Name: Scott Cubic

Description:

First off, let me say that this puzzle was extremely educational. As part of my job, I frequently have to interpret network traces. Most of the time, it's to diagnose an OSPF or BGP problem, a SAP TCP window size problem or some such fire drill. Occasionally, there have been cases where I've had to use DHCP or DNS traces to provide truly forensic information to authorities. I've learned to write code to interpret packet captures to save time and improve accuracy. This has always served me well, and for this puzzle, got me the answers to all of the questions in less than 15 minutes. All but question 6 ("What is the MD5 hash of the unpacked executable"). I've never had to actually unpack a packed virus, and that's where the education came in this time. I tried several methods, but no matter what I did, my extracted version of the virus executable ("file.exe") was unusable. I couldn't find an extractor that would extract it correctly, and my attempts to extract it manually using ollydbg were equally unproductive. Eventually, I found a set of tools that helped me to extract the file.

Tools I used included:
- NetworkMiner-0.91 (http://networkminer.sourceforge.net/)
- filealyzer v1.6 (http://www.safer-networking.org/en/filealyzer/index.html)

I had never heard of NetworkMiner, but it will probably wind up replacing a lot of code that I've written over the years to analyze packet captures. In the past, I've written code like ppcap.pl (attached) to quickly scan large batches of pcap data for interesting artifacts. This code is easily modified for any specific circumstance and can process a whole directory of capture files (when, for example, you've set a max capture file size and let the trace run all night) very quickly to identify files that might be interesting. Using such disposable code was fine for this puzzle until it came time to answer question 6.
Using Wireshark to dump the original .exe from packet 108 was simple, but even after editing the result to remove all bytes before the "MZ" in the raw data, I could not produce a working .exe file, or a file that any one of a dozen unpacking tools could successfully unpack. That's when I discovered NetworkMiner (http://networkminer.sourceforge.net/). I was very impressed with this tool and have been promoting it to colleagues since I found it. In fact, using just this tool, questions 1, 3, 4, and 7 can be answered just by opening the trace file and looking at the NetworkMiner output, as it will extract and reassemble any files or HTTP that it sees in the trace.

Here's what I did to work out this puzzle:
- Install NetworkMiner to C:\Program Files\NetworkMiner-0.91
- Open a Command Prompt window
- Enter the command "cd C:\Program Files\NetworkMiner-0.91"
- Enter the command "NetworkMiner.exe infected.pcap"

At this point, the NetworkMiner GUI opens. Click on the 'Files' tab, and you'll see all of the files that were downloaded during this trace. You can answer question 1 with the info in this tab, as you'll see the names of the two java applets in the 'Filename' column - namely, sdfg.jar and q.jar.

You can also answer question 3 from this same screen, as you can see that the first URL that was seen was in frame 10, and it was '/true.php'. Remember that you have to reconstruct the rest of the URL, so look in the 'Source host' column to see that the hostname for this URL is 'nrtjo.eu', making the final URL 'http://nrtjo.eu/true.php'.

Question 4 is answered by clicking on the 'Parameters' tab and noting that a value of '5942ba.....91ed' was supplied somewhere in the trace as a parameter of 'md5'. This was especially obvious with the clue supplied in the puzzle text that mentioned the last few octets of the MD5.

Question 7 can be answered by looking at the 'Sessions' tab. There are only two hosts that 192.168.23.129 (Ms. Moneymany's system) established sessions with that we didn't see a DNS query for. The first is 65.55.195.250 (pkt 17), but that's an SSL connection to get certificate information. The next is with 213.155.29.144 (pkt 275) on port 444. This session is established immediately after the FIN from the previous session with nrtjo.eu which downloaded the trojan - probably the first thing this malware does when it loads is to connect to this hardcoded IP address.

Now we can close NetworkMiner and open Filealyzer. If you installed NetworkMiner as shown above, then you'll see that all of the files that appeared in the data streams in the infected.pcap trace were extracted and reconstructed in the path 'C:\Program Files\NetworkMiner-0.91\AssembledFiles\59.53.91.102\HTTP - TCP 80'. In the Filealyzer GUI, open the file in that path called "file.exe.octet-stream". You should receive a message that says "This file is UPX compressed. Do you want to decompress and open the decompressed file as well?". Click 'Yes', and you'll have two open Filealyzer windows - one for the compressed file, and one for the UPX decompressed file. Now we can answer questions 5 and 6; the file was packed with UPX, and the MD5 of our uncompressed version is clearly visible in the Filealyzer window.

This leaves only question 2 to answer. It certainly seems that the answer is somewhere in the URL in packet 293, but is the answer 'ADMINISTRATOR', 'TKLABS-LZ' or '1C7AEC1'? The question can be answered quickly using Google - a search for 'gate.php guid' immediately returns a hit for 'http://www.malwareurl.com/listing.php?domain=freeways.in'. The information here shows that the logged in username was 'ADMINISTRATOR'. This link also indicates that this URL and domain are associated with the SpyEye trojan, and further web searches on 'SpyEye' produce numerous links that show that our trace shows Ms. Moneymany's machine being infected with some variant of SpyEye.
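The carving trouble described above (dumping packet 108 alone and trimming to "MZ") comes from the executable spanning many TCP segments: the bytes have to be reassembled in sequence order and the HTTP response header stripped before the result is a PE at all. The script below is an added example of that workflow, not the author's ppcap.pl and not NetworkMiner's code: it parses a libpcap file with no third-party modules, reassembles each server-to-client flow by TCP sequence number (dropping a retransmitted duplicate), strips the HTTP header, reads the PE section table to spot UPX's UPX0/UPX1 section names, and hashes what it carved. The pcap it analyzes is constructed inline: a stand-in "PE" that is only a header skeleton (not the puzzle's file.exe), served from 59.53.91.102 to 192.168.23.129 on an assumed client port 1042, with the two halves recorded out of order.

```python
"""Carve an HTTP-delivered executable from a pcap, flag UPX, and hash it (added example)."""
import hashlib
import struct

ETH_HDR_LEN = 14
PCAP_GLOBAL_HDR_LEN = 24
PCAP_REC_HDR_LEN = 16


def parse_pcap(data):
    """Yield (src, sport, dst, dport, seq, payload) for every IPv4/TCP record."""
    magic = data[:4]
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    off = PCAP_GLOBAL_HDR_LEN
    while off + PCAP_REC_HDR_LEN <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + PCAP_REC_HDR_LEN])
        frame = data[off + PCAP_REC_HDR_LEN:off + PCAP_REC_HDR_LEN + incl_len]
        off += PCAP_REC_HDR_LEN + incl_len
        if len(frame) < ETH_HDR_LEN or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[ETH_HDR_LEN:]
        if ip[9] != 6:
            continue  # not TCP
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        doff = (tcp[12] >> 4) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield src, sport, dst, dport, seq, tcp[doff:]


def reassemble(records):
    """Return {(src, sport, dst, dport): bytes}, segments joined in sequence-number order.
    Ordering by seq instead of capture order is what survives out-of-order delivery;
    a duplicate seq (retransmission) is kept once. Sequence wraparound is not handled."""
    flows = {}
    for src, sport, dst, dport, seq, payload in records:
        if payload:
            flows.setdefault((src, sport, dst, dport), {}).setdefault(seq, payload)
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}


def http_body(stream):
    """The response body starts after the first blank line of the HTTP header."""
    idx = stream.find(b"\r\n\r\n")
    return stream[idx + 4:] if idx >= 0 else b""


def pe_section_names(pe):
    """Walk DOS header -> e_lfanew -> COFF header -> section table; [] if not a PE."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack("<I", pe[0x3C:0x40])[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack("<H", pe[e_lfanew + 6:e_lfanew + 8])[0]
    opt_hdr_size = struct.unpack("<H", pe[e_lfanew + 20:e_lfanew + 22])[0]
    table = e_lfanew + 24 + opt_hdr_size  # 40-byte entries, name in the first 8 bytes
    return [pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\0") for i in range(num_sections)]


def is_upx_packed(pe):
    """Stock UPX names its sections UPX0/UPX1; a renamed packer will evade this check."""
    return any(name.startswith(b"UPX") for name in pe_section_names(pe))


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def analyze(pcap_bytes, server_port=80):
    """Carve every MZ body served from server_port and report hash and packer hints."""
    report = []
    for (src, sport, dst, dport), stream in reassemble(parse_pcap(pcap_bytes)).items():
        body = http_body(stream) if sport == server_port else b""
        if body[:2] == b"MZ":
            report.append({"server": src, "client": dst, "size": len(body),
                           "md5": md5_hex(body), "upx": is_upx_packed(body),
                           "sections": pe_section_names(body)})
    return report


def sample_pe():
    """Constructed stand-in: a non-executable PE header skeleton with UPX section names."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)           # 2 sections, no optional header
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1"))
    return dos + b"PE\0\0" + coff + sections + b"packed-body-bytes"


def _tcp_frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def build_sample_pcap():
    """Constructed capture: one HTTP 200 carrying sample_pe(), split in two segments that are
    recorded second-half-first, plus a retransmission of the first half. Client port is assumed."""
    body = sample_pe()
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body
    half = len(resp) // 2
    args = ("59.53.91.102", 80, "192.168.23.129", 1042)
    frames = [_tcp_frame(*args, 1000 + half, resp[half:]),
              _tcp_frame(*args, 1000, resp[:half]),
              _tcp_frame(*args, 1000, resp[:half])]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for entry in analyze(build_sample_pcap()):
        print(entry)
```

Running it against a real capture is a matter of `analyze(open("infected.pcap", "rb").read())`; the MD5 it prints is of the packed file as transferred, which is the one to compare against the Filealyzer window for the compressed copy, not the unpacked one.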