Friday, November 9, 2012

2008 Malware Challenge

In 2008, Greg Feezel and I published the following malware analysis challenge. The goal was to answer the questions below and submit them back to us for prizes. While the challenge is no longer going on, we wanted to publish it again so those that wished to try it could.

The malware is contained within a password protected zip file named The password is “infected”. The MD5 hash of the files are:
  • 59a95f668e1bd00f30fe8c99af675691 malware.exe
  • 31d2ec3b312d0fd27940aae5c89e3787


A system administrator within your organization has come to you because a user's PC was infected with malware. Unfortunately, anti-virus is unable to remove the malware. However, the administrator was able to recover the suspected malware executable. Your job is to analyze the malware.
Participants should download the malware sample and analyze it. The end result should be a document containing details on the analysis performed. The analysis document can be written in any form, but the following questions and statements should be answered within it. Participants should note when questions are being answered.
  • Describe your malware lab.
  • What information can you gather about the malware without executing it?
  • Is the malware packed? If so, how did you determine what it was?
  • Describe the malware's behavior. In other words - what files does it drop, what registry keys does it modify, what network connections does it create, how does it auto-start, etc?
  • What type of command and control server does the malware use? Describe the server and interface this malware uses.
  • What commands are present within the malware and what do they do? If possible, take control of the malware and run some of these commands, documenting how you did it.
  • How would you classify this malware? Why?
  • What do you think the purpose of this malware is?
Bonus questions:
  • Is it possible to find the malware's source code? If so, how did you do it?
  • How would you write a custom detection and removal tool to determine if the malware is present on the system and remove it?

Blog Post Down

Yesterday I published a post on the 2008 malware challenge that I helped put together and how I felt it was being mis-represented in another security company's (pay for) CTF.

The person responsible for that CTF posted a comment on the blog and asked me to contact him, stating it was really a mistake and no ill-intent was involved. I believe him.

The security industry we work in is very small. If your integrity is besmirched* then that can have negative effects on your career or company. I would not want to be responsible for that in the case of a simple oversight.

That is why I removed the blog post. In all fairness, I should have contacted them first before posting anything.

I am still posting the malware challenge and will do so later today.

* Woohoo! I got to use besmirched in a blog post!

Friday, November 2, 2012

NEOISF Puzzle Solution

A few people emailed me with the solution to the puzzle I posted, but I figured I'd post the solution for those that wanted it.

In the puzzle, Van Helsing is attempting to break the crypto that Dracula is using to try and find him. Fortunately for Van Helsing, the program is free and he can download it to see if he can crack it. He ran the program and typed in "vampire_vampire_vampire" and got back "R1lUR1hKXGhHWVRHWEpcaEdZVEdYSlw=". 

Anyone who has done any type of network analysis, or looked at a raw SMTP message, should recognize the output as base64 encoded. Base64 is an algorithm that converts binary data to ASCII so it can be transferred over protocols that do not natively allow binary (e.g. SMTP). It does this by converting every 3 bytes of data to 4 bytes of ASCII. The "=" character is used as padding in case more characters are needed and is often a give-away.

Base64 can be converted using many methods, but since Van Helsing is awesome he is using Linux and uses the base64 command to do so.

$ echo -n R1lUR1hKXGhHWVRHWEpcaEdZVEdYSlw= | base64 -d -

NOTE: Van Helsing really should have redirected the output to a file since the characters could have been binary.

The base64 decoding produced a string that has 2 interesting qualities.

First, the base64 decoded string is the same length as the string he entered. This means that whatever algorithm the encryption program is using may be doing a 1-for-1 character encryption. In other words, the characters in his plaintext is being encrypted one at a time.

Second, there is a pattern of "GYTGXJ\h". The pattern is 8 characters long, which just happens to be the length of "vampire_". Coincidence? Probably not. 

The type of encryption that immediately popped into Van Helsing's head that can have these properties is XOR encryption. XOR is a boolean logic function that can be applied in encryption. This is done by taking a key and XOR'ing each of its bytes against the characters in the plaintext. 

One property of XOR encryption is that if you take the plaintext and XOR it with the ciphertext, it will reveal the key! Van Helsing knew this and XOR'd his plaintext against the ciphertext he got. (He wrote a quick Python script to do so):

$ python GYTGXJ\hGYTGXJ\hGYTGXJ\ vampire_vampire_vampire


Voila! XOR'ing each byte of his plaintext with the ciphertext he received returned a pattern of "1897", which must be the key!

Taking that as the key, he then base64 decoded Dracula's message and applied the key of 1897 to get:

I will be at the Ohio Information Security Summit.

Now Van Helsing knew where he would be and could destroy the fiend!

For those in the know, the key does have some significance. :)