Teddy Rogers Posted May 22, 2011 Posted May 22, 2011 Honeynet Project - Forensic Challenge 8 - "Malware Reverse Engineering"The challenge is about reversing a malware sample and deciphering and analyzing its configuration. Please consider this is a real sample captured in the wild so you must be extremely careful in analyzing it.Skill Level: DifficultQuestions:1. Provide the common name for the malware family and version (1 point)2. Describe the mechanism used by the sample in order to be able to restart itself at the next reboot (2 points)3. Describe how the malware injects itself in the running system. How many threads does it spawns and which is their role? (8 points)4. Describe the API hooking mechanism used by the sample (3 points)5. What is the purpose of the HttpSendRequest hook? Detail how it works (6 points)6. What is the purpose of the NtQueryDirectoryFile hook? Detail how it works (3 points)7. What is the purpose of the NtVdmControl hook? Detail how it works (4 points)8. What is the purpose of the InternetReadFile hook? Detail how it works (4 points)9. What is the purpose of the InternetWriteFile hook? Detail how it works (4 points)10. Describe the mechanism used by the sample in order to load the external plugins (3 points)11. Extract the decrypted configuration file used by this sample (6 points)11a. Analyze the plugin ddos.dll and detail its inner working (3 points)11b. Analyze the plugin customconnector.dll and detail its inner working (6 points)11c. Analyze the plugin ccgrabber.dll and detail its inner working (6 points)Bonus question:12. Write a code which allows automating the decryption of the configuration file/>https://www.honeynet.org/node/668Ted.Malware Reverse Engineering.zip
metr0 Posted June 9, 2011 Posted June 9, 2011 What about not posting any results till the challenge is over? (Feel free to post afterwards though, not sure if the entries are published on their page.)
abhijit mohanta Posted June 10, 2011 Posted June 10, 2011 What about not posting any results till the challenge is over? (Feel free to post afterwards though, not sure if the entries are published on their page.) oh sorry metro i was not aware the challange deadline was extended
Teddy Rogers Posted June 10, 2011 Author Posted June 10, 2011 I guess a bit of discussion on it wouldn't hurt? This is an announcement released on their blog yesterday...Forensic Challenge 8 - "Malware Reverse Engineering" - Deadline ExtendedThu, 06/09/2011 - 08:16 — angelo.dellaera Taking a look at the first submissions it seems like the Forensic Challenge 8 - "Malware Reverse Engineering" - is quite difficult to solve. For this reason we decided to extend the submission deadline to June 30th.Have fun!Angelo Dell'AeraThe Honeynet ProjectTed.
Teddy Rogers Posted September 1, 2011 Author Posted September 1, 2011 The Winners:1. Lutz Schildt (submission SHA1: ab917d66ca4aeb0432fee83996d5f6c86460a169)2. Sebastian Eschweiler (submission SHA1: 30e392444eae53f26db64482358af7291e3c2894)3. Luka Milković (submission SHA1: a419eb1f88aa87a80fcd5f439864d1d1cf68df3b)http://www.honeynet.org/node/766Ted.
WeKnow Posted December 22, 2011 Posted December 22, 2011 Going through the solution to understand what the winners have done. Forgive if this is a noob question but I did not understand how the solution for this question was answeredDescribe the API hooking mechanism used by the sampleIs there a place where I can understand this process via tutorials or examples if possible ?Any help is highly appreciated.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now