Jump to content
turnback

Forensic Challenge "Malware Reverse Engineering"

By turnback, in Challenges (CTF)

Recommended Posts

turnback Newbie

turnback

Posted
Posted

Challenge 8 - Malware Reverse Engineering (provided by Angelo Dell'Aera and Guido Landi from the Sysenter Honeynet Project Chapter)

Please submit your solution using the submission template below by June 15th 2011 at The Honeynet Project - Forensic Challenge 2011.

Results will be announced around the third week of July. For any questions and inquiries, please contact forensicchallenge2010@honeynet.org.

Skill Level: Difficult

The challenge is about reversing a malware sample and deciphering and analyzing its configuration. Please consider this is a real sample captured in the wild so you must be extremely careful in analyzing it.

Questions:

1. Provide the common name for the malware family and version (1 point)

2. Describe the mechanism used by the sample in order to be able to restart itself at the next reboot (2 points)

3. Describe how the malware injects itself in the running system. How many threads does it spawns and which is their role? (8 points)

4. Describe the API hooking mechanism used by the sample (3 points)

5. What is the purpose of the HttpSendRequest hook? Detail how it works (6 points)

6. What is the purpose of the NtQueryDirectoryFile hook? Detail how it works (3 points)

7. What is the purpose of the NtVdmControl hook? Detail how it works (4 points)

8. What is the purpose of the InternetReadFile hook? Detail how it works (4 points)

9. What is the purpose of the InternetWriteFile hook? Detail how it works (4 points)

10. Describe the mechanism used by the sample in order to load the external plugins (3 points)

11. Extract the decrypted configuration file used by this sample (6 points)

11a. Analyze the plugin ddos.dll and detail its inner working (3 points)

11b. Analyze the plugin customconnector.dll and detail its inner working (6 points)

11c. Analyze the plugin ccgrabber.dll and detail its inner working (6 points)

Bonus question

12. Write a code which allows automating the decryption of the configuration file

Download:

Malware sample (password: infected)

Configuration

sursa: https://www.honeynet.org/node/668

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...