The Malware Challenge

posted Jan 3rd 2009 5:00pm by
filed under: news, security hacks

malware

Our own [Anthony Lineberry] has written up his experience participating in the 2008 Malware Challenge as part of his work for Flexilis. The contest involved taking a piece of provided malware, doing a thorough analysis of its behavior, and reporting the results. This wasn’t just to test the chops of the researchers, but also to demonstrate to network/system administrators how they could get into malware analysis themselves.

[Anthony] gives a good overview of how he created his entry (a more detailed PDF is here). First, he unpacked the malware using Ollydbg. Packers are used to obfuscate the actual malware code so that it’s harder for antivirus to pick it up. After taking a good look at the assembly, he executed the code. He used Wireshark to monitor the network traffic and determine what URL the malware was trying to reach. He changed the hostname to point at an IRC server he controlled. Eventually he would be able to issue botnet control commands directly to the malware. We look forward to seeing what next year’s contest will bring.



15 Responses to The Malware Challenge

  • TJHooker says:
    January 3, 2009 at 7:10 pm

    Once you know the structure of PE or ELF it’s pretty easy to unpack one, unless it’s some VM mutating packer with dynamic crypto like some commercial solution have now.

    Reply Report comment
  • Descention says:
    January 3, 2009 at 7:13 pm

    I may have found a page containing the crxbot’s source code. Not sure if I’m allowed to link files here, so I’ll put up a link on my own site (which is under construction).

    Reply Report comment
  • Jon Williams says:
    January 4, 2009 at 8:10 am

    Malware authors should be imprisoned (I’d be okay with water-boarding them, too). How many billions of dollars of productivity are lost world-wide each year because of these jokers?

    Reply Report comment
  • Ajan says:
    January 4, 2009 at 12:05 pm

    Hey, those are interesting tools.
    I never used tools myself. But I removed the orkut worm and the drive guard worm myself..hey, m a rookie..wat do u expect me to do?? get some more crazy stuff off the net?? hehehe!
    Love this site!

    Reply Report comment
  • Nick H says:
    January 4, 2009 at 2:19 pm

    @jon:

    The internet without malware would be like your immune system without any environmental antigens. It’s a terribly bad idea.

    good security depends on a feedback loop between attacks and improvements. you need both to evolve.

    Reply Report comment
  • steve says:
    January 4, 2009 at 2:51 pm

    I’m so glad I dont have to deal with all that malware crap! you guys have fun now.

    Reply Report comment
  • Descention says:
    January 4, 2009 at 5:12 pm

    I agree with nick h, if we didn’t have any security vulnerabilities then when one arises, we would have no way to defend against it, no basis.

    But at the same time, I do agree with jon and think these people should not roam freely about the net.

    Reply Report comment
  • Dude says:
    January 4, 2009 at 10:53 pm

    Ollydbg comes will a free trojan in the tutorials.

    Reply Report comment
  • greg says:
    January 5, 2009 at 2:28 pm

    @jon

    You are right, they need to be locked up. There is very little (if any) deterrence against the criminal behavior right now. :(

    nick h has a point: without malware we’d likely slip into complacency. We don’t need to worry about it going away however: just like the physical world – where there is money there is crime.

    Reply Report comment
  • youngzuse says:
    January 6, 2009 at 12:58 am

    hey all i have msn admin rights and i am able unlock any @msn @hotmail @live address i currently charge 25.00 per account recovery i accept paypal only to this address youngzuse@live.ca once i have received the funds in full with in 24 hours i will send you the new password just to show i am not a scammer and i am the real deal heres a screenshot
    of my admin tool

    http://i550.photobucket.com/albums/ii409/youngzuse/untitled.jpg

    Reply Report comment
  • spk says:
    January 7, 2009 at 12:28 pm

    @yougzuse: too young’un ;)

    Reply Report comment
  • youngzuse says:
    January 7, 2009 at 7:57 pm

    lol

    Reply Report comment
  • youngzuse says:
    January 7, 2009 at 7:58 pm

    my wireless hack website is

    http://www.wepwpahacker.blogspot.com

    Reply Report comment
  • Apneet Jolly says:
    January 10, 2009 at 1:21 am

    The challenge is over, so feel free to post the link to the source code. I’m curious if you found a link other than the one I found.

    (My challenge submission references included a link to similar source code I had found).

    Overall, I felt this challenge was fairly easy, but I’m looking forward to participating in it again next year!

    Reply Report comment
  • Apneet Jolly says:
    January 10, 2009 at 1:23 am

    Oh yeah – there was no need to use ollydbg to unpack the malware, it was packed with UPX (+a bit of trivial hex editing).

    See my submission entry at http://www.malwarechallenge.info/results/jolly.pdf
    for more details.

    Reply Report comment

    • Leave a Reply

    XHTML: You can use these tags: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

    Hack a Day serves up fresh hacks each day, every day from around the web as well as hacking related news.

    Send us your hacks










         



    Hacks

    Resources