Scan 32
This month's challenge is to analyze a home-made malware binary, in an effort to
reinforce the value of reverse engineering malware, and improve (by learning from
the security community) the methods, tools and procedures used to do it. Submissions
are due no later than 23:00 CET, Friday, 1 October, 2004, and the results will be
released a month later, Friday, 29 October. Review the challenge submission rules
at the SOTM homepage before submitting your results.
Skill Level: Intermediate
The Challenge:
All we are going to tell you about the binary is that it was created to increase
security awareness around malware specimens and to point out the need for
additional defensive countermeasures in order to fight current malware threats. It will be
presented at the SANS Security conference on 3 October, 2004. It is now your
goal as an incident handler - should you choose to accept it - to analyze
this binary in depth and get as much information as possible about how it works, its purpose
and capabilities, and, most important, to show all the malware analysis techniques you followed
to obtain every piece of information included in your submission. Be as detailed as possible
so that others could reproduce your analysis steps. You can use the previous Honeynet
Reverse Challenge results as a background reference to aid
in your analysis. There is a prize for the top three submissions: an author-signed copy
of Ed Skoudis' book
Malware: Fighting Malicious Code.
*WARNING*
The binary is a piece of malicious code, therefore precautions must be taken to ensure
production systems are not infected. It is recommended to deal with this unknown specimen
on a closed and controlled system/network.
Download the Image (17 KB)
MD5: a75de27ee59ab60e148efe7feee5dd3f RaDa.zip
SHA1: 3142cb05c394f2efb8e361b5ea34c6559acedafc RaDa.zip
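Before doing anything with the archive, confirm that the download matches the two published checksums above; a specimen whose integrity is unknown is not worth analyzing. The following is an added example, not part of the original challenge page: it embeds the MD5 and SHA1 values listed above and assumes the archive was saved as RaDa.zip in the working directory of the isolated analysis system.

```python
import hashlib
import sys

# Published checksums for RaDa.zip, copied from the challenge page above.
EXPECTED = {
    "md5": "a75de27ee59ab60e148efe7feee5dd3f",
    "sha1": "3142cb05c394f2efb8e361b5ea34c6559acedafc",
}


def digest_bytes(data: bytes) -> dict:
    """Return MD5 and SHA1 hex digests of data held in memory."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def digest_file(path: str, chunk_size: int = 65536) -> dict:
    """Stream a file through both hashes so large specimens need not fit in memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(actual: dict, expected: dict) -> dict:
    """Compare each algorithm's digest case-insensitively; return {algo: matched}."""
    return {
        algo: actual.get(algo, "").lower() == value.lower()
        for algo, value in expected.items()
    }


def matches_published(data: bytes, expected: dict = EXPECTED) -> bool:
    """True only when every published digest matches the supplied bytes."""
    return all(verify(digest_bytes(data), expected).values())


def check_specimen(path: str, expected: dict = EXPECTED) -> bool:
    """File-based variant of matches_published for use from the command line."""
    results = verify(digest_file(path), expected)
    for algo, ok in results.items():
        print(f"{algo.upper():5} {'OK' if ok else 'MISMATCH'}")
    return all(results.values())


if __name__ == "__main__":
    # Assumed default location; pass another path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "RaDa.zip"
    sys.exit(0 if check_specimen(target) else 1)
```

Both digests must match: a single matching algorithm is not enough, since a mismatch on either one means the bytes on disk are not the bytes the challenge authors published, and the analysis that follows would be describing something else.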
Questions
Ensure you document the procedures, tools and methods used.
- Identify and provide an overview of the binary, including the fundamental pieces of
information that would help in identifying the same specimen.
- Identify and explain the purpose of the binary.
- Identify and explain the different features of the binary. What are its capabilities?
- Identify and explain the binary's communication methods. Develop a Snort signature to
detect this type of malware that is as generic as possible, so that other similar specimens
could also be detected, while avoiding a high false-positive rate.
- Identify and explain any techniques in the binary that protect it from being analyzed
or reverse engineered.
- Categorize this type of malware (virus, worm...) and justify your reasoning.
- Identify another tool that has demonstrated similar functionality in the past.
- Suggest detection and protection methods to fight against the threats introduced by this binary.
Bonus Questions:
- Is it possible to interrogate the binary about the person(s) who developed this tool?
In what circumstances and under which conditions?
- What advancements in tools with similar purposes can we expect in the near future?
The Results:
This month's challenge image and questions are led by Jorge Ortiz,
David Perez, and Raul
Siles, all from HP Spain. You can find their outstanding, detailed 58-page
writeup here.
Writeup from the Security Community
Top 3
Top 10