assign tokens, create progressive story

This commit is contained in:
Neale Pickett 2013-02-03 23:10:43 -07:00
parent 8c7a5528fc
commit 93a6686843
2 changed files with 139 additions and 0 deletions

17
doc/2013-02-TF5/mktoken Executable file
View File

@ -0,0 +1,17 @@
#! /bin/sh
# Give it your registration raw data on stdin
# It appends any new folks to tokens.txt
mktoken () {
dd if=/dev/urandom bs=4 count=1 2>/dev/null | hexdump | while read a b c; do
[ -n "$b" ] && echo $b$c
done
}
while IFS=' ' read name email org c1 c2; do
if ! grep -q "$email" tokens.txt; then
printf "%s " "$email" >> tokens.txt
mktoken >> tokens.txt
fi
done
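Review bot: the duplicate check `if ! grep -q "$email" tokens.txt` treats the address as an unanchored basic regex, so an existing `xa@b.com` line satisfies a lookup for `a@b.c` and every dot in the address matches any character; a fixed-string, whole-field match such as `grep -qF -- "$email " tokens.txt` is the safer test. Two smaller points: `mktoken` pulls only `bs=4 count=1` from /dev/urandom, so each token carries 32 bits of entropy, which is thin for a credential handed to registrants (raising the byte count and formatting with `od -An -tx1 | tr -d ' \n'` avoids parsing hexdump's address column entirely), and `tokens.txt` must already exist or grep prints an error for every input line on the first run, so a `touch tokens.txt` before the loop is worth adding.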

View File

@ -0,0 +1,122 @@
The Story
-------
[start]
At approximately 8:05 AM US/Eastern,
an analyst at the Maine Energy Research Facility (MERF)
discovered anomalous traffic to an IP geolocated in the Macedonian Empire.
The analyst reported the traffic to IARC,
who requested packet captures.
Packet captures reveal port 79 (finger) TCP traffic,
which does not conform to the finger protocol.
The MERF analyst is investigating proxy logs to determine the internal origin of traffic.
Packet captures have been sent to the Cyber Response Team (CRT)
for deep analysis.
proto
-----
#20
"Garfield" protocol identified and decoded.
Decodes indicate additional IPs of interest:
10.48.12.16
10.82.173.211
New pcap to be sent to CRT for deep analysis.
#30
Further analysis of Garfield protocol indicates attackers interested in
primarily JPEG and MP3 files on local hard drive,
and network-attached OkiMate 10 color printers.
#40
List of transferred files indicates interest in pie- and cake-related images,
audio files of bird calls.
Password "ARBUCKLE" used for exfiltrated ZIP files.
advise addition of snort rule
{dsize:48; pcre:"^#~1..PDQ\008"; msg:"CRT Garfield"; sid:1663999; rev:00;}
#100
Second stage malware binary identified,
named "Odie".
18GB of Odie traffic found at MERF.
#1000
Odie protocol decoded.
Decodes indicate attackers interested in
primarily video files,
no indication of further infections.
#2000
Video files transferred are all of Maine wildlife,
mostly birds.
All attacker activity identified.
Kevin's Stuff
----------
Kevin has not yet told me what his stuff contains,
and probably never will,
so I'm making it all up.
Investigation at MERF has uncovered three internal machines as traffic origin.
These machines are being left online for observation,
Files from directory C:\Windows\System32\POOKY have been sent to IARC and CRT for further analysis.
Several ZIP files located in deleted filespace on infected machines.
Analysis of C:\Windows\System32\POOKY\system_wallpaper.jpg
reveals malware dropper.
MERF machines all contain the unique registry entry \HOST\UNREAL\LASAGNE_KEY = I_HATE_MONDAYS.
IARC has advised sites to search for this key.
Visited network file systems all pertain to wildlife photography.
ZIP files contain JPEG and MP3 files,
all photographs and recordings of birds.
rln's stuff
--------
rln has also not yet told me what his stuff contains,
and may not actually have any stuff.
If he does, this is what I'll say it is.
"Garfield" drops registry key \HOST\UNREAL\LASAGNE_KEY
"Garfield" malware contains C2 capability.
Reports all joystick input to web server at atlv.papillon.mcd,
recommend policy disabling joysticks at this time.
Registry key value I_HATE_MONDAYS indicates successful phone home
"Odie" malware contains C2 capability,
no registry keys.
Odie uses remote host jasex.binky.mcd
Odie Malware appears to use 16-byte key "NERMALpookyODIE"
Odie has directory walking search capability.
Odie has file transfer capability.
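Review bot: the proposed rule `{dsize:48; pcre:"^#~1..PDQ\008"; msg:"CRT Garfield"; sid:1663999; rev:00;}` is not loadable as written: a Snort rule needs a header such as `alert tcp any any -> any 79` with the options in parentheses rather than braces, the `pcre` pattern must be delimited (`pcre:"/^#~1..PDQ\x08/"`, since `\008` is read as a NUL followed by a literal `8` rather than one byte), and `rev` should be a positive revision such as `rev:1`. Separately, the line `Odie Malware appears to use 16-byte key "NERMALpookyODIE"` quotes a 15-character string, so either the stated key length or the key text is off and should be reconciled before this goes to participants.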