Winner declared in hacker-tracker challenge

Sleuth solves 35-min hack in only 35 hours


Shortly after midnight on November 8th, a shadowy computer intruder slipped into a particular Linux machine in Illinois, where he covertly installed a simple back door to ease his return. The intruder came back at 8:30 in the morning and briefly crept around within the captured system before vanishing into cyberspace. In all, the incident lasted about half an hour.

Reconstructing what the intruder did during those thirty minutes took German programmer Thomas Roessler thirty-five hours. Roessler's painstaking digital detective work made him the winner of a unique anti-hacking contest, the results of which were announced Tuesday.

The Honeynet Project's Forensic Challenge invited aspiring cyber sleuths to match wits with a real computer criminal by piecing together the evidence left in the wake of a hack attack on one of the Project's honeypots, a deliberately vulnerable machine designed to lure opportunistic intruders.

Contestants were given a snippet of the intrusion detection system log from the night of the penetration, along with mountable images of the hacked computer's disk drive. The mission: uncover such details as the technique used to crack the system, the type of malicious code the intruder used once inside, and as much as possible about the perpetrator's identity -- then write it up into a well-organized report.

"The person that does the best job of making a high level view that can be easily broken down wins," says challenge organizer Dave Dittrich, a computer security expert at the University of Washington. The challenge's purpose was "to try and help the security community produce reports that help law enforcement... Something that speeds up the process of determining what crime occurred, who has venue and jurisdiction."

Costly Investigation

The contest began in January, and entries were due on February 19th. There were thirteen entries in all, says Dittrich, and almost all the contestants uncovered details that the others missed.

Each contestant spent an average of thirty-four hours on the challenge, highlighting the toll a computer intrusion can take in investigation costs, Dittrich says.

Roessler resurrected deleted files, dived into the computer's swap space, and performed various feats of Linux prestidigitation to summon up a clear timeline of the intruder's actions -- beginning with the attacker's entry through a well-known vulnerability in rpc.statd, continuing through his use of pre-fab backdoors and Trojan horses to cover his tracks, and ending in his unsuccessful attempt to set up a robotic presence on IRC, the Internet chat system.

A panel of judges rated entries on a point system, and the judging was close, says Dittrich, particularly among the top seven contestants. "Everybody did a slightly different thing, focused on different areas," Dittrich says. "[Roessler] won basically because of the technical skills that he showed, and the quality of the presentation of the material."

All thirteen contestants received a copy of McGraw-Hill's Hacking Exposed, a $28 value, and the top three winners won t-shirts. All the entries are on the Honeynet Project web site, where together they provide an intriguing thirteen different views of the same intrusion.

As for the ultimate mystery in the cyber whodunit, the contestants did uncover evidence of the intruder's identity, says Dittrich. But there are no plans to go after the culprit.

"The whole purpose of this intrusion seemed to be to set up [an IRC bot]," says Dittrich. "Something like this, I normally would not spend thirty-five hours on."

© 2001 SecurityFocus.com, all rights reserved.
