Challenge 2 – Browsers under attack – (provided by Nicolas Collery from the Singapore Chapter and Guillaume Arcas from the French Chapter) asks you to investigate a network attack, but of a different kind.
Skill Level: Intermediate
The Challenge:
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:
- List the protocols found in the capture. What protocol do you think the attack is/are based on? (2pts)
- List the IP addresses, host names and domain names. What can you tell about them? What can you deduce from the setup? Does it look like a real situation? (4pts)
- List all the web pages. Which of the visited pages contain suspect and possibly malicious JavaScript, and who is connecting to them? Briefly describe the nature of the malicious web pages. (6pts)
- Can you sketch an overview of the general actions performed by the attacker? (2pts)
- What steps are taken to slow the analysis down? (2pts)
- Provide the JavaScript from the pages identified in the previous question, and decode/deobfuscate it. (8pts)
- On the malicious URLs, what do you think the variable ‘s’ refers to? List the differences. (2pts)
- Which operating system was targeted by the attacks? Which software? And which vulnerabilities? Could the attacks have been prevented? (4pts)
- What actions do the shellcodes perform? Please list the shellcodes (with the MD5 of the binaries). What is the difference between them? (8pts)
- Was there malware involved? What is the purpose of the malware? (We are not looking for a detailed malware analysis for this challenge.) (4pts)
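The first questions amount to enumerating what is in the trace: which IP protocols appear, which hosts talk, and which web pages are requested. The following Python, added here and not part of the challenge material or the sample solution, parses a classic pcap file without third-party libraries and produces exactly that inventory; the packets it runs on are constructed stand-ins for the real suspicious-time.pcap (addresses, host names and the `?s=1` path are invented, and checksums are left zero).

```python
"""Triage of a capture such as suspicious-time.pcap: count IP protocols and list
HTTP requests as (client, Host header, path). Packets below are constructed."""
import struct
from collections import Counter

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def frame(src, dst, proto, sport, dport, payload=b""):
    """Build one Ethernet/IPv4 frame with a minimal TCP (20 B) or UDP (8 B) header."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload

def pcap(frames):
    """Wrap frames in a classic little-endian pcap file (magic 0xa1b2c3d4, Ethernet link type)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1267000000 + i, 0, len(f), len(f)) + f
    return out

def triage(data):
    """Return (Counter of IP protocols, set of (client_ip, host, path) HTTP requests)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    protos, requests, pos = Counter(), set(), 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pkt, pos = data[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if pkt[12:14] != b"\x08\x00":
            continue                               # only IPv4 frames are counted here
        ip = pkt[14:]
        proto = ip[9]
        protos[PROTO.get(proto, str(proto))] += 1
        if proto != 6:
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]              # IHL skips any IP options
        payload = tcp[(tcp[12] >> 4) * 4:]         # TCP data offset is in 32-bit words
        if payload[:4] in (b"GET ", b"POST"):
            lines = payload.split(b"\r\n")
            path = lines[0].split(b" ")[1].decode(errors="replace")
            host = next((l[6:].decode() for l in lines if l.lower().startswith(b"host: ")), "?")
            requests.add((".".join(map(str, ip[12:16])), host, path))
    return protos, requests

# Constructed sample: a DNS query, then the client fetching a page and a script it pulls in.
SAMPLE = pcap([
    frame("10.0.2.15", "10.0.2.2", 17, 51000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    frame("10.0.2.15", "192.0.2.10", 6, 49152, 80, b"GET / HTTP/1.1\r\nHost: site-a.invalid\r\n\r\n"),
    frame("10.0.2.15", "192.0.2.20", 6, 49153, 80, b"GET /js.php?s=1 HTTP/1.1\r\nHost: site-b.invalid\r\n\r\n"),
])
```

Running `triage(SAMPLE)` yields the protocol counts and the two page requests; on the real capture the request list is the starting point for picking out pages whose responses carry obfuscated script.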
Sample Solution:
Forensic Challenge 2010_-_Challenge_2_-_Solution.doc – Sha1: d60270743b8aea425bab74041b776d7fef36f0af
This work by Nicolas Collery and Guillaume Arcas is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
The Winners (all tied for first place):
- Franck Guenichot (France) – Franck’s submission – Sha1: c7786cdf4a166b3051190d752b43aa1daf42ca70
- Mario Pascucci (Italy) – Mario’s submission – Sha1: f931b4e8295d804d8c6a1a17c14b0f0f13e8eba0
- Rani Hod (Israel) – Rani’s submission – Sha1: 8f0dc2cc5785e3e41d3db493338c34190f589e7b
- Vos (Russia) – Vos’s submission – Sha1: 988d675a83ab8a4d6487ef69b16b3cfd41d1c7d6
| Attachment | Size |
|---|---|
| suspicious-time.pcap | 298.73 KB |
| [your email]_Forensic Challenge 2010 – Challenge 2 – Submission Template.doc | 70 KB |
| [your email]_Forensic Challenge 2010 – Challenge 2 – Submission Template.odt | 20.12 KB |
| Franck_Guenichot_Forensic Challenge 2010_-_Challenge-2_-_Submission.pdf | 426.55 KB |
| Mario_Pascucci_Forensic_Challenge_2010-Challenge-2_-_Submission.pdf | 217.22 KB |
| Rani_Hod_Forensic Challenge 2010_-_Challenge-2_-_Submission.doc | 328 KB |
| vos_Forensic Challenge 2010 – Challenge-2_-_Submission.doc | 229 KB |
| Forensic Challenge 2010_-_Challenge_2_-_Solution.doc | 1.08 MB |