As I'm now at Berkeley starting my career as a Ph.D. in computer security, I don't have time to maintain this blog and the modified version of micolog. Please find my new homepage here: http://www.cs.berkeley.edu/~kevinchn/
Kevin Zhijie Chen
Challenge 1 of the Forensic Challenge 2010 - pcap attack trace
Mon, 01/18/2010 - 06:18 — christian.seifert
Forensic Challenge 2010
Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.
Send submissions (please use the MS Word submission template or the Open Office submission template) to email@example.com no later than 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.
Skill Level: Intermediate
A network trace with attack data is provided. Analyze and answer the following questions:
- Which systems (i.e. IP addresses) are involved? (2pts)
- What can you find out about the attacking host (e.g., where is it located)? (2pts)
- How many TCP sessions are contained in the dump file? (2pts)
- How long did it take to perform the attack? (2pts)
- Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
- Can you sketch an overview of the general actions performed by the attacker? (6pts)
- What specific vulnerability was attacked? (2pts)
- What actions does the shellcode perform? Please list the shellcode. (8pts)
- Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
- Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
- Do you think this is a manual or an automated attack? Why? (2pts)
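Three of the questions above (which hosts are involved, how many TCP sessions the dump holds, how long the activity lasted) can be answered by walking the pcap file directly. The script below is an added example, not part of the challenge materials or the author's own submission: it parses the libpcap record format with the standard library only, identifies each TCP session by the first pure SYN on a client/server 4-tuple, and runs on a small trace constructed inline (documentation addresses 192.0.2.10 and 198.51.100.20, constructed frames, no payload, zeroed checksums).

```python
import struct
from typing import Dict, Iterator, List, Optional, Set, Tuple

SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    eth = bytes(12) + b"\x08\x00"                                  # dst, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))              # 20-byte IPv4 header, proto 6
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames: List[Tuple[int, bytes]]) -> bytes:
    """libpcap file: 24-byte global header, then 16-byte record header + frame per packet."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)


def iter_records(pcap: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (timestamp_seconds, frame_bytes); byte order is taken from the magic number."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24
    while off + 16 <= len(pcap):
        ts, _usec, incl, _orig = struct.unpack_from(e + "IIII", pcap, off)
        off += 16
        yield ts, pcap[off:off + incl]
        off += incl


def parse_tcp(frame: bytes) -> Optional[Tuple[str, str, int, int, int]]:
    """Return (src_ip, dst_ip, sport, dport, tcp_flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 14:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return src, dst, sport, dport, ip[ihl + 13]


def summarize(pcap: bytes) -> Dict[str, object]:
    """Hosts seen, number of TCP sessions (distinct pure-SYN 4-tuples), capture duration."""
    hosts: Set[str] = set()
    sessions: Set[Tuple[str, int, str, int]] = set()
    first = last = None
    for ts, frame in iter_records(pcap):
        first = ts if first is None else first
        last = ts
        p = parse_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, flags = p
        hosts.update((src, dst))
        if flags & (SYN | ACK) == SYN:          # pure SYN: a client opening a connection
            sessions.add((src, sport, dst, dport))
    return {"hosts": sorted(hosts), "tcp_sessions": len(sessions),
            "duration_s": (last - first) if first is not None else 0}


def sample_pcap() -> bytes:
    """Constructed trace: host A opens two connections to host B, one SYN retransmitted."""
    A, B = "192.0.2.10", "198.51.100.20"
    frames = [
        (0, build_frame(A, B, 40001, 80, SYN)),
        (0, build_frame(A, B, 40001, 80, SYN)),           # retransmitted SYN, same session
        (1, build_frame(B, A, 80, 40001, SYN | ACK)),
        (1, build_frame(A, B, 40001, 80, ACK)),
        (3, build_frame(A, B, 40002, 443, SYN)),
        (3, build_frame(B, A, 443, 40002, SYN | ACK)),
        (4, build_frame(A, B, 40002, 443, ACK)),
        (7, build_frame(A, B, 40002, 443, FIN | ACK)),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    print(summarize(sample_pcap()))   # constructed trace: 2 hosts, 2 sessions, 7 s
```

For the real challenge file, replace `sample_pcap()` with `open("attack-trace.pcap", "rb").read()`. Counting pure SYNs counts connection attempts; a scan that never completes a handshake still produces one session per tuple, so compare against the number of SYN/ACKs if the question is about established sessions. The duration returned is that of the whole capture, not of any single session.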
According to Prof. Guofei Gu's Computer Security Conference Ranking and Statistic
(cd /path/to/src && tar cf - .) | (cd /path/to/dst && tar xpf -)
I have finished almost all of the coding for Project #1; now you can try out the new PHoneyC with shellcode/heapspray detection here:
Please feel free to report any bugs or suggestions on shellcode/heapspray detection to me.
As Geng and his partner are still working on the DOM simulation of PHoneyC (Project #2), I will do more testing and write an overall introduction to the ideas and structure of the new PHoneyC after merging in his final commit.
NOTICE: The DOM simulation part of PHoneyC in the svn may change a lot in the following days, so please check out revision 1433 of the for a stable version.
Here is the current installation manual; you can also find it in the README file:
Compile the modules:
NOTE: You don't need root privileges to run make install.
PYTHONPATH=lib/python python main.py URL-you-want-to-examine
2. Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit
3. Microsoft Office Web Components (OWX10.Spreadsheet) (owc10.dll) 0Day
Another wave of drive-by download storms is around the corner~
Info: See <https://www.honeynet.org/gsoc/project1> for project details.
Author: Zhijie Chen (Joyan) <firstname.lastname@example.org>
Acknowledgments: Jose Nazario, Jianwei Zhuge, Georg Wicherski, The Honeynet Chinese Chapter
Description: Mid-term report on PHoneyC GSoC project 1. This report describes what I have done on PHoneyC's libemu integration for shellcode and heapspray detection during the first half of the GSoC. So far, the main ideas behind this feature have been implemented quickly (that is, in a poor coding style) and the whole flow works, with code rewriting and performance optimization still needed.
PHoneyC is a low-interaction honeyclient written by Jose Nazario. The shellcode (SC for short) and heapspray (HS for short) detection module for PHoneyC is listed as a GSoC project this year, and I feel lucky to have been chosen to implement it. This report presents the main idea of how SC/HS are detected in PHoneyC and how to build and run this version of PHoneyC. Note that this module (which I call honeyjs) is currently far from complete and this report is only for the midterm evaluation, so the way to build and run it may not work in the future. As an introduction to PHoneyC, I'd rather quote what the original developer said in his paper 'PhoneyC: A Virtual Client Honeypot':
This paper presents PhoneyC, a honeyclient tool that can provide visibility into new and complex client-side attacks. PhoneyC is a virtual honeyclient, meaning it is not a real application but rather an emulated client. By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.
My approach to detecting shellcode and heapspray can be summarized as:
There are also some optimizations, such as a mal-value hash table that avoids checking the same value twice, and dataflow tracking (e.g., concatenating a mal-string (a string that contains shellcode) with any other string yields a mal-string). The above is all I have done in the first half of this GSoC, and the Python module I implemented is named honeyjs.
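The two optimizations mentioned above (the mal-value hash table and the concatenation rule for mal-strings) are easy to see in isolation. The following Python is an added example written for this page, not honeyjs or any PHoneyC code: the actual shellcode check is a constructed heuristic (a run of 16 NOP bytes) standing in for libemu, the `MalValueTable` and `JSString` classes are assumed names, and the spray-style script fragment replayed in `run_demo` is constructed inline.

```python
import hashlib
from typing import Callable, Dict, Optional


def js_unescape(s: str) -> bytes:
    """Decode the %uXXXX and %XX escapes that JavaScript's unescape() accepts.
    %uXXXX yields two little-endian bytes (one UTF-16 code unit), which is how
    a heap-spray script typically materialises its NOP sled."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s.startswith("%u", i) and len(s) >= i + 6:
            out += int(s[i + 2:i + 6], 16).to_bytes(2, "little")
            i += 6
        elif s[i] == "%" and len(s) >= i + 3:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += s[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)


def looks_like_shellcode(data: bytes) -> bool:
    """Stand-in for the libemu check (a constructed heuristic, not libemu):
    flag any buffer containing a run of 16 or more 0x90 NOP bytes."""
    return b"\x90" * 16 in data


class MalValueTable:
    """Hash table of already-checked values (keyed by SHA-256 of the bytes),
    so the expensive check runs once per distinct value (assumed name)."""

    def __init__(self, check: Callable[[bytes], bool]) -> None:
        self.check = check
        self.table: Dict[str, bool] = {}
        self.lookups = 0      # every time a string value is consulted
        self.checks_run = 0   # times the underlying check actually ran

    def is_mal(self, data: bytes) -> bool:
        self.lookups += 1
        key = hashlib.sha256(data).hexdigest()
        if key not in self.table:
            self.checks_run += 1
            self.table[key] = self.check(data)
        return self.table[key]


class JSString:
    """A script string carrying a taint flag (assumed name). Concatenation follows
    the report's dataflow rule: mal-string + any string = mal-string, no rescan."""

    def __init__(self, table: MalValueTable, data: bytes,
                 is_mal: Optional[bool] = None) -> None:
        self.table = table
        self.data = data
        self.is_mal = table.is_mal(data) if is_mal is None else is_mal

    def __add__(self, other: "JSString") -> "JSString":
        if self.is_mal or other.is_mal:
            return JSString(self.table, self.data + other.data, is_mal=True)
        return JSString(self.table, self.data + other.data)


def run_demo() -> Dict[str, int]:
    """Replay a constructed heap-spray-style script fragment and report what
    was flagged and how much work the table saved."""
    table = MalValueTable(looks_like_shellcode)
    sled_src = "%u9090" * 10                          # decodes to 20 bytes of 0x90
    sled = JSString(table, js_unescape(sled_src))     # check 1: flagged
    filler = JSString(table, b"A" * 32)               # check 2: benign
    payload = JSString(table, b"B" * 8)               # check 3: benign
    block = sled + payload                            # mal by dataflow, no check
    spray_mal = 0
    for _ in range(100):                              # spray loop re-decodes the sled
        slot = JSString(table, js_unescape(sled_src)) + payload
        spray_mal += slot.is_mal                      # table hit + dataflow, no new check
    benign = filler + payload                         # check 4: both operands benign
    return {
        "sled_mal": int(sled.is_mal),
        "block_mal": int(block.is_mal),
        "benign_mal": int(benign.is_mal),
        "spray_mal": spray_mal,
        "lookups": table.lookups,
        "checks_run": table.checks_run,
    }


if __name__ == "__main__":
    print(run_demo())   # 104 lookups but only 4 real checks on the constructed script
```

The point of the table is visible in the counters: the spray loop consults string values a hundred times but never re-runs the check, because the decoded sled hashes to a value already in the table and the concatenation inherits the flag. The dataflow rule is deliberately one-directional; a benign-plus-benign concatenation is still checked, since two harmless halves can form shellcode only when joined.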
Z. Chen (Joyan)