Skip navigation.
Home

Malware Analysis Quiz #6 Results

| |

Results of Malware Quiz #6 from ISC released today! Did you submit your analysis? Drop a note.

http://handlers.sans.org/pbueno/ma6.html

yeah . .

post emotional break down revision :)

I thought about this a bit and I realize that I overreacted. I see now I wasnt indepth enough or explicit about the "hidden process" that was -bash. I also see that I posted a reverse engineering analysis more than a forensics assesment, which is really what was asked for. I see that Pedro was trying to help me make the analysis better. However I still think doing our own style of challenges are a good idea, so I'm doing that. Im going to leave this post here to help me remember and learn from this.

V.
------------------------------
So im very dissapointed about this one. My answers were WAY more in depth than the winners, and I turned them in months ago. I didn't even get an honerable mention! Well He didnt like my answers because I included full source code and indept disassembly. I even worked with Pedro Bueno to change things he didn't feel comfortable with. I guess the test is more for basic entry level forensics people than deep analysts. (Sans doesnt exactly approve of offensivecomputing either so that probably doesn't help, politically speaking).

Maybe we will do our own, less biased, challenges here, what do you think?

V.

ps here is a real analysis:

http://www.offensivecomputing.net/files/active/1/sans_analysis.pdf

Sure

I'd be game, gives me something to do on trains other than work stuff :)

-Patrick

Re:yeah ...

Good idea regarding those "less-biased" challenges. I guess it's not so tough to throw a new piece of malware from a honeypot and get results !! It doesn't demand you to be Einstein, if he could do that, hell anyone could ;)

Check your gmail inbox.

Regards

---
Remember there is alwayz someone who knows more than us out there

RE: yeah..

If I had to guess, I think your analysis was good but not listed because it was incorrect on at least one question. For question 5 you say that the process does not appear in a "ps" listing because it is a zombie process. In fact, the shelll processes do appear in the listing as " -bash". The command line gets overwritten right before the fork.

As far as the challenges go, by all means have more! Let's keep things civil though. Please don't make assumptions about bias and try to go off and do something else simply out of spite.

good post

that ps thing was the question i had the most problems with. I had a really hard time explaining that part. And I see now where the problem is and what I should have done better at. Ill be honest too I made this post when I was angry but basically my analysis didn't meet Pedro's criteria and thats fine. The challenge idea actually isn't spite. The more I think about it the more I like it. I think it is a good way to get people involved. And of course everyone is biased and theres nothing wrong with that. So that said, I think the challenge idea should continue. Our criteria will be most in depth analysis versus most useful forensic report. Ill come up with something soon.

V>

Heh. I'm runner up #2,

Heh. I'm runner up #2, Anthony Martinez.