Slashdot Mirror

← Back to Stories (view on slashdot.org)

A New Challenge from Honeynet

Posted by timothy on from the steps-toward-justified-evisceration dept.

cjpez writes: "The people at the Honeynet have issued another challenge on the Bugtraq mailing list. Instead of hacking into a box, though, this time your goal is to submit the best analysis of a binary file they'll post on Monday, May 6th. Think you're good at reverse engineering? Then try it out! They're even offering actual prizes, so you can get something besides the feeling of personal fulfillment for your trouble. The post hasn't quite made it to SecurityFocus' Bugtraq Archive yet, but I did find it at another Bugtraq archive in Germany (slashdottings abound!). The URL included in the email, http://project.honeynet.org/reverse/, doesn't seem to be active yet, so presumably we can assume it'll go up on Monday. The post fails to address other concerns, though: will the winner be in violation of the DMCA? :P The challenge was also issued, obviously enough, on SecurityFocus' Honeypot mailing list."" In a later note, he points out that the announcement has finally made it to the Bugtraq archive page." (And that URL is active now.)

40 of 117 comments (clear)

  1. That's easy... by C60 · · Score: 2, Funny


    It's "ntldr" ... And boy is MS gunna be pissed.

    --
    Karma: 0 (But I wield a mean +10 Vorpal Apathy)
  2. The announcement by _typo · · Score: 3, Informative
    In case the archive becomes slashdotted here's the announcement:


    Last year the Honeynet Project sponsored the Forensic Challenge,
    a competition amongst the security community to study, analyze,
    and report on a computer hacked in the wild. The result was a
    complete forensic analysis of the hacked system. Both the analysis
    from different individuals and the the images of the hacked
    computer are shared and used to this day.

    This year we are continuing that tradition and are announcing the
    Reverse Challenge. The goal of this challenge is to develop reverse
    engineering skills amongst the security community. Your mission, if
    you should choose to accept, is to analyze and report on a binary
    captured in the wild. Your analysis will then be judged by a panel
    of experts, rated, and shared with the security community.

    This year we actually have prizes. Top prizes include licensed
    copies of IDA Pro, $200 Amazon gift certificate from DataRescue, and
    free pass to the Black Hat Briefings. As if that was not enough, the
    top 20 entries get a signed copy of the Honeynet book, Know Your Enemy
    (you know, the book the guy down the hall is using as a door stopper :).
    Judges include:

    - David Dittrich
    - K2
    - Halvar
    - Job de Haas
    - Niels Provos
    - Gera

    The challenge officially begins Monday, 06 May when we release the
    binary. You have between now and the 6th to get your tools ready,
    form teams if you wish, and stock up on the caffeinated beverage of
    choice. You will then have four weeks to complete your analysis and
    submit your report no later the 24:00 GMT, Friday, 31 May. Submissions
    will be judged and then released 01 July. You can learn more about the
    challenge now, and download the binary on 06 May, at

    http://project.honeynet.org/reverse/

    All question, concerns, and submissions should be sent to

    We hope that the community has fun with this, with the ultimate goal
    of learning and sharing. Let the games begin!

    --- The Honeynet Project

    PS, the person who hacked our Honeynet is not eligible to submit an entry,
    you know who you are. The question is, do we? .... :)

    --

    Pedro Côrte-Real.

  3. is it me.. by Husaria · · Score: 2, Interesting

    or are they just asking what the purpose of binary is? Reading from their challenge, that pretty much summing it up..or I could just need a nap

    --
    Slashdot Hypocrisy at work?
  4. get some sleep by b1tsh1ft0r · · Score: 3, Informative

    they are going to release a binary found in the wild

    in other words, a trojan, altered system binary from a rootkit, or the like

    we are supposed to determine what it is, what it does, what it doesn't do, that sort of thing. then write up our findings in a nice professional package for fun, fame and prizes

    --
    Will work for paycheck.
    1. Re:get some sleep by iabervon · · Score: 2

      I'd guess that it's some sort of exploit-wrapper or tool for examining the system, rather than a program that is supposed to look like something recognizable. Otherwise, some of the things they're asking aren't interesting questions.

