Forensic Challenge 8 - Malware Reverse Engineering

01 Sep 2011

Challenge 8 - Malware Reverse Engineering

(provided by Angelo Dell’Aera and Guido Landi from the Sysenter Honeynet Project Chapter)

Skill Level: Difficult

The challenge is about reversing a malware sample and deciphering and analyzing its configuration. Please be aware that this is a real sample captured in the wild, so you must be extremely careful when analyzing it.

Questions:

  1. Provide the common name for the malware family and version (1 point)
  2. Describe the mechanism used by the sample in order to be able to restart itself at the next reboot (2 points)
  3. Describe how the malware injects itself into the running system. How many threads does it spawn and what is their role? (8 points)
  4. Describe the API hooking mechanism used by the sample (3 points)
  5. What is the purpose of the HttpSendRequest hook? Detail how it works (6 points)
  6. What is the purpose of the NtQueryDirectoryFile hook? Detail how it works (3 points)
  7. What is the purpose of the NtVdmControl hook? Detail how it works (4 points)
  8. What is the purpose of the InternetReadFile hook? Detail how it works (4 points)
  9. What is the purpose of the InternetWriteFile hook? Detail how it works (4 points)
  10. Describe the mechanism used by the sample in order to load the external plugins (3 points)
  11. Extract the decrypted configuration file used by this sample (6 points)
    11a Analyze the plugin ddos.dll and detail its inner working (3 points)
    11b Analyze the plugin customconnector.dll and detail its inner working (6 points)
    11c Analyze the plugin ccgrabber.dll and detail its inner working (6 points)

Bonus question:
  12. Write code that automates the decryption of the configuration file

This work by Angelo Dell’Aera and Guido Landi is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

The Winners:
1. Lutz Schildt (submission SHA1: ab917d66ca4aeb0432fee83996d5f6c86460a169)
2. Sebastian Eschweiler (submission SHA1: 30e392444eae53f26db64482358af7291e3c2894)
3. Luka Milković (submission SHA1: a419eb1f88aa87a80fcd5f439864d1d1cf68df3b)

Download:

Malware sample (password: infected)
Configuration

Attachment Size
[your email]_Forensic Challenge 2010 - Challenge 8 - Submission Template.doc 64 KB
[your email]_Forensic Challenge 2010 - Challenge 8 - Submission Template.odt 19.75 KB
Submission #1: Lutz Schildt 629.32 KB
Submission #2: Sebastian Eschweiler 530.59 KB
Submission #3: Luka Milković 2.21 MB