@xatier
Last active August 29, 2015 14:02

1. Use all of WHOIS, Robtex, and PhishTank to trace back on a phishing email found in your mailbox. If you don’t find one, create one email account and post the email address onto Web to solicit some. Show and discuss your findings.

[image: in my mailbox]

[image: the original mail in plain text]

126.com is a webmail service in China; it is easy to compromise an account there and use it to send spam to others.

whois


Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Server Name: 126.COM.MORE.INFO.AT.WWW.BEYONDWHOIS.COM
   IP Address: 203.36.226.2
   Registrar: INSTRA CORPORATION PTY, LTD.
   Whois Server: whois.instra.net
   Referral URL: http://www.instra.com

   Domain Name: 126.COM
   Registrar: MARKMONITOR INC.
   Whois Server: whois.markmonitor.com
   Referral URL: http://www.markmonitor.com
   Name Server: NS1.NEASE.NET
   Name Server: NS2.NEASE.NET
   Name Server: NS3.NEASE.NET
   Name Server: NS4.NEASE.NET
   Name Server: NS5.NEASE.NET
   Name Server: NS6.NEASE.NET
   Name Server: NS7.NEASE.NET
   Name Server: NS8.NEASE.NET
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Status: serverDeleteProhibited
   Status: serverTransferProhibited
   Status: serverUpdateProhibited
   Updated Date: 13-may-2014
   Creation Date: 28-feb-1998
   Expiration Date: 28-feb-2019

>>> Last update of whois database: Sun, 08 Jun 2014 10:57:01 UTC <<<

NOTICE: The expiration date displayed in this record is the date the 
registrar's sponsorship of the domain name registration in the registry is 
currently set to expire. This date does not necessarily reflect the expiration 
date of the domain name registrant's agreement with the sponsoring 
registrar.  Users may consult the sponsoring registrar's Whois database to 
view the registrar's reported date of expiration for this registration.


The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: 126.com
Registry Domain ID: 1373158_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2014-05-15T20:31:52-0700
Creation Date: 1998-02-27T21:00:00-0800
Registrar Registration Expiration Date: 2019-02-27T21:00:00-0800
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Registry Registrant ID: 
Registrant Name: Matt Serlin
Registrant Organization: DNStination Inc.
Registrant Street: 425 Market St, 5th Floor
Registrant City: San Francisco
Registrant State/Province: CA
Registrant Postal Code: 94105
Registrant Country: US
Registrant Phone: +1.4155319335
Registrant Phone Ext: 
Registrant Fax: +1.4155319336
Registrant Fax Ext: 
Registrant Email: [email protected]
Registry Admin ID: 
Admin Name: Matt Serlin
Admin Organization: DNStination Inc.
Admin Street: 425 Market St, 5th Floor
Admin City: San Francisco
Admin State/Province: CA
Admin Postal Code: 94105
Admin Country: US
Admin Phone: +1.4155319335
Admin Phone Ext: 
Admin Fax: +1.4155319336
Admin Fax Ext: 
Admin Email: [email protected]
Registry Tech ID: 
Tech Name: Matt Serlin
Tech Organization: DNStination Inc.
Tech Street: 425 Market St, 5th Floor
Tech City: San Francisco
Tech State/Province: CA
Tech Postal Code: 94105
Tech Country: US
Tech Phone: +1.4155319335
Tech Phone Ext: 
Tech Fax: +1.4155319336
Tech Fax Ext: 
Tech Email: [email protected]
Name Server: ns5.nease.net
Name Server: ns8.nease.net
Name Server: ns6.nease.net
Name Server: ns2.nease.net
Name Server: ns3.nease.net
Name Server: ns7.nease.net
Name Server: ns1.nease.net
Name Server: ns4.nease.net
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2014-06-08T03:56:40-0700 <<<

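What a phishing triage actually reads out of a WHOIS record like the one above is a handful of fields: registrar, creation date (domain age), status locks, name servers and the registrar's abuse contact. The parser below is an added example, not part of the gist; it handles the key/value format shown above, and the sample record is a constructed excerpt of the 126.com lookup with the abuse address (redacted on the page) replaced by a placeholder.

```python
"""Pull phishing-triage fields out of a raw WHOIS record (added example)."""
import re
from datetime import datetime, timezone

# Constructed excerpt of the registrar (MarkMonitor) record shown above.
# The abuse address is a placeholder; the real one is redacted on the page.
SAMPLE_WHOIS = """\
Domain Name: 126.com
Registrar WHOIS Server: whois.markmonitor.com
Creation Date: 1998-02-27T21:00:00-0800
Registrar Registration Expiration Date: 2019-02-27T21:00:00-0800
Registrar: MarkMonitor, Inc.
Registrar Abuse Contact Email: abuse@registrar.invalid
Domain Status: clientUpdateProhibited
Domain Status: clientTransferProhibited
Name Server: ns5.nease.net
Name Server: ns2.nease.net
>>> Last update of WHOIS database: 2014-06-08T03:56:40-0700 <<<
"""

def parse_whois(text):
    """Return {key: [values]} for 'Key: value' lines; repeated keys accumulate."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$", line)
        if not m or not m.group(2):      # skip banners and empty values
            continue
        fields.setdefault(m.group(1).strip(), []).append(m.group(2))
    return fields

def domain_age_days(fields, now):
    """Days since registration; a very young domain is a classic phishing signal."""
    created = datetime.strptime(fields["Creation Date"][0], "%Y-%m-%dT%H:%M:%S%z")
    return (now - created).days

def triage(text, now=None):
    """Summarise the record into the fields an analyst reports on."""
    now = now or datetime.now(timezone.utc)
    f = parse_whois(text)
    age = domain_age_days(f, now)
    return {
        "domain": f["Domain Name"][0].lower(),
        "registrar": f.get("Registrar", ["?"])[0],
        "abuse_contact": f.get("Registrar Abuse Contact Email", ["?"])[0],
        "name_servers": sorted(v.lower() for v in f.get("Name Server", [])),
        "age_days": age,
        "young_domain": age < 30,
        "transfer_locked": any(s.endswith("TransferProhibited")
                               for s in f.get("Domain Status", [])),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_WHOIS))
```

A long-lived, transfer-locked domain with a brand-protection registrar (as here) points to a compromised mailbox rather than an attacker-registered domain, so the abuse report goes to the mail provider, not the registrar.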

[image: Robtex]

[image: PhishTank]

2. On Windows with some running processes connecting to the Internet, use FTK Imager to dump memory and then Volatility Framework to analyze the memory dump. Show processes with connections, and check whether they have DLLs.

Again, I don't use a Windows system; the following link is a system that I hacked in January 2014. Hacking a real system is much more exciting than the stupid homework.

cat /proc/self/maps

http://pastebin.com/1Tkj3GRK
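The Linux counterpart of the DLL check the question asks for is the set of shared objects mapped into a process, which is exactly what /proc/<pid>/maps lists. The script below is an added example, not the author's pastebin output: it parses a constructed maps excerpt, lists the file-backed mappings, and flags executable mappings backed by deleted files or by files outside the usual system library directories, the kind of thing an injected payload leaves behind.

```python
"""List mapped shared objects from /proc/<pid>/maps and flag odd ones (added example)."""
import re
import sys

# Constructed excerpt in /proc/<pid>/maps format (not the pastebin linked above).
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 131073 /usr/bin/cat
7f3c0a000000-7f3c0a1c0000 r-xp 00000000 08:01 262199 /lib/x86_64-linux-gnu/libc-2.19.so
7f3c0a1c0000-7f3c0a3c0000 ---p 001c0000 08:01 262199 /lib/x86_64-linux-gnu/libc-2.19.so
7f3c0a3c4000-7f3c0a3c6000 rw-p 00000000 00:00 0
7f3c0a400000-7f3c0a401000 r-xp 00000000 00:13 9001 /dev/shm/.x (deleted)
7f3c0a600000-7f3c0a620000 r-xp 00000000 08:01 262200 /lib/x86_64-linux-gnu/ld-2.19.so
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""

# Directories a normal process is expected to load code from (assumption).
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64",
                "/bin", "/usr/bin", "/sbin", "/usr/sbin")
# start-end perms offset dev inode [path]
LINE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ (\d+)\s*(.*)$")

def parse_maps(text):
    """Return (start, end, perms, inode, path) tuples for every mapping line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            start, end, perms, inode, path = m.groups()
            out.append((int(start, 16), int(end, 16), perms, int(inode), path))
    return out

def mapped_objects(text):
    """Unique file-backed mappings: the Linux analogue of a process's DLL list."""
    return sorted({p for _, _, _, inode, p in parse_maps(text)
                   if inode and p and not p.startswith("[")})

def suspicious_executable_maps(text):
    """Executable mappings that are anonymous, deleted, or outside TRUSTED_DIRS."""
    flagged = []
    for start, _, perms, _, path in parse_maps(text):
        if "x" in perms and (path.endswith("(deleted)")
                             or not path.startswith(TRUSTED_DIRS)):
            flagged.append((hex(start), path or "<anonymous>"))
    return flagged

if __name__ == "__main__":
    # Pass a pid to inspect a live process; defaults to the constructed sample.
    text = open(f"/proc/{sys.argv[1]}/maps").read() if len(sys.argv) > 1 else SAMPLE_MAPS
    print("\n".join(mapped_objects(text)))
    print("flagged:", suspicious_executable_maps(text))
```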

3. Retrieve Poison Ivy RAT from the Internet. Use a program tracing tool you are familiar with to trace this RAT. Show how you trace the RAT with your tracing tool and summarize what modules this RAT contains.

I didn't find a source code pack of PIVY; although I could use IDA Pro to do some reverse engineering, I don't want to waste my time. I read a report from FireEye, which is a very famous company in the industry.

http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf

A brief summary of PIVY:

Compared to other RATs, PIVY is very easy to operate. Its graphical user interface (GUI) makes building new servers and controlling infected targets simple. Attackers can point and click their way through a compromised network and exfiltrate data.

And some articles from F-Secure, which is also a big-name company.

PIVY can perform the following operations on the victim's machine.

  • Files can be renamed, deleted, or executed. Files can also be uploaded and downloaded to and from the system
  • The Windows registry can be viewed and edited
  • Currently running processes can be viewed and suspended or killed
  • Current network connections can be viewed and shut down
  • Services can be viewed and controlled (for example stopped or started)
  • Installed devices can be viewed and some devices can be disabled
  • The list of installed applications can be viewed and entries can be deleted or programs uninstalled