    2. Re:get some sleep by bleckywelcky · · Score: 2, Insightful


      Actually, it's a compromise that Honeynet encountered, could not decipher, and decided to have some other poor saps do their work for them. If you find out what it is and what it does, but only provide scant information to Honeynet, you don't win the prize. It's sort of like some of those companies that sponsor hacking "contests". They challenge people to compromise a test bed they have set up, and whoever does wins some grand prize. The only catch is that you have to tell them anything and everything, to the last detail, that you did. If you simply only leave proof that you were successful, then you don't get the prize. These are cheap scams to outsource some work/research/testing that needs to be done, to the public for only the cost of a few prizes (even though they may be somewhat decent) for much less than it would take to hire someone professionally for $50k, $60k, or $70k a year.

      *Takes off tinfoil hat.*

  5. Here's the binary, see if you can analyse it by Salsaman · · Score: 4, Funny

    ! seineew era sreenigne tfosorciM

  6. Actual link by spood · · Score: 4, Informative

    Not everybody serves their dot-org like slashdot. Here's the real link : WWW.honeynet.org.

    Or maybe they were just trying to keep it from being slashdotted! :)

    --
    ---- Just another spud server.
  7. A file of ... by joe_bruin · · Score: 4, Funny

    a file of what? what's in it, random data? how do i know when i found it?

    i hope they dont use my method of hiding data:
    tar files
    bzip2 tar file
    xor it with my social security number
    hexdump to ascii file
    generate gif of the hex in the ascii file
    gpg encrypt gif
    gzip the gpg text (twice!)
    divide file into ints, swap endien-ness, reform
    uuencode the file
    hide contents in id3v2 tag of my "nofx" mp3s

    1. Re:A file of ... by spood · · Score: 3, Informative

      I know you're just clowning, but the binary is a tool uploaded to a honeynet server right after it was compromised and then executed on that machine.

      The goal of this contest is for the security community to examine tools that are "in the wild" and forensically analyse them to determine origin, function, skill of the creator, etc. and present the forensic methods used. The community can benefit from this open sharing of methodology so we can all be aware of our opponents in the ring.

      --
      ---- Just another spud server.
    2. Re:A file of ... by tswinzig · · Score: 2, Redundant

      i hope they dont use my method of hiding data:
      tar files
      bzip2 tar file
      xor it with my social security number
      hexdump to ascii file
      generate gif of the hex in the ascii file
      gpg encrypt gif
      gzip the gpg text (twice!)
      divide file into ints, swap endien-ness, reform
      uuencode the file
      hide contents in id3v2 tag of my "nofx" mp3s

      Holy shit!

      You do that, too?

      --

      "And like that ... he's gone."
    3. Re:A file of ... by nmtratman · · Score: 2, Informative
      Well, according to the honeynet page, it's a program of some sort. To quote, "the binary in question was downloaded, installed, and then ran on the compromised honeypot." Given this information, you'd probably want to be careful about running the binary. It was used on a infiltrated honeypot. Some suggestions about dealing with this project:
      • Don't run it on a work machine! Should be obvious.
      • If it's not your personal machine and you intend to run it, make sure that the owner is aware of possible consequences and has given full permission.
      • Don't run it on a critical machine. If it's a rootkit of some sort, or something more insidious, you don't want it destroying data. Preferably, you'd like the option to wipe the partition(s) and reinstall if it's nasty.
      I don't think the honeypot project would release a very dangerous file without some kind of warning. Still, a little precaution wouldn't hurt.
      --
      Car analogies work about as well as a Ford Pinto with a keg of beer in the passenger seat.
    4. Re:A file of ... by JonWan · · Score: 2

      You forgot to ROT 13 it twice.

    5. Re:A file of ... by Skevin · · Score: 2

      I just mv it to dev/null. I don't know anyone who can steal it from me at that point.

      Skevin

      --
      "Twice half-assed makes an ass whole." --Solomon K. Chang
    6. Re:A file of ... by Pinball+Wizard · · Score: 2
      just an FYI, that doesn't really delete your data, it just removes the pointer the OS used to find your data on the disk...the actual data is still there, and can easily be found.


      You could get a "shredder" type program if you really want to get rid of that data. Even that won't stop a determined FBI agent with an electron microscope. You could encrypt it, but then you might get prosecuted if you didn't hand over the key when asked.


      So, if you really have something to hide, a unique way of hiding it like the parent poster's just might be the best way to do it.

      --

      No, Thursday's out. How about never - is never good for you?

