The Malware Challenge


Our own [Anthony Lineberry] has written up his experience participating in the 2008 Malware Challenge as part of his work for Flexilis. The contest involved taking a piece of provided malware, doing a thorough analysis of its behavior, and reporting the results. This wasn’t just to test the chops of the researchers, but also to demonstrate to network/system administrators how they could get into malware analysis themselves.

[Anthony] gives a good overview of how he created his entry (a more detailed PDF is here). First, he unpacked the malware using OllyDbg. Packers are used to compress and obfuscate the actual malware code so that it is harder for antivirus to recognize. After taking a good look at the unpacked assembly, he executed the sample in a controlled environment. He used Wireshark to monitor the network traffic and determine which URL the malware was trying to reach, then redirected that hostname to an IRC server he controlled. From there he was eventually able to issue botnet control commands directly to the malware and observe how it responded. We look forward to seeing what next year’s contest will bring.

Comments

  1. TJHooker says:

    Once you know the structure of PE or ELF it’s pretty easy to unpack one, unless it’s some VM mutating packer with dynamic crypto like some commercial solutions have now.

  2. Descention says:

    I may have found a page containing the crxbot’s source code. Not sure if I’m allowed to link files here, so I’ll put up a link on my own site (which is under construction).

  3. Jon Williams says:

    Malware authors should be imprisoned (I’d be okay with water-boarding them, too). How many billions of dollars of productivity are lost world-wide each year because of these jokers?

  4. Ajan says:

    Hey, those are interesting tools.
    I never used tools myself. But I removed the orkut worm and the drive guard worm myself.. hey, I’m a rookie.. what do you expect me to do?? Get some more crazy stuff off the net?? hehehe!
    Love this site!

  5. Nick H says:

    @jon:

    The internet without malware would be like your immune system without any environmental antigens. It’s a terribly bad idea.

    Good security depends on a feedback loop between attacks and improvements. You need both to evolve.

  6. steve says:

    I’m so glad I don’t have to deal with all that malware crap! You guys have fun now.

  7. Descention says:

    I agree with nick h, if we didn’t have any security vulnerabilities then when one arises, we would have no way to defend against it, no basis.

    But at the same time, I do agree with jon and think these people should not roam freely about the net.

  8. Dude says:

    Ollydbg comes with a free trojan in the tutorials.

  9. greg says:

    @jon

    You are right, they need to be locked up. There is very little (if any) deterrence against the criminal behavior right now. :(

    nick h has a point: without malware we’d likely slip into complacency. We don’t need to worry about it going away however: just like the physical world – where there is money there is crime.

  10. youngzuse says:

    hey all, i have msn admin rights and i am able to unlock any @msn @hotmail @live address. i currently charge 25.00 per account recovery. i accept paypal only, to this address: youngzuse@live.ca. once i have received the funds in full, within 24 hours i will send you the new password. just to show i am not a scammer and i am the real deal, here’s a screenshot of my admin tool

  11. spk says:

    @youngzuse: too young’un ;)

  12. youngzuse says:

    lol

  13. youngzuse says:

    my wireless hack website is

    http://www.wepwpahacker.blogspot.com

  14. Apneet Jolly says:

    The challenge is over, so feel free to post the link to the source code. I’m curious if you found a link other than the one I found.

    (My challenge submission references included a link to similar source code I had found).

    Overall, I felt this challenge was fairly easy, but I’m looking forward to participating in it again next year!

  15. Apneet Jolly says:

    Oh yeah – there was no need to use ollydbg to unpack the malware, it was packed with UPX (+a bit of trivial hex editing).

    See my submission entry at http://www.malwarechallenge.info/results/jolly.pdf for more details.
