Feeds

Winner declared in hacker-tracker challenge

Sleuth solves 35-min hack in only 35 hours

  • alert
  • submit to reddit

Remote control for virtualized desktops

Shortly after midnight on November 8th, a shadowy computer intruder slipped into a particular Linux machine in Illinois where he covertly installed a simple back door to ease his return. The intruder came back at 8:30 in the morning, and briefly crept around within the captured system before vanishing into cyberspace. In all, the incident lasted about half-an-hour.

Reconstructing what the intruder did during those thirty minutes took German programmer Thomas Roessler thirty-five hours. Roessler's painstaking digital detective work made him the winner of a unique anti-hacking contest, the results of which were announced Tuesday.

The Honeynet Project's Forensic Challenge invited aspiring cyber sleuths to match wits with a real computer criminal by piecing together the evidence left in the wake of a hack attack on one of the Project's honeypots, a deliberately vulnerable machine designed to lure opportunistic intruders.

Contestants were given a snippet of the intrusion detection system log from the night of the penetration, along with mountable images of the hacked computer's disk drive. The mission: uncover such details as the technique used to crack the system, the type of malicious code the intruder used once inside, and as much as possible about the perpetrator's identity--then write it up into a well organized report.

"The person that does the best job of making a high level view that can be easily broken down wins," says challenge organizer Dave Dittrich, a computer security expert at the University of Washington. The challenge's purpose was "to try and help the security community produce reports that help law enforcement... Something that speeds up the process of determining what crime occurred, who has venue and jurisdiction."

Costly Investigation

The contest began in January, and entries were due on February 19th. There were thirteen entries in all, says Dittrich, and almost all the contestants uncovered details that the others missed.

Each contestant spent an average of thirty-four hours on the challenge, highlighting the toll a computer intrusion can take in investigation costs, Dittrich says.

Roessler resurrected deleted files, dived into the computer's swap space, and performed various feats of Linux prestidigitation to summon up a clear timeline of the intruder's actions -- beginning with the attacker's entry through a well-known vulnerability in rpc.statd, continuing through his use of pre-fab backdoors and Trojan horses to cover his tracks, and ending in his unsuccessful attempt to set up a robotic presence on IRC, the Internet chat system.

A panel of judges rated entries on a point system, and the judging was close, says Dittrich, particularly among the top seven contestants. "Everybody did a slightly different thing, focused on different areas," Dittrich says. "[Roessler] won basically because of the technical skills that he showed, and the quality of the presentation of the material."

All thirteen contestants received a copy of McGraw-Hill's Hacking Exposed, a $28 value, and the top three winners won t-shirts. All the entries are on the Honeynet Project web site, where together they provide an intriguing thirteen different views of the same intrusion.

As for the ultimate mystery in the cyber whodunit, the contestants did uncover evidence of the intruder's identity, says Dittrich. But there are no plans to go after the culprit.

"The whole purpose of this intrusion seemed to be to set up [an IRC bot]," says Dittrich. "Something like this, I normally would not spend thirty-five hours on."

© 2001 SecurityFocus.com, all rights reserved.

Remote control for virtualized desktops

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?