To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.


Forensic Challenge 2010/3 - "banking troubles" - and the winners are ....

Josh, Angelo, Matt and Nicolas finished evaluating the submissions for FC2010/3 banking troubles. Again, lots of great submissions! We had a total of 22 and the top performers for FC2010/3 are:

  1. Mario Pascucci (Italy)
  2. Tyler Hudak (USA)
  3. Carl Pulley (UK)

Congratulations to the winners and all the folks that participated in the challenge - this was not an easy one. Each winner will receive a signed book from one of our Honeynet Project authors. We have posted the submissions of the winners and sample solution on the FC2010/3 web page. All participants should have also received an email today with information about their individual score as well as placement.

How can we improve the Forensic Challenge?

Folks, the submission deadline for the Forensic Challenge 3 – “Banking Troubles” has passed. We have received 22 submissions and will be announcing results on Wednesday, May 12th 2010. With the 3rd challenge coming to an end, we would love to get your feedback on the challenges: Which challenge did you enjoy in particular and why? Do you have any suggestions on how to improve the challenge? Is there a particular challenge you would like to see in the future? Send your feedback to [email protected]

Honeynet Annual Workshop has kicked off

The 2010 Honeynet Workshop has kicked off, in the wonderful surroundings of UNAM, Mexico City. Many thanks to our hosts!

A Breeze of Storm

Today, Steven Adair from Shadowserver informed us about a new piece of malware that looks like a new version of the infamous Storm Worm. Storm was one of the first serious peer-to-peer botnets; it was sending out spam for more than two years until its decline in late 2008. Mark Schloesser, Tillmann Werner, Georg Wicherski, and I did some work on how to take down Storm back then, so the rumors about a new version caught our interest.

GSoC 2010 Student Selection is Public

After a few slow days for student applicants everywhere, and some difficult decisions on the final slot allocations for our mentors, the long wait is finally over and the GSoC 2010 official student selections are public. The Honeynet Project are very excited to have received 17 GSoC slots this year (up from 9 last year), so many thanks to Google for their fantastic support again this year.

Forensic Challenge 2010/3 - "Banking Troubles" - submission deadline extended to Monday, 26th of April 2010

Folks, we have decided to extend the submission deadline of the Forensic Challenge 2010/3 - "Banking Troubles" for another week (the deadline is now April 26th 2010). It seems this challenge is a bit tougher and we would like to give you all the opportunity to submit your results. For those folks that have already submitted, you can resubmit via the web form in case you would like to make changes to your solution. The Forensic Challenge 2010/3 can be accessed here:

Google Summer of Code 2010 Student Application Deadline Closed

Student applications for Google Summer of Code 2010 closed at 19:00 UTC tonight, with the usual last minute rush of submissions (but thankfully no timezone confusion this time). We had thought that receiving three student applications in the final minute, including one with 8.4 seconds to spare was cutting it close, but Plan9 apparently had one lucky applicant with 1.23 seconds remaining on the clock! That must set a new GSoC record... ;-)

Google Summer of Code 2010 Updated Ideas Page and Student Applications Open

On March 29th Google officially began accepting applications from students for Google Summer of Code 2010, which the Honeynet Project is very excited to be participating in again this year as a mentoring organisation. We've recently updated our project ideas page and mentor information and students have until 19:00 UTC on Friday April 9th to apply (you can either choose one of our ideas or propose your own).

Forensic Challenge 2010/3 - "Banking Troubles" has been posted

Challenge 3 of the Honeynet Project Forensic Challenge - titled "Banking Troubles" - is now online and we invite you to participate. Challenge 3 - provided by Josh Smith and Matt Cote from The Rochester Institute of Technology Chapter, Angelo Dell'Aera from the Italian Chapter and Nicolas Collery from the Singapore Chapter - is a bit different from our previous challenges in that we do not ask you to analyze a pcap network trace, but rather a memory image from a virtual machine. This should make for an interesting challenge!

Submission deadline is April 18th and results will be released on Wednesday, May 5th 2010. Small prizes will be awarded to the top three submissions.

Challenge 3 of the Forensic Challenge 2010 - Banking Troubles

Challenge 3 - Banking Troubles - (provided by Josh Smith and Matt Cote from The Rochester Institute of Technology Chapter, Angelo Dell'Aera from the Italian Chapter and Nicolas Collery from the Singapore Chapter) is to investigate a memory image of an infected virtual machine.

The challenge was completed on May 12th 2010.
Skill Level: Difficult

The Challenge:

Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an email from a fellow co-worker that pointed to a PDF file. Upon opening, the employee did not seem to notice anything, however recently they have had unusual activity in their bank account. Company X was able to obtain a memory image of the employee’s virtual machine upon suspected infection. Company X wishes you to analyze the virtual memory and report on any suspected activities found. Questions can be found below to help in the formal report for the investigation.

  1. List the processes that were running on the victim’s machine. Which process was most likely responsible for the initial exploit? (2pts)
  2. List the sockets that were open on the victim’s machine during infection. Are there any suspicious processes that have sockets open? (4pts)
  3. List any suspicious URLs that may be in the suspected process’s memory. (2pts)
  4. Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (4pts)
  5. Were there any files that were able to be extracted from the initial process? How were these files extracted? (6pts)
  6. If there was a file extracted from the initial process, what techniques did it use to perform the exploit? (8pts)
  7. List suspicious files that were loaded by any processes on the victim’s machine. From this information, what was a possible payload of the initial exploit that would affect the victim’s bank account? (2pts)
  8. If any suspicious files can be extracted from an injected process, do any anti-virus products pick up the suspicious executable? What is the general result from anti-virus products? (6pts)
  9. Are there any related registry entries associated with the payload? (4pts)
  10. What technique was used in the initial exploit to inject code into the other processes? (6pts)
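As an added illustration of the carving that questions 3 to 5 and 8 ask for (this is not part of the challenge or of its sample solution), the following Python script scans a raw memory image for ASCII and UTF-16LE URL strings and for MZ headers whose e_lfanew field actually points at a "PE\0\0" signature. The buffer it runs over is constructed inline and is not the hn_forensics image; the URLs and offsets in it are placeholders. Against the real image the same work is normally done with a memory-forensics framework such as Volatility, but the raw version shows why a bare "MZ" hit is not evidence on its own and why URLs that Windows processes hold as wide strings are missed by a plain ASCII strings pass.

```python
"""Carve URL strings and PE headers out of a raw memory image.

Added example for the memory-analysis questions above; not part of the
challenge, its sample solution, or any submission.
"""
import re
import struct

# ASCII URL: scheme, then a run of URL-safe characters.
URL_ASCII = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]{4,200}")
# Same thing for UTF-16LE: every ASCII character is followed by a NUL byte.
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00"
    rb"(?:[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]\x00){4,200}"
)


def find_urls(image: bytes):
    """Return (offset, url, encoding) for every URL-like string in the image."""
    hits = []
    for m in URL_ASCII.finditer(image):
        hits.append((m.start(), m.group().decode("ascii"), "ascii"))
    for m in URL_UTF16.finditer(image):
        hits.append((m.start(), m.group().decode("utf-16-le"), "utf-16le"))
    return sorted(hits)


def find_pe_headers(image: bytes):
    """Return offsets of MZ headers whose e_lfanew points at a valid PE signature.

    'MZ' alone occurs all over a memory image (text, random data, stale
    fragments); requiring that the DWORD at offset 0x3c land on 'PE\\0\\0'
    discards most of those false positives.
    """
    found = []
    pos = image.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(image):
            (e_lfanew,) = struct.unpack_from("<I", image, pos + 0x3C)
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and image[pe_off:pe_off + 4] == b"PE\x00\x00":
                found.append(pos)
        pos = image.find(b"MZ", pos + 1)
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory dump (placeholder data, not the challenge image)."""
    filler = b"\x00" * 64
    ascii_url = b"http://example.invalid/drop/update.php"
    wide_url = "https://bank.example.invalid/login".encode("utf-16-le")
    # Minimal DOS header (0x40 bytes) with e_lfanew = 0x40, followed by 'PE\0\0'.
    mz = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", mz, 0x3C, 0x40)
    pe_stub = bytes(mz) + b"PE\x00\x00" + b"\x00" * 20
    # A stray 'MZ' with e_lfanew = 0: must be rejected by find_pe_headers.
    stray_mz = b"MZ" + b"\x00" * 0x3E
    return filler + ascii_url + filler + wide_url + filler + pe_stub + filler + stray_mz


if __name__ == "__main__":
    img = build_sample_image()
    for off, url, enc in find_urls(img):
        print(f"0x{off:08x}  {enc:8s}  {url}")
    for off in find_pe_headers(img):
        print(f"0x{off:08x}  PE header")
```

On a real image the offsets would be fed back into the process and VAD listings to tie each string or header to the process it sits in; that mapping, not the raw carve, is what answers questions 3, 4 and 8.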

hn_forensics.tgz Sha1: 8178921fd065ad2de9c6738fe062d2b37402c04a

Sample Solution:
Forensic_Challenge_3_-_Banking_Troubles_Solution.pdf - Sha1: 986752a9aa4b832951dfa6319cb5e16256a9b3c9

This work by Josh Smith, Matt Cote, Angelo Dell'Aera and Nicolas Collery is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

The Winners:

  1. Mario Pascucci (Italy) - Mario's submission - Sha1: ad6e08bd0bff8a65e5ea8865e63addf9d6324212
  2. Tyler Hudak (USA) - Tyler's submission - Sha1: 226e15990dac263402670d5976c8b63f241864c7
  3. Carl Pulley (UK) - Carl's submission - Sha1: 2d20203403cf33bd565dbf81a54dbe414a17a597

