The Malware Challenge

malware

Our own [Anthony Lineberry] has written up his experience participating in the 2008 Malware Challenge as part of his work for Flexilis. The contest involved taking a piece of provided malware, doing a thorough analysis of its behavior, and reporting the results. This wasn’t just to test the chops of the researchers, but also to demonstrate to network/system administrators how they could get into malware analysis themselves.

[Anthony] gives a good overview of how he created his entry (a more detailed PDF is here). First, he unpacked the malware using Ollydbg. Packers are used to obfuscate the actual malware code so that it’s harder for antivirus to pick it up. After taking a good look at the assembly, he executed the code. He used Wireshark to monitor the network traffic and determine what URL the malware was trying to reach. He changed the hostname to point at an IRC server he controlled. Eventually he would be able to issue botnet control commands directly to the malware. We look forward to seeing what next year’s contest will bring.

15 thoughts on “The Malware Challenge

  1. Once you know the structure of PE or ELF it’s pretty easy to unpack one, unless it’s some VM mutating packer with dynamic crypto like some commercial solution have now.

  2. Malware authors should be imprisoned (I’d be okay with water-boarding them, too). How many billions of dollars of productivity are lost world-wide each year because of these jokers?

  3. Hey, those are interesting tools.
    I never used tools myself. But I removed the orkut worm and the drive guard worm myself..hey, m a rookie..wat do u expect me to do?? get some more crazy stuff off the net?? hehehe!
    Love this site!

  4. @jon:

    The internet without malware would be like your immune system without any environmental antigens. It’s a terribly bad idea.

    good security depends on a feedback loop between attacks and improvements. you need both to evolve.

  5. I agree with nick h, if we didn’t have any security vulnerabilities then when one arises, we would have no way to defend against it, no basis.

    But at the same time, I do agree with jon and think these people should not roam freely about the net.

  6. @jon

    You are right, they need to be locked up. There is very little (if any) deterrence against the criminal behavior right now. :(

    nick h has a point: without malware we’d likely slip into complacency. We don’t need to worry about it going away however: just like the physical world – where there is money there is crime.

  7. The challenge is over, so feel free to post the link to the source code. I’m curious if you found a link other than the one I found.

    (My challenge submission references included a link to similar source code I had found).

    Overall, I felt this challenge was fairly easy, but I’m looking forward to participating in it again next year!

Leave a Reply to DudeCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.