The Honeynet Project

Folks, its a frosty Tuesday morning in Seattle and the deadline for submissions to the forensic challenge 2010/2 "browsers under attack" has passed. We received a total of 34 for submissions from folks all over the world. Nicolas from the Singapore chapter will be judging the submissions in the next few days. We will announce the top three winners on Monday, 22nd of March 2010. Alongside, we will post their submissions as well as our sample solution. Since we were using a web form for this challenge, we will not acknowledge receipt of each submission. If you are unsure whether submission was successful, please email forensicchallenge2010@honeynet.org and we can check the submission database.) Also, if you have any suggestions on how to improve the forensic challenge, please let us know. Christian Seifert Chief Communications Officer The Honeynet Project PS: Forensic Challenge 2010/3 is currently being prepared. In this challenge, a memory dump needs to be analyzed...so a bit different from our past couple of challenges that focus on network traces....I hope to see many submissions on it. We expect to post it Tuesday, 23rd of March 2010...

We have decided to extend the submission deadline for our second forensic challenge - "browsers under attack" to Monday, 8th of March 2010. This gives you another week to participate in our latest challenge. Subsequently, the announcement of the results will also move another week to Monday, 22nd of March 2010. I have contacted all the folks that have already submitted their solution to us about this change. They, of course, have the opportunity to resubmit their solution, if they so wish, until the new submission deadline on the 8th. (If you have submitted and did not receive an email from me, please contact us at forensicchallenge2010@honeynet.org) Challenge 2 focuses on browser attacks and can be accessed at Forensic Challenge 2010/2. The top 3 submissions will be awarded prizes.

Last year the Honeynet Project entered Google Summer of Code (http://socghop.appspot.com/gsoc/program/home/google/gsoc2009) for the first time. We received 9 Google funded student places and also funded 3 more places of our own, all of whom successfully completed their projects in a wide range of areas of open source security R&D. You can find out more in our Google SoC 2009 section of our website (https://www.honeynet.org/gsoc).

Challenge 2 of the Honeynet Project Forensic Challenge has just been posted. The challenge has been provided by Nicolas Collery from the Singapore Chapter and Guillaume Arcas from the French Chapter and is titled browsers under attack.

Submission deadline is March 1st and results will be released on Monday, March 15th 2010. Small prizes will be awarded to the top three submissions.

Have fun!

I am very pleased to announce the winners to the 1st Honeynet Project Forensic Challenge 2010 - pcap attack trace. We had a total of 91 submissions and the top three submissions are true rock star submissions. The winners are:

• 1st Place: Ivan Rodriguez Almuina (Switzerland)
• 2nd Place: Franck Guenichot (France)
• 3rd Place: Tareq Saade (USA)

Congratulations to the winners!!! Each winner will receive a signed book from one of our Honeynet Project authors.

A sample solution (created by Tillmann, Markus, Hugo and Cameron) is available on the forensic challenge web site at FC 2010 - Challenge 1 - Pcap attack trace. On that page you will also find the submissions of the three winners. Tillmann, who single handedly judged all submissions, will be summarizing highlights from various submissions in a blog post shortly.

All folks that have submitted a solution should have received an email with information about their individual score as well as placement.

Nicolas Collery from the Singapore Honeynet Chapter and Guillaume Arcas are finalizing the second forensic challenge.The challenge will be 'browsers under attack' and I personally am very excited about this challenge. I hope we will receive many submissions from all who participated in challenge 1 (and hopefully more.) I will post to our web site honeynet.org in the next few days.

Thanks again - looking forward to the next challenge!
Christian

Monday, February 1st, the submission deadline for challenge 1 of the Forensic Challenge 2010 has passed. We have received 88 submissions and Tillmann who has been judging them mentioned there were some excellent submissions in the mix. Tillmann will be highlighting some answers when we announce the results on the 15th of February. I have acknowledged receipt of each submission received via email. If you have not received a confirmation mail from me, please contact me at forensicchallenge2010@honeynet.org and I will check whether we have received it. Christian

Glastopf: On January the 22nd I met Sven. Sven is a bachelor student at the Bern university of applied sciences and will write his thesis about Glastopf. During his work he will rewrite the current Glastopf unstable version, but when he will be finished the new version will have at least the same features like the previous version. The goals are: A much better modular structure, this means there is one core which directs every request to the modules. They store the data, emulating the vulnerability and compose the response which the core gives back to the attacker. There will be a much better classification of incoming attacks and the rules used for this will be totally detached from the source code to distribute them easily between different sensors. I will post some details as soon as we started the work. This also means that we will freeze the current unstable version to put all effort into the new version.

• Chicago Chapter

We have just posted the first challenge of the Forensic Challenge 2010. The first challenge deals with a network attack. It has been provided by Tillmann Werner from the Giraffe Chapter. It is accessible at https://honeynet.org/node/504. Submissions are due on Monday, February 1st 2010 and results will be released on Monday, February 15th 2010. The top three submissions will be awarded with small prizes. Check it out!

