Our own [Anthony Lineberry] has written up his experience participating in the 2008 Malware Challenge as part of his work for Flexilis. The contest involved taking a piece of provided malware, doing a thorough analysis of its behavior, and reporting the results. This wasn’t just to test the chops of the researchers, but also to demonstrate to network/system administrators how they could get into malware analysis themselves.
[Anthony] gives a good overview of how he created his entry (a more detailed PDF is here). First, he unpacked the malware using OllyDbg. Packers are used to obfuscate the actual malware code so that it's harder for antivirus to pick it up. After taking a good look at the assembly, he executed the code. He used Wireshark to monitor the network traffic and determine what URL the malware was trying to reach. He then changed the hostname to point at an IRC server he controlled, which eventually let him issue botnet control commands directly to the malware. We look forward to seeing what next year's contest will bring.
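As an added illustration (not code from the write-up or the challenge entry), this Python sketch shows how a packed Windows executable can be flagged statically before it is ever run, by reading the PE section table for the traits a runtime packer leaves behind. The function names, the 7.0 entropy threshold and the sample bytes are assumptions made for the example.

```python
import math
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* flags
SECTION = struct.Struct("<8sIIIIIIHHI")           # IMAGE_SECTION_HEADER (40 bytes)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data nears 8."""
    counts = [data.count(b) for b in range(256)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, virtual_size, raw_size, characteristics, raw_bytes) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (count,) = struct.unpack_from("<H", image, pe_off + 6)   # NumberOfSections
    base = pe_off + 24 + struct.unpack_from("<H", image, pe_off + 20)[0]
    for i in range(count):
        name, vsize, _, rsize, rptr, *_, chars = SECTION.unpack_from(image, base + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), vsize, rsize, chars, image[rptr:rptr + rsize]

def packer_indicators(image: bytes):
    """Return (section, reason) pairs; no check depends on section names."""
    findings = []
    for name, vsize, rsize, chars, raw in pe_sections(image):
        checks = [(chars & MEM_WRITE, "writable and executable"),
                  (rsize == 0 and vsize > 0, "empty on disk, filled at run time"),
                  (entropy(raw) > 7.0, "high-entropy code")]
        if chars & MEM_EXECUTE:
            findings += [(name, why) for hit, why in checks if hit]
    return findings

def build_pe(sections):
    """Constructed, non-runnable PE skeleton (no optional header) for the demo."""
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    data_off, table, body = len(hdr) + 40 * len(sections), b"", b""
    for i, (name, vsize, chars, raw) in enumerate(sections):
        rptr = data_off + len(body) if raw else 0
        table += SECTION.pack(name, vsize, 0x1000 * (i + 1), len(raw), rptr, 0, 0, 0, 0, chars)
        body += raw
    return hdr + table + body

PACKED = build_pe([(b"sect0", 0x8000, 0xE0000080, b""),
                   (b"sect1", 0x1000, 0xE0000040, bytes(range(256)) * 4)])
print(packer_indicators(PACKED))  # PACKED is a constructed sample, not real malware
```

Because the checks look at section flags, sizes and entropy rather than names, renaming the sections in a hex editor does not hide the layout.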
Once you know the structure of PE or ELF it's pretty easy to unpack one, unless it's some VM mutating packer with dynamic crypto like some commercial solutions have now.
I may have found a page containing the crxbot’s source code. Not sure if I’m allowed to link files here, so I’ll put up a link on my own site (which is under construction).
Malware authors should be imprisoned (I’d be okay with water-boarding them, too). How many billions of dollars of productivity are lost world-wide each year because of these jokers?
Hey, those are interesting tools.
I never used tools myself. But I removed the orkut worm and the drive guard worm myself... hey, I'm a rookie... what do you expect me to do?? Get some more crazy stuff off the net?? hehehe!
Love this site!
@jon:
The internet without malware would be like your immune system without any environmental antigens. It’s a terribly bad idea.
Good security depends on a feedback loop between attacks and improvements. You need both to evolve.
I'm so glad I don't have to deal with all that malware crap! You guys have fun now.
I agree with nick h, if we didn’t have any security vulnerabilities then when one arises, we would have no way to defend against it, no basis.
But at the same time, I do agree with jon and think these people should not roam freely about the net.
OllyDbg comes with a free trojan in the tutorials.
@jon
You are right, they need to be locked up. There is very little (if any) deterrence against the criminal behavior right now. :(
nick h has a point: without malware we’d likely slip into complacency. We don’t need to worry about it going away however: just like the physical world – where there is money there is crime.
@yougzuse: too young’un ;)
lol
The challenge is over, so feel free to post the link to the source code. I’m curious if you found a link other than the one I found.
(My challenge submission references included a link to similar source code I had found).
Overall, I felt this challenge was fairly easy, but I’m looking forward to participating in it again next year!
Oh yeah – there was no need to use OllyDbg to unpack the malware, it was packed with UPX (+ a bit of trivial hex editing).
See my submission entry at http://www.malwarechallenge.info/results/jolly.pdf
for more details.