The 2008 Malware Challenge

Anthony December 29

Back in September a friend pointed me to a little contest being held online called 'The 2008 Malware Challenge'. The Malware Challenge was created as a fun way for folks to get their hands dirty with reverse engineering by analyzing real-world malware. The organizers of the contest recognize the need for these skills in this day and age, especially for IT administrators and the like who have to keep networks safe. It's probably easiest to just let them summarize it:

Malware has become an ever-present danger in today's computing world. Due to the constantly changing nature of malware, analysts cannot rely on the traditional means of protection, anti-virus software, to identify and protect their systems. Analysts now need to be able to analyze malware that anti-virus software does not detect. This is what the challenge is about.

After reading about the contest, I decided to toss my hat into the ring and give it a shot to see how I stacked up against my peers in the reversing community. My submission ended up winning me a free copy of Chris Eagle's fantastic book "The IDA Pro Book" (if you haven't read it, I highly recommend it). Stoked about that, to say the least.

The IDA Pro Book

The first night the contest opened I downloaded the file shortly after waking up, to take a quick look at it before coming into the office. The malware itself was pretty standard as far as malware goes. Nothing fancy. Nothing tricky. A good choice indeed for people just getting into reversing. The file was packed, of course, with the standard UPX packer. There are a lot of ways to go about unpacking it, but I went with what I knew: OllyDbg with the OllyDump plug-in to dump the unpacked process, and ImpRec16 to reconstruct the import table. At that point it was just standard reversing work, going through the assembly to see what it was doing. Obviously a little hard if you aren't familiar with assembly, but this is a good exercise for learning some. If you'd like to get deep into the analysis of the assembly you can read the paper, of course. I won't bore you with those details here.

Malware Challenge 2008 - IDA Disassembly

Some of the higher-level methods I used are probably more along the lines of what any sysadmin could add to his bag of tricks. The first approach, of course, is a packet sniffer. I fired up Wireshark and executed the malware. Right away I saw it trying to resolve a domain: testirc1.sh1xy2bg.net. Pretty obvious it's a botnet node looking for an IRC server to connect to. So I started up an ircd and pointed that hostname at the IP of the new IRC server. Running Wireshark again and executing the malware, we started to see a little more. Immediately it connects to the IRC server, tries to join the channel #chalenge (yes, it is misspelled in the code) and supplies the password happy12. Joining the #chalenge channel on the server, I could see the little guy just chilling in there, all legit like. I spent a few minutes reminiscing about the golden days of lost time on IRC, then went back to finding out a little more information. There wasn't really much more to do on the network front, as it wasn't transmitting any more packets after that. So I moved on to host modifications.
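A lab IRC sinkhole of the kind described above, as an added example that is not code from the original post or from the challenge: a minimal server-side handler that answers the bot's registration, echoes its JOIN, keeps it alive with PONG, and records which channel and key it supplies. The server name sinkhole.lab, the nick bot1234 and the sample client lines are constructed assumptions; the channel and key are the ones observed in the post.

```python
from dataclasses import dataclass, field
from typing import Optional

SERVER = "sinkhole.lab"  # constructed name for the lab ircd, not from the sample

@dataclass
class Session:
    """What the sinkhole has learned about one connecting client."""
    nick: Optional[str] = None
    user: Optional[str] = None
    registered: bool = False
    joins: list = field(default_factory=list)  # (channel, key) in order seen

def handle_line(s: Session, raw: str) -> list:
    """Consume one raw client line and return the server lines to send back."""
    parts = raw.rstrip("\r\n").split(" ")
    cmd = parts[0].upper()
    out = []
    if cmd == "NICK" and len(parts) > 1:
        s.nick = parts[1]
    elif cmd == "USER" and len(parts) > 1:
        s.user = parts[1]
    elif cmd == "PING":
        # Answer keepalives so the bot stays connected and keeps talking.
        out.append(f"PONG {SERVER} {' '.join(parts[1:])}".rstrip())
    elif cmd == "JOIN" and len(parts) > 1:
        key = parts[2] if len(parts) > 2 else None  # channel key, the "password"
        s.joins.append((parts[1], key))
        # Echo the JOIN so the client believes it is in the channel.
        out.append(f":{s.nick}!{s.user}@lab JOIN {parts[1]}")
    if s.nick and s.user and not s.registered:
        # NICK and USER both seen: send 001 so the client proceeds to JOIN.
        s.registered = True
        out.append(f":{SERVER} 001 {s.nick} :Welcome to the lab, {s.nick}")
    return out

def run_transcript(lines) -> tuple:
    """Drive one session from client lines; return (server replies, session)."""
    s = Session()
    replies = [r for ln in lines for r in handle_line(s, ln)]
    return replies, s

# Constructed sample of what the bot sends once its C2 hostname resolves to
# the sinkhole; the nick is a placeholder, the channel and key are as observed.
SAMPLE = ["NICK bot1234", "USER bot1234 0 * :bot1234",
          "JOIN #chalenge happy12", "PING :sinkhole.lab"]

if __name__ == "__main__":
    replies, sess = run_transcript(SAMPLE)
    print("\n".join(replies)); print("joins:", sess.joins)
```

The recorded (channel, key) pairs are the network indicators worth keeping from such a session; in a real lab the handler would sit behind a socket accept loop.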

The Sysinternals tool Process Monitor (Sysinternals has since been acquired by Microsoft, and the tool is closed source) can pretty much do the rest of the work for you: you can watch registry key creation and modification as well as filesystem changes. Doing this we can see all the keys the malware touches as well as all the files it's dropping. You can also run simple command line tools like strings on the malware to look at all the text strings in the binary. You'll notice right away that many of these strings give you a lot of hints about this particular piece of malware. At the end of my analysis, I was able to determine how to take control of the bot in the channel and issue commands, among an assortment of other things. Definitely a fun way to kill some time.

Here is the paper on the analysis I submitted: malwarechallenge2008.pdf

If you think you’d like to get into reverse engineering code, here are some of my favorite links that might be pretty helpful.

http://www.openrce.com – A reverse engineering community
http://www.uninformed.org – A security journal published by some friends
http://www.dumpanalysis.org/blog/ – Dmitry Vostokov’s blog on windbg tricks, etc.

I’m already looking forward to the 2009 Malware Challenge. See you all again next year.

P.S. If you read this and thought “Man, this stuff is easier than beating a level 1 dwarf in D&D!”, feel free to shoot us an e-mail. We’re hiring.


13 Responses

  • 1

    Viss 29 Dec 08

    I did something like this in the offensive-security course.

    It was more so hooking into an existing process, and throwing a buffer overflow at it, and then changing the payload code to change what went into registers to cause the registers to point to shellcode.

    It was NEAT :D

  • 2

    John 29 Dec 08

    @Viss – Which security course was this?

  • 3

    Tyler 30 Dec 08

    Glad you enjoyed it! Your submission was one of the best... which is why you got the book!

  • 4

    anthony 30 Dec 08

    @Tyler Thanks man. Looking forward to next year ;)

  • 6

    Ajit Gaddam 31 Dec 08

    Smile, you are on slashdot

  • 7

    John 31 Dec 08

    Hello Slashdot readers… Welcome.

  • 8

    Alen Capalik 31 Dec 08

    Anthony, you rascal you! :-)

    Congrats!

  • 9

    Viss 31 Dec 08

    The course was the 'offensive security 101' course offered by offensive-security.com – the same guys that make the backtrack3 cd.

    Mati Ahroni (sp?) is the guy who narrates all the videos in the course and he was at defcon16 this (last?) year demonstrating how he found an exploit for an HP product and did a live demo of building a sploit and getting a bindshell. Neat stuff!

  • 10

    Jeff Williams 31 Dec 08

    Good stuff here! And well done. Glad to see that slashdot picked up on this as well, as more exposure to malware is essential to gaining broader knowledge as to how to deal with it.

    Regards,

    Spokesman for INEGroup LLA. – (Over 284k members/stakeholders strong!)
    “Obedience of the law is the greatest freedom” -
    Abraham Lincoln
    “YES WE CAN!” Barack ( Berry ) Obama

    “Credit should go with the performance of duty and not with what is
    very often the accident of glory” – Theodore Roosevelt

    “If the probability be called P; the injury, L; and the burden, B;
    liability depends upon whether B is less than L multiplied by
    P: i.e., whether B is less than PL.”
    United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
    ===============================================================
    Updated 1/26/04
    CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
    div. of Information Network Eng. INEG. INC.
    ABA member in good standing member ID 01257402 E-Mail
    jwkckid1@ix.netcom.com
    My Phone: 214-244-4827

  • 11

    The Malware Challenge - Hack a Day 03 Jan 09

    [...] own [Anthony Lineberry] has written up his experience participating in the 2008 Malware Challenge as part of his work for Flexilis. The contest involved taking a piece of [...]

  • 12

    Descention 03 Jan 09

    I may have found a page containing the crxbot’s source code. Not sure if I’m allowed to link files here, so I’ll put up a link on my own site (which is under construction).

