
Past findings on FOI2009.zip (update: and more)

Note: This blog post will be continually updated with links to my latest findings on the CRU cyber-attack. See the end of the post.

The old original International Journal Inactivism blog, in which I wrote on my early findings regarding the CRU cyber-attack, was "suspended" for a while, but it's now back up. During the suspension, I took the opportunity to summarize on this blog the main findings on the FOI2009.zip file released by the attacker; here they are:

Time zones [original write-ups at IJI]

All except 3 files in FOI2009.zip are recorded as being packaged under time zone settings -0500 and -0400, where -0400 is probably daylight saving time.

(As for the anomalous 3 files -- l00311.rw, l00321.rw, and l00331.rw, under FOIA/documents/briffa-treering-external/ecat/yamal/rw/82/ -- commenter Jason Petry pointed out that this is probably only because the resulting 'local time' of those files would fall before 1 Jan 1980, which is something the .zip file's timestamp format can't represent.)

The .zip file itself contains 2 smaller .zip files:

  • mbh98-osborn.zip, whose members are also all in the -0500/-0400 time zone;
  • russia.zip, which gives no time zone information.

A graph and a complete list of file times in FOI2009.zip are available.

Mysterious extra bytes, or perhaps not so mysterious [original write-up at IJI]

In FOI2009.zip, all Microsoft Word document (.doc) files have sizes which are multiples of 256 -- except for 5 files:

  • FOIA/documents/magicc-tomike.doc (35,341 bytes)
  • FOIA/documents/potential-funding.doc (25,613 bytes)
  • FOIA/documents/sealevel_params.doc (34,317 bytes)
  • FOIA/documents/uea-tyndall-shell-memo.doc (23,053 bytes)
  • FOIA/documents/unit-proposal.doc (30,221 bytes)
When the file sizes are divided by 256, the remainder is exactly 13. And the 13 bytes at the end of each of the 5 files look like this:
000075E0   00 00 00 00  00 00 00 00  ........
000075E8   00 00 00 00  00 00 00 00  ........
000075F0   00 00 00 00  00 00 00 00  ........
000075F8   00 00 00 00  00 00 00 00  ........
00007600   73 68 2D 33  2E 31 24 20  sh-3.1$ 
00007608   65 78 69 74  0A           exit.
An anonymous friend of Anna commented,
"Looks like the attacker used some method of breaking into the machine where the file was stored (or where it was accessible over the network), ran something like "cat file.doc" and on his local machine ran a screen capture program to capture the results. Exiting the interactive shell on the compromised machine left the residue in the result that the attacker was too lazy to remove. This is especially likely to be the case if normal .doc files are a multiple of 256 bytes."
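
The size-modulo-256 check and the trailing-bytes inspection described above can be automated for a whole tree of .doc files. The script below is an added example and not code from this blog or from the original write-up; the sample documents it checks are constructed inline, and the prompt pattern it looks for (an `sh-`/`bash-` version prompt followed by `exit`) is an assumption that generalizes the one `sh-3.1$ exit` residue shown in the hex dump.

```python
import re
from pathlib import Path

# Constructed samples: a .doc-like blob that is an exact multiple of 256 bytes
# (OLE2 magic followed by padding), and the same blob with the 13-byte shell
# residue from the hex dump appended, as the five anomalous files show.
SHELL_RESIDUE = b"sh-3.1$ exit\n"                       # 8 + 5 = 13 bytes
CLEAN_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * (512 - 4)    # 512 bytes, 512 % 256 == 0
TAINTED_DOC = CLEAN_DOC + SHELL_RESIDUE                   # 525 bytes, 525 % 256 == 13

# Assumed prompt shape: "sh-3.1$ exit\n" or "bash-4.2$ exit\n" at the very end.
PROMPT_RE = re.compile(rb"(?:sh|bash)-[0-9.]+\$ exit\n$")

def trailing_remainder(data: bytes, block: int = 256):
    """Return (remainder, tail): the byte count past the last block boundary
    and those bytes themselves (empty when the size is an exact multiple)."""
    rem = len(data) % block
    return rem, (data[len(data) - rem:] if rem else b"")

def check_doc(data: bytes) -> dict:
    """Classify one document: is its size block-aligned, and does the
    overhang look like an interactive shell prompt plus 'exit'?"""
    rem, tail = trailing_remainder(data)
    return {
        "size": len(data),
        "remainder": rem,
        "tail": tail,
        "shell_residue": PROMPT_RE.search(tail) is not None,
    }

def scan_tree(root: str) -> list:
    """Walk a directory (e.g. an unpacked FOI2009.zip) and list every .doc
    whose size is not a multiple of 256, with its remainder and tail."""
    flagged = []
    for path in Path(root).rglob("*.doc"):
        result = check_doc(path.read_bytes())
        if result["remainder"]:
            flagged.append((str(path), result["remainder"], result["tail"]))
    return flagged

if __name__ == "__main__":
    for name, blob in (("clean.doc", CLEAN_DOC), ("tainted.doc", TAINTED_DOC)):
        r = check_doc(blob)
        print(f"{name}: size={r['size']} rem={r['remainder']} "
              f"shell_residue={r['shell_residue']} tail={r['tail']!r}")
```

Run `scan_tree("FOIA/documents")` against an unpacked copy of the archive to reproduce the list of five files; the five sizes quoted above all satisfy `size % 256 == 13`.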

Updates