    7. Re:A file of ... by cheese_wallet · · Score: 3, Interesting

      I think you are wrong there. When you gzip or tar or gpg a file, it isn't actually operating on the original file, it creates a new one. Then it deletes the old one.

      So even if you encrypt all your files, there are probably still unencrypted versions that are findable on your drive.

      An encrypted file system might be away around this, or use some program to repeatedly write and erase random data to the "blank" portions of your disk.

    8. Re:A file of ... by Medevo · · Score: 2, Interesting

      On Windows systems there are many 'shredder' tools such as Norton Wipespace that go along and 0 fill all the unused space on a machine

      And when you delete a file what happens is the files entry in the rootsector is removed, the rootsector has a list of all files on the drive (that the OS knows about) and where they are. It can also hold other information such as in FAT32 filesystems the official filesize is 8.3 (a clone of fat16) but using a 'comment' sector of the root and other 245 or so odd bytes are stored.

      A way to get around the normal FBI or investagtor problems searching in your disks without getting in trouble (for not giving pword) is to get a laptop that has security hard drives. These drives will only work when connected to that computers BIOS. And you can do your work on the laptop, take the hard drive out, and hide the laptop until problems blow over

      Medevo

    9. Re:A file of ... by Wolfier · · Score: 2

      Yup. I'm about to suggest VMWare / FreeMware...it should be the safest - however, stepping through the program with gdb is not such an unsafe idea as it seems.

  8. Re:easy by aozilla · · Score: 2

    PS, the person who hacked our Honeynet is not eligible to submit an entry, you know who you are. The question is, do we? .... :)

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  9. Re:easy by larien · · Score: 2

    Damn, you've found out their sekrit plot to uncover the cracker!

  10. Reverse engineering for beginners... by slipgun · · Score: 2, Interesting

    Anyone know where I can find a newbie's guide to reverse engineering? Although I've done a bit of low level programming, I never got beyond the basics, and all I've done recently is modify the 'START' string in explorer.exe using ultraedit-32.

    --
    SpamNet - a spam blocker that really works
    1. Re:Reverse engineering for beginners... by cp4 · · Score: 4, Informative

      Here's an interesting link. Not necessarily a guide though.

    2. Re:Reverse engineering for beginners... by ewhac · · Score: 3, Informative

      Fravia's Pages of Reverse Engineering aren't too shabby an introduction. However, their focus is on DOS-based systems, not UNIX.

      Schwab

      --
      Editor, A1-AAA AmeriCaptions
    3. Re:Reverse engineering for beginners... by Wolfier · · Score: 2

      Hehe, I have an article there too ;) Wow, never thought it'd be mirrored so widely. It's sad that www.fravia.org went away, though.

      Fellow reversers, wanna join force cracking up this honeypot thing?

    4. Re:Reverse engineering for beginners... by Wolfier · · Score: 3, Interesting

      Reverse engineering binaries sounds difficult, but in fact it is just a fancy name for "analyze program with debugger", i.e. tracing, stepping, examining memory etc.

      There are many tools for Unix and Windows, on unix we have nm, file, strings, gdb, perl, etc. (basically everything in the GNU binutils!!) On Windows the choice is a bit limited but they are also the best - softice, boundschecker, windbg, debug, regmon, filemon, IDA pro, w32dasm.

      I learned reverse engineering in the Apple ][ era, but it is equally fun to learn it now!

  11. The reverse engineered source.... by Anonymous Coward · · Score: 4, Funny

    printf("B"); printf("E"); printf(" "); printf("S"); printf("U"); printf("R"); printf("E"); printf(" "); printf("T"); printf("O"); printf(" "); printf("D"); printf("R"); printf("I"); printf("N"); printf("K"); printf(" "); printf("Y"); printf("O"); printf("U"); printf("R"); printf("O"); printf(" "); printf("O"); printf("V"); printf("A"); printf("L"); printf("T"); printf("I"); printf("N"); printf("E"); printf("/n");

  12. how... by GreenPhreak · · Score: 4, Interesting

    This seems like a really cool contest to raise awareness on security matters. This feels kind of like an ACM problem, except less programming and probably a lot more real-world experience. Anyway, I've never tried to figure out what binary files do...I always refer to source files. Are there many tools available for looking at or figuring out what binaries do? Any reference pages? (the one linked on the article page isn't very helpful). Can someone provide more information about forensics with binaries? Thank you.

