of days from 10-31-99 mentioned above. (Meaning the lucky5ip changes daily as well).

{It generates it basically by ROTating information. It starts with the lucky5. Each character is converted to its Unicode value. Thus Xé:3a becomes 88-233-58-51-97. The first four digits will become the IP address, and the last the port. To each of these digits, lunar_offset and lunar_cycles is added. For December 16, 2006, they were 28 and 92, respectively. Thus 88-233-58-51-97 becomes 208-353-178-171-217. If any of the first four numbers is greater than 256, subtract 256. Thus it becomes 208-97-178-171-217. There's some if-clause so that sometimes 5000 is added to the port value. I believe it was in this case.}

So what do we get for the lucky5ips for these days? December 16, 2006 is 208.97.178.171:5217, and June 27, 2007 is 68.209.174.80:222. Both are the IP address and ports attacked. Attacked with what? I'm not sure yet. I haven't gotten to that part of the code. But it's suspicious, eh?

Most of the time the thing is spewing code into unassigned IP-space or multicasting space. I'm working on figuring out what the next several days will hold in that respect.