Challenge 6: Malware Analysis

Introduction

Malware analysis is the task of analyzing a piece of malicious code with the goal of finding out more about the behavior and capabilities of the program and the intent of the author. Often, analysts try to identify hidden behavior, actions that are only triggered under certain circumstances. For example, certain Trojan horses only steal user credentials from certain banks, and these banks obviously like to know when they are targeted. In other cases, malware analysis is used to break home-brew encryption algorithms, to find cryptographic keys, or to determine how a bot will find its command and control server and what commands it understands.

Clearly, malware authors do not want their code to be understood quickly. After all, the longer it takes malware analysts to determine the targeted banks or to locate the command and control server, the longer the criminal operations can run undisturbed. Thus, malware authors have introduced many techniques to make their binaries harder to analyze. Popular techniques include run-time packing, code obfuscation, and anti-debugging.

Detailed Description

Your task is to analyze a malware program and answer a few questions about the sample's behavior. The malware sample is named hbotv3up.exe, and it is located in the /usr/local/bin directory on bandit.

The three questions that need to be answered for this challenge are the following:

  1. As with many malware programs, this sample creates a copy of itself in the Windows system directory. What is the name of this file?
  2. To prevent multiple instances of the program from infecting the same machine, the sample attempts to create a mutex object. When this mutex already exists, the program terminates. What is the name of this mutex?
  3. The malware program is an IRC bot that can receive and understand a number of different commands from the botmaster. One of these commands is called botcash. What is the name of the program that the bot launches when it receives this command?

Important: Be careful when you analyze this malware program. This is real malware that has only been slightly crippled. It still has the potential to mess with your computer, and it executes all sorts of things that you do not want to run on your (production) Windows boxes. Thus, it is strongly recommended that you perform your analysis in a virtual machine. You have already set up a VMware environment for Challenge 2, and it would be optimal to reuse it here. Also, it is strongly recommended that you disable network access for this VM so that nothing leaks out.

Hints

  • In principle, you are free to perform your analysis in any way that you like. However, having to analyze a large, packed binary can be a daunting task at first. Thus, think about the kinds of analysis that are needed for answering the different questions.
  • Some answers are better found using dynamic analysis. That is, you can execute the program in a controlled environment and just see what it does. Think about the things you need to monitor to answer the questions and get the necessary tools for that, or make use of already existing malware analysis services.
  • Other answers are better found using static analysis, especially when the bot demonstrates behavior only under very specific circumstances (e.g., after a particular command is received). For performing static malware analysis on Windows, there are two popular programs that many malware analysts use: OllyDbg and IDA Pro.
  • OllyDbg is a 32-bit analyzing debugger for Windows that you can get here. It has a neat plugin called OllyDump. OllyDump can be found here, and it allows you to dump the memory image of a running process. This is helpful when trying to analyze packed executables; after the unpacking code has finished, you can dump the image of the unpacked binary to disk and then analyze it.
  • IDA Pro is a great disassembler that is used for many binary analysis tasks. There is a free, non-commercial version available for download here. IDA could be used to analyze dumps that you create from OllyDbg.
  • The malware sample is packed with a well-known packer, but with a small twist. Thus, one good (and fun) way to get the code of the original binary is to perform manual unpacking. For this, simply launch some Google searches for keywords such as: OllyDbg manual unpacking <name of packer>.
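As an added example (not part of the assignment), the kind of post-processing a dynamic-analysis run calls for: a small parser over a constructed API-call trace that pulls out the three facts the questions ask about (the copy written to the system directory, the mutex name, and the program launched after a botcash command) and lays them out in the bot.txt order. The trace format, the PLACEHOLDER_* names and the helper names are assumptions, not the challenge's answers.

```python
import re

# Constructed API-call trace in the style of an API-monitor / sandbox report.
# The PLACEHOLDER_* names are made up; they are not the challenge's answers.
SAMPLE_TRACE = """\
GetSystemDirectoryA(lpBuffer="C:\\WINDOWS\\system32", uSize=260) -> 19
CopyFileA(lpExistingFileName="C:\\tmp\\hbotv3up.exe", lpNewFileName="C:\\WINDOWS\\system32\\PLACEHOLDER_COPY.exe", bFailIfExists=0) -> 1
CreateMutexA(lpMutexAttributes=0, bInitialOwner=0, lpName="PLACEHOLDER_MUTEX") -> 0x7c
recv(s=0x9c, buf=":op!u@h PRIVMSG #chan :.botcash", len=512, flags=0) -> 32
CreateProcessA(lpApplicationName=0, lpCommandLine="PLACEHOLDER_TOOL.exe -silent", bInheritHandles=0) -> 1
"""

CALL_RE = re.compile(r'^(\w+)\((.*)\) -> (\S+)$')
ARG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]+))')

def parse_trace(trace):
    """Turn each 'Name(arg=val, ...) -> ret' line into (name, {arg: val}, ret)."""
    calls = []
    for line in trace.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            name, raw, ret = m.groups()
            calls.append((name, {k: q or v for k, q, v in ARG_RE.findall(raw)}, ret))
    return calls

def extract_answers(trace):
    """Answer the three questions: copied file name, mutex name, botcash program."""
    answers = {"copy": "", "mutex": "", "botcash_process": ""}
    sysdir, pending_botcash = "", False
    for name, args, _ret in parse_trace(trace):
        if name.startswith("GetSystemDirectory"):
            sysdir = args.get("lpBuffer", "").lower()
        elif name.startswith("CopyFile") and not answers["copy"]:
            dst = args.get("lpNewFileName", "")
            if sysdir and dst.lower().startswith(sysdir + "\\"):   # landed in the system dir?
                answers["copy"] = dst.rsplit("\\", 1)[-1]
        elif name.startswith("CreateMutex") and not answers["mutex"]:
            answers["mutex"] = args.get("lpName", "")
        elif name == "recv" and "botcash" in args.get("buf", "").lower():
            pending_botcash = True                 # next process launch belongs to botcash
        elif pending_botcash and name.startswith(("CreateProcess", "WinExec", "ShellExecute")):
            cmd = args.get("lpCommandLine") or args.get("lpCmdLine") or args.get("lpFile", "")
            answers["botcash_process"], pending_botcash = cmd.split()[0], False
    return answers

def format_bot_txt(answers):
    """Deliverable layout: one answer per line, in question order."""
    return "\n".join([answers["copy"], answers["mutex"], answers["botcash_process"]]) + "\n"
```

Writing `format_bot_txt(extract_answers(trace))` to bot.txt gives the three-line file the submission step expects; a CopyFile that lands outside the system directory is deliberately left unanswered rather than guessed.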

Deliverables

To submit your challenge solution to us, you need to follow these steps:

  1. Create a file called bot.txt.
  2. Put the answers to the three questions in this file, each answer on one separate line (as a result, you will have a file with three lines). Make sure that your answers are in the same order as the questions; that is, the first line holds the name of the file, the second the name of the mutex, and the third the name of the process that is launched.
  3. In the directory where your file bot.txt is located, call /usr/local/bin/submit6.
  4. Read any error or success messages. Then, wait a couple of minutes and read your e-mails on bandit to view the results of the automatic grading program.

Administrative Information and Deadline

This is an individual project. The project is due on Wednesday, 25.05.2011, 23:59:59 PST.