
More Contests!

Hello! Apologies for the lack of communications as of late, however new contests are coming soon. Expect regular contests and updates in the coming months, with the first contest of 2011 being posted some time next week.

Cheers!
Eric

2/9/2011 EDIT – Egads! It appears I spoke too soon. The next puzzle pcaps are all done, but a few things need to be done before the contest begins. Soon friends… -Eric

Defcon 2010

For all those attending DEFCON 2010, we’ll be hosting a puzzle contest starting Friday afternoon in the contest area. It’s a race against time; the first person to complete the puzzle wins a brand-new iPad. We’ll be posting the packet capture here after the contest for those of you who like the intellectual challenge. Contest description below… See you there!

Ann Dercover is on the run, and you’re hot on her trail as she travels around the globe hacking companies, stealing intellectual property, launching 0-day attacks and setting up sneaky backdoors. *You are the forensic investigator.* You’ve got a packet capture of Ann’s network traffic. Can you analyze Ann’s malicious traffic and solve the crime by Sunday? Prize: Win a brand-spanking new Apple iPad!

cheers!
Eric

Puzzle #6 Winners

Ann’s Aurora was one of our hardest contests yet. To get all the answers right, you had to carve out two Windows executable files, dissect Vick Timmes’ HTTP traffic, analyze malware, build a timeline and pinpoint connection open and close times to within a tenth of a second. Thanks to everyone who submitted an entry for Puzzle #6, “Ann’s Aurora,” and a special congratulations to the relatively small number of folks who submitted correct answers.

The winner of “Ann’s Aurora” is (*drumroll*)… Wesley McGrew, for his fantastic new forensics tool, pcapline. Pcapline automatically parses a packet capture and generates an HTML report. Through your web browser, you can view a summary of all flows and drill down into each one. Pcapline automatically carves out all the files– not just the tiny GIFs embedded inside a single packet, but Windows executable files broken up throughout the packet capture. Wesley also included MD5sums in the report output.

Best of all, it’s simple to use– you just type “pcapline.py” and the evidence file name, and pcapline does the rest. Wesley has put a copy of the pcapline report output here:

http://mcgrewsecurity.com/codedump/evidence06.pcap_output/

Erik Hjelmvik, our Silver medalist, released a new version of Network Miner (.92) for Contest #6. We know a lot of you already know and love Network Miner, because in previous contests about half of the entries relied on Erik’s tool! For this contest, Erik noticed that Network Miner was not properly detecting the HTML transfers at the beginning of the pcap file, because the TCP handshake was missing. He added functionality so that Network Miner more intelligently figures out which host is the server, and which is the client, when the TCP handshake is missing. Thanks, Erik, for a shiny new release of your fantastic tool.

Leendert Pieter van Drimmelen built three utilities for this contest: stream_ts.py, which automatically displays TCP connection established/closed times; analyse_syn_packets.py, which calculates how often an IP or TCP field changes (it also accepts tshark filters); and pextract.c, which extracts PE files from packet captures or incoming traffic. Pextract also accepts BPF filters and tries to find executables that are XOR obfuscated. These are three small, sharp utilities which are good to have in your toolkit.

Eric Kollmann wrote three handy tools: mzcarver.exe (a PE carving utility), contest6.pl (provides info about conversations), and contest6.exe (produces info about individual packets; you can limit by TCP flag and use BPFs). Nice work, Eric!

Jeff Wichman and Ruben Recabarren both created fantastic writeups, which you can read to get two detailed (and very different) methods for solving the contest. Iulian Anton also had a thorough narrative and created a couple of Perl utilities to assist with solving the contest. Candice Quates went “down the rabbit hole of javascript and exploit analysis,” and created trimexe.c, which extracts PE files from exported streams.

Thanks to the SANS Institute and the generosity of their vendor sponsors, the winners and finalists get to choose from the following list of prizes (winner picks first):

  • Lenovo Ideapad Netbooks (2 Netbooks – 1 netbook per winner)
  • Apple iPad – Sponsored by NetWitness Corporation
  • Flip Video Recorder – Sponsored by MANDIANT Inc.
  • F-Response TACTICAL (1 licensed copy) – Sponsored by F-Response
  • Forensic Toolkit 3 (1 licensed copy) – Sponsored by AccessData Corp.
  • Digital Forensics Magazine Subscriptions: Free print subscription for 12 months for the winner, and 2 digital online subscriptions for Finalists. The winner will also receive the backlist issues (i.e. 1-3). – Sponsored by Digital Forensics Magazine
  • 2011 Digital Forensics/IR Summit Passes (3 passes – 1 pass per top three winners)

Many thanks to everyone who made this contest possible, including Rob Lee, Jeremy Scott, Jeff Murri, Brian Corcoran, Ryan Corvetti, Dennis Kirby, and the wonderful SANS A/V crew.

Thanks most of all to everyone out there who participated. See you next time! 🙂


WINNERS:

Wesley McGrew

Finalists:

Erik Hjelmvik
Leendert Pieter van Drimmelen
Eric Kollmann
Jeff Wichman
Ruben Recabarren
Iulian Anton
Candice Quates

Semifinalists:

Francesco Acchiappati
Mark Hillick
Richard Shawn O’Connell
Ashish, Garima, Vikrant
Jon Larimer

Correct Answers:

Andy Patrick
Brian Sommers
Candice Quates
Carlos Pérez López
David Rodriguez
Eric Kollmann
Erik Hjelmvik
Francesco Acchiappati
Hsiang-Jen Shih
Iulian Anton
Jeremy Scott
Jon Larimer
Kazunori Kojima
Leendert Pieter van Drimmelen
Mark Hillick
Masashi Fujiwara
Peter Chong
Rakesh Mukundan
Richard Shawn O’Connell
Ruben Recabarren
Seth Leone & Ryan Sommers
Takuro Uetori
Wesley McGrew
Winter Faulk
Yogesh Khatri
Zoher Anis

Puzzle #6 Answers

Here are the answers to Puzzle #6: Ann’s Aurora. Thanks to everyone who played!

(Note: There were a lot of questions about rounding for questions 4, 5, 8 and 10. Due to the confusion, we accepted both mathematically correct rounding and answers that were simply truncated to the nearest tenth.)

Answer 1: http://10.10.10.10:8080/index.php
Answer 2: vEI
Answer 3a: index.phpmfKSxSANkeTeNrah.gif
Answer 3b: df3e567d6f16d040326c7a0ea29a4f41
Answer 4: 1.3 seconds (will also accept 1.2)
Answer 5: 87.6 seconds (will also accept 87.5)
Answer 6a: Windows executable
Answer 6b: b062cb8344cd3e296d8868fbef289c7c
Answer 7a: Every third packet
Answer 7b: Every packet
Answer 7c: Every 10-15 seconds
Answer 8: 123.7 (will also accept 123.6)
Answer 9: b062cb8344cd3e296d8868fbef289c7c
Answer 10: 198.4

Contest #6 HINT!

Hi everyone,

Just wanted to put out a little hint for Puzzle #6: Ann’s Aurora. Over half the entries so far have had questions #6b and #9 wrong (with everything else right)! Carving files can be tricky, and here are some tips.

  • The answers to #6b and #9 are the SAME. Yes! If you get two different answers, go back and double check your work. They should match up.
  • You can’t just run a file carving tool like foremost on the entire pcap and expect to carve out the file correctly. This is because foremost will identify the file type by its magic number, but it doesn’t remove the packet headers and reassemble the data. If you use foremost on the whole packet capture to carve out the files, the files you carve out will actually contain bits and pieces of TCP protocol data, etc. (Those of you who came up with MD5sums of “00bf222f746c43589307839e16f91520” and “d0af8e4f2c22f2d01b3da890a3e57ce4”– these are WRONG! Try again.)
  • To manually carve out the files, you will need to reassemble the TCP stream in the correct order, separate out ONE side of the conversation, extract the raw packet data, and then carve the PE file out of that. It’s not as hard as it sounds– you can do this with Wireshark pretty easily.
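The manual procedure in the hint, as an added example in Python (this is not code from the page, from pcapline, or from any of the contest tools): parse the pcap, rebuild one direction of the TCP stream by sequence number so that out-of-order and retransmitted segments end up in the right place exactly once, and carve the PE image out of the reassembled bytes. It also computes the hash you get from a magic-number carve over the raw pcap file, which is the mistake the hint warns about, so you can see the two MD5s differ. The capture, endpoints, and the 324-byte fake executable are all constructed inline with invented values; nothing here is taken from evidence06.pcap.

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, microsecond timestamps


def build_packet(ts, src, sport, dst, dport, seq, ack, flags, payload=b""):
    """pcap record + Ethernet/IPv4/TCP frame. Constructed data: checksums left 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split(".")))) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip
    sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def iter_tcp(pcap):
    """Yield (ts, src, sport, dst, dport, seq, flags, payload) per TCP segment.
    Minimal parser: Ethernet link type, IPv4, no VLAN tags."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total]
        sport, dport, seq, _ack, doff, flags = struct.unpack("!HHIIBB", tcp[:14])
        yield sec + usec / 1e6, src, sport, dst, dport, seq, flags, tcp[(doff >> 4) * 4:]


def reassemble(pcap, src, sport, dst, dport):
    """Rebuild the bytes sent from (src, sport) to (dst, dport), ordered by
    sequence number. Out-of-order and retransmitted segments are handled by
    keying every byte on its absolute sequence number; a gap raises instead of
    silently gluing non-adjacent data. (32-bit sequence wrap is not handled.)"""
    bytes_at = {}
    for _ts, s, sp, d, dp, seq, _flags, payload in iter_tcp(pcap):
        if (s, sp, d, dp) == (src, sport, dst, dport):
            for i, b in enumerate(payload):
                bytes_at[seq + i] = b
    seqs = sorted(bytes_at)
    if seqs and seqs[-1] - seqs[0] + 1 != len(seqs):
        raise ValueError("gap in stream: a segment is missing from the capture")
    return bytes(bytes_at[s] for s in seqs)


def carve_pe(stream):
    """Return the PE image from the MZ magic to the end of the stream (how a raw
    executable pushed over a backdoor channel appears), after checking that the
    e_lfanew pointer in the DOS header really lands on a 'PE\\0\\0' signature."""
    i = stream.find(b"MZ")
    if i < 0 or len(stream) < i + 64:
        return None
    e_lfanew = struct.unpack("<I", stream[i + 60:i + 64])[0]
    if stream[i + e_lfanew:i + e_lfanew + 4] != b"PE\x00\x00":
        return None
    return stream[i:]


# Constructed sample: a 324-byte fake executable (DOS stub, e_lfanew=64, PE sig).
FAKE_EXE = b"MZ" + b"\x90" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + bytes(range(256))
SERVER, CLIENT = ("10.10.10.10", 4444), ("10.10.10.70", 1046)  # invented endpoints


def sample_pcap():
    """Server pushes FAKE_EXE in 100-byte segments: out of order, one retransmit,
    with client ACKs interleaved, so a naive carve picks up headers and duplicates."""
    chunks = [FAKE_EXE[i:i + 100] for i in range(0, len(FAKE_EXE), 100)]
    isn, ack, t = 1000, 0x2000, 10.0
    pkts = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for n, idx in enumerate([0, 2, 1, 3, 1]):  # chunk 1 arrives late, then again
        seq = isn + 1 + 100 * idx
        pkts.append(build_packet(t + n * 0.1, *SERVER, *CLIENT, seq, ack, 0x18, chunks[idx]))
        pkts.append(build_packet(t + n * 0.1 + 0.01, *CLIENT, *SERVER, ack, seq + len(chunks[idx]), 0x10))
    return b"".join(pkts)


def demo():
    """Return (naive_md5, carved_md5, carved_matches_original)."""
    pcap = sample_pcap()
    naive = pcap[pcap.find(b"MZ"):]  # magic-number carve over the raw pcap file
    carved = carve_pe(reassemble(pcap, *SERVER, *CLIENT))
    return (hashlib.md5(naive).hexdigest(), hashlib.md5(carved).hexdigest(),
            carved == FAKE_EXE)


if __name__ == "__main__":
    print(demo())
```

The carver takes everything from the MZ magic to the end of the one-directional stream, which is right for an executable pushed raw over a backdoor channel; for a file delivered inside an HTTP response you would first strip the response headers and cut at Content-Length. Selecting only the server-to-client direction is what keeps the client's ACKs (and any client data) out of the carved file.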

All right, I’ve probably said too much 🙂 Hope that helps you track down Ann’s sneaky activities. Have fun!

Puzzle #5 Winners

By Lenny Zeltser. Lenny teaches the reverse-engineering malware (REM) course at SANS Institute.

We are very grateful to everyone who submitted answers to our Puzzle #5: Ms. Moneymany’s Mysterious Malware. Congratulations to everyone who provided correct answers to this network forensics puzzle with a malware twist.

Don Jackson submitted the solution that we picked as the winner of this contest. We were very impressed with the thoroughness of his description, with the attention to detail, and with the focus on network-related aspects of the incident. Reading Don’s solution made us feel like we are looking over the shoulder of the forensic analyst, as he formed theories and looked for evidence to substantiate or disprove them. Great job, Don, and congratulations on winning the Lenovo Ideapad netbook!

We also wanted to mention several other solutions that ranked close to the top:

We were impressed by the in-depth dive yulyul2003 took when looking at the inner-workings of the malicious executable. Though this level of detail was a bit outside the scope of this puzzle, we liked the analysis yulyul2003 performed of the infection and rootkit-related functionality of the specimen. This solution also provides excellent details regarding the infection mechanism.

Eugenio Delfa created a handy tool called castflow for carving PCAP files, which he used to extract files from the network traffic capture. Eugenio also performed some behavioral analysis of the malicious executable in the lab–we appreciated seeing these details in his write-up.

Iñaki Rodríguez showcased the use of tshark for analyzing network traffic–very nice. We also liked the use of Snort by dn1nj4 to examine the network traffic capture for signs of malicious activity.

Thanks to everyone who participated in this puzzle!

Winner:

Don Jackson (wins a Lenovo Netbook)

Finalists:

Bashar Ewaida
Christian North
dn1nj4
Eric Kollmann
Eugenio Delfa
Iñaki Rodríguez
Mark Hillick
Scott Cubic
yulyul2003

Correct:

Ahmed Adel Mohamed
Alan Tu
Ashish, Garima, Vikrant
Bobby
Candice Quates
Chet Kress
Dave Eilert
Don Jackson (winning submission)
Gaurav
Jeff Wichman
Joe Creasey
Masashi Fujiwara
Matt Erasmus
Param Singh
Parin
Peter Chong
Scott Cubic
Shane Kennedy
Takuro Uetori
Tareq Saade
Victor Ant Torre
Winter Faulk

Puzzle #6: Ann’s Aurora

Our latest puzzle was written by Sherri Davidoff, Eric Fulton and Jonathan Ham.

Hi! Recently we were challenged by SANS Fellow Rob Lee (author of “Computer Forensics” 508) to create a puzzle based on an Advanced Persistent Threat (APT). We thought this was a great idea! So this month we are doing a special release through the SANS Institute based on APT. SANS is sponsoring some especially cool prizes– check out the full puzzle and writeup here:

http://computer-forensics.sans.org/challenges/

The contest is a client-side attack based on Operation Aurora. This packet capture contains a full recording of a real Windows system getting exploited via the same mechanism that was used to exploit Google. Ann spear-phishes a developer, who clicks on a link and connects to her malicious web server. Then she configures the victim to make outbound persistent connection attempts to her server so that she can retain access and reconnect in the future.

We hope you have fun with this puzzle! We certainly had fun creating it. 🙂 To submit your answers, just use the Official Submission Form, as usual.

The Puzzle

Ann Dercover is after SaucyCorp’s Secret Sauce recipe. She’s been trailing the lead developer, Vick Timmes, to figure out how she can remotely access SaucyCorp’s servers. One night, while conducting reconnaissance, she sees him log into his laptop (10.10.10.70) and VPN into SaucyCorp’s headquarters.

Leveraging her connections with international hacking organizations, Ann obtains a 0-day exploit for Internet Explorer and launches a client-side spear phishing attack against Vick Timmes. Ann carefully crafts an email to Vick containing tips on how to improve secret sauce recipes and sends it. Seeing an opportunity that could get him that Vice President of Product Development title (and corner office) that he’s been coveting, Vick clicks on the link. Ann is ready to strike…

You are the forensic investigator. Your mission is to analyze the packet capture containing Ann’s exploit, build a timeline, and submit your evidence including…

  1. What was the full URI of Vick Timmes’ original web request? (Please include the port in your URI.)
  2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled “COMMENT”, then filled their data element with a string. What was the value of this string?
  3. Vick’s computer made a second HTTP request for an object.

    1. What was the filename of the object that was requested?
    2. What is the MD5sum of the object that was returned?
  4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second, i.e., 49.5 seconds)
  5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second, i.e., 49.5 seconds)
  6. In packet 17, the malicious server sent a file to the client.

    1. What type of file was it? Choose one:

      • Windows executable
      • GIF image
      • PHP script
      • Zip file
      • Encrypted data
    2. What was the MD5sum of the file?
  7. Vick’s computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:

    1. How often does the TCP initial sequence number (ISN) change? (Choose one.)

      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
    2. How often does the IP ID change? (Choose one.)

      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
    3. How often does the source port change? (Choose one.)

      • Every packet
      • Every third packet
      • Every 10-15 seconds
      • Every 30-35 seconds
      • Every 60 seconds
  8. Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second, i.e., 49.5 seconds)
  9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file?
  10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second, i.e., 49.5 seconds)
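Questions 4, 5, 7 and 8 come down to two small pieces of analysis: how often a header field (ISN, IP ID, source port) changes across the repeated SYNs, and at what offset from the start of the capture a session opened or closed, rounded to tenths. The following is an added Python example (not the contest's code, not one of the winners' tools, and not derived from evidence06.pcap) that does both over a constructed list of packet records. It reports the change cadence in both forms the question offers, because a field can change "every third packet" and "every 12 seconds" at the same time, and it returns each timing both rounded and truncated to a tenth, which is the ambiguity the Puzzle #6 answers note mentions. Hosts, ports, ISNs, IP IDs and timestamps are all invented.

```python
from collections import namedtuple
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

Pkt = namedtuple("Pkt", "ts src sport dst dport ip_id seq flags")
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
CLIENT, SERVER = "10.10.10.70", "10.10.10.10"  # invented hosts, not the contest's


def sample_syns():
    """Constructed: three connect() attempts to SERVER:4445, each a SYN plus two
    retransmissions at +3 s and +9 s; a new socket (new port, new ISN) is opened
    12 s after the previous attempt began; IP ID increments on every packet."""
    pkts, ip_id = [], 0x3100
    for n, (sport, isn) in enumerate([(1037, 0x1A2B3C4D), (1038, 0x7E8F9A0B), (1039, 0x22334455)]):
        for offset in (0.0, 3.0, 9.0):
            pkts.append(Pkt(100.0 + 12.0 * n + offset, CLIENT, sport, SERVER, 4445, ip_id, isn, SYN))
            ip_id += 1
    return pkts


def sample_session():
    """sample_syns() followed by a fourth attempt that the server accepts, then a
    client FIN. Timestamps are invented."""
    p = sample_syns()
    p += [Pkt(136.00, CLIENT, 1040, SERVER, 4445, 0x3109, 0x66778899, SYN),
          Pkt(136.02, SERVER, 4445, CLIENT, 1040, 0x0BAD, 0xC0FFEE00, SYN | ACK),
          Pkt(136.03, CLIENT, 1040, SERVER, 4445, 0x310A, 0x6677889A, ACK),
          Pkt(200.13, CLIENT, 1040, SERVER, 4445, 0x310B, 0x6677889A, FIN | ACK),
          Pkt(200.15, SERVER, 4445, CLIENT, 1040, 0x0BAE, 0xC0FFEE01, FIN | ACK)]
    return p


def change_cadence(pkts, field):
    """How often `field` changes across pkts: the packet period (None when the
    changes are not evenly spaced) and the min/max seconds between changes."""
    vals = [getattr(p, field) for p in pkts]
    idx = [i for i in range(1, len(vals)) if vals[i] != vals[i - 1]]
    if not idx:
        return {"field": field, "every_n_packets": None, "seconds_between_changes": None}
    steps = {idx[0]} | {b - a for a, b in zip(idx, idx[1:])}
    gaps = [pkts[i].ts - pkts[j].ts for j, i in zip([0] + idx, idx)]
    return {"field": field,
            "every_n_packets": steps.pop() if len(steps) == 1 else None,
            "seconds_between_changes": (round(min(gaps), 1), round(max(gaps), 1))}


def tenths(x):
    """(rounded half-up, truncated) to a tenth of a second, the two answer forms
    the contest accepted. Decimal avoids float round() surprises on .x5 values."""
    d = Decimal(repr(x))
    return (float(d.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)),
            float(d.quantize(Decimal("0.1"), rounding=ROUND_DOWN)))


def session_bounds(pkts, port, t0):
    """Seconds after capture start t0 at which the session on `port` was opened
    (first SYN/ACK, i.e. the server accepted it) and closed (first FIN or RST).
    That is one convention; state yours when you report a timeline."""
    on_port = [p for p in pkts if port in (p.sport, p.dport)]
    opened = next(p.ts for p in on_port if (p.flags & (SYN | ACK)) == (SYN | ACK))
    closed = next(p.ts for p in on_port if p.flags & (FIN | RST))
    return tenths(opened - t0), tenths(closed - t0)


if __name__ == "__main__":
    for f in ("seq", "ip_id", "sport"):
        print(change_cadence(sample_syns(), f))
    print(session_bounds(sample_session(), 4445, 98.75))
```

On the constructed data the IP ID changes every packet (3 to 6 seconds apart), while the ISN and source port change every third packet and every 12 seconds; which description to give is a judgement about the client's behaviour, not something the numbers alone settle, which is why both views are returned. To run the same analysis on a real capture, feed it records built from tshark or a pcap parser rather than the inline sample.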

Here is your evidence file: evidence06.pcap

  • MD5 (evidence06.pcap) = efac05c50c0ae92bf0818e98763920bd
  • SHA256 (evidence06.pcap) = fa5fc1ffad525688626c301372b37e101efcbbbd124f9781f5701648e6a02be3

Prizes!

SANS worked with several vendors to put together a generous prize package for this contest. Rob writes, “This year we are offering multiple overall prizes. Some of these prizes have been offered by sponsoring vendors that support future digital forensics research, analysis, and the spirit of the competition. The winning team or individual will have their first choice at the prize list. Win in first place? First to choose your prize.” Here’s the list:

Contest materials may not be used for any commercial purposes whatsoever, including marketing, without explicit written permission. If you are interested in using the contest materials for purposes besides your own personal use, please ask first. Full terms of use are available here.

Deadline is 6/27/10 (11:59:59PM UTC-11) (In other words, if it’s still 6/27/10 anywhere in the world, you can submit your entry.)

Please use the Official Submission Form to submit your answers.

Warning: When answering this puzzle, remember that you will be working with real-world malicious software. Be careful not to infect yourself! Use an isolated system, which you will be able to reinstall at the end of your investigation.

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the evidence recovery. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under an approved Open Source License. All responses should be submitted as PLAIN TEXT. Microsoft Word documents, PDFs, etc will NOT be reviewed.

Feel free to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified.

The contest materials are copyrighted. The files are for personal use only. You are welcome to publish full solutions after the deadline, but please use proper attributions and link back to the original site at sans.org. Contest materials may not be used for any commercial purposes whatsoever, including marketing, without explicit written permission. If you are interested in using the contest materials for purposes besides your own personal use, please ask first.

Exceptional solutions may be incorporated into the SANS Network Forensics Investigative Toolkit (SNIFT kit). Exceptional submissions may also be used as examples and tools in the Network Forensics course, with full attribution. By submitting your answer to this puzzle, you agree that your code submissions will be freely published under the GPL license, and your solution’s text will be licensed according to the Creative Commons v3 “Attribution” License. All authors will receive full credit for their work.

Deadline is 6/27/10 (11:59:59PM UTC-11). Here’s the Official Submission Form. Good luck!!

Copyright 2010, Lake Missoula Group, LLC. All rights reserved.

Puzzle #5 Closed

Hi folks,

Puzzle #5 is now closed! Thank you all for your entries. The answers and winners will be up soon. Stay tuned for Puzzle #6, which comes out next week… 🙂

Puzzle #5: Ms. Moneymany’s Mysterious Malware

Our latest forensics puzzle has a malware twist to it, and was written by Lenny Zeltser. Lenny teaches the reverse-engineering malware (REM) course at SANS Institute.

The puzzle:

It was a morning ritual. Ms. Moneymany sipped her coffee as she quickly went through the email that arrived during the night. One of the messages caught her eye, because it was clearly spam that somehow got past the email filter. The message extolled the virtues of buying medicine on the web and contained a link to the on-line pharmacy. “Do people really fall for this stuff?” Ms. Moneymany thought. She was curious to know how the website would convince its visitors to make the purchase, so she clicked on the link.

The website was slow to load, and seemed to be broken. There was no content on the page. Disappointed, Ms. Moneymany closed the browser’s window and continued with her day.

She didn’t realize that her Windows XP computer just got infected.

You are the forensic investigator. You possess the network capture (PCAP) file that recorded Ms. Moneymany’s interactions with the website. Your mission is to understand what probably happened to Ms. Moneymany’s system after she clicked the link. Your analysis will start with the PCAP file and will reveal a malicious executable.

Here is the network capture file for this puzzle. The MD5 hash of this PCAP file is c09a3019ada7ab17a44537b069480312. Please use the Official Submission Form to submit your answers.

Answer the following questions:

1. As part of the infection process, Ms. Moneymany’s browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?
2. What was Ms. Moneymany’s username on the infected Windows system?
3. What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?
4. As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany’s system. What was the file’s MD5 hash? Hint: It ends on “91ed”.
5. What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in “mainstream” malware.
6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?
7. The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?

Prize: Lenovo Ideapad S10-2 netbook

Deadline is 5/13/10 (11:59:59PM UTC-11) (In other words, if it’s still 5/13/10 anywhere in the world, you can submit your entry.)

Consider using an automated tool for extracting file artifacts (web pages, executable files, etc) embedded in the network capture file. Doing this manually tends to be slow and error-prone.

Also, note that to complete a comprehensive analysis of this incident, we should examine the malicious executable that found its way onto Ms. Moneymany’s system. That task is outside the scope of this particular puzzle, but we may look at it in a later puzzle.

Warning:

When answering this puzzle, remember that you will be working with real-world malicious software. Be careful not to infect yourself! Use an isolated system, which you will be able to reinstall at the end of your investigation.

About Your Solution:

Use the Official Submission Form to submit your solution. All responses should be submitted as plain text. Microsoft Word documents, PDFs, etc. will not be reviewed.

When grading your solutions, we will not just look for correct answers, but will also look at the explanation of how you derived your answers. The winning solution will stand out due to its elegance, insights, and readability. In the event of a tie, the entry submitted first will receive the prize.

You are welcome to collaborate with other people and discuss ideas back and forth. You can even submit as a team (there will be only one prize). However, please do not publish the answers before the deadline, or you (and your team) will be automatically disqualified.

By submitting your answer to this puzzle, you agree to license your solution’s text according to the Creative Commons v3 “Attribution” License.

Coding is always encouraged. We love to see well-written, easy-to-use tools which automate even small sections of the analysis process. Graphical and command-line tools are all eligible. You are welcome to build upon the work of others, as long as their work has been released under a license that allows free derivative works.

Exceptional solutions may be incorporated into the SANS Network Forensics Investigative Toolkit (SNIFT kit) and/or Reverse-Engineering Malware course materials. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Reverse-Engineering Malware or Network Forensics course. All authors will receive full credit for their work.

Getting started with malware analysis:

If you’re interested in malware analysis, here are a few resources to help you get started:

• Building a Malware Analysis Toolkit Using Free Tools
• Using VMware for Malware Analysis
• Introduction to Malware Analysis Webcast

Final Note

Lenny Zeltser holds the copyright for this puzzle. He thanks Anand Sastry, Sherri Davidoff and Slava Frid for their feedback when creating this puzzle.