Forensic Challenge 2 (2010) – Browsers under attack

Challenge 2 – browsers under attack – (provided by Nicolas Collery from the Singapore Chapter and Guillaume Arcas from the French Chapter) is to investigate a network attack but of a different kind.

Skill Level: Intermediate

The Challenge:

A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

  1. List the protocols found in the capture. What protocol do you think the attack is/are based on? (2pts)
  2. List IPs, hosts names / domain names. What can you tell about it – extrapolate? What to deduce from the setup? Does it look like real situations? (4pts)
  3. List all the web pages. List those visited containing suspect and possibly malicious javascript and who’s is connecting to it? Briefly describe the nature of the malicious web pages (6pts)
  4. Can you sketch an overview of the general actions performed by the attacker? (2pts)
  5. What steps are taken to slow the analysis down? (2pts)
  6. Provide the javascripts from the pages identified in the previous question. Decode/deobfuscate them too. (8pts)
  7. On the malicious URLs at what do you think the variable ‘s’ refers to? List the differences. (2pts)
  8. Which operating system was targeted by the attacks? Which software? And which vulnerabilities? Could the attacks been prevented? (4pts)
  9. What actions does the shellcodes perform? Please list the shellcodes (+md5 of the binaries). What’s the difference between them? (8pts)
  10. Was there malware involved? What is the purpose of the malware(s)? (We are not looking for a detailed malware analysis for this challenge) (4pts)

Sample Solution:
Forensic Challenge 2010_-_Challenge_2_-_Solution.docĀ – Sha1: d60270743b8aea425bab74041b776d7fef36f0af

This work by Nicolas Collery and Guillaume Arcas is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

The Winners (all tied for first place):

  • Franck Guenichot (France) – Franck’s submission – Sha1: c7786cdf4a166b3051190d752b43aa1daf42ca70
  • Mario Pascucci (Italy) – Mario’s subission – Sha1: f931b4e8295d804d8c6a1a17c14b0f0f13e8eba0
  • Rani Hod (Israel) – Rani’s subission – Sha1: 8f0dc2cc5785e3e41d3db493338c34190f589e7b
  • Vos (Russia)- Vos’s submission – Sha1: 988d675a83ab8a4d6487ef69b16b3cfd41d1c7d6
suspicious-time.pcap298.73 KB
[your email]_Forensic Challenge 2010 – Challenge 2 – Submission Template.doc70 KB
[your email]_Forensic Challenge 2010 – Challenge 2 – Submission Template.odt20.12 KB
Franck_Guenichot_Forensic Challenge 2010_-_Challenge-2_-_Submission.pdf426.55 KB
Mario_Pascucci_Forensic_Challenge_2010-Challenge-2_-_Submission.pdf217.22 KB
Rani_Hod_Forensic Challenge 2010_-_Challenge-2_-_Submission.doc328 KB
vos_Forensic Challenge 2010 – Challenge-2_-_Submission.doc229 KB
Forensic Challenge 2010_-_Challenge_2_-_Solution.doc1.08 MB