Slashdot Mirror


The Reverse Challenge: Winners Announced

asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols."

5 of 186 comments

  1. Forgive my naiveness but by jsse · · Score: 1, Redundant

    What is the use of protocol 11?

    Would it be harmful if I just block it off?

    How may I do the blocking with ipchains and iptables?

    Thanks

  2. Re:Forgive my naiveness but by SpatchMonkey · · Score: 2, Redundant
  3. Re:Is it really NVP? by mamba-mamba · · Score: 1, Redundant


    It is some kind of old-fashioned NVP that really isn't used right now. Check this out:
    Detection
    =========

    Any network traffic using an unusual protocol should be suspect. This tool
    uses protocol 11, but could easily be recompiled to use another protocol.
    As protocol 11 is not currently used, any network traffic using this
    protocol should be assumed to be communication between handlers and agents
    of this tool. The signature for detecting agent / handler communication
    was described in the previous section.

    Note that the source address of a packet from handler -> agent should not
    be assumed to be the actual address of the handler. The source address in
    the IP header is most likely to be spoofed. Similarly, data from agent ->
    handler is often faked to increase the difficulty of tracing the attacker's
    whereabouts.

    To hide from casual detection, the agent changes its process name to
    [mingetty].
    This is the standard getty for RedHat, and Slackware versions pre 7.0.

    To detect a running agent on a system, netstat can be used to determine
    if any processes are using protocol 11. The following command and
    response shows a running agent process.

    # netstat -pan | grep raw | grep :11
    raw 0 0 0.0.0.0:11 0.0.0.0:* 7 5226/[mingetty]

    If found, all instances of mingetty should be killed (to ensure that
    children are caught as well). This will kill valid mingetty processes
    as well, but they will be respawned by the init process.

    # ps ax | grep mingetty | grep -v grep | awk '{print $1}' | xargs kill -9

    The system should immediately be taken off the network and analysed to
    determine how the attacker gained root access.
    Have a nice day.

    MM
    --
    By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
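    The netstat check quoted above, worked into a small POSIX shell filter. This is an added example, not code from the thread or from the Honeynet write-up: it assumes the Linux net-tools column layout shown in the quoted command, takes the protocol number as a parameter because the write-up notes the tool could be recompiled to use another one, and the netstat lines it runs over are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or the Honeynet write-up.
# Filters "netstat -pan" output for raw sockets bound to a given IP protocol
# number (default 11, as in the quoted Detection section) and reports the
# owning PID and program name. For raw sockets netstat prints the protocol
# number where a port would be, which is why ":11" appears in the address.
# Assumes the Linux net-tools column layout shown in the quoted command.

# Constructed sample output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           901/ping
raw        0      0 0.0.0.0:11              0.0.0.0:*               7           5226/[mingetty]
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

# find_raw_proto [PROTO]: read netstat -pan output on stdin and print
# "PID PROGRAM" for every raw socket bound to protocol PROTO (default 11).
# The protocol is a parameter because the write-up notes the tool could be
# recompiled to use a different one.
find_raw_proto() {
    awk -v proto="${1:-11}" '
        $1 == "raw" && $4 ~ (":" proto "$") {
            split($NF, p, "/")     # "5226/[mingetty]" -> 5226, [mingetty]
            print p[1], p[2]
        }'
}

# raw_proto_pids [PROTO]: PIDs only, for review before any action is taken
# (the write-up recommends killing and then pulling the host off the network).
raw_proto_pids() {
    find_raw_proto "$1" | awk '{ print $1 }'
}

# Usage on a live host:   netstat -pan | find_raw_proto
# Against the sample:     printf '%s\n' "$SAMPLE_NETSTAT" | find_raw_proto
```

    On systems that ship iproute2 instead of net-tools, `ss -w -p` lists raw sockets with their owning process and can be adapted the same way. The bracketed name is exactly what the write-up says the agent sets, so a `[mingetty]` holding a raw socket is the finding, not a reason to trust the process.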
  4. DMCA violation by anthony_dipierro · · Score: 1, Redundant

    We all know that reverse engineering without the permission of the copyright holder is a violation of the DMCA, and doing so "willfully and for purposes of commercial advantage or private financial gain," such as to win a contest like this one is a criminal offense. Since it's a criminal offense, the victim (the copyright holder) doesn't even have to step up and admit that s/he's the copyright holder.

    Sounds like a good test case.

  5. magic wide by LotsOfBlankSpaceHere · · Score: 0, Redundant

    Introduction

    Every day, incident handlers across the globe are faced with compromised systems, running some set of unknown programs, providing some kind of unintended service to an intruder who has taken control of someone else's -- YOUR, or your client's, or customer's -- computers. To most, the response is a matter of "get it back online ASAP and be done with it." This usually leads to an inadequate and ineffective response, not even knowing what hit you, with a high probability of repeated compromise. On the law enforcement side, they are hampered by a flood of incidents and a lack of good data. A victim trying to keep a system running or doing a "quickie" job of cleanup usually means incidents are underreported and inadequate handling of the evidence leads to no evidence, or tainted evidence. There has to be a better way to meet the needs of incident handlers and system administrators, as well as law enforcement, if Internet crime is going to be managed and not run amok.

    One possible answer is effective analysis skills -- widespread knowledge of tools and techniques -- to preserve data, analyze it, and produce meaningful reports to your organization's management, to other incident response teams and system administrators, and to law enforcement.

    Enter the Honeynet Project. One of the primary goals of the Honeynet Project is to find order in chaos by letting the attackers do their thing, and allowing the defenders to learn from the experience and improve. The latest challenge is the Reverse Challenge. Just like the Forensic Challenge, we're opening it up to anyone who wants to join in.