Winner declared in hacker-tracker challenge
Sleuth solves 35-min hack in only 35 hours
Shortly after midnight on November 8th, a shadowy computer intruder slipped into a particular Linux machine in Illinois where he covertly installed a simple back door to ease his return. The intruder came back at 8:30 in the morning, and briefly crept around within the captured system before vanishing into cyberspace. In all, the incident lasted about half-an-hour.
Reconstructing what the intruder did during those thirty minutes took German programmer Thomas Roessler thirty-five hours. Roessler's painstaking digital detective work made him the winner of a unique anti-hacking contest, the results of which were announced Tuesday.
The Honeynet Project's Forensic Challenge invited aspiring cyber sleuths to match wits with a real computer criminal by piecing together the evidence left in the wake of a hack attack on one of the Project's honeypots, a deliberately vulnerable machine designed to lure opportunistic intruders.
Contestants were given a snippet of the intrusion detection system log from the night of the penetration, along with mountable images of the hacked computer's disk drive. The mission: uncover such details as the technique used to crack the system, the type of malicious code the intruder used once inside, and as much as possible about the perpetrator's identity--then write it up into a well organized report.
"The person that does the best job of making a high level view that can be easily broken down wins," says challenge organizer Dave Dittrich, a computer security expert at the University of Washington. The challenge's purpose was "to try and help the security community produce reports that help law enforcement... Something that speeds up the process of determining what crime occurred, who has venue and jurisdiction."
The contest began in January, and entries were due on February 19th. There were thirteen entries in all, says Dittrich, and almost all the contestants uncovered details that the others missed.
Each contestant spent an average of thirty-four hours on the challenge, highlighting the toll a computer intrusion can take in investigation costs, Dittrich says.
Roessler resurrected deleted files, dived into the computer's swap space, and performed various feats of Linux prestidigitation to summon up a clear timeline of the intruder's actions -- beginning with the attacker's entry through a well-known vulnerability in rpc.statd, continuing through his use of pre-fab backdoors and Trojan horses to cover his tracks, and ending in his unsuccessful attempt to set up a robotic presence on IRC, the Internet chat system.
A panel of judges rated entries on a point system, and the judging was close, says Dittrich, particularly among the top seven contestants. "Everybody did a slightly different thing, focused on different areas," Dittrich says. "[Roessler] won basically because of the technical skills that he showed, and the quality of the presentation of the material."
All thirteen contestants received a copy of McGraw-Hill's Hacking Exposed, a $28 value, and the top three winners won t-shirts. All the entries are on the Honeynet Project web site, where together they provide an intriguing thirteen different views of the same intrusion.
As for the ultimate mystery in the cyber whodunit, the contestants did uncover evidence of the intruder's identity, says Dittrich. But there are no plans to go after the culprit.
"The whole purpose of this intrusion seemed to be to set up [an IRC bot]," says Dittrich. "Something like this, I normally would not spend thirty-five hours on."
© 2001 SecurityFocus.com, all rights reserved.
Sponsored: RAID: End of an era?