It is a dark time for the Rebellion.  Although the Death Star has been destroyed, Imperial troops have driven the Rebel forces from their hidden base and pursued them across the galaxy.

The evil lord Darth Vader, obsessed with finding young Luke Skywalker, has dispatched thousands of remote probes into the far reaches of space….

It was likewise a dark time for Darth Vader.  With the recent destruction of the Death Star, his boss, the Emperor, was breathing down his neck, demanding ever more.  “Running a galactic empire is not all it’s cracked up to be,” Vader ruminated from within his giant, black, serrated, egg-shaped pod aboard an Imperial Destroyer, where he brooded over his recent setbacks.   Unfortunately, he just couldn’t concentrate, given the constant interruptions of his annoying underlings reporting yet more bad news.

“Lord Vader,” interrupted a peon commander trembling with fear, “I regret to inform you that the Millennium Falcon has escaped!  We cannot find it anywhere.  Oh, and…”  The commander paused, almost choking with terror, “The Imperial soda machine is entirely out of Diet Coke, my Lord.”

In the face of such a grave crisis, Vader exploded, “You have failed me for the last time, Commander!”  He then used the dark side of the force to strangle his liege.

The only thing Vader had going for him was those remote probes deployed into the far reaches of space, for, you see, not all of the probes were physical.  Indeed, Vader had deployed a vast bot-net to over 500,000 machines throughout the galaxy, which he controlled from the privacy of his egg-shaped pod.  Using this software, which he called the “Vader Bot”, Darth completely controlled the half-a-million Windows 2000, XP, and 2003 machines he had infected.  His Vader Bot was always executed with a command line of “vaderbot.exe -d” for deamon mode, and it is always run under the user name “vader”, an account Darth had added to the admin group on each infected system.  The Vader Bot consisted of ten identical cooperating processes initially all called “vaderbot.exe”.  These bot processes worked together for resilience, so that if any of the processes were killed, the remaining vaderbot processes would spawn new ones. That way ten would always be running.

One of these victim machines was a Windows 2003 Server on board the Millennium Falcon, the ship used by our Rebel heroes to try to escape Vader.  This server controlled the Falcon’s hyper drive, a crucial component needed to jump into hyperspace.  The Vader Bot killed the hyperdrive.exe process on the Falcon to prevent the Rebel heroes from escaping the clutches of the Empire.  Any time hyperdrive.exe was started again, the Vader Bot would quickly shut it down before the ship could make a jump.

With the repeated failures to jump into hyperspace, Han Solo, the commander of the Millennium Falcon, assigned C3P0 the job of fixing the hyper drive.  C3P0, a protocol droid and master of human-cyborg relations, was more experienced with Linux machines than Windows.  C3P0 analyzed the problem for over an hour, before telling Han Solo, “Sir, I don’t know where your ship learned to communicate, but it has the most peculiar dialect.  I believe it is saying that the power coupling on the negative axis has been polarized.  Either that, or something keeps killing the hyperdrive.exe process.”  With C3P0’s inability to fix the problem, the crew of the Falcon decided to sneak away to Cloud City for repairs, unaware that Vader had seized control of Cloud City.

After a daring escape from Cloud City, the droid R2D2 rejoined the crew of the Millennium Falcon with important new information.  While R2D2 was connected to the computer network of Cloud City, he had sniffed bot control traffic going to the Vader Bot instance running on the Falcon’s hyper drive computer.  R2 knew that Vader himself had used his bot to kill the hyperdrive.exe process! 

Unfortunately, given the bucket-of-bolts nature of the Millennium Falcon, the hyper drive controller’s monitor screen was dead, eliminating the possibility of GUI access to the box.  But, once on board the Falcon, R2D2 jacked into the ship’s network and used SSH to get a command prompt on the hyperdrive’s Windows 2003 system. 

And, there, my friend, is where you come in.  You must use your Jedi Kung Fu skills to advise R2D2 how to kill the Vader Bot, using only command-shell access.  Making your problem even more difficult is this major limitation – this plot is occurring in a galaxy a long time ago and far, far away*, so you cannot download any third-party tools, such as the amazing SysInternals suite of applications written by Jedi Master Mark Russinovich or even the Windows Resource Kits.  You can only use command-line tools built-into Windows 2003 Server to answer the following questions:

1) How can R2D2 kill all of the processes named “vaderbot.exe” with a single command?

2) Unfortunately, as the last vaderbot.exe process is about to be killed, it spawns a group of new Vader Bot processes, but each with a new name, called “vaderbot0.exe”, “vaderbot1.exe”, “vaderbot2.exe”, and so on up to “vaderbot9”.  How can you kill all of these processes based on their process name in one command?

3) Unfortunately, as the last Vader Bot numbered process (“vaderbot9”) is about to be killed, it generates a whole bunch of new Vader Bot processes, with apparently random names, such as QnV5I.exe, ENvdW.exe, 50ZXI.exe, gSGFj.exe, ayBSZ.exe, WxvYW.exe, RlZCw.exe, gUGxl.exe, YXNlI.exe, and finally, Q==.exe.  How can you kill all of these processes in one command without knowing their Process IDs?

4) And yes again unfortunately, as the last apparently random-named bot process is about to be killed, it generates one more process for Vader Bot, named smss.exe.  How can you kill this final Vader Bot process in a single command without knowing its Process ID?

5) Finally, instead of spawning separate processes, the Vader Bot could have used other techniques to survive on the machine, continuing to run in light of R2D2’s process-killing assault.  Please describe techniques for malware (or even non-malicious code) to continue running without having to spawn new processes.

May the force be with you, always!!

 

Fuente: The Ethical hacker network