WARNING: This site contains samples of live malware. Use at your own risk.

Offensive Computing Reverse Engineering Challenge #1

Welcome to the first ever Offensive Computing Reverse Engineering Challenge. Basically there will be a file attached to this post. Your job is to download the file and figure out as much information as possible about the file. This includes disassembly, packer, if it's AV detected, packet captures, ports used, processes spawned, source code if available.

Note however, this is a malicious file. It could be a propagating worm, a trojan or a virus. Therefore take all necessary precautions when analyzing this file. Offensive Computing is NOT responsible for anything that may happen to you as a result of this file.

For consideration

I suppose this is a question to everyone reading this blog. If you were to have a tool that could locate similar instruction sequences in some large database, say all of the binaries on an installation, what would you like to see it do?

Based on the work/analysis of valsmith and others, I'm going to start by seeing if Win32.Klez has anything in common with Ubuntu, SuSE, and Mandrake.*

As I don't expect that to return any results, does anyone have any good Linux malware w/ analysis?

* Yes, I do realize that I'm doing a cross-platform analysis. Unfortunately, the people funding my research will not let me assume the risk for analysis of Windows.

Malware Analysis Quiz #6 Results


Results of Malware Quiz #6 from ISC released today! Did you submit your analysis? Drop a note.

http://handlers.sans.org/pbueno/ma6.html

Worm.P2P.Capside.C

ClamAV 0.88/1333/Wed Mar 15 06:57:53 2006: Worm.P2P.Capside.C
Kaspersky: P2P-Worm.Win32.Capside.d

MD5: 3ca444c74d4f7c32315cb3cc439e6a6b
SHA1: 50ced47778e9083f727f01902da13fe5733ed8fd


Bagel.AE

MD5: a867d1287d7c51846ec65c855413e2a2
SHA1: 6604c6fa897139e2c4647cc342a683d72846dbeb

Antivirus Version Update Result
AntiVir 6.34.0.53 03.16.2006 Worm/Bagle.gen
Avast 4.6.695.0 03.16.2006 Win32:Beagle-IH
AVG 718 03.16.2006 Win32/Sality
Avira 6.34.0.53 03.16.2006 Worm/Bagle.gen
BitDefender 7.2 03.16.2006 Win32.Bagle.FJ@mm
CAT-QuickHeal 8.00 03.14.2006 I-Worm.Bagle.ae
ClamAV devel-20060126 03.16.2006 Worm.Bagle.CT
DrWeb 4.33 03.16.2006 Win32.HLLM.Beagle.27136
eTrust-InoculateIT 23.71.103 03.16.2006 Win32/Bagle.DW!Worm
eTrust-Vet 12.4.2121 03.16.2006 Win32/Bagle.DW
Ewido 3.5 03.16.2006 no virus found

Mydoom.BB

MD5: f28a4c0f855afdf35d3d6fe541bbb881
SHA1: c47efe5311eb5e792064d068044197ef1f25850d

Antivirus Version Update Result
AntiVir 6.34.0.53 03.16.2006 Worm/Mydoom.BB
Avast 4.6.695.0 03.16.2006 Win32:Mydoom-AM
AVG 718 03.16.2006 I-Worm/Mydoom.AP
Avira 6.34.0.53 03.16.2006 Worm/Mydoom.BB
BitDefender 7.2 03.16.2006

Ganda.A

MD5: 6009b3fd7cc7fc126d6236069230fdaa
SHA1: 57e67715c7dac5e6c7419decd083a91a36613b18

Antivirus Version Update Result
AntiVir 6.34.0.53 03.15.2006 Worm/Ganda
Avast 4.6.695.0 03.14.2006 Win32:Ganda-B
AVG 718 03.15.2006 I-Worm/Ganda
Avira 6.34.0.53 03.15.2006 Worm/Ganda
BitDefender 7.2 03.15.2006 Win32.Ganda.A@mm
CAT-QuickHeal 8.00 03.14.2006 W32.Ganda.A
ClamAV devel-20060126 03.15.2006 Worm.Ganda-A
DrWeb 4.33 03.15.2006 Win32.Roger.45056
eTrust-InoculateIT 23.71.102 03.15.2006 Win32/Ganda.A!Worm
eTrust-Vet 12.4.2120 03.15.2006 Win32/Ganda.A
Ewido 3.5 03.15.2006 Worm.Ganda
Fortinet 2.71.0.0 03.15.2006 W32/Ganda.A-mm
F-Prot 3.16c 03.14.2006 W32/Ganda.A@mm
Ikarus 0.2.59.0 03.15.2006 Email-Worm.Win32.Ganda
Kaspersky 4.0.2.24 03.15.2006 Email-Worm.Win32.Ganda
McAfee 4719 03.15.2006 W32/Ganda@MM
NOD32v2 1.1444 03.15.2006 Win32/Ganda.A
Norman 5.70.10 03.15.2006 W32/Ganda.A@mm
Panda 9.0.0.4 03.15.2006 W32/Ganda.A
Sophos 4.03.0 03.15.2006 W32/Ganda-A
Symantec 8.0 03.15.2006 W32.Ganda.A@mm
TheHacker 5.9.5.113 03.15.2006 W32/Ganda@MM
UNA 1.83 03.15.2006 I-Worm.Ganda
VBA32 3.10.5 03.15.2006 Email-Worm.Win32.Ganda

Cryzip Wanted


Does anyone have a copy of the new Cryzip trojan that purportedly encrypts files then demands a $300 ransom for decryption? Thanks.

malware request


Does anyone have a sample which listens on a port for one reason or another? Doesn't matter if it's Windows or Linux. An example is Sasser, which listens on 5554 for FTP. (we already have that)

Not looking for something that just opens a shell on a port like netcat (we have those) but maybe a worm that propagates somehow like that; say using HTTP or FTP, etc.

Email me (valsmith at metasploit dot com)

thanks!

V.

Trojan.Win32.Morwill.B


MD5: 1d098fb29bf0c99fd786e5e6c749f9eb

AntiVir 6.34.0.53 03.07.2006 TR/Click.Morwill.B.3
Avast 4.6.695.0 03.06.2006 no virus found
AVG 718 03.07.2006 Adware Generic.AFJ
Avira 6.33.1.53 03.07.2006 TR/Click.Morwill.B.3
BitDefender 7.2 03.07.2006 Trojan.Clicker.Morwill.B
CAT-QuickHeal 8.00 03.07.2006 no virus found
ClamAV devel-20060126 03.07.2006 no virus found
DrWeb 4.33 03.07.2006 no virus found
eTrust-InoculateIT 23.71.95 03.07.2006 no virus found
eTrust-Vet 12.4.2108 03.07.2006 no virus found
Ewido 3.5 03.07.2006 Hijacker.Morwill.b
Fortinet 2.71.0.0 03.07.2006 Adware/Morwill