This month's challenge is to analyze a home-made malware binary, in an effort to
reinforce the value of reverse engineering malware, and improve (by learning from
the security community) the methods, tools and procedures used to do it. Submissions
are due no later than 23:00 CET, Friday, 1 October, 2004, and the results will be
released a month later, Friday, 29 October. Review the challenge submission rules
at the SOTM homepage before submitting your results.
Skill Level: Intermediate
All we are going to tell you about the binary is that it was created to increase
the security awareness around malware specimens and to point out the need of
additional defensive countermeasures in order to fight current malware threats. It will be
presented during the SANS Security conference the 3rd of October, 2004. It is now your
goal as an incident handler - should you choose to accept it - to analyze
this binary in depth and get as much information as possible about how it works, its purpose
and capabilities, and most important, to show all the malware analysis techniques you follow
to obtain every piece of information included in your submission. Be as detailed as possible
so others could reproduce your analysis steps. You can use the previous Honeynet
Reverse Challenge results as a background reference to aid
in your analysis. There is a prize for the Top Three submissions, an author-signed copy
of the Ed Skoudis' book
Malware: Fighting Malicious Code.
The binary is a piece of malicious code, therefore precautions must be taken to ensure
production systems are not infected. It is recommended to deal with this unknown specimen
on a closed and controlled system/network.
Download the Image (17 KB)
MD5: a75de27ee59ab60e148efe7feee5dd3f RaDa.zip
SHA1: 3142cb05c394f2efb8e361b5ea34c6559acedafc RaDa.zip
Ensure you document the procedures, tools and methods used.
- Identify and provide an overview of the binary, including the fundamental pieces of
information that would help in identifying the same specimen.
- Identify and explain the purpose of the binary.
- Identify and explain the different features of the binary. What are its capabilities?
- Identify and explain the binary communication methods. Develop a Snort signature to
detect this type of malware being as generic as possible, so other similar specimens
could be detected, but avoiding at the same time a high false positives rate signature.
- Identify and explain any techniques in the binary that protect it from being analyzed
or reverse engineered.
- Categorize this type of malware (virus, worm...) and justify your reasoning.
- Identify another tool that has demonstrated similar functionality in the past.
- Suggest detection and protection methods to fight against the threats introduced by this binary.
- Is it possible to interrogate the binary about the person(s) who developed this tool?
In what circumstances and under which conditions?
- What advancements in tools with similar purposes can we expect in the near future?
This months challenge image and questions are lead by Jorge Ortiz,
David Perez, and Raul
Siles, all from HP Spain. You can find their outstanding, detailed 58 page
Writeup from the Security Community