Malware Challenge
Difficulty: Easy - Medium
A system administrator within your organization has come to you because a user's PC was infected with malware. Unfortunately, anti-virus is unable to remove the malware. However, the administrator was able to recover the suspected malware executable. Your job is to analyze the malware.
Participants should download the malware sample and analyze it. The end result should be a document containing details on the analysis performed. The analysis document can be written in any form, but the questions and statements below should be answered within it. Participants should note which questions are being answered.
Note: just because a question is asked does not mean a particular functionality is present. For example, "What registry keys does it create and/or modify?" does not guarantee the malware creates any keys. If none are found, your answer can state "None found."
malware.zip - MD5 31d2ec3b312d0fd27940aae5c89e3787
The password on the zip file is "infected".
The questions...
- Describe your malware lab.
- What information can you gather about the malware without executing it?
- Is the malware packed? If so, how did you determine what it was?
- Describe the malware's behavior. What files does it drop? What registry keys does it create and/or modify? What network connections does it create? How does it auto-start, etc?
- What type of command and control server does the malware use? Describe the server and interface this malware uses as well as the domains and URLs accessed by the malware.
- What commands are present within the malware and what do they do? If possible, take control of the malware and run some of these commands, documenting how you did it.
- How would you classify this malware? Why?
- What do you think the purpose of this malware is?
Bonus questions: (These questions are not required, but answers to them could be used to break a tie for prizes.)
- Is it possible to find the malware's source code? If so, how did you do it?
- How would you write a custom detection and removal tool to determine if the malware is present on the system and remove it?
Analysis documents should be submitted in PDF format to 2008challenge@malwarechallenge.info by 12:00 Midnight EST (5:00 AM GMT) on October 26, 2008. Submissions after this deadline will not be eligible for the prizes but may still be reviewed during the session at the conference. If additional files are included with the analysis, all files should be archived in a password-protected zip file. The password for that file should be "infected".
Please be sure to read the rules and FAQ pages for answers to additional questions. Feel free to email 2008challenge@malwarechallenge.info with any other questions.