Introduction
Malware analysis is the task of analyzing a piece of malicious
code with the goal of finding out more about the behavior and
capabilities of the program and the intent of the author. Often,
analysts try to identify hidden behavior, actions that are only
triggered under certain circumstances. For example, certain
Trojan horses only steal user credentials from certain banks,
and these banks obviously like to know when they are
targeted. In other cases, malware analysis is used to break
home-brew encryption algorithms, to find cryptographic keys, or
to determine how a bot will find its command and control server
and what commands it understands.
Clearly, malware authors do not want their code to be quickly
understood. After all, the longer it takes malware analysts to
determine targeted banks or to locate the command and control
server, the longer the criminal operations can run
undisturbed. Thus, malware authors have introduced many
techniques to make their binaries harder to analyze. Popular
techniques include run-time packing, code obfuscation, and
anti-debugging.
Detailed Description
Your task is to analyze a malware program and answer a few
questions about the sample's behavior. The malware sample is
named hbotv3up.exe, and it is located in
the /usr/local/bin directory on bandit.
The three questions that need to be answered for this challenge
are the following:
- As with many malware programs, this sample creates a copy of
  itself in the Windows system directory. What is the name of
  this file?
- To prevent multiple instances of the program from infecting
  the same machine, the sample attempts to create a mutex
  object. When this mutex already exists, the program
  terminates. What is the name of this mutex?
- The malware program is an IRC bot that can receive and
  understand a number of different commands from the
  botmaster. One of these commands is called botcash. What is
  the name of the program that the bot launches when it
  receives this command?
Important: Be careful when you analyze this malware
program. This is real malware that has only been
slightly crippled. It still has the potential to mess with your
computer, and it executes all sorts of things that you do not
want to run on your (production) Windows boxes. Thus, it is
strongly recommended that you perform your analysis in a virtual
machine. You have already set up a VMware environment for
Challenge 2, and it would be ideal to reuse it here. Also, it is
strongly recommended that you
disable network access for this VM so that nothing leaks out.
Hints
- In principle, you are free to perform your analysis in any way
  that you like. However, having to analyze a large, packed
  binary can be a daunting task at first. Thus, think about the
  kinds of analysis that are needed for answering the different
  questions.
- Some answers are better found using dynamic analysis. That is,
  you can execute the program in a controlled environment and
  just see what it does. Think about the things you need to
  monitor to answer the questions and get the necessary tools
  for that, or make use of already existing malware analysis
  services.
- Other questions are better answered using static analysis,
  especially when the bot demonstrates behavior only under very
  specific circumstances (e.g., after a particular command is
  received). For performing static malware analysis on Windows,
  there are two popular programs that many malware analysts use:
  OllyDbg and IDA Pro.
- OllyDbg is a 32-bit analyzing debugger for Windows that you
  can get here. It has a neat plugin called OllyDump. OllyDump
  can be found here, and it allows you to dump the memory image
  of a running process. This is helpful when trying to analyze
  packed executables; after the unpacking code has finished, you
  can dump the image of the unpacked binary to disk and then
  analyze it.
- IDA Pro is a great disassembler that is used for many binary
  analysis tasks. There is a free, non-commercial version
  available for download here. IDA could be used to analyze
  dumps that you create from OllyDbg.
- The malware sample is packed with a well-known packer, but
  with a small twist. Thus, one good (and fun) way to get the
  code of the original binary is to perform manual
  unpacking. For this, simply launch some Google searches for
  keywords such as: OllyDbg manual unpacking <name of
  packer>.
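The hints above say to decide which question needs which kind of analysis and to think about what an unpacked image should be searched for. The following script is an added example (it is not part of the assignment and not a tool the course provides) of the first static-triage pass an analyst typically runs before opening OllyDbg or IDA: it measures byte entropy to tell whether a binary (or a dump) still looks packed, extracts printable strings, and groups the Windows API names that relate to the three questions (file copy into the system directory, mutex creation, process launch, IRC command handling). The watch-list of API names and the two sample byte blobs are constructed for the example; the real hbotv3up.exe is not embedded, and the tool only reads bytes, it never executes anything.

```python
"""Static triage of a binary blob: packing heuristic plus API-name indicators.
Added example for the bot-analysis challenge; not the course's code."""
import math
import re
import sys
from collections import Counter

# Constructed watch-list: API and protocol names whose presence in an
# UNPACKED image hints at the behaviours the three questions ask about.
WATCH_LIST = {
    "file copy into the system directory": ("GetSystemDirectoryA", "CopyFileA", "WriteFile"),
    "single-instance mutex": ("CreateMutexA", "OpenMutexA"),
    "launching a program on command": ("CreateProcessA", "WinExec", "ShellExecuteA"),
    "IRC command handling": ("PRIVMSG", "JOIN", "NICK"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is uniform/compressed, plain x86 code is usually well below 7."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_strings(data: bytes, min_len: int = 5) -> list:
    """ASCII runs of at least min_len printable characters (what `strings` prints)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def looks_packed(data: bytes, chunk: int = 4096, threshold: float = 7.0) -> bool:
    """Heuristic: a packed/compressed image has high entropy in most of its chunks.
    Packers leave a small stub, so we look at the share of high-entropy chunks,
    not at a single whole-file figure."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if not chunks:
        return False
    high = sum(1 for c in chunks if shannon_entropy(c) > threshold)
    return high / len(chunks) > 0.5


def triage(data: bytes) -> dict:
    """Summarise one binary: packed?, string count, and watch-list hits per question."""
    strs = set(printable_strings(data))
    indicators = {}
    for question, names in WATCH_LIST.items():
        hits = [name for name in names if name in strs]
        if hits:
            indicators[question] = hits
    return {"packed": looks_packed(data), "strings": len(strs), "indicators": indicators}


# Constructed samples. A uniform byte distribution stands in for a packed
# image; a zero-padded blob with import names stands in for an unpacked dump.
PACKED_SAMPLE = bytes(range(256)) * 64
UNPACKED_SAMPLE = (
    b"\x00" * 64 + b"MZ" + b"\x90" * 200
    + b"kernel32.dll\x00CreateMutexA\x00GetSystemDirectoryA\x00CopyFileA\x00WinExec\x00"
    + b"PRIVMSG\x00" + b"\x00" * 500
)


def main() -> None:
    if len(sys.argv) > 1:  # triage a real file (e.g. a dump written by OllyDump)
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        print(triage(data))
        return
    for label, blob in (("packed sample", PACKED_SAMPLE), ("unpacked sample", UNPACKED_SAMPLE)):
        print(label, triage(blob))


if __name__ == "__main__":
    main()
```

A packed binary yields almost no useful strings and a high entropy share, which is the signal to unpack first (OllyDump a running process after the stub has finished, then re-run the triage on the dump). Once the indicators show up, the named imports are the natural places to set breakpoints or to start reading cross-references in IDA; the `botcash` handler, for example, will sit near whichever process-launch API the indicators list.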
Deliverables
To submit your challenge solution to us, you need to follow these steps:
- Create a file called bot.txt.
- Put the answers to the three questions in this file, each
  answer on one separate line (as a result, you will have a file
  with three lines). Make sure that your answers are in the same
  order as the questions; that is, the first line holds the name
  of the file, the second the name of the mutex, and the third
  the name of the process that is launched.
- In the directory where your file bot.txt is located, call
  /usr/local/bin/submit6
- Read any error or success messages. Then, wait a couple of
  minutes and read your e-mails on bandit to view the results of
  the automatic grading program.
Administrative Information and Deadline
This is an individual project. The project is due
on Wednesday, 25.05.2011, 23:59:59 PST.