Malware analysis

From Inforail

Keywords

malware analysis, obfuscation, web-site hack, pwned, pwnage, reverse engineering, reversing


Background story

A web-site was hacked and secretly turned into a pharma-store, i.e. it looked the same to its owners, but new pages had been created that could only be reached by typing their address directly.

Visiting those pages would bring up an online pharma store that would offer Viagra, Cialis et al.

Objectives

  • Examine the directory structure of a hacked web-site
  • Find the pharma-store
  • Find the malware
  • Overcome the obfuscation techniques to see what the malware does
  • Understand how the attack happened and what the attacker's objectives were


Workflow

  1. You're given an archive that contains the directory structure of a web-server running on Linux. You have to examine the contents of the archive, detect the malware and understand what it is doing.
  2. Document your findings by including file fragments, code samples or screenshots.
  3. Let the questionnaire below guide your research.
  4. Devise a set of recommendations for web-site owners, to help them avoid getting hacked.

Self-test questions

  • Which attack vector was leveraged to make the hack possible?
  • Why did the attacker obfuscate the malware?
  • What obfuscation techniques were employed?
  • Why did the malware not leave any visible traces on the front-end?
  • What could have been the motivation of the attacker?
  • How did the attacker ensure that only they could access the malware on the site after it got pwned?
  • What would be an easy way to identify malicious files in a web-application?
  • How can you find other web-sites that were compromised using the same technique?
  • How can you find out the attacker's password?
  • Use of certain functions in the code of a web application is possibly a recipe for disaster: which functions are those?
  • How can you catch the attacker?
  • What methods are employed by the attacker to ensure the malware stays there after you remove the malicious files?
  • What mistakes committed by the site owner made the attacker's job easier?


Tools

Nothing specific here, use whatever you want. You might need:

  • a directory and file comparison tool
  • Far or Midnight Commander, or anything that can search for a specific string inside a number of files
  • command-line skills
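
The string search and directory comparison mentioned above, as an added shell example that is not part of the original assignment and not the course's own tooling: it builds two constructed sample trees (a clean copy of a site and a hacked copy of the same site), flags PHP files that call functions commonly wrapped around an obfuscated payload, and lists the files that were added or modified relative to the clean copy. The indicator list, the sample file contents, the placeholder payload string and all paths are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original assignment page): first-pass triage of an
# extracted web root. Two defensive checks are shown: (1) list PHP files that
# call functions commonly used to hide a payload, and (2) compare the hacked
# tree with a known-good copy to surface added and modified files.
# All paths and file contents below are constructed for the demo.

# Functions that rarely belong in application code and usually wrap an
# obfuscated payload when they appear together (assumed indicator list).
SUSPICIOUS_PATTERN='eval\(|assert\(|create_function\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\('

# Print every *.php file under $1 that matches the indicator list.
# "|| true" keeps a no-match exit status from aborting a "set -e" caller.
find_suspicious_functions() {
    find "$1" -type f -name '*.php' -exec grep -lE "$SUSPICIOUS_PATTERN" {} + 2>/dev/null || true
}

# Print files present in the hacked tree ($2) but absent from the clean tree ($1),
# as paths relative to the tree root (e.g. ./cache/tmp.php).
list_new_files() {
    tmp_clean=$(mktemp)
    tmp_hacked=$(mktemp)
    (cd "$1" && find . -type f | sort) > "$tmp_clean"
    (cd "$2" && find . -type f | sort) > "$tmp_hacked"
    comm -13 "$tmp_clean" "$tmp_hacked"
    rm -f "$tmp_clean" "$tmp_hacked"
}

# Print files that exist in both trees but whose content differs, as paths
# relative to the hacked tree ($2).
list_changed_files() {
    diff -rq "$1" "$2" 2>/dev/null | sed -n "s|^Files .* and $2/\(.*\) differ\$|\1|p"
}

# Build two throwaway trees: a clean copy and a "hacked" copy of the same site.
# Everything written here is constructed sample data, not real malware.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/inc" "$base/hacked/inc" "$base/hacked/cache"
    printf '<?php\nrequire "inc/config.php";\necho "Hello";\n' > "$base/clean/index.php"
    printf '<?php $db = "localhost";\n' > "$base/clean/inc/config.php"
    cp "$base/clean/index.php" "$base/hacked/index.php"
    cp "$base/clean/inc/config.php" "$base/hacked/inc/config.php"
    # Constructed modification: the front page now pulls in a hidden file.
    printf '@include(".sess.php");\n' >> "$base/hacked/index.php"
    # Constructed stand-in for an obfuscated dropper; the payload is a placeholder.
    printf '<?php eval(gzinflate(base64_decode("PLACEHOLDER_NOT_A_REAL_PAYLOAD")));\n' > "$base/hacked/cache/tmp.php"
    # Constructed hidden file; it is not caught by the function list, only by the diff.
    printf '<?php if ($_COOKIE["k"] != "x") die();\n' > "$base/hacked/.sess.php"
    printf '%s\n' "$base"
}

# Demo run on the constructed trees.
SAMPLE=$(make_sample)
echo "== PHP files calling payload-decoding functions:"
find_suspicious_functions "$SAMPLE/hacked"
echo "== Files added since the clean copy:"
list_new_files "$SAMPLE/clean" "$SAMPLE/hacked"
echo "== Files modified since the clean copy:"
list_changed_files "$SAMPLE/clean" "$SAMPLE/hacked"
rm -rf "$SAMPLE"
```

To use it on the assignment archive, swap the two constructed trees for the extracted web root and a known-good copy (a backup from before the incident, or a fresh download of the same application version). Treat the function list as a starting point only: legitimate code also calls base64_decode, so every hit still has to be read, and a file that is absent from the clean copy is at least as interesting as one that matches the pattern.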

Grading policy

  • 5 - find the malicious files
  • 10 - answer all the self-test questions.

Anything in between, depending on how many of the questions you've answered.


Bonus

This music video will not help you with this assignment at all: https://www.youtube.com/watch?v=9RHFFeQ2tu4. But this file will: https://dl.dropboxusercontent.com/u/3258602/faf-hack-pwned-site-input.zip