December 29, 2008

The 2008 Malware Challenge

Back in September a friend pointed me to a little contest being held online called ‘The 2008 Malware Challenge’. The Malware Challenge was created to give folks a fun way to get their hands dirty with reverse engineering by analyzing real-world malware. The organizers of the contest recognize the need for these skills in this day and age, especially for IT administrators who have to keep networks safe. It’s probably easiest to just let them summarize it:

Malware has become an ever-present danger in today’s computing world. Due to the constantly changing nature of malware, analysts cannot rely on the traditional means of protection, anti-virus software, to identify and protect their systems. Analysts now need to be able to analyze malware that anti-virus software does not detect. This is what the challenge is about.

After reading about the contest, I decided to toss my hat into the ring and give it a shot to see how I stacked up against my peers in the reversing community. My submission ended up winning me a free copy of Chris Eagle’s fantastic book “The IDA Pro Book” (if you haven’t read it, I highly recommend it). Stoked about that, to say the least.

The IDA Pro Book

The first night the contest opened I downloaded the file shortly after waking up to take a quick look at it before coming into the office. The malware itself was pretty standard as far as malware goes. Nothing fancy. Nothing tricky. A good choice indeed for people just getting into reversing. The file was packed, of course, using a pretty standard UPX packer. There are a lot of ways to go about unpacking it, but I went with what I knew: Ollydbg with the Ollydump plug-in, and ImpRec16 to reconstruct the import tables. At this point it was just standard reversing work to go through the assembly and see what it was doing. Obviously a little hard if you aren’t familiar with assembly, but this is a good exercise to learn some. If you’d like to get deep into the analysis of the assembly you can read the paper, of course. But I won’t bore you with those details here.

2008 Malware Challenge - IDA Disassembly (screenshot)

Some of the higher-level methods I used are probably more along the lines of what any sysadmin could add to his bag of tricks. The first approach, of course, is a packet sniffer. I fired up Wireshark and executed the malware. Right away I saw it trying to resolve a domain: testirc1.sh1xy2bg.net. Pretty obvious it’s a botnet node looking for an IRC server to connect to. So I started up an ircd and pointed that hostname at the IP of the new IRC server. Running Wireshark again and executing the malware, we started to see a little more. Immediately it connects to the IRC server and tries to join the channel #chalenge (yes, it is misspelled in the code), supplying the password happy12. Joining the #chalenge channel on the server, I could see the little guy just chilling all legit-like in there. I spent a few minutes reminiscing about the golden days of lost time on IRC, then went back to working on finding out a little more information. There wasn’t really much more to do on the network front, as it wasn’t transmitting any more packets after that. So I moved on to host modifications.
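The IRC join described above is the kind of thing you can pull straight out of a Wireshark "Follow TCP Stream" dump. The following is an added example, not part of the original post or the contest submission: a small parser for raw IRC client lines that extracts the nick, ident, and joined channels with their keys, so a sample's C2 details can be recorded from a capture. The stream text is constructed; only the channel name and key are the values the post reports, and the parser also handles the multi-channel JOIN form (comma-separated channels and keys) that this sample did not use.

```python
# Parse the client side of a captured IRC session and pull out C2 indicators.
# Sample stream is constructed for illustration; nick/ident values are made up.
SAMPLE_STREAM = """NICK bot-12345
USER bot 0 0 :bot
JOIN #chalenge happy12
PRIVMSG #chalenge :checking in
"""


def parse_irc_line(line):
    """Split one raw IRC line into (prefix, COMMAND, [params]).

    Format: [":" prefix SPACE] command {SPACE param} [SPACE ":" trailing]
    The trailing parameter may contain spaces, so it is split off first.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def extract_c2_indicators(stream):
    """Walk a client->server stream and collect what a defender wants to log:
    the nick, the ident (USER) field, every joined channel and its key, and
    any other command the bot issued (useful for spotting command handlers)."""
    info = {"nick": None, "user": None, "channels": {}, "other": []}
    for raw in stream.splitlines():
        if not raw.strip():
            continue
        _, cmd, params = parse_irc_line(raw)
        if cmd == "NICK" and params:
            info["nick"] = params[0]
        elif cmd == "USER" and params:
            info["user"] = params[0]
        elif cmd == "JOIN" and params:
            # RFC 2812: JOIN <chan>{,<chan>} [<key>{,<key>}]; keys line up by position
            chans = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(chans):
                info["channels"][chan] = keys[i] if i < len(keys) else None
        else:
            info["other"].append(cmd)
    return info


if __name__ == "__main__":
    print(extract_c2_indicators(SAMPLE_STREAM))
```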

The Sysinternals tool Process Monitor (Sysinternals has since been acquired by Microsoft, and the tool is closed source) can pretty much do the rest of the work for you, and you can watch registry key creation/modification as well as filesystem changes. Doing this we can see all the keys the malware touches as well as all the files it’s dropping! You can also run simple command-line tools like strings on the malware to look at all the strings of text in the binary. You’ll notice right away that many of these strings give you a lot of hints about this particular piece of malware. At the end of my analysis, I was able to determine how to take control of the bot in the channel and issue commands, among an assortment of other things. It was definitely a fun way to kill some time.

Here is the paper on the analysis I submitted: malwarechallenge2008.pdf

If you think you’d like to get into reverse engineering code, here are some of my favorite links that might be pretty helpful.

http://www.openrce.com – A reverse engineering community
http://www.uninformed.org – A security journal published by some friends
http://www.dumpanalysis.org/blog/ – Dmitry Vostokov’s blog on windbg tricks, etc.

I’m already looking forward to the 2009 Malware Challenge. See you all again next year.

P.S. If you read this and thought “Man, this stuff is easier than beating a level 1 dwarf in D&D!”, feel free to shoot us an e-mail. We’re hiring.

Category:   malware
December 23, 2008

Flexilis Beta Release 3 is Out!

Flexilis Beta Release 3 is now out and ready for download!  This update was focused on improving stability and fixing bugs that many of you have reported.  You can read the entire list of new features, bug fixes, and enhancements on our changelog.  Notable improvements include:

  • Added compatibility for WiFi networks running WPA
  • Improved application display on devices with square screens
  • Fixed multiple issues with displaying the home screen plugin
  • Over 20 bug fixes on the mobile client

Current users will receive this update automatically at their next sync.  For anyone that has been waiting to install the software, now is a great time to get started!  Just log in to your account, click ‘Add a New Device’, and then follow the instructions on the screen.

Thanks to everyone that contributed feedback and bug reports for this release.  If you need help or would like to send us a report, you can e-mail support@flexilis.com or use our contact form to get in touch with us any time.  We love hearing your feedback, and everything that you send us really helps make Flexilis better.

Thanks!

-The Flexilis Team

Update 1 (1/3/2009 4:25 PM):  We just pushed an update that fixes a small issue with processing logs on certain devices.

Category:   Flexilis  •  Releases
December 2, 2008

Flexilis Beta Release 2 is Out!

We’ve just pushed the first client update for our private beta! This update contains many new bug fixes and several enhancements for both the mobile client and the server, and we’re all very excited about it. You can read the entire list of new features, bug fixes, and enhancements on our changelog. Notable changes include:

  • Significantly improved the device activation process to be quicker and easier
  • Added the ability to change the display of the homescreen plugin on Smartphones
  • Improved compatibility with Windows Mobile 6.1 devices
  • Lots of bug fixes on the client and server

Current users will receive this update automatically at their next sync. For anyone that has been waiting to install the software, now is a great time to get started!  Just log in to your account, click ‘Add a New Device’, and then follow the instructions on the screen.

Please note: Old clients will no longer be able to activate with the server. If you have downloaded Flexilis but not activated, please re-download the new setup file if you have not already registered your device with Flexilis.

Thanks to everyone that contributed feedback and bug reports for this release. If you need help or would like to send us a report, you can e-mail support@flexilis.com or use our contact form to get in touch with us any time. We love hearing your feedback and everything that you send us makes a big difference.

Thanks!

-The Flexilis Team

Category:   Flexilis  •  Releases