Your challenge is to analyze a binary captured in the wild.
Last Modified: 03 May, 2002, 10:45 CDT
Every day, incident handlers across the globe are faced with compromised systems, running some set of unknown programs, providing some kind of unintended service to an intruder who has taken control of someone else's -- YOUR, or your client's, or customer's -- computers. To most administrators, the response is a matter of "get it back online ASAP and be done with it." This usually leads to an inadequate and ineffective response: you never learn what hit you, and the probability of repeated compromise is high.
Law enforcement, for its part, is hampered by a flood of incidents and a lack of good data. A victim trying to keep a system running, or doing a "quickie" cleanup job, usually means incidents go underreported, and inadequate handling of the evidence leaves no evidence, or tainted evidence. There has to be a better way to meet the needs of incident handlers and system administrators, as well as law enforcement, if Internet crime is going to be managed and not run amok. One possible answer is effective analysis skills -- widespread knowledge of tools and techniques -- to preserve data, analyze it, and produce meaningful reports to your organization's management, to other incident response teams and system administrators, and to law enforcement.
Enter the Honeynet Project. One of the primary goals of the Honeynet Project is to find order in chaos by letting the attackers do their thing, and allowing the defenders to learn from the experience and improve. The latest challenge is the Reverse Challenge. Just like the Forensic Challenge, we're opening it up to anyone who wants to join in.
The Reverse Challenge is an effort to allow incident handlers around the world to all look at the same binary -- a unique tool captured in the wild -- and to see who can dig the most out of the tool and communicate what they've found in a concise manner. This is a nonscientific study of tools, techniques, and procedures applied to post-compromise incident handling. The challenge is to have fun, to solve a common real-world problem, and for everyone to learn from the process. If what I've said already isn't enough to get you interested, the Honeynet Project is offering signed copies of their popular Know Your Enemy book for the 20 best submissions.
All we are going to tell you about the binary is this: sometime in 2002 a Honeynet system was compromised, and the binary in question was downloaded, installed, and then run on the compromised honeypot. It's now your mission -- should you choose to accept it! -- to identify how the tool works, its purpose, and to show your methods for analysis. We don't expect that everyone undertaking the challenge can or will address all of the following items, but the list below of questions and deliverables is provided as a guideline for what to produce and what to focus on. The following points should be addressed in your answers.html document.
To simplify and to normalize the results, assume that your annual salary is $70,000 and that there are no user-related costs. (If you work as a team, break out hours by person, but all members should use the same annual salary. Please also include a brief description of each investigator's number of years of experience in the fields of system administration, programming, and security, just to help us compare the number of hours spent with other entrants).
To summarize (and standardize) the deliverables, please produce the following in .html format:
File             Contents
---------------------------------------------------------------------
index.html       Index of files/directories submitted (including any not listed below)
timestamp.html   Timestamp of MD5 checksums of all files listed and submitted (dating when produced -- see deadline information below)
summary.html     The summary for a non-technical audience, such as management or media.
advisory.html    Advisory for a technical audience, such as administrators and incident handlers within your organization.
analysis.html    Details showing how you obtained your analysis, showing tools and methods used.
answers.html     Answers to the questions listed above.
costs.html       Incident cost-estimate.
files.tar        Any other files produced during analysis and/or excerpts (e.g., strings output or disassembly listings) from analysis.
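The timestamp.html deliverable asks for a dated MD5 manifest of everything you submit. The script below is an added example, not part of the Honeynet Project's challenge text; it builds such a manifest for a submission directory and re-verifies it later, so you (and the judges) can tell whether any file changed after the manifest was produced. It assumes a POSIX shell and either md5sum (GNU coreutils) or md5 (BSD/macOS); the function names make_manifest, verify_manifest and md5_of are this example's own.

```shell
#!/bin/sh
# Added example: timestamped MD5 manifest for a challenge submission.
# Not part of the Honeynet Project's own text. Assumes POSIX sh plus
# md5sum (coreutils) or md5 (BSD/macOS); function names are this example's.

# md5_of FILE -> prints the 32-hex-digit MD5 of FILE
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# make_manifest DIR OUT -> writes a UTC timestamp line, then one
# "<md5>  <relative path>" line for every regular file under DIR
# (the manifest itself is excluded so it can live inside DIR).
make_manifest() {
    dir=$1; out=$2
    {
        printf '# generated %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        ( cd "$dir" && find . -type f ! -name "$(basename "$out")" | sort ) |
        while IFS= read -r f; do
            printf '%s  %s\n' "$(md5_of "$dir/$f")" "${f#./}"
        done
    } > "$out"
}

# verify_manifest DIR MANIFEST -> returns 0 if every listed file still has
# the recorded MD5, 1 otherwise (mismatching or missing paths are printed).
# The manifest is read via redirection, not a pipe, so the status variable
# set inside the loop survives in POSIX sh.
verify_manifest() {
    dir=$1; manifest=$2; status=0
    while IFS= read -r line; do
        case $line in '#'*|'') continue ;; esac
        sum=${line%%  *}; path=${line#*  }
        if [ ! -f "$dir/$path" ] || [ "$(md5_of "$dir/$path")" != "$sum" ]; then
            echo "MISMATCH: $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Usage (uncomment to run against a real submission directory):
# make_manifest ./submission ./submission/timestamp.txt
# verify_manifest ./submission ./submission/timestamp.txt && echo "manifest OK"
```

Publish the manifest (or its hash) somewhere dated, such as a signed e-mail to a third party, before the deadline; the checksums only prove integrity, and the external timestamp is what proves when they were produced.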
No matter what tools/methods you choose, please make sure you explain them in your analysis and cite references to resources (e.g., RFCs, CERT or SANS "how to" documents) to help others learn by example. Don't forget: this is a Honeynet Project brainchild, so learning is what it's all about. And fun. It's all about learning and fun. Oh yeah, and security. Learning, fun, AND security. ;)
Submissions will be judged by a panel of experts, and winners will be selected and announced on Monday, 01 July, 2002. All decisions of the judges are final (no recounts or legal challenges by teams of grossly overpaid lawyers will be tolerated!). The judges include (but are not limited to):
Good luck, and have fun!
--- The Honeynet Project