    --
    I drink to prepare for a fight; tonight I'm very prepared. -Soda Popinksi
  13. wouldn't it be great by mo · · Score: 2

    Wouldn't it be great if it turns out to be the newest format forIndivBox.key

  14. Fastest way. by JonWan · · Score: 4, Funny

    Just open the file in Outlook. That will narrow down the possibilites.

  15. Quite a challenge. by Hiro+Antagonist · · Score: 5, Informative

    This looks to be an interesting challenge; I believe the entire idea is analyizing the binary (which is a program) without actually running the thing; then, designing methods to check for network activity and such that this particular binary would generate. In addition, you get bonus points for correctly quantifying the skill level of the coder who produced said binary.

    It's much the same way as anaylizing a captured worm/virii; you need to figure out what it does, how to detect it, how to block/eradicate it, and also try and establish a profile of the originator of the worm/virii.

    --

    --
    I Hit the Karma Cap, and All I Got Was This Lousy .sig.
    1. Re:Quite a challenge. by Glorat · · Score: 2

      Actually, I'm sure the engineer would have to run it if only in a debugger to work out what is happening. This thing may well be a "pseudo-trojan" so it may be a case of running it under VMWare to see what happens.

  16. Finals Week by fuzz6y · · Score: 4, Funny

    Releasing such a challenge on Monday of finals week is pure, unmitigated evil. So much for my grades. . .

    --
    If you're going to be elitist, it would help to be elite.
  17. Anyone else find this funny? by dimator · · Score: 4, Funny

    Rule #6: The person who hacked the box is NOT eligible

    --
    python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
  18. Bar too high... by vovin · · Score: 2, Funny
    # Only one entry per household, please. Must be sentient to enter. Sorry, no Ginsu Knives come with this offer!

    Guess I need not waste my time ;->

  19. I disagree by BigDaddy · · Score: 5, Informative
    I think you misinterpret the the goals of the Honeypot project. These people aren't doing it to market some super system, but rather to provide information about actual cracking techniques to the Whitehat community. They regularly have "competitions" where people analyze various types of attacks. I don't think these usually have prizes. The Honeypot project then provides all the information they have, in addition to the information uncovered by the participants.

    Perhaps you take a look at their site and some of their previous work before you assume an ulterior motive. The Honeypot project provides some really interesting looks into the minds of the Blackhat community.

    --
    You can't get a blue screen on a black and white monitor.
  20. ZDNET by electroniceric · · Score: 2

    I'm sure someone has noted by now that ZDNet is carrying this story. On ZDNet it was posted at 4PM. It seems quite possible to me that they picked it up because it was running on Slashdot - it's much more a geek story than an enterprise-techie one. The media getting their news from Slashdot? - a disturbing prospect, and totally circular. What shall we read, dear Liza?

  21. Don't do that!! by multipartmixed · · Score: 3, Informative

    > I just mv it to dev/null.

    The file will still be there, only it will be called /dev/null, and you won't have a /dev/null special file anymore, which can break a LOT of stuff. (mmap(/dev/null, bunch_o_bytes) is a common way to allocate memory, for example). If you DO blow away your /dev/null, you need to know the maj/min numbers for that device and recreated it with mknod.

    --

    Do daemons dream of electric sleep()?
    1. Re:Don't do that!! by multipartmixed · · Score: 2

      1. Usually, yeah. devfsadm on some SYSV (e.g Solaris 8) will too.

      2. If it's available

      3. Don't ask me about the time I forgot I was root and blew away /dev/lpr on my BSDI 2.0.1 box. (long time ago ;-)

      --

      Do daemons dream of electric sleep()?
  22. Re:Binary files by fizbin · · Score: 3, Insightful

    Why bother?

    I mean, the people from the honeynet project are going to post the complete entries of the top 20 anyway, and one of the criteria they're going to use is how well documented (i.e. "good for learning") the entry is. 'Tis better to learn that way than to stumble through hundreds of "I got this far and then quit" entries on some quickly pieced together slash site.

    I for one hope that I'll actually get off my ass and enter this one; I've analyzed a few of their forensics "scan of the month" but have never gotten around to submitting a writeup. (Expository writing always seems so draining)

  23. Not the first time they've done this.. by snake_dad · · Score: 2

    Read the challenge and results from last year. Great stuff!

    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.