Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Security

A New Challenge from Honeynet 117

Posted by timothy from the steps-toward-justified-evisceration dept.
cjpez writes: "The people at the Honeynet have issued another challenge on the Bugtraq mailing list. Instead of hacking into a box, though, this time your goal is to submit the best analysis of a binary file they'll post on Monday, May 6th. Think you're good at reverse engineering? Then try it out! They're even offering actual prizes, so you can get something besides the feeling of personal fulfillment for your trouble. The post hasn't quite made it to SecurityFocus' Bugtraq Archive yet, but I did find it at another Bugtraq archive in Germany (slashdottings abound!). The URL included in the email, http://project.honeynet.org/reverse/, doesn't seem to be active yet, so presumably we can assume it'll go up on Monday. The post fails to address other concerns, though: will the winner be in violation of the DMCA? :P The challenge was also issued, obviously enough, on SecurityFocus' Honeypot mailing list."" In a later note, he points out that the announcement has finally made it to the Bugtraq archive page." (And that URL is active now.)
This discussion has been archived. No new comments can be posted.

A New Challenge from Honeynet More

A New Challenge from Honeynet

Comments Filter:
  • Actually, Microsoft is bankrolling this competition. It's their way of getting clever programmers to self-register.

    This way, when it finishes buying up the U.S. Government and moves the nation's capital to Redmond, all potential [h|cr]ackers can be rounded up and interred in camps. Security holes in Windows will then be a thing of the past.

  • That's easy... (Score:2, Funny)

    by C60 ( 546704 )

    It's "ntldr" ... And boy is MS gunna be pissed.

  • The announcement (Score:3, Informative)

    by _typo ( 122952 ) on Thursday May 02, 2002 @05:57PM (#3453933) Homepage
    In case the archive becomes slashdotted here's the announcement:


    Last year the Honeynet Project sponsored the Forensic Challenge,
    a competition amongst the security community to study, analyze,
    and report on a computer hacked in the wild. The result was a
    complete forensic analysis of the hacked system. Both the analysis
    from different individuals and the the images of the hacked
    computer are shared and used to this day.

    This year we are continuing that tradition and are announcing the
    Reverse Challenge. The goal of this challenge is to develop reverse
    engineering skills amongst the security community. Your mission, if
    you should choose to accept, is to analyze and report on a binary
    captured in the wild. Your analysis will then be judged by a panel
    of experts, rated, and shared with the security community.

    This year we actually have prizes. Top prizes include licensed
    copies of IDA Pro, $200 Amazon gift certificate from DataRescue, and
    free pass to the Black Hat Briefings. As if that was not enough, the
    top 20 entries get a signed copy of the Honeynet book, Know Your Enemy
    (you know, the book the guy down the hall is using as a door stopper :).
    Judges include:

    - David Dittrich
    - K2
    - Halvar
    - Job de Haas
    - Niels Provos
    - Gera

    The challenge officially begins Monday, 06 May when we release the
    binary. You have between now and the 6th to get your tools ready,
    form teams if you wish, and stock up on the caffeinated beverage of
    choice. You will then have four weeks to complete your analysis and
    submit your report no later the 24:00 GMT, Friday, 31 May. Submissions
    will be judged and then released 01 July. You can learn more about the
    challenge now, and download the binary on 06 May, at

    http://project.honeynet.org/reverse/ [honeynet.org]

    All question, concerns, and submissions should be sent to

    We hope that the community has fun with this, with the ultimate goal
    of learning and sharing. Let the games begin!

    --- The Honeynet Project

    PS, the person who hacked our Honeynet is not eligible to submit an entry,
    you know who you are. The question is, do we? .... :)

  • is it me.. (Score:2, Interesting)

    by Husaria ( 262766 )
    or are they just asking what the purpose of binary is? Reading from their challenge, that pretty much summing it up..or I could just need a nap

    • get some sleep (Score:3, Informative)

      by b1tsh1ft0r ( 577198 )
      they are going to release a binary found in the wild

      in other words, a trojan, altered system binary from a rootkit, or the like

      we are supposed to determine what it is, what it does, what it doesn't do, that sort of thing. then write up our findings in a nice professional package for fun, fame and prizes
      • I'd guess that it's some sort of exploit-wrapper or tool for examining the system, rather than a program that is supposed to look like something recognizable. Otherwise, some of the things they're asking aren't interesting questions.

