Forensic Challenge 2010
Challenge 2 - browsers under attack - (provided by Nicolas Collery from the Singapore Chapter and Guillaume Arcas from the French Chapter) is to investigate a network attack but of a different kind.
Submission deadline has passed. Results will be released on Monday, March 22nd 2010. (For inquiries you can contact firstname.lastname@example.org) Small prizes will be awarded to the top three submissions.
Skill Level: Intermediate
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:
- List the protocols found in the capture. What protocol do you think the attack is/are based on? (2pts)
- List IPs, hosts names / domain names. What can you tell about it - extrapolate? What to deduce from the setup? Does it look like real situations? (4pts)
- Can you sketch an overview of the general actions performed by the attacker? (2pts)
- What steps are taken to slow the analysis down? (2pts)
- On the malicious URLs at what do you think the variable 's' refers to? List the differences. (2pts)
- Which operating system was targeted by the attacks? Which software? And which vulnerabilities? Could the attacks been prevented? (4pts)
- What actions does the shellcodes perform? Please list the shellcodes (+md5 of the binaries). What's the difference between them? (8pts)
- Was there malware involved? What is the purpose of the malware(s)? (We are not looking for a detailed malware analysis for this challenge) (4pts)
suspicious-time.pcap Sha1: 1f10c8a4996fafa80d47202881a17796941fd337
Forensic Challenge 2010_-_Challenge_2_-_Solution.doc - Sha1: d60270743b8aea425bab74041b776d7fef36f0af
This work by Nicolas Collery and Guillaume Arcas is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
The Winners (all tied for first place):
- Franck Guenichot (France) - Franck's submission - Sha1: c7786cdf4a166b3051190d752b43aa1daf42ca70
- Mario Pascucci (Italy) - Mario's subission - Sha1: f931b4e8295d804d8c6a1a17c14b0f0f13e8eba0
- Rani Hod (Israel) - Rani's subission - Sha1: 8f0dc2cc5785e3e41d3db493338c34190f589e7b
- Vos (Russia)- Vos's submission - Sha1: 988d675a83ab8a4d6487ef69b16b3cfd41d1c7d6