Permanent Handler on Duty on This Page: Pedro Bueno
  • "Never believe anything until it has been officially denied." - Claud Cockburn

    • SECTION I - MALWARE ANALYSIS - PART 6 - Feb 2006
       

    BEFORE CONTINUING - PLEASE READ THIS DISCLAIMER!

    The following file is a REAL piece of MALWARE! - If you decide to go further, please note that I WILL NOT be responsible for any damage that it may cause to your system!

    Yes, I am back!! Happy new year to all of you...!:)

    Okay! Now, some explanations about our little malware:

    First, it IS a real malware!

    Malware name and md5: d0ae8d57b4c1eb4cc6507fcf0c130883 *shelll.zip

    Download it here! (Password = infected)

    About our little malware...

    This system is a Linux box... everything was calm until the ISP received a report about this machine scanning other machines...

    Our great guys from the Incident Response Team were called again...

    What follows below is some real data from the compromised machine.

    Netstat.txt

    Psaux.txt

    secure.txt

    passwd.txt

    Unfortunately, as you can see, not much useful information was found on the machine, so your mission, if you decide to accept it :), is to answer the following questions regarding this incident:

    1. Are these files packed? If so, which packer?

    2 (a & b). (a) Without running the applications, identify what the malware can/will do, then (b) run the applications and identify additional details evident when the applications are run.

    3. Now, using any methods available to you, which changes, if any, will the malware make on the system?

    4. Now, what is the purpose of the malware? Are they related?

    5. Why didn't the 'shelll' or the 'cmd' applications show up in the ps aux output?

    6. Do you have any clues as to how the machine was compromised?

    7. About the 'shelll' and cmd.gif files, what useful information could you get?

    Bonus Questions:

    8. Using all your creative mind, please describe the possible attack scenario... :-)

    9. Based on this attack, which security measures would you recommend to this Linux box owner?

    PS. When running, this malware can perform malicious activity in your network and on the Internet!

    Did you take a look at my personal malware zoo? :)

    Thanks!

    Pedro Bueno ( pbueno //%// isc. sans. org)  - Ah! The answers must be submitted by Mar 10! Ah, again... don't forget to submit in PDF format...

    RESULTS

    I can tell you...it is really nice to review the answers!

    All the submissions posted here got most of the answers correct, and the correlation applied was also really good!

    One important thing to notice is that you didn't have some information to work with, like a live system to perform forensics on, so you had to work with this information only. You didn't know which tools it was collected with (trojaned or not), whether the machine used to have a web server running on it or not, etc. But sometimes when doing Incident Response you will have to deal with these situations as well... I guarantee ;-), and that's why you all did a really good job!

    Ok, let's go to the top 3 first:

    1. Zach Jansen

    2. Rudolph Pereira

    3. Neil Desai

    The following names also got some great points:

    Congratulations to all of you who took the time to complete this Quiz, and I hope that you had fun with it!

    Again, if you have any suggestions for the quizzes, let me know!

    Pedro Bueno ( pbueno //&&//  isc. sans. org )