My solution to the CSSRT-LU malware contest

The Computer Security Research and Response Team - Luxembourg ran a malware contest between January 2006 and yesterday. Participants were supposed to analyze three files. The three files turned out to be a Reptile bot, an SDNBot and a modified openssl-too-open exploit. The first two are Windows bots from the SDBot family which use IRC to communicate with their bot masters. The third file is a Linux executable which contains an exploit for an earlier version of OpenSSL.

Here's my solution. It's pretty big and it's interesting how the individual chapters and sections get shorter and shorter the farther you read. I think that's what happens when you lose interest in doing something. I think it's a nice read if you'd like to read about the bots or how to analyze relatively simple pieces of malware.

The solution includes the documentation in PDF format and three IDA 5 databases.

Update: A kind soul informed me that I made a pretty dumb mistake with File Z, which is actually also infected with a Linux virus called RST.b. That wasn't all that surprising, as the online virus scanner I use actually reported that. IDA doesn't load the relevant code, though, because the section size of the .rodata section where the virus code can be found is too small. That's why you won't find the code in FileZ.idb either. That was easy for me to miss, but I still could have found out because the entry point of File Z points to the virus code. Looks like I was too quick to dismiss the IDA "Invalid entry point" message as just another warning message when analyzing a broken file.
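The mismatch described above, an entry point that lies in code no section header covers, is easy to check for before opening a file in a disassembler. The script below is an added example, not part of the original post or of the contest files: it parses the ELF header and section table, finds the section containing e_entry, and flags the file when the entry point is not covered by any section or lands in a section without SHF_EXECINSTR. The sample ELF it builds is constructed inline (load address 0x08048000, a tiny .text, a .rodata whose declared size stops short of 16 appended bytes); it is not File Z.

```python
"""ELF entry-point sanity check (added example, not from the original post).

Finds the section that contains e_entry and flags binaries whose entry point
is not covered by any section or sits in a non-executable section. That is
exactly the situation in which a section-driven disassembly never shows the
code the loader will actually run first."""
import struct

SHF_EXECINSTR = 0x4
BASE = 0x08048000  # assumed load address for the constructed 32-bit sample


def _sections(data):
    """Return (e_entry, [(name, flags, addr, size), ...]) for ELF32 or ELF64."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if data[4] == 1:                             # EI_CLASS: ELFCLASS32
        ehdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
        shdr_fmt = end + "IIIIIIIIII"
    elif data[4] == 2:                           # ELFCLASS64
        ehdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
        shdr_fmt = end + "IIQQQQIIQQ"
    else:
        raise ValueError("unknown ELF class")
    e_entry, e_shoff = ehdr[3], ehdr[5]
    e_shentsize, e_shnum, e_shstrndx = ehdr[10], ehdr[11], ehdr[12]
    raw = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
           for i in range(e_shnum)]
    # Field order is the same in both classes: name, type, flags, addr, offset, size, ...
    st_off, st_size = raw[e_shstrndx][4], raw[e_shstrndx][5]
    strtab = data[st_off:st_off + st_size]
    secs = []
    for sh in raw:
        name = strtab[sh[0]:strtab.index(b"\0", sh[0])].decode()
        secs.append((name, sh[2], sh[3], sh[5]))
    return e_entry, secs


def check_entry_point(data):
    """Classify where e_entry lands. 'suspicious' is True when no section
    covers the entry point or the covering section is not executable."""
    entry, secs = _sections(data)
    for name, flags, addr, size in secs:
        if size and addr <= entry < addr + size:
            executable = bool(flags & SHF_EXECINSTR)
            return {"entry": entry, "section": name,
                    "executable": executable, "suspicious": not executable}
    return {"entry": entry, "section": None, "executable": False, "suspicious": True}


def build_sample_elf(entry_target="text"):
    """Constructed ELF32 (little endian, i386) for demonstration only.
    Layout: header | .text (16 bytes) | .rodata (8 bytes declared) |
    16 appended bytes covered by no section | .shstrtab | section headers."""
    text, rodata, appended = b"\x90" * 16, b"CONSTANT", b"\xcc" * 16
    shstr = b"\0.text\0.rodata\0.shstrtab\0"   # name offsets: 1, 7, 15
    text_off = 52
    rodata_off = text_off + len(text)
    app_off = rodata_off + len(rodata)
    shstr_off = app_off + len(appended)
    shoff = shstr_off + len(shstr)
    shoff += (-shoff) % 4                         # 4-byte align the table
    targets = {"text": BASE + text_off, "rodata": BASE + rodata_off,
               "appended": BASE + app_off}
    entry = targets[entry_target]
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 2, 3, 1, entry, 0, shoff, 0, 52, 32, 0, 40, 4, 3)

    def sh(name, typ, flags, addr, off, size):
        return struct.pack("<IIIIIIIIII", name, typ, flags, addr, off, size, 0, 0, 1, 0)

    shdrs = (sh(0, 0, 0, 0, 0, 0)                                            # SHT_NULL
             + sh(1, 1, 0x2 | 0x4, BASE + text_off, text_off, len(text))    # PROGBITS, ALLOC|EXEC
             + sh(7, 1, 0x2, BASE + rodata_off, rodata_off, len(rodata))    # PROGBITS, ALLOC
             + sh(15, 3, 0, 0, shstr_off, len(shstr)))                      # SHT_STRTAB
    body = ehdr + text + rodata + appended + shstr
    body += b"\0" * (shoff - len(body))
    return body + shdrs


if __name__ == "__main__":
    for target in ("text", "rodata", "appended"):
        print(target, check_entry_point(build_sample_elf(target)))
```

Run it on a real file with `check_entry_point(open(path, "rb").read())`; a result with `section` set to `None` is the case where IDA's section-driven load leaves the entry point unrepresented, and an entry in a section without SHF_EXECINSTR is worth the same scrutiny. Section headers are optional in ELF and can be stripped entirely, so a production triage tool should fall back to the program headers (PT_LOAD segments) when e_shnum is zero.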

This brought my attention to something else too. I need to be more careful in the future. Assume a bot is packed, then infected with a virus and then packed again. My run-and-dump method of obtaining the unpacked file wouldn't pick up the file infector. I think I should focus on developing some strategies for picking up pieces of malware that are made up of several individual viruses and packer layers.
