Slashdot Mirror


A New Challenge from Honeynet

cjpez writes: "The people at the Honeynet have issued another challenge on the Bugtraq mailing list. Instead of hacking into a box, though, this time your goal is to submit the best analysis of a binary file they'll post on Monday, May 6th. Think you're good at reverse engineering? Then try it out! They're even offering actual prizes, so you can get something besides the feeling of personal fulfillment for your trouble. The post hasn't quite made it to SecurityFocus' Bugtraq Archive yet, but I did find it at another Bugtraq archive in Germany (slashdottings abound!). The URL included in the email, http://project.honeynet.org/reverse/, doesn't seem to be active yet, so presumably we can assume it'll go up on Monday. The post fails to address other concerns, though: will the winner be in violation of the DMCA? :P The challenge was also issued, obviously enough, on SecurityFocus' Honeypot mailing list." In a later note, he points out that the announcement has finally made it to the Bugtraq archive page. (And that URL is active now.)

68 of 117 comments

  1. Tricky. by Anti-Microsoft Troll · · Score: 1, Funny

    Actually, Microsoft is bankrolling this competition. It's their way of getting clever programmers to self-register.

    This way, when it finishes buying up the U.S. Government and moves the nation's capital to Redmond, all potential [h|cr]ackers can be rounded up and interred in camps. Security holes in Windows will then be a thing of the past.

  2. That's easy... by C60 · · Score: 2, Funny


    It's "ntldr" ... And boy is MS gunna be pissed.

    --
    Karma: 0 (But I wield a mean +10 Vorpal Apathy)
  3. Re:Binary files by freejamesbrown · · Score: 1

    i hope it's some old amiga binary. m. http://www.pataphysics-lab.com

  4. The announcement by _typo · · Score: 3, Informative
    In case the archive becomes slashdotted here's the announcement:


    Last year the Honeynet Project sponsored the Forensic Challenge,
    a competition amongst the security community to study, analyze,
    and report on a computer hacked in the wild. The result was a
    complete forensic analysis of the hacked system. Both the analysis
    from different individuals and the images of the hacked
    computer are shared and used to this day.

    This year we are continuing that tradition and are announcing the
    Reverse Challenge. The goal of this challenge is to develop reverse
    engineering skills amongst the security community. Your mission, if
    you should choose to accept, is to analyze and report on a binary
    captured in the wild. Your analysis will then be judged by a panel
    of experts, rated, and shared with the security community.

    This year we actually have prizes. Top prizes include licensed
    copies of IDA Pro, $200 Amazon gift certificate from DataRescue, and
    free pass to the Black Hat Briefings. As if that was not enough, the
    top 20 entries get a signed copy of the Honeynet book, Know Your Enemy
    (you know, the book the guy down the hall is using as a door stopper :).
    Judges include:

    - David Dittrich
    - K2
    - Halvar
    - Job de Haas
    - Niels Provos
    - Gera

    The challenge officially begins Monday, 06 May when we release the
    binary. You have between now and the 6th to get your tools ready,
    form teams if you wish, and stock up on the caffeinated beverage of
    choice. You will then have four weeks to complete your analysis and
    submit your report no later the 24:00 GMT, Friday, 31 May. Submissions
    will be judged and then released 01 July. You can learn more about the
    challenge now, and download the binary on 06 May, at

    http://project.honeynet.org/reverse/

    All question, concerns, and submissions should be sent to

    We hope that the community has fun with this, with the ultimate goal
    of learning and sharing. Let the games begin!

    --- The Honeynet Project

    PS, the person who hacked our Honeynet is not eligible to submit an entry,
    you know who you are. The question is, do we? .... :)

    --

    Pedro Côrte-Real.

    1. Re:The announcement by b1tsh1ft0r · · Score: 1
      we are supposed to take this as verbatim from a poster named typo?

      :)

      --
      Will work for paycheck.
  5. is it me.. by Husaria · · Score: 2, Interesting

    or are they just asking what the purpose of the binary is? Reading from their challenge, that pretty much sums it up... or I could just need a nap

  6. get some sleep by b1tsh1ft0r · · Score: 3, Informative

    they are going to release a binary found in the wild

    in other words, a trojan, altered system binary from a rootkit, or the like

    we are supposed to determine what it is, what it does, what it doesn't do, that sort of thing. then write up our findings in a nice professional package for fun, fame and prizes

    --
    Will work for paycheck.
    1. Re:get some sleep by iabervon · · Score: 2

      I'd guess that it's some sort of exploit-wrapper or tool for examining the system, rather than a program that is supposed to look like something recognizable. Otherwise, some of the things they're asking aren't interesting questions.

    2. Re:get some sleep by bleckywelcky · · Score: 2, Insightful


      Actually, it's a compromise that Honeynet encountered, could not decipher, and decided to have some other poor saps do their work for them. If you find out what it is and what it does, but only provide scant information to Honeynet, you don't win the prize. It's sort of like some of those companies that sponsor hacking "contests". They challenge people to compromise a test bed they have set up, and whoever does wins some grand prize. The only catch is that you have to tell them anything and everything, to the last detail, that you did. If you simply only leave proof that you were successful, then you don't get the prize. These are cheap scams to outsource some work/research/testing that needs to be done, to the public for only the cost of a few prizes (even though they may be somewhat decent) for much less than it would take to hire someone professionally for $50k, $60k, or $70k a year.

      *Takes off tinfoil hat.*

  7. Here's the binary, see if you can analyse it by Salsaman · · Score: 4, Funny

    ! seineew era sreenigne tfosorciM

  8. Actual link by spood · · Score: 4, Informative

    Not everybody serves their dot-org like slashdot. Here's the real link : WWW.honeynet.org.

    Or maybe they were just trying to keep it from being slashdotted! :)

    --
    ---- Just another spud server.
  9. A file of ... by joe_bruin · · Score: 4, Funny

    a file of what? what's in it, random data? how do i know when i found it?

    i hope they dont use my method of hiding data:
    tar files
    bzip2 tar file
    xor it with my social security number
    hexdump to ascii file
    generate gif of the hex in the ascii file
    gpg encrypt gif
    gzip the gpg text (twice!)
    divide file into ints, swap endian-ness, reform
    uuencode the file
    hide contents in id3v2 tag of my "nofx" mp3s

    1. Re:A file of ... by spood · · Score: 3, Informative

      I know you're just clowning, but the binary is a tool uploaded to a honeynet server right after it was compromised and then executed on that machine.

      The goal of this contest is for the security community to examine tools that are "in the wild" and forensically analyse them to determine origin, function, skill of the creator, etc. and present the forensic methods used. The community can benefit from this open sharing of methodology so we can all be aware of our opponents in the ring.

      --
      ---- Just another spud server.
    2. Re:A file of ... by tswinzig · · Score: 2, Redundant

      i hope they dont use my method of hiding data:
      tar files
      bzip2 tar file
      xor it with my social security number
      hexdump to ascii file
      generate gif of the hex in the ascii file
      gpg encrypt gif
      gzip the gpg text (twice!)
      divide file into ints, swap endian-ness, reform
      uuencode the file
      hide contents in id3v2 tag of my "nofx" mp3s


      Holy shit!

      You do that, too?

      --

      "And like that ... he's gone."
    3. Re:A file of ... by nmtratman · · Score: 2, Informative
      Well, according to the honeynet page, it's a program of some sort. To quote, "the binary in question was downloaded, installed, and then ran on the compromised honeypot." Given this information, you'd probably want to be careful about running the binary. It was used on an infiltrated honeypot. Some suggestions about dealing with this project:
      • Don't run it on a work machine! Should be obvious.
      • If it's not your personal machine and you intend to run it, make sure that the owner is aware of possible consequences and has given full permission.
      • Don't run it on a critical machine. If it's a rootkit of some sort, or something more insidious, you don't want it destroying data. Preferably, you'd like the option to wipe the partition(s) and reinstall if it's nasty.
      I don't think the honeypot project would release a very dangerous file without some kind of warning. Still, a little precaution wouldn't hurt.
      --
      Car analogies work about as well as a Ford Pinto with a keg of beer in the passenger seat.
    4. Re:A file of ... by JonWan · · Score: 2

      You forgot to ROT 13 it twice.

    5. Re:A file of ... by Skevin · · Score: 2

      I just mv it to dev/null. I don't know anyone who can steal it from me at that point.

      Skevin

      --
      "Twice half-assed makes an ass whole." --Solomon K. Chang
    6. Re:A file of ... by Pinball Wizard · · Score: 2
      just an FYI, that doesn't really delete your data, it just removes the pointer the OS used to find your data on the disk...the actual data is still there, and can easily be found.


      You could get a "shredder" type program if you really want to get rid of that data. Even that won't stop a determined FBI agent with an electron microscope. You could encrypt it, but then you might get prosecuted if you didn't hand over the key when asked.


      So, if you really have something to hide, a unique way of hiding it like the parent poster's just might be the best way to do it.

      --

      No, Thursday's out. How about never - is never good for you?

    7. Re:A file of ... by togtog · · Score: 1

      Suggestion, VMware (http://www.vmware.com/). Disable net access, don't use raw disks. Should work great.

      Then again IANASE (I am not a security expert).

    8. Re:A file of ... by wings · · Score: 1

      Doesn't everyone?

    9. Re:A file of ... by cheese_wallet · · Score: 3, Interesting

      I think you are wrong there. When you gzip or tar or gpg a file, it isn't actually operating on the original file, it creates a new one. Then it deletes the old one.

      So even if you encrypt all your files, there are probably still unencrypted versions that are findable on your drive.

      An encrypted file system might be a way around this, or use some program to repeatedly write and erase random data to the "blank" portions of your disk.

    10. Re:A file of ... by Medevo · · Score: 2, Interesting

      On Windows systems there are many 'shredder' tools such as Norton Wipespace that go along and 0 fill all the unused space on a machine

      And when you delete a file what happens is the files entry in the rootsector is removed, the rootsector has a list of all files on the drive (that the OS knows about) and where they are. It can also hold other information such as in FAT32 filesystems the official filesize is 8.3 (a clone of fat16) but using a 'comment' sector of the root and other 245 or so odd bytes are stored.

      A way to get around the normal FBI or investigator problems searching in your disks without getting in trouble (for not giving pword) is to get a laptop that has security hard drives. These drives will only work when connected to that computer's BIOS. And you can do your work on the laptop, take the hard drive out, and hide the laptop until problems blow over

      Medevo

    11. Re:A file of ... by Wolfier · · Score: 2

      Yup. I'm about to suggest VMWare / FreeMware...it should be the safest - however, stepping through the program with gdb is not such an unsafe idea as it seems.

    12. Re:A file of ... by wortelslaai3434 · · Score: 1
      How about User Mode Linux?

      I've never used it but always wanted to try. Anybody's got experience with UML?

    13. Re:A file of ... by SLi · · Score: 1

      How about User Mode Linux?

      I gave it a try a couple of days ago as a way to test the root filesystem on a boot floppy. I was surprised by its simple usage, you just compile the binary and run it like ./linux ubd0=root.fs, and your root.fs will be available on the UML kernel's /dev/ubd0 which can be mounted as the root. It just works.

      On Debian, even easier. Just 'apt-get install user-mode-linux' && linux ubd0=root.fs and off you go.

    14. Re:A file of ... by Medevo · · Score: 1

      That could also work

      but it would get expensive in HD-costs,

      if security is that important to you no measure could be considered to be 'good enough'

      Medevo

  10. Re:easy by aozilla · · Score: 2

    PS, the person who hacked our Honeynet is not eligible to submit an entry, you know who you are. The question is, do we? .... :)

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  11. Re:easy by larien · · Score: 2

    Damn, you've found out their sekrit plot to uncover the cracker!

  12. Reverse engineering for beginners... by slipgun · · Score: 2, Interesting

    Anyone know where I can find a newbie's guide to reverse engineering? Although I've done a bit of low level programming, I never got beyond the basics, and all I've done recently is modify the 'START' string in explorer.exe using ultraedit-32.

    --
    SpamNet - a spam blocker that really works
    1. Re:Reverse engineering for beginners... by cp4 · · Score: 4, Informative

      Here's an interesting link. Not necessarily a guide though.

    2. Re:Reverse engineering for beginners... by ewhac · · Score: 3, Informative

      Fravia's Pages of Reverse Engineering aren't too shabby an introduction. However, their focus is on DOS-based systems, not UNIX.

      Schwab

    3. Re:Reverse engineering for beginners... by Wolfier · · Score: 2

      Hehe, I have an article there too ;) Wow, never thought it'd be mirrored so widely. It's sad that www.fravia.org went away, though.

      Fellow reversers, wanna join force cracking up this honeypot thing?

    4. Re:Reverse engineering for beginners... by Wolfier · · Score: 3, Interesting

      Reverse engineering binaries sounds difficult, but in fact it is just a fancy name for "analyze program with debugger", i.e. tracing, stepping, examining memory etc.

      There are many tools for Unix and Windows, on unix we have nm, file, strings, gdb, perl, etc. (basically everything in the GNU binutils!!) On Windows the choice is a bit limited but they are also the best - softice, boundschecker, windbg, debug, regmon, filemon, IDA pro, w32dasm.

      I learned reverse engineering in the Apple ][ era, but it is equally fun to learn it now!

    5. Re:Reverse engineering for beginners... by wortelslaai3434 · · Score: 1

      You missed (at least in my opinion) the first quick & dirty one:

      strace

      IANAD (ebugger), but strace has helped me solve LOTS of problems, where everything else is over my head.

    6. Re:Reverse engineering for beginners... by Wolfier · · Score: 1

      oh, this too ;) but if you have a good enough debugger, strace is not necessary - and, you know, I'm not going to let a program just run if I don't know what it will do...stopping the proggie when you see something bad happening on strace's output is probably too late...

  13. The reverse engineered source.... by Anonymous Coward · · Score: 4, Funny

    printf("B"); printf("E"); printf(" "); printf("S"); printf("U"); printf("R"); printf("E"); printf(" "); printf("T"); printf("O"); printf(" "); printf("D"); printf("R"); printf("I"); printf("N"); printf("K"); printf(" "); printf("Y"); printf("O"); printf("U"); printf("R"); printf("O"); printf(" "); printf("O"); printf("V"); printf("A"); printf("L"); printf("T"); printf("I"); printf("N"); printf("E"); printf("/n");

    1. Re:The reverse engineered source.... by QuodEratDemonstratum · · Score: 1
      printf("/n");
      That's \n, moron.
      Only if you want a '\n' displayed.
      If you want "/n" displayed then "/n" is correct.
    2. Re:The reverse engineered source.... by Carbonite · · Score: 1

      Get a frickin life! Who the hell corrects syntax in a joke?

      --
      I must have more cowbell
  14. How about by nixterino · · Score: 1

    executing it (assuming it's executable)?

    1. Re:How about by Bob McCown · · Score: 1
      How about executing it

      fdisk

  15. how... by GreenPhreak · · Score: 4, Interesting

    This seems like a really cool contest to raise awareness on security matters. This feels kind of like an ACM problem, except less programming and probably a lot more real-world experience. Anyway, I've never tried to figure out what binary files do...I always refer to source files. Are there many tools available for looking at or figuring out what binaries do? Any reference pages? (the one linked on the article page isn't very helpful). Can someone provide more information about forensics with binaries? Thank you.

    --
    I drink to prepare for a fight; tonight I'm very prepared. -Soda Popinksi
  16. wouldn't it be great by mo · · Score: 2

    Wouldn't it be great if it turns out to be the newest format for IndivBox.key

  17. Easy by Anonymous Coward · · Score: 1, Funny

    If you look hard enough it occurs somewhere in the digits of Pi written in base 256.

  18. Fastest way. by JonWan · · Score: 4, Funny

    Just open the file in Outlook. That will narrow down the possibilities.

  19. Quite a challenge. by Hiro Antagonist · · Score: 5, Informative

    This looks to be an interesting challenge; I believe the entire idea is analyzing the binary (which is a program) without actually running the thing; then, designing methods to check for network activity and such that this particular binary would generate. In addition, you get bonus points for correctly quantifying the skill level of the coder who produced said binary.

    It's much the same way as analyzing a captured worm/virii; you need to figure out what it does, how to detect it, how to block/eradicate it, and also try and establish a profile of the originator of the worm/virii.

    --
    I Hit the Karma Cap, and All I Got Was This Lousy .sig.
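    An added example, not from this thread or the Honeynet Project: a small Python triage script in the spirit of the "nm, file, strings" toolkit mentioned above and the "analyze it without running it" approach, which decodes the ELF file header and pulls printable strings from a captured sample without executing it. The sample bytes are constructed inline (a header plus filler, not a real program), and the indicator patterns are illustrative heuristics of my own.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL (relocatable)", 2: "EXEC (executable)",
          3: "DYN (shared object or PIE)", 4: "CORE"}
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# Plain-text indicators worth a second look during triage (constructed heuristics).
INDICATORS = {
    "path": re.compile(r"^/[\w./-]+$"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


def is_elf(data):
    """True if the bytes start with the ELF magic (what file(1) checks first)."""
    return len(data) >= 16 and data[:4] == ELF_MAGIC


def parse_elf_header(data):
    """Decode the ELF file header; handles ELF32/ELF64 in either byte order."""
    if not is_elf(data):
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]   # 1/2 = 32/64 bit, 1/2 = LE/BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unknown EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # Fields after e_ident; ELF64 widens e_entry, e_phoff and e_shoff to 64 bits.
    fmt = endian + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    size = 16 + struct.calcsize(fmt)
    if len(data) < size:
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(
        fmt, data[16:size])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, "unknown(%d)" % e_type),
        "machine": E_MACHINE.get(e_machine, "unknown(%d)" % e_machine),
        "entry": e_entry,
        "program_headers": e_phnum,
        "section_headers": e_shnum,
        # No section table at all is a common sign of a stripped or packed sample.
        "no_section_table": e_shnum == 0,
    }


def extract_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    """Static summary: header facts, all strings, and strings that look like indicators."""
    found = extract_strings(data)
    return {
        "header": parse_elf_header(data),
        "strings": found,
        "indicators": {kind: [s for s in found if pat.search(s)]
                       for kind, pat in INDICATORS.items()},
    }


def build_sample():
    """Constructed ELF64 little-endian x86-64 header plus filler; not runnable code."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    header = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 64, 0, 0,
                         64, 56, 2, 64, 0, 0)   # e_shnum = 0: no section table
    filler = (b"\x00" * 16 + b"/tmp/.x\x00GET / HTTP/1.0\x00ab\x00"
              b"192.168.0.5\x00")
    return e_ident + header + filler


if __name__ == "__main__":
    report = triage(build_sample())
    print(report["header"])
    print(report["indicators"])
```

Run it against a real sample by replacing build_sample() with open(path, "rb").read(); nothing here executes the input.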
    1. Re:Quite a challenge. by Glorat · · Score: 2

      Actually, I'm sure the engineer would have to run it if only in a debugger to work out what is happening. This thing may well be a "pseudo-trojan" so it may be a case of running it under VMWare to see what happens.

  20. Finals Week by fuzz6y · · Score: 4, Funny

    Releasing such a challenge on Monday of finals week is pure, unmitigated evil. So much for my grades. . .

    --
    If you're going to be elitist, it would help to be elite.
  21. Sacrificial Lamb.. by pennsol · · Score: 1

    I've got a p233 running win98 i'd load this thing on just to see it Die...WUHHAHAHAHA

    --

    Just Limin' Mon

  22. I have a premonition by VaXXi · · Score: 1

    Anyone wants to bet that 96% of all submitted solutions will be output of this:

    [root@localhost /root] wget http://project.honeynet.org/reverse/some_binary_file

    [root@localhost /root] file some_binary_file

    ? (heh)

  23. Anyone else find this funny? by dimator · · Score: 4, Funny

    Rule #6: The person who hacked the box is NOT eligible

    --
    python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  24. Bar too high... by vovin · · Score: 2, Funny
    # Only one entry per household, please. Must be sentient to enter. Sorry, no Ginsu Knives come with this offer!

    Guess I need not waste my time ;->

  25. The Main Honeynet URL by emkman · · Score: 1

    while honeynet.org and www.honeynet.org are (still) down, the main project page can be reached here

    --
    Moderation Totals: Flamebait=2, Troll=1, Redundant=1, Insightful=6, Overrated=1, Underrated=1, Total=12. (not mine)
  26. I know what it is.... by rusty spoon · · Score: 1

    It can only be a picture of Big Billg himself, which of course scares the living daylights out of the tin hat linux weenies whose only purpose in life is to make their box the most secure (and then use their DOB as their PIN number), whilst at the same time downloading pr0n using a custom written shell script executed using cron.

    When do I get my prize?

    ;-)

  27. Wow. He should get bonus points ... by MarkedMan · · Score: 1

    ...for obscure movie reference....What movie has an anti-climactic moment when the main character gets his long lusted-after secret decoder ring only to find the hidden message is just a crass advertisement for Ovaltine? And the answer is.... A Christmas Story

  28. Re:Binary files by xmedar · · Score: 1

    Yeah, you suddenly find it's self modifying code for Itanium complete with undocumented API calls to Win64, or possibly worse, self modifying code for a Connection Machine or other massively parallel boxen, my bet is that the binary file will be the same size as the database for the Human Genome project, now do they use MySQL 3 or 4??

    --
    Any sufficiently advanced man is indistinguishable from God
  29. mmmmm....valtine. by cheebie · · Score: 1

    You misspelled the message. It's supposed to be "BE SURE TO DRINK
    EURO VALTINE." American valtine is watered down, mass produced swill,
    completely inferior to quality German or Swiss valtine. However, the
    recent craft valtining movement is beginning to change that. I had an
    excellent wheat valtine from Pennsylvania the other night.

  30. 00:00 != 24:00 by Mana Mana · · Score: 1
    You will then have four weeks to complete your analysis and submit your report no later the 24:00 GMT [...]
    There is no such hour. There is an infinitesimal amount of time between 23:59 and 00:00, but no 24:00 hour, ask any military guy/gal. They would've been better served by saying instead, ``no later the 23:59.''
    1. Re:00:00 != 24:00 by aWalrus · · Score: 1

      There are actually 60 seconds between those. Granted, it's not A LOT of time, but I wouldn't call it infinitesimal...

      --
      Overcaffeinated. Angry geeks.
    2. Re:00:00 != 24:00 by Mana Mana · · Score: 1
      Zulu time is still zulu time! Zulu time is the term used by the Western/NATO militaries to signify UTC {nee, GMT}; also it is the phonetic term used in military alphabetic phonetics. To wit, alpha, bravo, charlie ... zulu.

      So, don't whip out an ISO spec or an RFC to bolster what everyone, and their parking court judge, will interpret as nonsense.

      Example. You're standing one 11:59:59PM moment on Friday night for your honey to arrive. You look up an instant later as s/he arrives, and yell out: You made it, it's 12:00:00PM!

      No way, Babe! ^ That's lunch time. Not midnight. You'd be talking nonsense, and the parking meter maid will slap you with a ticket, and the traffic court judge, as I said, will find against you. Look it up, there are court cases on just this very subject. Why do you think traffic signs around the 12AM and 12PM hour are no more, and read like so: ... up to 11:59PM; or street cleaning begins at 11:59AM? To avoid the kind of confusion you fell into, or that is created in most people.

      As I said originally, the Pooh guys should have simply said, = 23:59 UTC/GMT/Zulu/Universal Time Coordinated/Universal Coordinated Time. Pax.

  31. I disagree by BigDaddy · · Score: 5, Informative
    I think you misinterpret the goals of the Honeypot project. These people aren't doing it to market some super system, but rather to provide information about actual cracking techniques to the Whitehat community. They regularly have "competitions" where people analyze various types of attacks. I don't think these usually have prizes. The Honeypot project then provides all the information they have, in addition to the information uncovered by the participants.

    Perhaps you should take a look at their site and some of their previous work before you assume an ulterior motive. The Honeypot project provides some really interesting looks into the minds of the Blackhat community.

    --
    You can't get a blue screen on a black and white monitor.
  32. Why it's pr0n, of course... by Spamhead · · Score: 1


    10 bucks says that it's going to be the goatse.cx jpg

    --
    Everybody Wang-Chung tonight!
  33. ZDNET by electroniceric · · Score: 2

    I'm sure someone has noted by now that ZDNet is carrying this story. On ZDNet it was posted at 4PM. It seems quite possible to me that they picked it up because it was running on Slashdot - it's much more a geek story than an enterprise-techie one. The media getting their news from Slashdot? - a disturbing prospect, and totally circular. What shall we read, dear Liza?

  34. Dumb and Dumber by totierne · · Score: 1

    Any x86 machine code to C 'compilers' out there?

  35. Don't do that!! by multipartmixed · · Score: 3, Informative

    > I just mv it to dev/null.

    The file will still be there, only it will be called /dev/null, and you won't have a /dev/null special file anymore, which can break a LOT of stuff. (mmap(/dev/null, bunch_o_bytes) is a common way to allocate memory, for example). If you DO blow away your /dev/null, you need to know the maj/min numbers for that device and recreate it with mknod.

    --

    Do daemons dream of electric sleep()?
    1. Re:Don't do that!! by sydneyfong · · Score: 1

      1. MAKEDEV will fix it (although it might be more than just fixing the device file if it broke), no need to memorize the numbers
      2. devfs would prevent this from happening
      3. you're not running as (gasp!) root are you??

      --
      Don't quote me on this.
    2. Re:Don't do that!! by multipartmixed · · Score: 2

      1. Usually, yeah. devfsadm on some SYSV (e.g Solaris 8) will too.

      2. If it's available

      3. Don't ask me about the time I forgot I was root and blew away /dev/lpr on my BSDI 2.0.1 box. (long time ago ;-)

      --

      Do daemons dream of electric sleep()?
  36. Re:Binary files by fizbin · · Score: 3, Insightful

    Why bother?

    I mean, the people from the honeynet project are going to post the complete entries of the top 20 anyway, and one of the criteria they're going to use is how well documented (i.e. "good for learning") the entry is. 'Tis better to learn that way than to stumble through hundreds of "I got this far and then quit" entries on some quickly pieced together slash site.

    I for one hope that I'll actually get off my ass and enter this one; I've analyzed a few of their forensics "scan of the month" but have never gotten around to submitting a writeup. (Expository writing always seems so draining)

  37. Not the first time they've done this.. by snake_dad · · Score: 2

    Read the challenge and results from last year. Great stuff!

    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.