Successful flag thieves from the honeypot
Last Thursday, while those attending the Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA) conference in the Swiss town of Lucerne enjoyed their dinner after a day of conferencing, 25 teams of students started the cipher capture-the-flag contest. As last year, the event was organised and hosted by the SIDAR section of the Gesellschaft für Informatik (GI).
The contest participants did not have to travel to Switzerland, but could participate via VPN. The individual teams comprised up to five persons and had to name an independent contact to monitor compliance with the rules of the game. To score points, each team must secure its own server against attacks, both to prevent the flags that the central game server stores there from being stolen by other teams and to allow the game server to collect them again after a certain period of time. The other teams, in turn, try to find such flags on the other servers and to send them back to the game server in time – the flags have a limited lifespan of only 15 minutes.
The winner of the contest was teamSparta, a team of four people from mwcollect. Normally, the successful flag thieves collect worms and other malware – mwcollect stands for MalWare Collect. They operate a network of specially prepared systems which serve as "honeypots" to entice attackers into conducting an attack. The captured attack programs are then evaluated. The "Five Finger Discounters" of RWTH Aachen were second, followed by the "Defender of the Flag" group of the University of Regensburg. The organisers of the contest have published a page with the complete ranking and some statistics on the contest.