Puzzle #6: Ann’s Aurora

Our latest puzzle was written by Sherri Davidoff, Eric Fulton and Jonathan Ham.

Hi! Recently we were challenged by SANS Fellow Rob Lee (author of “Computer Forensics” 508) to create a puzzle based on an Advanced Persistent Threat (APT). We thought this was a great idea! So this month we are doing a special release through the SANS Institute based on APT. SANS is sponsoring some especially cool prizes– check out the full puzzle and writeup here:

http://computer-forensics.sans.org/challenges/

The contest is a client-side attack based on Operation Aurora. This packet capture contains a full recording of a real Windows system getting exploited via the same mechanism that was used to exploit Google. Ann spear-phishes a developer, who clicks on a link and connects to her malicious web server. Then she configures the victim to make outbound persistent connection attempts to her server so that she can retain access and reconnect in the future.

We hope you have fun with this puzzle! We certainly had fun creating it. 🙂 To submit your answers, just use the Official Submission Form, as usual.

The Puzzle


Ann Dercover is after SaucyCorp’s Secret Sauce recipe. She’s been trailing the lead developer, Vick Timmes, to figure out how she can remotely access SaucyCorp’s servers. One night, while conducting reconnaissance, she sees him log into his laptop (10.10.10.70) and VPN into SaucyCorp’s headquarters.

Leveraging her connections with international hacking organizations, Ann obtains a 0-day exploit for Internet Explorer and launches a client-side spear phishing attack against Vick Timmes. Ann carefully crafts an email to Vick containing tips on how to improve secret sauce recipes and sends it. Seeing an opportunity that could get him that Vice President of Product Development title (and corner office) that he’s been coveting, Vick clicks on the link. Ann is ready to strike…

You are the forensic investigator. Your mission is to analyze the packet capture containing Ann’s exploit, build a timeline, and submit your evidence including…

  1. What was the full URI of Vick Timmes’ original web request? (Please include the port in your URI.)
  2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled “COMMENT”, then filled their data element with a string. What was the value of this string?
  3. Vick’s computer made a second HTTP request for an object.

    1. What was the filename of the object that was requested?
    2. What is the MD5sum of the object that was returned?
  4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  6. In packet 17, the malicious server sent a file to the client.

    1. What type of file was it? Choose one:

      • Windows executable
      • GIF image
      • PHP script
      • Zip file
      • Encrypted data
    2. What was the MD5sum of the file?
  7. Vick’s computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:

    1. How often does the TCP initial sequence number (ISN) change? (Choose one.)

      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
    2. How often does the IP ID change? (Choose one.)

      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
    3. How often does the source port change? (Choose one.)

      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
  8. Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
  9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file?
  10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)

Here is your evidence file: evidence06.pcap

  • MD5 (evidence06.pcap) = efac05c50c0ae92bf0818e98763920bd
  • SHA256 (evidence06.pcap)= fa5fc1ffad525688626c301372b37e101efcbbbd124f9781f5701648e6a02be3

Prizes!

SANS worked with several vendors to put together a generous prize package for this contest. Rob writes, “This year we are offering multiple overall prizes. Some of these prizes have been offered by sponsoring vendors that support future digital forensics research, analysis, and the spirit of the competition. The winning team or individual will have their first choice at the prize list. Win in first place? First to choose your prize.” Here’s the list:

Contest materials may not be used for any commercial purposes whatsoever, including marketing, without explicit written permission. If you are interested in using the contest materials for purposes besides your own personal use, please ask first. Full terms of use are available here.

Deadline is 6/27/10 (11:59:59PM UTC-11) (In other words, if it’s still 6/27/10 anywhere in the world, you can submit your entry.)

Please use the Official Submission Form to submit your answers.

Warning: When answering this puzzle, remember that you will be working with real-world malicious software. Be careful not to infect yourself! Use an isolated system, which you will be able to reinstall at the end of your investigation.

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under an approved Open Source License. All responses should be submitted as PLAIN TEXT. Microsoft Word documents, PDFs, etc will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified.

The contest materials are copyrighted. The files are for personal use only. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back to the original site at sans.org. Contest materials may not be used for any commercial purposes whatsoever, including marketing, without explicit written permission. If you are interested in using the contest materials for purposes besides your own personal use, please ask first.

Exceptional solutions may be incorporated into the SANS Network Forensics Investigative Toolkit (SNIFT kit). Exceptional submissions may also be used as examples and tools in the Network Forensics course, with full attribution. By submitting your answer to this puzzle, you agree that your code submissions will be freely published under the GPL license, and your solution’s text will be licensed according to the Creative Commons v3 “Attribution” License. All authors will receive full credit for their work.

Deadline is 6/27/10 (11:59:59PM UTC-11). Here’s the Official Submission Form. Good luck!!

Copyright 2010, Lake Missoula Group, LLC. All rights reserved.

Share and Enjoy:
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Twitter
  • Google Bookmarks
  • Slashdot
  • Suggest to Techmeme via Twitter
  • Technorati

2 Comments

  1. Can someone double-check and confirm the file hashes listed at http://computer-forensics.sans.org/challenges/#evidence are correct for evidence06.zip

    I’ve downloaded it several times, with different browsers, and keep getting this hash:
    MD5: 2745E619E845BDEF6012FA42C1F6AA6E

    Instead of the expected hash:
    MD5: efac05c50c0ae92bf0818e98763920bd

  2. sherri

    May 29, 2010 at 10:51 am

    f4s: That’s the MD5sum for the pcap inside the zip file (evidence06.pcap), not the zip file itself. Try unzipping it and check the hash of the pcap file.

Leave a Reply

Your email address will not be published.

*