      • Actually, it's a compromise that Honeynet encountered, could not decipher, and decided to have some other poor saps do their work for them. If you find out what it is and what it does, but only provide scant information to Honeynet, you don't win the prize. It's sort of like some of those companies that sponsor hacking "contests". They challenge people to compromise a test bed they have set up, and whoever does wins some grand prize. The only catch is that you have to tell them anything and everything, to the last detail, that you did. If you simply only leave proof that you were successful, then you don't get the prize. These are cheap scams to outsource some work/research/testing that needs to be done, to the public for only the cost of a few prizes (even though they may be somewhat decent) for much less than it would take to hire someone professionally for $50k, $60k, or $70k a year.

        *Takes off tinfoil hat.*

        • I disagree (Score:5, Informative)

          by BigDaddy ( 28409 ) on Thursday May 02, 2002 @11:55PM (#3455237)
          I think you misinterpret the the goals of the Honeypot project. These people aren't doing it to market some super system, but rather to provide information about actual cracking techniques to the Whitehat community. They regularly have "competitions" where people analyze various types of attacks. I don't think these usually have prizes. The Honeypot project then provides all the information they have, in addition to the information uncovered by the participants.

          Perhaps you take a look at their site and some of their previous work before you assume an ulterior motive. The Honeypot project provides some really interesting looks into the minds of the Blackhat community.

  • Here's the binary, see if you can analyse it (Score:4, Funny)

    by Salsaman ( 141471 ) on Thursday May 02, 2002 @06:08PM (#3454004) Homepage
    ! seineew era sreenigne tfosorciM

  • Actual link (Score:4, Informative)

    by spood ( 256582 ) on Thursday May 02, 2002 @06:09PM (#3454013) Homepage Journal
    Not everybody serves their dot-org like slashdot. Here's the real link : WWW.honeynet.org [honeynet.org].

    Or maybe they were just trying to keep it from being slashdotted! :)

  • A file of ... (Score:4, Funny)

    by joe_bruin ( 266648 ) on Thursday May 02, 2002 @06:12PM (#3454029) Homepage Journal
    a file of what? what's in it, random data? how do i know when i found it?

    i hope they dont use my method of hiding data:
    tar files
    bzip2 tar file
    xor it with my social security number
    hexdump to ascii file
    generate gif of the hex in the ascii file
    gpg encrypt gif
    gzip the gpg text (twice!)
    divide file into ints, swap endien-ness, reform
    uuencode the file
    hide contents in id3v2 tag of my "nofx" mp3s

    • Re:A file of ... (Score:3, Informative)

      by spood ( 256582 )
      I know you're just clowning, but the binary is a tool uploaded to a honeynet server right after it was compromised and then executed on that machine.

      The goal of this contest is for the security community to examine tools that are "in the wild" and forensically analyse them to determine origin, function, skill of the creator, etc. and present the forensic methods used. The community can benefit from this open sharing of methodology so we can all be aware of our opponents in the ring.

    • Re:A file of ... (Score:2, Redundant)

      by tswinzig ( 210999 )
      i hope they dont use my method of hiding data:
      tar files
      bzip2 tar file
      xor it with my social security number
      hexdump to ascii file
      generate gif of the hex in the ascii file
      gpg encrypt gif
      gzip the gpg text (twice!)
      divide file into ints, swap endien-ness, reform
      uuencode the file
      hide contents in id3v2 tag of my "nofx" mp3s

      Holy shit!

      You do that, too?

    • Re:A file of ... (Score:2, Informative)

      by nmtratman ( 49617 )
      Well, according to the honeynet page, it's a program of some sort. To quote, "the binary in question was downloaded, installed, and then ran on the compromised honeypot." Given this information, you'd probably want to be careful about running the binary. It was used on a infiltrated honeypot. Some suggestions about dealing with this project:
      • Don't run it on a work machine! Should be obvious.
      • If it's not your personal machine and you intend to run it, make sure that the owner is aware of possible consequences and has given full permission.
      • Don't run it on a critical machine. If it's a rootkit of some sort, or something more insidious, you don't want it destroying data. Preferably, you'd like the option to wipe the partition(s) and reinstall if it's nasty.
      I don't think the honeypot project would release a very dangerous file without some kind of warning. Still, a little precaution wouldn't hurt.
      • Suggestion, VMware (http://www.vmware.com/). Disable net access, don't use raw disks. Should work great.

