In 2008, Greg Feezel and I published the following
malware analysis challenge. The goal was to answer the questions
below and submit the answers to us for prizes. The challenge is
no longer running, but we are republishing it so that anyone who
wants to try it can.
The malware is contained within a password-protected zip file named malware.zip. The password is "infected". The MD5 hashes of the files
are:
- 59a95f668e1bd00f30fe8c99af675691 malware.exe
- 31d2ec3b312d0fd27940aae5c89e3787 malware.zip
Situation:
A system administrator within your organization has
come to you because a user's PC was infected with malware.
Unfortunately, anti-virus is unable to remove the malware. However,
the administrator was able to recover the suspected malware
executable. Your job is to analyze the malware.
Participants should download the malware sample and
analyze it. The end result should be a document containing details
of the analysis performed. The analysis document can be written in
any form, but it should answer the following questions and
statements, and it should make clear which question each part of
the document is answering.
- Describe your malware lab.
- What information can you gather about the malware without executing it?
- Is the malware packed? If so, how did you determine that, and which packer was used?
- Describe the malware's behavior. In other words - what files does it drop, what registry keys does it modify, what network connections does it create, how does it auto-start, etc?
- What type of command and control server does the malware use? Describe the server and interface this malware uses.
- What commands are present within the malware and what do they do? If possible, take control of the malware and run some of these commands, documenting how you did it.
- How would you classify this malware? Why?
- What do you think the purpose of this malware is?
Bonus questions:
- Is it possible to find the malware's source code? If so, how did you do it?
- How would you write a custom detection and removal tool to determine if the malware is present on the system and remove it?
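As a starting point for the hash check above and for the first static-analysis questions (what can be learned without executing the sample, and whether it is packed), the following Python script is an added example and is not part of the original challenge material. It checks a downloaded archive against the published MD5 values, extracts it with the stated password while refusing member paths that would escape the working directory, and then walks the PE section table to score each section's Shannon entropy and look for well-known packer section names. The file names, the working directory and the build_fake_pe fixture are assumptions made for this example; the fixture is a constructed, non-loadable image used only so the parser can be exercised without the real sample.

```python
"""Static triage of the challenge sample: verify hashes, extract safely, score packing."""
import hashlib, math, os, struct, sys, zipfile
from collections import Counter

# MD5 values exactly as published with the challenge.
EXPECTED_MD5 = {"malware.zip": "31d2ec3b312d0fd27940aae5c89e3787",
                "malware.exe": "59a95f668e1bd00f30fe8c99af675691"}
ZIP_PASSWORD = b"infected"   # archive password given in the challenge
ENTROPY_THRESHOLD = 7.0      # bits/byte; compressed or encrypted data sits near 8
PACKER_PREFIXES = ("UPX", ".ASPACK", ".PETITE", ".MPRESS", ".NSP", "PEC2")

def md5_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def verify_md5(path: str, expected: str) -> bool:
    """True when the file on disk matches the published hash."""
    with open(path, "rb") as f:
        return md5_bytes(f.read()) == expected.lower()

def safe_member_path(name: str) -> bool:
    """Reject archive members that would land outside the extraction directory."""
    norm = os.path.normpath(name.replace("\\", "/"))
    parts = norm.split(os.sep)
    return not (os.path.isabs(norm) or ".." in parts or parts[0].endswith(":"))

def extract_sample(zip_path: str, dest: str, password: bytes = ZIP_PASSWORD) -> list:
    """Extract into dest without running anything; returns the member names."""
    os.makedirs(dest, exist_ok=True)
    names = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if not safe_member_path(info.filename):
                raise ValueError("refusing unsafe member path: %r" % info.filename)
            zf.extract(info, dest, pwd=password)
            names.append(info.filename)
    return names

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes) -> list:
    """Walk the PE section table; returns (name, raw_bytes) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for off in range(table, table + 40 * num_sections, 40):
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections

def packing_indicators(image: bytes) -> dict:
    """Entropy and section-name evidence; high entropy alone is a hint, not proof."""
    report = {"sections": [], "high_entropy": [], "packer_names": []}
    for name, raw in pe_sections(image):
        ent = round(shannon_entropy(raw), 2)
        report["sections"].append((name, len(raw), ent))
        if raw and ent >= ENTROPY_THRESHOLD:
            report["high_entropy"].append(name)
        if name.upper().startswith(PACKER_PREFIXES):
            report["packer_names"].append(name)
    report["likely_packed"] = bool(report["high_entropy"] or report["packer_names"])
    return report

def build_fake_pe(sections: list) -> bytes:
    """Constructed fixture: a minimal, non-loadable MZ/PE image with an empty
    optional header, so the parser can be exercised without the real sample."""
    num, e_lfanew = len(sections), 0x40
    raw_ptr = e_lfanew + 24 + 40 * num                   # section data follows the headers
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 0, 0x0102)
    body = bytearray()
    for name, raw in sections:
        hdr += name.encode().ljust(8, b"\0")
        hdr += struct.pack("<IIII", len(raw), 0x1000, len(raw), raw_ptr + len(body))
        hdr += b"\0" * 16                                   # remaining header fields
        body += raw
    return bytes(hdr + body)

if __name__ == "__main__":   # usage: python triage.py malware.zip workdir
    print("archive hash ok:", verify_md5(sys.argv[1], EXPECTED_MD5["malware.zip"]))
    for member in extract_sample(sys.argv[1], sys.argv[2]):
        with open(os.path.join(sys.argv[2], member), "rb") as f:
            print(member, packing_indicators(f.read()))
```

Run it only inside the isolated lab VM described in your first answer, never on the analyst's workstation. A mismatch on the archive hash means you are not looking at the challenge sample, and the extracted malware.exe should be checked with verify_md5 against its published value before any further work. Python's zipfile handles the traditional ZipCrypto scheme; if an archive uses AES encryption, extract it with 7-Zip instead. Treat a section above 7 bits/byte as a prompt to confirm packing by other means (a tiny import table, or a signature scanner such as PEiD), since compressed resources and embedded encrypted payloads raise entropy as well.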