Back in September a friend pointed me to a little contest being held online called ‘The 2008 Malware Challenge’. The Malware Challenge was created to establish a fun way for folks to get their hands dirty with reverse engineering by analyzing real-world malware. The organizers of the contest realize the need for these skills in this day and age, especially for IT administrators and the like to be able to keep networks safe. Probably easiest to just let them summarize it:
Malware has become an ever-present danger in today’s computing world. Due to the constantly changing nature of malware, analysts cannot rely on the traditional means of protection, anti-virus software, to identify and protect their systems. Analysts now need to be able to analyze malware that anti-virus software does not detect. This is what the challenge is about.
After reading about the contest, I decided to toss my hat into the ring and give it a shot to see how I stacked up against my peers in the reversing community. My submission ended up winning me a free copy of Chris Eagle’s fantastic book “The IDA Pro Book” (if you haven’t read it, I highly recommend it). Stoked about that, to say the least.
The first night the contest opened, I downloaded the file shortly after waking up to take a quick look at it before coming into the office. The malware itself was pretty standard as far as malware goes. Nothing fancy, nothing tricky. A good choice indeed for people just getting into reversing. The file was, of course, packed with the standard UPX packer. There are a lot of ways to go about unpacking it, but I went with what I knew: OllyDbg with the OllyDump plug-in, then ImpREC 1.6 to reconstruct the import table. At that point it was standard reversing work: go through the assembly and see what it was doing. Obviously a little hard if you aren’t familiar with assembly, but it is a good exercise for learning some. If you’d like to get deep into the analysis of the assembly, you can read the paper, of course. I won’t bore you with those details here.
Some of the higher-level methods I used are probably more along the lines of what any sysadmin could add to his bag of tricks. The first approach, of course, is a packet sniffer. I fired up Wireshark and executed the malware. Right away I saw it trying to resolve a domain: testirc1.sh1xy2bg.net. Pretty obvious it’s a botnet node looking for an IRC server to connect to. So I started up an ircd and pointed the hostname at the IP of the new IRC server. Running Wireshark again and executing the malware, we started to see a little more. Immediately it connects to the IRC server, tries to join the channel #chalenge (yes, it is misspelled in the code) and supplies the password happy12. Joining the #chalenge channel on the server, I could see the little guy just chilling all legit-like in there. I spent a few minutes reminiscing about the golden days of lost time on IRC, then went back to finding out a little more information. There wasn’t really much more to do on the network front, as it wasn’t transmitting any more packets after that. So I moved on to host modifications.
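As an added example (not from the original post or the contest materials), here is a minimal IRC sinkhole in Python that plays the server role the ircd played above: a sample run in an isolated sandbox, with its C2 hostname pointed at the sinkhole, registers with it and reveals the channel and key it joins. The hostname sinkhole.local, the class and function names, and the nick used in the demo are my own assumptions; the only protocol behaviour implemented is what a bot needs to get from NICK/USER to JOIN.

```python
# Added example (not from the original post): a minimal IRC sinkhole that plays
# the server role so a bot run in an isolated sandbox reveals its channel and key.
import socket
SERVER = "sinkhole.local"  # constructed name, used only in numeric replies

def parse_irc_line(line):
    """Split one IRC message into (prefix, command, params), RFC 1459 style."""
    line, prefix = line.rstrip("\r\n"), None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")  # trailing param may contain spaces
    tokens = head.split() + ([trailing] if sep else [])
    return (prefix, tokens[0].upper(), tokens[1:]) if tokens else (prefix, "", [])

class IRCSinkhole:
    """Just enough server-side state to get a bot past registration to JOIN."""

    def __init__(self):
        self.nick, self.registered = None, False
        self.joins = {}  # channel -> key supplied with JOIN (None if no key)

    def handle(self, line):
        """Consume one client line and return the reply lines to send back."""
        _, cmd, params = parse_irc_line(line)
        out = []
        if cmd == "NICK" and params:
            self.nick = params[0]
        elif cmd == "USER" and self.nick and not self.registered:
            self.registered = True  # assumes the usual NICK-then-USER order
            out.append(f":{SERVER} 001 {self.nick} :Welcome to the sinkhole")
        elif cmd == "JOIN" and params:  # form is JOIN #a,#b key1,key2
            chans = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(chans):
                self.joins[chan] = keys[i] if i < len(keys) else None
                out.append(f":{self.nick}!bot@sandbox JOIN {chan}")
        return out

def serve(host="0.0.0.0", port=6667):
    """Accept bots one at a time, log each line, and report what they joined."""
    with socket.create_server((host, port)) as srv:
        while True:
            conn, peer = srv.accept()
            bot = IRCSinkhole()
            with conn, conn.makefile("rb") as reader:
                for raw in reader:
                    print(f"{peer[0]} -> {raw.rstrip()!r}")
                    for reply in bot.handle(raw.decode("utf-8", "replace")):
                        conn.sendall((reply + "\r\n").encode())
            print(f"{peer[0]} joined: {bot.joins}")
```

Call serve() on the sandbox's gateway host with the port the sample expects; the per-line log is the same NICK/USER/JOIN exchange Wireshark showed, with the channel key captured without needing a full ircd.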
The Sysinternals tool Process Monitor (Sysinternals has since been acquired by Microsoft, and the tools are closed source) can pretty much do the rest of the work for you. You can watch registry key creation and modification as well as filesystem changes. Doing this, we can see all the keys the malware touches as well as all the files it’s dropping! You can also run simple command-line tools like strings on the malware to look at all the text strings in the binary. You’ll notice right away that many of these strings give a lot of hints about this particular piece of malware. At the end of my analysis, I was able to determine how to take control of the bot in the channel and issue commands, among an assortment of other things. Definitely a fun way to kill some time.
Here is the paper on the analysis I submitted: malwarechallenge2008.pdf
If you think you’d like to get into reverse engineering code, here are some of my favorite links that might be pretty helpful.
http://www.openrce.com – A reverse engineering community
http://www.uninformed.org – A security journal published by some friends
http://www.dumpanalysis.org/blog/ – Dmitry Vostokov’s blog on WinDbg tricks, etc.
I’m already looking forward to the 2009 Malware Challenge. See you all again next year.
P.S. If you read this and thought “Man, this stuff is easier than beating a level 1 dwarf in D&D!”, feel free to shoot us an e-mail. We’re hiring.