        Then again IANASE (I am not a security expert).
        • Yup. I'm about to suggest VMWare / FreeMware...it should be the safest - however, stepping through the program with gdb is not such an unsafe idea as it seems.
        • How about User Mode Linux [sourceforge.net]?

          I've never used it but always wanted to try. Anybody's got experience with UML?

          • How about User Mode Linux?

            I gave it a try a couple of days ago as a way to test the root filesystem on a boot floppy. I was surprised by it's simple usage, you just compile the binary and run it like ./linux ubd0=root.fs, and your root.fs will be available on the UML kernel's /dev/ubd0 which can be mounted as the root. It just works.

            On Debian, even easier. Just 'apt-get install user-mode-linux' && linux ubd0=root.fs and off you go.
    • You forgot to ROT 13 it twice.
    • I just mv it to dev/null. I don't know anyone who can steal it from me at that point.

      Skevin
      • just an FYI, that doesn't really delete your data, it just removes the pointer the OS used to find your data on the disk...the actual data is still there, and can easily be found.


        You could get a "shredder" type program if you really want to get rid of that data. Even that won't stop a determined FBI agent with an electron microscope. You could encrypt it, but then you might get prosecuted if you didn't hand over the key when asked.


        So, if you really have something to hide, a unique way of hiding it like the parent poster's just might be the best way to do it.

        • Re:A file of ... (Score:3, Interesting)

          by cheese_wallet ( 88279 )
          I think you are wrong there. When you gzip or tar or gpg a file, it isn't actually operating on the original file, it creates a new one. Then it deletes the old one.

          So even if you encrypt all your files, there are probably still unencrypted versions that are findable on your drive.

          An encrypted file system might be away around this, or use some program to repeatedly write and erase random data to the "blank" portions of your disk.

        • Re:A file of ... (Score:2, Interesting)

          by Medevo ( 526922 )
          On Windows systems there are many 'shredder' tools such as Norton Wipespace that go along and 0 fill all the unused space on a machine

          And when you delete a file what happens is the files entry in the rootsector is removed, the rootsector has a list of all files on the drive (that the OS knows about) and where they are. It can also hold other information such as in FAT32 filesystems the official filesize is 8.3 (a clone of fat16) but using a 'comment' sector of the root and other 245 or so odd bytes are stored.

          A way to get around the normal FBI or investagtor problems searching in your disks without getting in trouble (for not giving pword) is to get a laptop that has security hard drives. These drives will only work when connected to that computers BIOS. And you can do your work on the laptop, take the hard drive out, and hide the laptop until problems blow over

          Medevo

      • Don't do that!! (Score:3, Informative)

        by multipartmixed ( 163409 )
        > I just mv it to dev/null.

        The file will still be there, only it will be called /dev/null, and you won't have a /dev/null special file anymore, which can break a LOT of stuff. (mmap(/dev/null, bunch_o_bytes) is a common way to allocate memory, for example). If you DO blow away your /dev/null, you need to know the maj/min numbers for that device and recreated it with mknod.
        • 1. MAKEDEV will fix it (although it might be more than just fixing the device file if it broke), no need to memorize the numbers
          2. devfs would prevent this from happening
          3. you're not running as (gasp!) root are you??
          • 1. Usually, yeah. devfsadm on some SYSV (e.g Solaris 8) will too.

            2. If it's available

            3. Don't ask me about the time I forgot I was root and blew away /dev/lpr on my BSDI 2.0.1 box. (long time ago ;-)
  • Anyone know where I can find a newbie's guide to reverse engineering? Although I've done a bit of low level programming, I never got beyond the basics, and all I've done recently is modify the 'START' string in explorer.exe using ultraedit-32.

  • The reverse engineered source.... (Score:4, Funny)

    by Anonymous Coward on Thursday May 02, 2002 @06:17PM (#3454061)
    printf("B"); printf("E"); printf(" "); printf("S"); printf("U"); printf("R"); printf("E"); printf(" "); printf("T"); printf("O"); printf(" "); printf("D"); printf("R"); printf("I"); printf("N"); printf("K"); printf(" "); printf("Y"); printf("O"); printf("U"); printf("R"); printf("O"); printf(" "); printf("O"); printf("V"); printf("A"); printf("L"); printf("T"); printf("I"); printf("N"); printf("E"); printf("/n");
  • executing it (assuming it's executable)?

