diff --git a/doc/2013-02-TF5/mktoken b/doc/2013-02-TF5/mktoken new file mode 100755 index 0000000..10eb077 --- /dev/null +++ b/doc/2013-02-TF5/mktoken @@ -0,0 +1,17 @@ +#! /bin/sh + +# Give it your registration raw data on stdin +# It appends any new folks to tokens.txt + +mktoken () { + dd if=/dev/urandom bs=4 count=1 2>/dev/null | hexdump | while read a b c; do + [ -n "$b" ] && echo $b$c + done +} + +while IFS=' ' read name email org c1 c2; do + if ! grep -q "$email" tokens.txt; then + printf "%s " "$email" >> tokens.txt + mktoken >> tokens.txt + fi +done \ No newline at end of file diff --git a/doc/2013-02-TF5/progressive-story.txt b/doc/2013-02-TF5/progressive-story.txt new file mode 100644 index 0000000..85042a0 --- /dev/null +++ b/doc/2013-02-TF5/progressive-story.txt 
@@ -0,0 +1,122 @@ +The Story +------- + +[start] +At approximately 8:05 AM US/Eastern, +an analyst at the Maine Energy Research Facility (MERF) +discovered anomalous traffic to an IP geolocated in the Macedonian Empire. +The analyst reported the traffic to IARC, +who requested packet captures. +Packet captures reveal port 79 (finger) TCP traffic, +which does not conform to the finger protocol. +The MERF analyst is investigating proxy logs to determine the internal origin of traffic. +Packet captures have been sent to the Cyber Response Team (CRT) +for deep analysis. + + +proto +----- + +#20 + +"Garfield" protocol identified and decoded. +Decodes indicate additional IPs of interest: + 10.48.12.16 + 10.82.173.211 +New pcap to be sent to CRT for deep analysis. + +#30 + +Further analysis of Garfield protocol indicates attackers interested in +primarily JPEG and MP3 files on local hard drive, +and network-attached OkiMate 10 color printers. + + +#40 + +List of transferred files indicates interest in pie- and cake-related images, +audio files of bird calls. +Password "ARBUCKLE" used for exfiltrated ZIP files. + +advise addition of snort rule +{dsize:48; pcre:"^#~1..PDQ\008"; msg:"CRT Garfield"; sid:1663999; rev:00;} + + +#100 + +Second stage malware binary identified, +named "Odie". +18GB of Odie traffic found at MERF. + + +#1000 + +Odie protocol decoded. +Decodes indicate attackers interested in +primarily video files, +no indication of further infections. + + +#2000 + +Video files transferred are all of Maine wildlife, +mostly birds. +All attacker activity identified. + + +Kevin's Stuff +---------- + +Kevin has not yet told me what his stuff contains, +and probably never will, +so I'm making it all up. + + +Investigation at MERF has uncovered three internal machines as traffic origin. +These machines are being left online for observation, + +Files from directory C:\Windows\System32\POOKY have been sent to IARC and CRT for further analysis. 
+ +Several ZIP files located in deleted filespace on infected machines. + +Analysis of C:\Windows\System32\POOKY\system_wallpaper.jpg +reveals malware dropper. + +MERF machines all contain the unique registry entry \HOST\UNREAL\LASAGNE_KEY = I_HATE_MONDAYS. +IARC has advised sites to search for this key. + +Visited network file systems all pertain to wildlife photography. + +ZIP files contain JPEG and MP3 files, +all photographs and recordings of birds. + + + +rln's stuff +-------- + +rln has also not yet told me what his stuff contains, +and may not actually have any stuff. +If he does, this is what I'll say it is. + +"Garfield" drops registry key \HOST\UNREAL\LASAGNE_KEY + +"Garfield" malware contains C2 capability. + +Reports all joystick input to web server at atlv.papillon.mcd, +recommend policy disabling joysticks at this time. + +Registry key value I_HATE_MONDAYS indicates successful phone home + + +"Odie" malware contains C2 capability, +no registry keys. + +Odie uses remote host jasex.binky.mcd + +Odie Malware appears to use 16-byte key "NERMALpookyODIE" + +Odie has directory walking search capability. + +Odie has file transfer capability. +
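Review bot: in doc/2013-02-TF5/mktoken, the duplicate check `grep -q "$email" tokens.txt` inside the read loop treats the address as an unanchored regular expression. A new registrant whose address is a substring of one already in the file is silently skipped and never gets a token, and every `.` in the address matches any character. Compare the whole first field as a fixed string instead, for example `cut -d' ' -f1 tokens.txt | grep -qxF -- "$email"`, and use `read -r` so backslashes in the raw registration data are not interpreted. On a first run tokens.txt does not exist yet, so grep prints an error before the append creates it; a `touch tokens.txt` before the loop avoids that. Separately, `mktoken` reads only 4 bytes from /dev/urandom (`bs=4 count=1`), which gives a 32-bit token; if the token serves as a credential, raise the byte count.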
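Review bot: in doc/2013-02-TF5/progressive-story.txt, the Snort rule advised under #40 cannot be loaded as written. It is only an option body in braces, with no rule header (action, protocol, addresses, ports) and no parentheses around the options. The `pcre` value is not wrapped in `/.../` delimiters, and `\008` parses as a NUL byte followed by a literal 8, because 8 is not an octal digit. If readers are expected to deploy it, give the complete rule and write the intended byte unambiguously as a hex escape; if it is meant to be schematic, say so in the text. In the rln section, the key "NERMALpookyODIE" is 15 characters while the line calls it a 16-byte key, so either correct one of them or state that a trailing NUL is counted. The line "These machines are being left online for observation," also ends in a comma rather than a full stop.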