Permanent Handler on Duty on This Page: Pedro Bueno
"Humankind cannot stand very much reality." - TS Eliot
BEFORE YOU CONTINUE, PLEASE READ THIS DISCLAIMER! The following file is a REAL piece of MALWARE! If you decide to go further, please note that I WILL NOT be responsible for any damage that it may cause in your system!

Okay! Now, some explanations about our little malware: First, it IS a real malware! It was captured on a compromised machine.

Malware name and md5: ecd45b584f7a1e50bb044646f4abb0be - cretzu.exe-orig-ecd45b584f7a1e50bb044646f4abb0be

Download it here! (Password = infected)

About our little malware... A user called the help desk complaining that his computer was too slow; after following the basic IR procedures, the Incident Response Team was called. What follows below is some real data from the compromised machine.

C:\Documents and Settings\malware>netstat -an

Also, below is a screenshot of the Task Manager.

The Incident Response Team was called to check his computer and found the cretzu compacted file on his computer. Your mission, if you decide to accept it :) is to answer the following questions regarding this incident:

1. Is this file packed? If so, which packer?
2. Without running the file, is it possible to identify what this malware can and will do?
3. Now, using any methods available to you, which changes, if any, will this malware make in the system, among new files and registry entries...?
4. Now, what is the purpose of this malware?
5. When will this malware be triggered/start?
6. Can you explain the netstat output?
7. What about the Task Manager screenshot? What useful information can you get?
8. About the cretzu file, please explain each of the files that it contains! :)

Bonus Questions:

9. Which other information about the channel can you provide?
10. What would you call this malware, and describe what this category of malware does.

Thanks! Pedro Bueno ( pbueno //%// isc. sans. org )

Ah! The answers must be submitted by Dec 17! Ah, again... don't forget to submit in PDF format...

-->RESULTS!!! - Dec 20/2005!
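As an added example, not part of Pedro's quiz or of any ISC tooling, the script below does the first two triage steps the questions ask for without executing anything: it confirms a sample's MD5 against the hash posted above, then parses the PE section table and flags known packer section names and high-entropy sections (compressed or encrypted code sits close to 8 bits per byte). The PE images it inspects are constructed in-code so the script runs offline with no real malware embedded; the packer-name table and the 7.0 entropy threshold are illustrative assumptions, not an exhaustive signature set.

```python
import hashlib
import math
import struct

# MD5 of the real quiz sample as posted on the page; the constructed images below will not match it.
EXPECTED_MD5 = "ecd45b584f7a1e50bb044646f4abb0be"

# Section names left behind by some well-known packers (assumption: a short illustrative
# list for this example, not a complete signature database).
PACKER_SECTION_HINTS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite", ".nsp0": "NsPack", ".MPRESS1": "MPRESS",
}


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (the same digest the page uses to name the sample)."""
    return hashlib.md5(data).hexdigest()


def verify_sample(data: bytes, expected_md5: str) -> bool:
    """First triage step: make sure the bytes on disk are the sample you think they are."""
    return md5_hex(data) == expected_md5.lower()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform); packed data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes):
    """Walk the PE section table; yields (name, raw_size, raw_offset, raw_bytes) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                   # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        yield name, raw_size, raw_ptr, data[raw_ptr:raw_ptr + raw_size]


def assess_packing(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Static packer check: known packer section names plus per-section entropy."""
    report = {"packer": None, "sections": [], "packed": False}
    for name, raw_size, _ptr, raw in pe_sections(data):
        ent = shannon_entropy(raw)
        hint = PACKER_SECTION_HINTS.get(name)
        if hint:
            report["packer"] = hint
        high = raw_size > 0 and ent >= entropy_threshold
        report["sections"].append(
            {"name": name, "raw_size": raw_size, "entropy": round(ent, 3), "high_entropy": high}
        )
        if hint or high:
            report["packed"] = True
    return report


def build_sample_pe(sections):
    """Constructed, non-executable PE image with just enough header for the parser (test data only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = 0x40 + 24 + 40 * len(sections)                      # raw data starts right after the table
    table, body = b"", b""
    for name, raw in sections:
        ptr = raw_ptr if raw else 0
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0, len(raw), ptr, 0, 0, 0, 0, 0x60000020
        )
        body += raw
        raw_ptr += len(raw)
    return dos + coff + table + body


# Constructed look-alikes: a UPX-style layout (empty UPX0, uniform-byte UPX1) and a plain build.
PACKED_SAMPLE = build_sample_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 16)])
PLAIN_SAMPLE = build_sample_pe([(".text", b"\x90" * 1024 + b"\xc3"), (".data", b"hello world\0" * 64)])

if __name__ == "__main__":
    for label, image in (("packed-style", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, "md5 matches quiz sample:", verify_sample(image, EXPECTED_MD5))
        print(label, assess_packing(image))
```

The hash check comes first on purpose: a section-name match tells you how a file was built, but only the digest tells you it is the file from the incident. A packer name match or a near-8.0 section is a reason to unpack before answering question 2, since imports and strings of a packed file describe the stub, not the payload.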
Total downloads of our malware: 204! Total visits to our Quiz 5 page: 2476! So, from 2476 visits to our Quiz 5, only 204 decided to download it!

And below is a list of 5 people who got some good points!

Top 3:

Next 2:

Very good!!! I would recommend that each of the submitters, the readers and the top 5 people read each one of the five listed above, because each one had a different approach, excellent correlations and really good ideas!

Well... now I will take some days off... and will return on January 9 to post new Quizzes! I would like to receive feedback on the Quizzes already posted, as well as suggestions for the next ones! Thanks a lot guys! It was really fun and I wish you all a happy Christmas and a really great New Year!!! Pedro Bueno ( pbueno //&&// isc. sans. org )
© 2002-2005 The SANS Institute SANS Web Privacy Policy: www.sans.org/privacy.php