Forensic Challenge 14 - Weird Python

18 Mar 2015

Your boss John went to a BYOD conference lately. Yeah, he’s that kind of security guy… After some mumbling about targeted attacks happening during the event, your team finally got their hands on a PCAP with his traffic. Your colleague Pete Galloway investigated the incident. Yesterday, he casually mentioned that he found some weird Python bytecode, but couldn’t make much sense out of the “random” payloads yet. Today, Pete didn’t come to work. Five minutes ago, he sent a company-wide mail with a total of four words: “Fuck you, I quit.” What has happened!?

Forensic Challenge 13 – A Message in a Picture

08 Apr 2013

Forensic Challenge 13 – “A Message in a Bottle Picture” (provided by the PNW Chapter)

Skill Level: Intermediate

Background

Communication using hidden channels (steganography) is one way to protect that communication from third parties. You are a law enforcement agent in the forensics unit. In a recent raid, the agency was able to obtain the three attached packages of images from a suspected command and control server. These images could potentially contain hidden messages that will be relayed to a powerful botnet army that could destroy earth. Obviously a high priority item! While your colleagues try to reverse the botnet code, you are tasked with analyzing the images directly and extracting the hidden messages.

Forensic Challenge 12 – Hiding in Plain Sight

16 Oct 2012

Forensic Challenge 12 – “Hiding in Plain Sight”

(provided by the Alaska Chapter under the leadership of Lucas McDaniel)

Skill Level: Intermediate

Background

You belong to a company specializing in hosting web applications through KVM-based Virtual Machines. Over the weekend, one VM went down, and the site administrators fear this might be the result of malicious activity. They extracted a few logs from the environment in the hope that you might be able to determine what happened. This challenge is a combination of several entry- to intermediate-level tasks of increasing difficulty focusing on authentication, information hiding, and cryptography. Participants will benefit from entry-level knowledge in these fields, as well as knowledge of general Linux operations, kernel modules, a scripting language, and reverse engineering. Not everything may be as it seems. Innocuous files may turn out to be malicious, so take precautions when dealing with any files from this challenge.

Forensic Challenge 11 - Dive Into Exploit

02 Aug 2012

Challenge 11 - Dive Into Exploit (provided by Georg Wicherski from Giraffe Chapter)

Skill Level: Advanced

  1. What vulnerability is being exploited in the given packet capture? Can you identify the exploit?
  2. How does the first stage load the second stage?
  3. Elaborate the cryptographic security (or absence thereof) of the second stage. How does it load the third stage?
  4. How does the third stage load the last stage? Please reconstruct the original last stage before being loaded.
  5. Where is the secret message located and what does it say?
  6. Please explain why an attacker might deliver his payload in this way.

Only submissions answering all six questions correctly will be considered. The most accurate submission wins. If there is no correct submission within two months of this challenge being posted, the challenge will be closed without a winner.

Forensic Challenge 10 - Attack Visualization

16 Feb 2012

Challenge 10 - Attack Visualization (provided by Ben Reardon from Australia Chapter)

Skill Level: Intermediate

Forensic Challenge 10 takes us back in time, to revisit one of last year’s popular Forensic Challenges (FC5). Although this time around, the goal is to create a visual representation of the attack.

There are no right or wrong answers here, and we are keen to see what you can create! If you are constrained by any guidelines, or have ideas that are “out of the box” – that’s fine, we want you to use your imagination and have fun.

Forensic Challenge 9 - Mobile Malware

31 Oct 2011

Challenge 9 - Mobile Malware

(provided by Franck Guenichot from French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from Malaysia Chapter and Matt Erasmus from South Africa Chapter)

Skill Level: Intermediate

With the number of smartphone users growing exponentially (1.6 billion mobile device units were sold in 2010, 19% of which were smartphones), mobile devices are becoming an attractive platform for cybercriminals. As a security researcher or enthusiast, you need to know your enemy and be able to defend yourself against these new kinds of threats.

Forensic Challenge 8 - Malware Reverse Engineering

01 Sep 2011

Challenge 8 - Malware Reverse Engineering

(provided by Angelo Dell’Aera and Guido Landi from the Sysenter Honeynet Project Chapter)

Skill Level: Difficult

The challenge is about reversing a malware sample and deciphering and analyzing its configuration. Please note that this is a real sample captured in the wild, so you must be extremely careful when analyzing it.

Questions:

  1. Provide the common name for the malware family and version (1 point)
  2. Describe the mechanism used by the sample in order to be able to restart itself at the next reboot (2 points)
  3. Describe how the malware injects itself into the running system. How many threads does it spawn, and what is the role of each? (8 points)
  4. Describe the API hooking mechanism used by the sample (3 points)
  5. What is the purpose of the HttpSendRequest hook? Detail how it works (6 points)
  6. What is the purpose of the NtQueryDirectoryFile hook? Detail how it works (3 points)
  7. What is the purpose of the NtVdmControl hook? Detail how it works (4 points)
  8. What is the purpose of the InternetReadFile hook? Detail how it works (4 points)
  9. What is the purpose of the InternetWriteFile hook? Detail how it works (4 points)
  10. Describe the mechanism used by the sample in order to load the external plugins (3 points)
  11. Extract the decrypted configuration file used by this sample (6 points)
    11a. Analyze the plugin ddos.dll and detail its inner workings (3 points)
    11b. Analyze the plugin customconnector.dll and detail its inner workings (6 points)
    11c. Analyze the plugin ccgrabber.dll and detail its inner workings (6 points)

Bonus question

  12. Write code that automates the decryption of the configuration file

Forensic Challenge 7 - Analysis of a Compromised Server

02 Mar 2011

Challenge 7 - Forensic Analysis of a Compromised Server - (provided by Guillaume Arcas from the French Honeynet Project Chapter, Hugo Gonzales from the Mexican Honeynet Project Chapter, Julia Cheng from the Taiwan Honeynet Project Chapter)

Please submit your solution using the submission template below by March 30th, 2011.

Results will be announced around the third week of April. For any questions and inquiries, please contact [email protected].

Skill Level: Beginner

Forensic Challenge 6 - Analyzing Malicious Portable Destructive Files

31 Oct 2010

Challenge 6 - Analyzing Malicious Portable Destructive Files - (provided by Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Honeynet Project Chapter) presents a typical attack using a malicious PDF file.

Submission deadline has passed. Results have been posted below. For any questions and inquiries, please contact [email protected].

Skill Level: Intermediate

The Challenge:

The PDF format is the de facto standard for exchanging documents online. Such popularity, however, has also attracted cyber criminals, who use it to spread malware to unsuspecting users. The ability to generate malicious PDF files to distribute malware is functionality that has been built into many exploit kits. As users are less cautious about opening PDF files, the malicious PDF file has become quite a successful attack vector.

The network traffic captured in lala.pcap contains network traffic related to a typical malicious PDF file attack, in which an unsuspecting user opens a compromised web page, which redirects the user’s web browser to the URL of a malicious PDF file. As the PDF plug-in of the browser opens the PDF, the unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user’s machine.

Forensic Challenge 5 - Log Mysteries

01 Sep 2010

Challenge 5 - Log Mysteries - (provided by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, Sebastien Tricaud from the French Chapter) takes you into the world of virtual systems and confusing log data. In this challenge, figure out what happened to a virtual server using all the logs from a possibly compromised server.

The questions are more open-ended than in past challenges. To score highly, we recommend answering in the following way: