The-InterWeb.com is a technology blog with a couple of book reviews sprinkled in

Programming stuff

My solution to the CSSRT-LU malware contest

The Computer Security Research and Response Team - Luxembourg ran a malware contest between January 2006 and yesterday. Participants were supposed to analyze three files. The three files turned out to be a Reptile bot, an SDNBot and a modified openssl-too-open exploit. The first two are Windows bots from the SDBot family which use IRC to communicate with their bot masters. The third file is a Linux executable which contains an exploit for an earlier version of OpenSSL.

Here's my solution. It's pretty big and it's interesting how the individual chapters and sections get shorter and shorter the farther you read. I think that's what happens when you lose interest in doing something. I think it's a nice read if you'd like to read about the bots or how to analyze relatively simple pieces of malware.

Update: A kind soul informed me that I made a pretty dumb mistake with File Z, which is actually infected with a Linux virus called RST.b too. That wasn't all that surprising, as the online virus scanner I use actually reported that. IDA doesn't load the relevant code, though, because the section size of the .rodata section where the virus code can be found is too small. That's why you won't find the code in FileZ.idb either. That was easy for me to miss, but I still could have found out because the entry point of File Z points to the virus code. Looks like I was too quick in dismissing the IDA "Invalid entry point" message as just another warning message when analyzing a broken file.


Languages: English

Retrieved from "http://aboutus.com/index.php?title=The-InterWeb.com&oldid=36995408"