The Honeynet Project

“Dionaea is meant to be a Nepenthes successor, embedding Python as scripting language, using libemu to detect shellcodes, supporting IPv6 and TLS” (taken from Dionaea homepage). Besides being the most interesting project for trapping malware exploiting vulnerabilities, Dionaea supports a really cool feature which allows it to log to XMPP services as described here. TIP now exploits this feature receiving and storing such logs (really thanks to Markus Koetter for his help and support).

A few weeks ago I started reviewing the PHoneyC DOM emulation code and realized it was turning to be hard to maintain and debug due to a huge amount of undocumented (and sometimes awful) hacks. For this reason I decided it was time to patch (and sometimes rewrite from scratch) such code. These posts will describe how the new DOM emulation code will work. The patch is not available right now since I'm testing the code but plans exists to commit it in the PHoneyC SVN in the next days.

Challenge 3 - Banking Troubles - (provided by Josh Smith and Matt Cote from The Rochester Institute of Technology Chapter, Angelo Dell'Aera from the Italian Chapter and Nicolas Collery from the Singapore Chapter) is to investigate a memory image of an infected virtual machine.

The challenge has been completed on May 12th 2010.
Skill Level: Difficult

The Challenge:

Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an email from a fellow co-worker that pointed to a PDF file. Upon opening, the employee did not seem to notice anything, however recently they have had unusual activity in their bank account. Company X was able to obtain a memory image of the employee’s virtual machine upon suspected infection. Company X wishes you to analyze the virtual memory and report on any suspected activities found. Questions can be found below to help in the formal report for the investigation.

1. List the processes that were running on the victim’s machine. Which process was most likely responsible for the initial exploit? (2pts)
2. List the sockets that were open on the victim’s machine during infection. Are there any suspicious processes that have sockets open? (4pts)
3. List any suspicious URLs that may be in the suspected process’s memory. (2pts)
4. Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (4pts)
5. Were there any files that were able to be extracted from the initial process? How were these files extracted? (6pts)
6. If there was a file extracted from the initial process, what techniques did it use to perform the exploit? (8pts)
7. List suspicious files that were loaded by any processes on the victim’s machine. From this information, what was a possible payload of the initial exploit be that would be affecting the victim’s bank account? (2pts)
8. If any suspicious files can be extracted from an injected process, do any anti-virus products pick up the suspicious executable? What is the general result from anti-virus products? (6pts)
9. Are there any related registry entries associated with the payload? (4pts)
10. What technique was used in the initial exploit to inject code in to the other processes? (6pts)

Download:

hn_forensics.tgz Sha1: 8178921fd065ad2de9c6738fe062d2b37402c04a

Sample Solution:

Forensic_Challenge_3_-_Banking_Troubles_Solution.pdf - Sha1: 986752a9aa4b832951dfa6319cb5e16256a9b3c9



This work by Josh Smith, Matt Cote, Angelo Dell'Aera and Nicolas Collery is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

The Winners:

1. Mario Pascucci (Italy) - Mario's submission - Sha1: ad6e08bd0bff8a65e5ea8865e63addf9d6324212
2. Tyler Hudak (USA) - Tyler's submission - Sha1: 226e15990dac263402670d5976c8b63f241864c7
3. Carl Pulley (UK)- Carl's submission - Sha1: 2d20203403cf33bd565dbf81a54dbe414a17a597

Share:

Forensic Challenge 2010

Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.
Send submissions (please use the MS word submission template or the Open Office submission template) forensicchallenge2010@honeynet.org no later then 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.

Skill Level: Intermediate

The Challenge:
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

1. Which systems (i.e. IP addresses) are involved? (2pts)
2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
3. How many TCP sessions are contained in the dump file? (2pts)
4. How long did it take to perform the attack? (2pts)
5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
7. What specific vulnerability was attacked? (2pts)
8. What actions does the shellcode perform? Pls list the shellcode. (8pts)
9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
11. Do you think this is a manual or an automated attack? Why? (2pts)

Download:
attack-trace.pcap_.gz Sha1: 0f5ddab19034b2656ec316875b527d9bff1f035f

Sample Solution:
Forensic Challenge 2010 - Scan 1 - Solution_final.pdf Sha1: 7482a4d020cddde845344f8b02e05012

This work by Tillmann Werner is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

The Winners:

1. Ivan Rodriguez Almuina (Switzerland) - Ivan's submission - Sha1: 988d675a83ab8a4d6487ef69b16b3cfd41d1c7d6
2. Franck Guenichot (France) - Franck's submission - Sha1: c951552faf6118a352cc33a9b001350df9050575
3. Tareq Saade (USA) - Tareq's subission - Sha1: 969e73527a2c7a1b27e6b36f4cfa324fd8a66e94

What is TIP? TIP stands for Tracking Intelligence Project. In my most beautiful dreams, TIP should be an information gathering
framework whose purpose is to autonomously collect Internet threat
trends. It's entirely written in Python using Twisted and bound to the Django framework in order to abstract the underlying database and to easily build a web interface to the data.