/* */

02 October 2008

Technical OSINT innovation contest: the 2008 Malware Challenge

While the worlds of most OSINT analysts do not typically overlap with those working in the more rarified fields of digital network intelligence, forensic analysis, and network warfare, there are a highly specialized subset that may be interested in testing their skills as part of a challenge of their own. While clearly not as high profile as the recent DNI OSINT contest, the 2008 Malware Challenge promises interesting responses of its own.

The winners of the malware challenge will be announced at the 2008 Ohio Information Security Summit on 31 October 2008. We had not previously seen this conference, but it appears to be a small regional conference that is unusually well attended by the usual round of ex-spooks and ex-cops that have moved into the cyber security industry as of late.

The challenge scenario is reproduced below:

"A system administrator within your organization has come to you because a user's PC was infected with malware. Unfortunately, anti-virus is unable to remove the malware. However, the administrator was able to recover the suspected malware executable. Your job is to analyze the malware.
Participants should download the malware sample and analyze it. The end result should be a document containing details on the analysis performed. The analysis document can be written in any form, but the questions and statements below should be answered within it. Participants should note what questions are being answered.
The questions...
* Describe your malware lab.
* What information can you gather about the malware without executing it?
* Is the malware packed? If so, how did you determine what it was?
* Describe the malware's behavior. What files does it drop? What registry keys does it create and/or modify? What network connections does it create? How does it auto-start, etc?
* What type of command and control server does the malware use? Describe the server and interface this malware uses as well as the domains and URLs accessed by the malware.
* What commands are present within the malware and what do they do? If possible, take control of the malware and run some of these commands, documenting how you did it.
* How would you classify this malware? Why?
* What do you think the purpose of this malware is?

Bonus questions: (These questions are not required to be answered but could be used to break a tie for prizes.)
* Is it possible to find the malware's source code? If so, how did you do it?
* How would you write a custom detection and removal tool to determine if the malware is present on the system and remove it?

Analysis documents should be submitted in PDF format to 2008challenge@malwarechallenge.info by 12:00 Midnight EST (5:00 AM GMT) on October 26, 2008."

Additional information, including other contest rules and FAQ, can be found at the challenge website.

Interestingly, we note that Steve Jackson Games is among the sponsors providing prizes for the winners. SJG was most famously the victim of a botched Secret Service raid in 1990, which seized files and texts that were part of one its published gaming lines. For those that are not familiar with this disastrous episode from the earliest days of the cyber intelligence account, it was best recounted in Bruce Sterling’s still timeless book, The Hacker Crackdown. (In our opinion, this is also a text which should be mandatory reading for those involved in SIGINT, MEDEX, or eCrime analysis. And while the USSS has indeed come a long way since then, we do from time to time encounter other shops still grappling to come to terms with the new threat environment with often equally absurd results.)

h/t Spy Logic

Labels: , , , ,