Forensic Challenge 2010 Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.

Send submissions (please use the MS word submission template or the Open Office submission template) forensicchallenge2010@honeynet.org no later then 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.

Skill Level: Intermediate

The Challenge:

A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

1. Which systems (i.e. IP addresses) are involved? (2pts)
2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
3. How many TCP sessions are contained in the dump file? (2pts)
4. How long did it take to perform the attack? (2pts)
5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
7. What specific vulnerability was attacked? (2pts)
8. What actions does the shellcode perform? Pls list the shellcode. (8pts)
9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
11. Do you think this is a manual or an automated attack? Why? (2pts)

Download:
attack-trace.pcap_.gz Sha1: 0f5ddab19034b2656ec316875b527d9bff1f035f

Sample Solution:
Forensic Challenge 2010 - Scan 1 - Solution_final.pdf Sha1: 7482a4d020cddde845344f8b02e05012

The Winners:

1. Ivan Rodriguez Almuina (Switzerland) - Ivan's submission - Sha1: 988d675a83ab8a4d6487ef69b16b3cfd41d1c7d6
2. Franck Guenichot (France) - Franck's submission - Sha1: c951552faf6118a352cc33a9b001350df9050575
3. Tareq Saade (USA) - Tareq's subission - Sha1: 969e73527a2c7a1b27e6b36f4cfa324fd8a66e94

I am very happy to announce the Honeynet Project Forensic Challenge 2010. The purpose of the Forensic Challenges is to take learning one step farther. Instead of having the Honeynet Project analyze attacks and share their findings, Forensic Challenges give the security community the opportunity to analyze attacks and share their findings. In the end, individuals and organizations not only learn about threats, but also learn how to analyze them. Even better, individuals can access the write-ups from other individuals, and learn about new tools and techniques for analyzing attacks. Best of all, the attacks of the Forensic Challenge are attacks encountered in the wild, real hacks, provided by our members.

It has been several years since we provided Forensic Challenges and with the Forensic Challenge 2010, we will provide desperately needed upgrades. The Forensic Challenge 2010 will include a mixture of server-side attacks on the latest operating systems and services, attacks on client-side attacks that emerged in the past few years, attacks on VoiP systems, web applications, etc. At the end of challenge, we will provide a sample solution created by our members using the state-of-the-art tools that are publicly available, such as libemu and dionaea.

The first challenge (of several for 2010) will be posted on our Forensic Challenges web site on Monday, January 18th 2010. We will be open to submissions for about two weeks and announce the winners by February 15th 2010. This year, we will also award the top three submissions with prizes! Please check the web site on Monday, January 18th 2010 for further details...

Christian Seifert

Chief Communications Officer
The Honeynet Project

Folks, I would like to inform you all about our recent activities that we are attempting to achieve. First of all, we have totally rebuilt our web site. This new ones aim to be a central repository of all the (external/internal) news concerning botnets (mainly) and malwares (secondary). We will use the blog for posting about our project developments, and for commenting/reporting interesting news concerning the field that we are currently treating, so you can now add a new entry to your feeds reader :)

• Italian Chapter

Parvinder Bhasin asked us to post an announcement about his new tool. While not officially a tool developed by the Honeynet Project, we thought you should know about some of the great work he is doing. Nepenthes PHARM is a perfect companion to your Nepenthes honeypot installations. PHARM is an Open Source client/server and web portal package, which provides central reporting and analysis of your distributed Nepenthes based honeypots.

We are very excited to announce the publication of our first paper in the new Know Your Tools paper series: “KYT: use Picviz to find attacks” authored by Sebastien Tricaud from the French Chapter and Victor Amaducci from the University of Campinas.

The paper can be downloaded at Know Your Tools: use Picviz to find attacks.

Paper Abstract
Picviz is a parallel coordinates plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize data and discover interesting aspects of that data quickly. Picviz uncovers previously hidden data that is difficult to identify with traditional analysis methods.

In the first paper of our new Know Your Tools series, Sebastien Tricaud from the French Honeynet Project Chapter and Victor Amaducci from the University of Campinas, focus on Picviz. After a brief overview on parallel coordinates, Picviz architecture, and installation procedure, three real-world examples are presented that illustrate how to identify attacks from large amounts of data: Picviz is used to analyze SSH logs, Apache access logs and network traffic. With these examples, it is demonstrated how Picviz can find attacks that previously have been hidden.

Recent additions to Picviz GUI have been made by Victor Amaducci under the mentorship of Sebastien Tricaud as part of the Google Summer of Code program 2009. The most recent version of Picviz is freely available for download from its project site at http://www.wallinfire.net/picviz and support can be sought from the Picviz mailing list at http://www.wallinfire.net/cgi-bin/mailman/listinfo/picviz..

• French Chapter