View Full Version : Malware Challenge Contest


Kayaker
October 12th, 2008, 00:05
An interesting-looking malware challenge I found referenced at SANS, with cool prizes 'n stuff. It started Oct 1, but the deadline is Oct 26. Check it out:

http://www.malwarechallenge.info/index.html

esther
October 12th, 2008, 10:17
Haha yeah, many people are eyeing the prizes, especially IDA Pro.

evaluator
October 12th, 2008, 14:57
Just downloaded it, then I see 'ABC' instead of 'UPX' 4 times;
put UPX back & UPX unpacked it!
What now!? Should we write an 'ABC' DETECTOR!?!?!? %-D

rendari
October 12th, 2008, 15:32
Malware is scary. A MUP challenge would be nicer for timid people like me.

Kayaker
November 25th, 2008, 14:45
And the results are in!

http://www.malwarechallenge.info/results.html

I'm a little surprised at only 29 submissions. At least a few are a direct result of it being mentioned in this thread on this board. These guys need to advertise a bit better next time.

evaluator
November 26th, 2008, 01:05
Kayus, how about my li'l malware unpack contest!? :~)

BTW, I don't trust such contests, where the winner CAN (who knows!?!?) be the author ~:0

evaluator
November 26th, 2008, 01:12
Just read in winner "bastuz"'s paper:
>>Obviously the binary is packed but cannot be unpacked with the tool „Upx“.

Hehe, he didn't read my first post :~)

PS: & this author didn't even disassemble the program!

While Esther wrote:
>>Haha yeah,many ppl are eyeing for the prizes,especially IDA Pro..

PS2:
I'm taking back my words:
>>where the winner CAN (who knows!?!?) be the author ~:0
SURELY NOT :~)

apuromafo
December 10th, 2008, 23:22
Unpacked EP:
004109CC >/$ 55 PUSH EBP
004109CD |. 8BEC MOV EBP,ESP
004109CF |. 6A FF PUSH -1
004109D1 |. 68 D0854100 PUSH malware_.004185D0
004109D6 |. 68 18514100 PUSH malware_.00415118 ; SE handler installation
004109DB |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004109E1 |. 50 PUSH EAX


* The following Registry Keys were created:
    o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    o HKEY_CURRENT_USER\Software\Microsoft\OLE

* The newly created Registry Values are:
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        + Microsoft Svchost local services = "Winsec32.exe"
          so that Winsec32.exe runs every time Windows starts
    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
        + Microsoft Svchost local services = "Winsec32.exe"
          so that Winsec32.exe runs every time Windows starts
    o [HKEY_CURRENT_USER\Software\Microsoft\OLE]
        + Microsoft Svchost local services = "Winsec32.exe"

HKLM\Software\Microsoft\Tracing\RASAPI32   0   Attributes Change, Value Change, Security Descriptor Change   2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5   0   Key Change   1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9   0   Key Change   1
HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder   0   Value Change   1

and
C:\WINDOWS\Winsec32.exe
executes a .bat

* To mark the presence in the system, the following Mutex object was created:
    o 1

* The following Host Name was requested from a host database:
    o testirc1.sh1xy2bg.NET


NICK USA[XP]5187016
USER oktnjqw 0 0 :USA[XP]5187016
USERHOST USA[XP]5187016
MODE USA[XP]5187016 +i-x+s
JOIN #chalenge happy12
NOTICE USA[XP]5187016 :.VERSION http://www.W32-gen.us (-National Virus Site-).
NOTICE #chalenge :USA[XP]5187016 has just versioned me.
PRIVMSG #chalenge :RealmBoT (irc.p.l.g) .... Status: Ready. Bot Uptime: 0d 0h 0m.
PRIVMSG #chalenge :RealmBoT (irc.p.l.g) .... Bot ID: 1.
PRIVMSG #chalenge :RealmBoT (portscan.p.l.g) .... Exploit Statistics: VNC: 0, Total: 0 in 0d 0h 0m.
PRIVMSG #chalenge :RealmBoT (irc.p.l.g) .... Uptime: 0d 0h 4m.
PRIVMSG #chalenge :[REALMBOT] : Failed to start scan, port is invalid.
NICK USA[XP]0315871
USER ywwzkfkx 0 0 :USA[XP]0315871
USERHOST USA[XP]0315871
MODE USA[XP]0315871 +i-x+s
NICK USA[XP]2962195
USER ywwzkfkx 0 0 :USA[XP]2962195
USERHOST USA[XP]2962195
MODE USA[XP]2962195 +i-x+s
NICK USA[XP]3943036
USER rcfovkzy 0 0 :USA[XP]3943036
USERHOST USA[XP]3943036
MODE USA[XP]3943036 +i-x+s


Well, the rest is similar to others' comments in the solutions..

Nice tutorials.
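
The IRC session above is the bot's C2 handshake: a generated nick, a throwaway USER ident, a keyed JOIN, and RealmBoT status banners pushed to the channel. The following is an added example, not code from apuromafo's post or from any challenge solution, that parses lines like these and pulls out the indicators a responder would want (channel and key, nick template, nick rotation, bot banner). The sample lines are abridged from the post and embedded as constructed test input; the function names and the bot-nick regex are my own assumptions.

```python
"""Parse captured client->server IRC traffic from an RBot/RealmBoT-style bot and
extract its C2 indicators.  Added example; CAPTURE is abridged from the post."""
import re

# Constructed sample: the first lines of the capture shown in the post.
CAPTURE = """\
NICK USA[XP]5187016
USER oktnjqw 0 0 :USA[XP]5187016
USERHOST USA[XP]5187016
MODE USA[XP]5187016 +i-x+s
JOIN #chalenge happy12
NOTICE USA[XP]5187016 :.VERSION http://www.W32-gen.us (-National Virus Site-).
NOTICE #chalenge :USA[XP]5187016 has just versioned me.
PRIVMSG #chalenge :RealmBoT (irc.p.l.g) .... Status: Ready. Bot Uptime: 0d 0h 0m.
PRIVMSG #chalenge :RealmBoT (irc.p.l.g) .... Bot ID: 1.
PRIVMSG #chalenge :[REALMBOT] : Failed to start scan, port is invalid.
NICK USA[XP]0315871
USER ywwzkfkx 0 0 :USA[XP]0315871
"""

# Assumed nick template: <COUNTRY>[<OS>]<7 digits>, e.g. USA[XP]5187016
BOT_NICK = re.compile(r"^[A-Z]{2,3}\[[A-Za-z0-9]+\]\d{7}$")


def parse_irc(text):
    """Split raw IRC lines into (command, params, trailing).  The trailing
    parameter is whatever follows the first ' :' (RFC 1459 framing)."""
    msgs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        head, sep, trailing = line.partition(" :")
        parts = head.split()
        msgs.append((parts[0], parts[1:], trailing if sep else None))
    return msgs


def extract_c2(msgs):
    """Collect nicks, USER idents, channels (with keys), status banners and the
    CTCP VERSION reply from a parsed session."""
    info = {"nicks": [], "users": set(), "channels": {}, "status": [],
            "version_reply": None}
    for cmd, params, trailing in msgs:
        if cmd == "NICK" and params:
            info["nicks"].append(params[0])
        elif cmd == "USER" and params:
            info["users"].add(params[0])
        elif cmd == "JOIN" and params:
            # JOIN <chan>{,<chan>} [<key>{,<key>}]: keys pair up positionally
            chans = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, ch in enumerate(chans):
                info["channels"][ch] = keys[i] if i < len(keys) else None
        elif cmd == "PRIVMSG" and trailing:
            info["status"].append(trailing)
        elif cmd == "NOTICE" and trailing and trailing.startswith(".VERSION"):
            info["version_reply"] = trailing
    return info


def is_bot_traffic(info):
    """Heuristic verdict: return the list of reasons the session looks like a bot
    (empty list means nothing matched)."""
    reasons = []
    nicks = info["nicks"]
    if nicks and all(BOT_NICK.match(n) for n in nicks):
        reasons.append("all nicks match the <COUNTRY>[<OS>]<7 digits> template")
    if len(set(nicks)) > 1:
        reasons.append("nick rotated %d time(s) in one session" % (len(set(nicks)) - 1))
    keyed = [ch for ch, key in info["channels"].items() if key]
    if keyed:
        reasons.append("joined key-protected channel(s): " + ", ".join(keyed))
    if any("RealmBoT" in s or "[REALMBOT]" in s for s in info["status"]):
        reasons.append("RealmBoT status banner sent to the channel")
    users = info["users"]
    if users and all(len(u) in (7, 8) and u.isalpha() and u.islower() for u in users):
        reasons.append("USER ident fields are random lowercase strings")
    return reasons


if __name__ == "__main__":
    session = extract_c2(parse_irc(CAPTURE))
    print("channels:", session["channels"])
    for reason in is_bot_traffic(session):
        print("-", reason)
```

The channel key ("happy12") and the VERSION reply are the two strings worth keeping from a capture like this: the key is what you need to sit in the channel yourself, and the reply is a stable family marker across samples.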

evaluator
December 11th, 2008, 10:45
Just caught a slightly harder trojan.
Train on this one!
It uses CreateProcess > UnmapView > (dump the buffer here) > load new PE image..
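
Two posts in this thread lean on the same PE-header plumbing: evaluator's first post (the challenge sample had 'UPX' replaced by 'ABC' in four places, and putting 'UPX' back let UPX unpack it) and the post above (a loader that does CreateProcess, UnmapViewOfSection, then writes a fresh PE image from a buffer, which is the moment to dump it). The block below is an added example, not code from either poster or from the challenge: it carves the PE out of a dumped buffer by walking the section table for the file-layout size, then renames ABCn sections back to UPXn. Assumptions, labelled in the code as well: the dumped buffer holds the file-layout image (what a hollowing loader writes section by section), the packer magic 'UPX!' received the same three-byte substitution, and the sample buffer comes from build_sample() rather than from the challenge binary.

```python
"""Carve a PE image from a dumped buffer and undo a 'UPX' -> 'ABC' section rename.
Added example; pure struct parsing of the PE headers, no third-party modules."""
import struct

PE32_MAGIC = 0x10B
SECTION_HDR = 40          # IMAGE_SECTION_HEADER size


def parse_sections(pe):
    """Return (section_table_offset, [(name, raw_offset, raw_size), ...]) for a
    buffer that starts with a valid MZ/PE header, else None."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    if table + nsec * SECTION_HDR > len(pe):
        return None
    secs = []
    for i in range(nsec):
        off = table + i * SECTION_HDR
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_off = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        secs.append((name, raw_off, raw_size))
    return table, secs


def carve_pe(buf):
    """Find the first valid PE in buf and return (offset, image) sized by the end of
    the last raw section.  Assumption: the dump is a file-layout image, as written
    by a hollowing loader; a memory-layout dump would need SizeOfImage instead."""
    pos = buf.find(b"MZ")
    while pos != -1:
        parsed = parse_sections(buf[pos:])
        if parsed:
            _, secs = parsed
            end = max((o + s for _, o, s in secs), default=0)
            if end and pos + end <= len(buf):
                return pos, bytes(buf[pos:pos + end])
        pos = buf.find(b"MZ", pos + 1)
    return None


def restore_upx_names(pe, fake=b"ABC", real=b"UPX"):
    """Rewrite <fake>n section names back to <real>n in the section table and
    (assumption: the packer magic got the same substitution) turn '<fake>!' into
    '<real>!' anywhere in the image.  Returns (patched_bytes, patches_made)."""
    parsed = parse_sections(pe)
    if parsed is None:
        raise ValueError("not a PE image")
    table, secs = parsed
    out, fixed = bytearray(pe), 0
    for i, (name, _, _) in enumerate(secs):
        if name.startswith(fake):
            off = table + i * SECTION_HDR
            out[off:off + len(real)] = real
            fixed += 1
    pos = out.find(fake + b"!")
    while pos != -1:
        out[pos:pos + len(real) + 1] = real + b"!"
        fixed += 1
        pos = out.find(fake + b"!", pos + 1)
    return bytes(out), fixed


def build_sample():
    """Constructed PE32 skeleton with renamed sections, wrapped in junk bytes the
    way a dumped loader buffer would be.  Not the challenge binary."""
    names = [b"ABC0", b"ABC1", b".rsrc"]
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    hdr_size = 0x80 + 4 + 20 + len(opt) + len(names) * SECTION_HDR
    body_off = (hdr_size + 0x1FF) & ~0x1FF                  # 0x200 file alignment
    struct.pack_into("<I", opt, 56, 0x4000)                 # SizeOfImage
    struct.pack_into("<I", opt, 60, body_off)               # SizeOfHeaders
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    secs, data, off = b"", b"", body_off
    for i, n in enumerate(names):
        blob = b"ABC!" + b"\x13" * 60 if n == b"ABC1" else b"\xCC" * 64   # renamed packer magic
        blob = blob.ljust(0x200, b"\0")
        secs += struct.pack("<8sIIIIIIHHI", n, len(blob), 0x1000 * (i + 1),
                            len(blob), off, 0, 0, 0, 0, 0x60000020)
        data += blob
        off += len(blob)
    pe = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(body_off, b"\0") + data
    return b"MZ" + b"\xFF" * 62 + pe + b"\x00" * 33         # decoy 'MZ' in front, slack behind


if __name__ == "__main__":
    off, image = carve_pe(build_sample())
    patched, n = restore_upx_names(image)
    print("PE at +%d, %d bytes, %d patches, sections %s"
          % (off, len(image), n, [s[0] for s in parse_sections(patched)[1]]))
```

The decoy 'MZ' at the front of the sample is there on purpose: e_lfanew points out of range, so parse_sections rejects it and the carver moves on to the real header. After the rename UPX's own decompressor recognises the file again, which is the whole trick evaluator describes.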

evaluator
February 7th, 2009, 15:26
Just downloaded this RBot; it impresses me by its size & the huge crazy strings inside..

pass: malware