A New Challenge from Honeynet 117
cjpez writes: "The people at the Honeynet have issued another challenge on the Bugtraq mailing list. Instead of hacking into a box, though, this time your goal is to submit the best analysis of a binary file they'll post on Monday, May 6th. Think you're good at reverse engineering? Then try it out! They're even offering actual prizes, so you can get something besides the feeling of personal fulfillment for your trouble. The post hasn't quite made it to SecurityFocus' Bugtraq Archive yet, but I did find it at another Bugtraq archive in Germany (slashdottings abound!). The URL included in the email, http://project.honeynet.org/reverse/, doesn't seem to be active yet, so presumably we can assume it'll go up on Monday. The post fails to address other concerns, though: will the winner be in violation of the DMCA? :P The challenge was also issued, obviously enough, on SecurityFocus' Honeypot mailing list." In a later note, he points out that the announcement has finally made it to the Bugtraq archive page. (And that URL is active now.)
Tricky. (Score:1, Funny)
This way, when it finishes buying up the U.S. Government and moves the nation's capital to Redmond, all potential [h|cr]ackers can be rounded up and interned in camps. Security holes in Windows will then be a thing of the past.
Re:Binary files (Score:1)
Re:Binary files (Score:1)
Re:Binary files (Score:3, Insightful)
I mean, the people from the honeynet project are going to post the complete entries of the top 20 anyway, and one of the criteria they're going to use is how well documented (i.e. "good for learning") the entry is. 'Tis better to learn that way than to stumble through hundreds of "I got this far and then quit" entries on some quickly pieced together slash site.
I for one hope that I'll actually get off my ass and enter this one; I've analyzed a few of their forensics "scan of the month" but have never gotten around to submitting a writeup. (Expository writing always seems so draining)
That's easy... (Score:2, Funny)
It's "ntldr"
The announcement (Score:3, Informative)
Last year the Honeynet Project sponsored the Forensic Challenge, a competition amongst the security community to study, analyze, and report on a computer hacked in the wild. The result was a complete forensic analysis of the hacked system. Both the analyses from different individuals and the images of the hacked computer are shared and used to this day.
This year we are continuing that tradition and are announcing the Reverse Challenge. The goal of this challenge is to develop reverse engineering skills amongst the security community. Your mission, if you should choose to accept, is to analyze and report on a binary captured in the wild. Your analysis will then be judged by a panel of experts, rated, and shared with the security community.
This year we actually have prizes. Top prizes include licensed copies of IDA Pro, a $200 Amazon gift certificate from DataRescue, and a free pass to the Black Hat Briefings. As if that was not enough, the top 20 entries get a signed copy of the Honeynet book, Know Your Enemy (you know, the book the guy down the hall is using as a door stopper).
Judges include:
- David Dittrich
- K2
- Halvar
- Job de Haas
- Niels Provos
- Gera
The challenge officially begins Monday, 06 May when we release the binary. You have between now and the 6th to get your tools ready, form teams if you wish, and stock up on the caffeinated beverage of choice. You will then have four weeks to complete your analysis and submit your report no later than 24:00 GMT, Friday, 31 May. Submissions will be judged and then released 01 July. You can learn more about the challenge now, and download the binary on 06 May, at http://project.honeynet.org/reverse/
All questions, concerns, and submissions should be sent to
We hope that the community has fun with this, with the ultimate goal of learning and sharing. Let the games begin!
--- The Honeynet Project
PS, the person who hacked our Honeynet is not eligible to submit an entry, you know who you are. The question is, do we?
Re:The announcement (Score:1)
:)
is it me.. (Score:2, Interesting)
get some sleep (Score:3, Informative)
In other words, a trojan, altered system binary from a rootkit, or the like.
We are supposed to determine what it is, what it does, what it doesn't do, that sort of thing. Then write up our findings in a nice professional package for fun, fame and prizes.
Re:get some sleep (Score:2)
Re:get some sleep (Score:2, Insightful)
Actually, it's a compromise that Honeynet encountered, could not decipher, and decided to have some other poor saps do their work for them. If you find out what it is and what it does, but only provide scant information to Honeynet, you don't win the prize. It's sort of like some of those companies that sponsor hacking "contests". They challenge people to compromise a test bed they have set up, and whoever does wins some grand prize. The only catch is that you have to tell them anything and everything, to the last detail, that you did. If you simply only leave proof that you were successful, then you don't get the prize. These are cheap scams to outsource some work/research/testing that needs to be done, to the public for only the cost of a few prizes (even though they may be somewhat decent) for much less than it would take to hire someone professionally for $50k, $60k, or $70k a year.
*Takes off tinfoil hat.*
I disagree (Score:5, Informative)
Perhaps you should take a look at their site and some of their previous work before you assume an ulterior motive. The Honeypot project provides some really interesting looks into the minds of the Blackhat community.
Here's the binary, see if you can analyse it (Score:4, Funny)
Actual link (Score:4, Informative)
Or maybe they were just trying to keep it from being slashdotted!
Re:easy (Score:2)
Re:easy (Score:2)
A file of ... (Score:4, Funny)
i hope they dont use my method of hiding data:
tar files
bzip2 tar file
xor it with my social security number
hexdump to ascii file
generate gif of the hex in the ascii file
gpg encrypt gif
gzip the gpg text (twice!)
divide file into ints, swap endian-ness, reform
uuencode the file
hide contents in id3v2 tag of my "nofx" mp3s
Re:A file of ... (Score:3, Informative)
The goal of this contest is for the security community to examine tools that are "in the wild" and forensically analyse them to determine origin, function, skill of the creator, etc. and present the forensic methods used. The community can benefit from this open sharing of methodology so we can all be aware of our opponents in the ring.
Re:A file of ... (Score:2, Redundant)
tar files
bzip2 tar file
xor it with my social security number
hexdump to ascii file
generate gif of the hex in the ascii file
gpg encrypt gif
gzip the gpg text (twice!)
divide file into ints, swap endian-ness, reform
uuencode the file
hide contents in id3v2 tag of my "nofx" mp3s
Holy shit!
You do that, too?
Re:A file of ... (Score:1)
Re:A file of ... (Score:2, Informative)
Re:A file of ... (Score:1)
Then again IANASE (I am not a security expert).
Re:A file of ... (Score:2)
Re:A file of ... (Score:1)
I've never used it but always wanted to try. Anybody's got experience with UML?
Re:A file of ... (Score:1)
I gave it a try a couple of days ago as a way to test the root filesystem on a boot floppy. I was surprised by its simple usage, you just compile the binary and run it like
On Debian, even easier. Just 'apt-get install user-mode-linux' && linux ubd0=root.fs and off you go.
Re:A file of ... (Score:2)
Re:A file of ... (Score:2)
Skevin
Re:A file of ... (Score:2)
You could get a "shredder" type program if you really want to get rid of that data. Even that won't stop a determined FBI agent with an electron microscope. You could encrypt it, but then you might get prosecuted if you didn't hand over the key when asked.
So, if you really have something to hide, a unique way of hiding it like the parent poster's just might be the best way to do it.
Re:A file of ... (Score:3, Interesting)
So even if you encrypt all your files, there are probably still unencrypted versions that are findable on your drive.
An encrypted file system might be a way around this, or use some program to repeatedly write and erase random data to the "blank" portions of your disk.
Re:A file of ... (Score:2, Interesting)
And when you delete a file what happens is the file's entry in the rootsector is removed, the rootsector has a list of all files on the drive (that the OS knows about) and where they are. It can also hold other information such as in FAT32 filesystems the official filesize is 8.3 (a clone of fat16) but using a 'comment' sector of the root and other 245 or so odd bytes are stored.
A way to get around the normal FBI or investigator problems searching in your disks without getting in trouble (for not giving pword) is to get a laptop that has security hard drives. These drives will only work when connected to that computer's BIOS. And you can do your work on the laptop, take the hard drive out, and hide the laptop until problems blow over.
Medevo
Re:A file of ... (Score:1)
but it would get expensive in HD costs,
if security is that important to you no measure could be considered to be 'good enough'
Medevo
Don't do that!! (Score:3, Informative)
The file will still be there, only it will be called
Re:Don't do that!! (Score:1)
2. devfs would prevent this from happening
3. you're not running as (gasp!) root are you??
Re:Don't do that!! (Score:2)
2. If it's available
3. Don't ask me about the time I forgot I was root and blew away
Reverse engineering for beginners... (Score:2, Interesting)
Re:Reverse engineering for beginners... (Score:4, Informative)
Re:Reverse engineering for beginners... (Score:3, Informative)
Fravia's Pages of Reverse Engineering aren't too shabby an introduction. However, their focus is on DOS-based systems, not UNIX.
Schwab
Re:Reverse engineering for beginners... (Score:2)
Fellow reversers, wanna join force cracking up this honeypot thing?
Re:Reverse engineering for beginners... (Score:3, Interesting)
There are many tools for Unix and Windows, on unix we have nm, file, strings, gdb, perl, etc. (basically everything in the GNU binutils!!) On Windows the choice is a bit limited but they are also the best - softice, boundschecker, windbg, debug, regmon, filemon, IDA pro, w32dasm.
I learned reverse engineering in the Apple ][ era, but it is equally fun to learn it now!
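As an added example (not code from this thread or from the Honeynet Project), here is a Python sketch of what the first `file` and `strings` pass from the post above tells you about an unknown ELF binary before any disassembler is opened: it parses the ELF identification bytes and collects printable strings. The sample header and embedded strings are constructed inline.

```python
import re
import struct

# Example code added here; not from the thread's posters or the Honeynet Project.
ELF_MAGIC = b"\x7fELF"
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINES = {3: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}


def elf_info(data: bytes) -> dict:
    """Report the header facts `file` prints: word size, byte order, type, machine."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]      # e_ident[EI_CLASS], e_ident[EI_DATA]
    bits = {1: 32, 2: 64}[ei_class]
    endian = {1: "<", 2: ">"}[ei_data]        # 1 = little-endian, 2 = big-endian
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": bits,
        "endian": "LSB" if ei_data == 1 else "MSB",
        "type": E_TYPES.get(e_type, hex(e_type)),
        "machine": E_MACHINES.get(e_machine, hex(e_machine)),
    }


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Like `strings`: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(data: bytes) -> dict:
    """First-pass report: header facts plus strings hinting at paths or network use."""
    info = elf_info(data)
    info["hints"] = [s for s in printable_strings(data)
                     if s.startswith("/") or "HTTP" in s]
    return info


# Constructed sample: a 64-byte ELF64 little-endian EXEC header for x86-64,
# followed by a few embedded strings of the kind a triage pass would flag.
SAMPLE = (
    ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8    # e_ident: 64-bit, LSB, version 1
    + struct.pack("<HHI", 2, 0x3E, 1)                # e_type EXEC, x86-64, e_version
    + b"\x00" * 40                                   # remaining header fields, zeroed
    + b"/bin/sh\x00GET / HTTP/1.0\r\n\x00\x01\x02ok\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```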
Re:Reverse engineering for beginners... (Score:1)
strace
IANAD (ebugger), but strace has helped me solve LOTS of problems, where everything else is over my head.
Re:Reverse engineering for beginners... (Score:1)
The reverse engineered source.... (Score:4, Funny)
Re:The reverse engineered source.... (Score:1)
If you want "/n" displayed then "/n" is correct.
Re:The reverse engineered source.... (Score:1)
Wow. He should get bonus points ... (Score:1)
mmmmm....valtine. (Score:1)
EURO VALTINE." American valtine is watered down, mass produced swill, completely inferior to quality German or Swiss valtine. However, the recent craft valtining movement is beginning to change that. I had an excellent wheat valtine from Pennsylvania the other night.
How about (Score:1)
Re:How about (Score:1)
fdisk
how... (Score:4, Interesting)
wouldn't it be great (Score:2)
Easy (Score:1, Funny)
Fastest way. (Score:4, Funny)
Quite a challenge. (Score:5, Informative)
It's much the same way as analyzing a captured worm/virii; you need to figure out what it does, how to detect it, how to block/eradicate it, and also try and establish a profile of the originator of the worm/virii.
Re:Quite a challenge. (Score:2)
Finals Week (Score:4, Funny)
Sacrificial Lamb.. (Score:1)
I have a premonition (Score:1)
[root@localhost
[root@localhost
? (heh)
Anyone else find this funny? (Score:4, Funny)
Bar too high... (Score:2, Funny)
Guess I need not waste my time ;->
The Main Honeynet URL (Score:1)
I know what it is.... (Score:1)
When do I get my prize?
;-)
00:00 != 24:00 (Score:1)
Re:00:00 != 24:00 (Score:1)
Re:00:00 != 24:00 (Score:1)
So, don't whip out an ISO spec or an RFC to bolster what everyone, and their parking court judge will interpret as non-sense.
Example. You're standing one 11:59:59PM moment on Friday night for your honey to arrive. You look up an instant later as s/he arrives, and yell out: You made it, it's 12:00:00PM!
No way, Babe! That's lunch time. Not midnight. You'd be talking nonsense, and the parking meter maid will slap you with a ticket, and the traffic court judge, as I said, will find against you. Look it up, there are court cases on just this very subject. Why do you think traffic signs around the 12AM and 12PM hour are no more, and read like so: ... up to 11:59PM; or street cleaning begins at 11:59AM? To avoid the kind of confusion you fell into, or that is created in most people.
As I said originally, the Pooh guys should have simply said, = 23:59 UTC/GMT/Zulu/Universal Time Coordinated/Universal Coordinated Time. Pax.
Why it's pr0n, of course... (Score:1)
10 bucks says that it's going to be the goatse.cx jpg
ZDNET (Score:2)
Dumb and Dumber (Score:1)
Not the first time they've done this.. (Score:2)