  • how... (Score:4, Interesting)

    by GreenPhreak ( 60944 ) on Thursday May 02, 2002 @06:28PM (#3454120)
    This seems like a really cool contest to raise awareness on security matters. This feels kind of like an ACM problem, except less programming and probably a lot more real-world experience. Anyway, I've never tried to figure out what binary files do...I always refer to source files. Are there many tools available for looking at or figuring out what binaries do? Any reference pages? (the one linked on the article page isn't very helpful). Can someone provide more information about forensics with binaries? Thank you.

  • Wouldn't it be great if it turns out to be the newest format forIndivBox.key [cryptome.org]

  • Easy (Score:1, Funny)

    by Anonymous Coward
    If you look hard enough it occurs somewhere in the digits of Pi written in base 256.

  • Fastest way. (Score:4, Funny)

    by JonWan ( 456212 ) on Thursday May 02, 2002 @06:48PM (#3454221)
    Just open the file in Outlook. That will narrow down the possibilites.

  • Quite a challenge. (Score:5, Informative)

    by Hiro Antagonist ( 310179 ) on Thursday May 02, 2002 @06:51PM (#3454235) Journal
    This looks to be an interesting challenge; I believe the entire idea is analyizing the binary (which is a program) without actually running the thing; then, designing methods to check for network activity and such that this particular binary would generate. In addition, you get bonus points for correctly quantifying the skill level of the coder who produced said binary.

    It's much the same way as anaylizing a captured worm/virii; you need to figure out what it does, how to detect it, how to block/eradicate it, and also try and establish a profile of the originator of the worm/virii.
    • Actually, I'm sure the engineer would have to run it if only in a debugger to work out what is happening. This thing may well be a "pseudo-trojan" so it may be a case of running it under VMWare to see what happens.

  • Finals Week (Score:4, Funny)

    by fuzz6y ( 240555 ) on Thursday May 02, 2002 @06:52PM (#3454243)
    Releasing such a challenge on Monday of finals week is pure, unmitigated evil. So much for my grades. . .
  • I've got a p233 running win98 i'd load this thing on just to see it Die...WUHHAHAHAHA
  • Anyone wants to bet that 96% of all submitted solutions will be output of this:

    [root@localhost /root] wget http://project.honeynet.org/reverse/some_binary_fi le

    [root@localhost /root] file some_binary_file

    ? (heh)

  • Anyone else find this funny? (Score:4, Funny)

    by dimator ( 71399 ) on Thursday May 02, 2002 @07:09PM (#3454324) Homepage Journal
    Rule #6: The person who hacked the box is NOT eligible

  • Bar too high... (Score:2, Funny)

    by vovin ( 12759 )
    # Only one entry per household, please.
    Must be sentient to enter. Sorry, no Ginsu Knives come with this offer!

    Guess I need not waste my time ;->

  • while honeynet.org and www.honeynet.org are (still) down, the main project page can be reached here [honeynet.org]
  • It can only be a picture of Big Billg himself, which of course scares the living daylights out of the tin hat linux weenies whose only purpose in life is to make their box the most secure (and then use their DOB as their PIN number), whilst at the same time downloading pr0n using a custom written shell script executed using cron.

    When do I get my prize?

    ;-)
  • You will then have four weeks to complete your analysis and submit your report no later the 24:00 GMT [...]
    There is no such hour. There is an infinitesimal amount of time between 23:59 and 00:00, but no 24:00 hour, ask any military guy/gal. They would've been better served by saying instead, ``no later the 23:59.''
    • There are actually 60 seconds between those. Granted, it's not A LOT of time, but I wouldn't call it infinitesimal...

  • 10 bucks says that it's going to be the goatse.cx jpg

  • I'm sure someone has noted by now that ZDNet is carrying this story. On ZDNet it was posted at 4PM. It seems quite possible to me that they picked it up because it was running on Slashdot - it's much more a geek story than an enterprise-techie one. The media getting their news from Slashdot? - a disturbing prospect, and totally circular. What shall we read, dear Liza?

  • Any x86 machine code to C 'compilers' out there?
  • Read the challenge and results [honeynet.org] from last year. Great stuff!

Slashdot Top Deals

"If it ain't broke, don't fix it." - Bert Lantz

Close