Skip to content

My solution to the CSSRT-LU malware contest

The Computer Security Research and Response Team - Luxembourg ran a malware contest between January 2006 and yesterday. People were supposed to analyze three files. The three files turned out to be a Reptile bot, a SDNBot and a modified openssl-too-open exploit. The first two are Windows bots from the SDBot family which use IRC to communicate with their bot masters. The third file is a Linux executable which contains an exploit for an earlier version of OpenSSL.

Here's my solution. It's pretty big and it's interesting how the individual chapters and sections get shorter and shorter the farther you read. I think that's what happens when you lose interest in doing something. I think it's a nice read if you'd like to read about the bots or how to analyze relatively simple pieces of malware.

The solution includes the documentation in PDF format and three IDA 5 databases.

Update: A kind soul informed me that I made a pretty dumb mistake with File Z which is actually infected with a Linux virus called RST.b too. That wasn't all that surprising as the online virus scanner I use actually reported that. IDA doesn't load the relevant code though because the section size of the .rodata section where the virus code can be found is too small. That's why you won't find the code in FileZ.idb either. That was easy for me to miss but I still could have found out because the entry point of File Z points to the virus code. Looks like I was too fast dismissing the IDA "Invalid entry point" message as just another warning message when analyzing a broken file.

This brought my attention to something else too. I need to be more careful in the future. Assume a bot is packed, then infected with a virus and then packed again. My run-and-dump method to get the unpacked file wouldn't pick up the file infector. I think I should focus on developing some strategies on how to pick up pieces of malware that are made up of several individual viruses and packer layers.

Comparing different versions of SDBot using SABRE BinDiff v1.7

SABRE BinDiff is a cool little tool made by Sabre Security. It works as a plugin for the popular disassembler IDA Pro and compares two versions of a binary file. After the comparison ended it can show which functions changed between the two versions of the file and which didn't. That alone wouldn't make it noteworthy but thanks to some cool graph-based algorithms BinDiff can even create successful matches when the order of the functions or the code inside the functions changed.

In this small paper I wrote about my experiences while using BinDiff to compare four different versions of the widespread Trojan horse SDBot.

RawSrv 1.0

Yesterday I was merrily reverse engineering the very popular Trojan SDBot. I was about 60% done when I found out that the source code of it is actually available online. Too bad, the next time I'll check that before I start debugging. The only good thing that came out of the wasted time is a little Java tool I wrote to communicate with SDBot.

It's a TCP server called RawSrv that can send and receive ASCII strings. That's often necessary due to the popularity of Trojans that communicate with their creator using an ASCII protocol (mostly IRC). I'm sure tools like that exist en masse (and way better) on the internet but I suffer from the not-built-here syndrome and it's time for another website update.

Click here to see a screenshot of me communicating with the dreaded SDBot!
Click here to download RawSrv (as always it includes the complete Java source code).

Malware Analysis - Trojan horse Downloader.Istbar.6.BU

I've recently come across a file AVG classifies as Trojan horse Downloader.Istbar.6.BU and Kaspersky Labs as Trojan-Downloader.Win32.IstBar.gen. I've decided to have a closer look at it. It turned out to be a major disappointment because there are basically not many interesting things to tell about the code in there. I'm nevertheless going to discuss my findings briefly because there are still one or two remarkable things.

If you downloaded the file don't worry about accidentaly running it, I've applied a small patch to it to make it unrunnable. If you know what you're doing you can restore it's functionality. Even if you run it in it's fixed form nothing bad will happen as long as you deny it access to the internet.

The header of the file is moderately interesting. Merging MZ header and PE header apparently caught on with the writers of EXE packers over the last time. The last time I saw it was when I had a brief look at .kkrieger, the 96KB small 3D shooter made by .theprodukkt. Istbar gets bonus points for storing the kernel32.dll string in the unused parts of the MZ header though. Continue reading "Malware Analysis - Trojan horse Downloader.Istbar.6.BU"