WeChall - Malware

Challenge

This challenge consists of 6 different parts.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
1. Hi, This is an **\*\*\*\*\*\*\*\*** virus. As you know we are not so technical advanced as in the West. We therefore ask you to delete all your files on your harddisk manually and send this email to all your friends.

2. When you see "Dis is one half" on your screen, half of your hard drive has been encrypted with **\*\*\*** encryption.

3. **\*\*\*\* \*\*\*\*** is a great DNS technique for botherders to avoid shutting down of their malware or phishing site and to hide these sites with an ever-changing network of compromised hosts acting as proxies.

4. Download the source code for netsky.ae (variant name by Kaspersky), in the main.cpp (sha-256sum=e80d5db98e3e661bee9e57e0e524de2b97db2f48c63f2e73c562719501aeddc1) the first host name in the 90. row is www.**\*\*\*\*\***.com

5. After downloading and installing Trojan-PSW.Win32.Sinowal.w (variant name by Kaspersky) (sha-256sum=c21ae31e700930b02ad8c286c098770a1baad33abae6436733bb024998bdd19e), first the malware queries the DNS for r**\*\*\*\*\***.com (include r in the final answer).

6. Download Trojan-GameThief.Win32.Nilage.mc (variant name by Kaspersky) (sha-256sum=d2243520460811f14c7f77dce093b807e546298b6eb3e8d8a8f4581f28057284), unpack and analyze. The executable contains the string: c:\\**\*\*\*\*\***.txt


Your task is to fill in the \* parts, concatenate the answers with \_ (underscore) and remove any spaces (if any). To be more precise, the solution string will contain 5 \_ and altogether 43 characters. You only have to answer 5 out of the 6 questions correctly to be succesfull, but please include every answer (even if one is known wrong).

Solution

Part 1: ALBANIAN

题面描述的是 ILOVEYOU 蠕虫(LoveLetter,2000年)——"Hi" 开头、要求删除文件、转发给所有好友的邮件蠕虫。但填空的 8 个星号对应的是 ALBANIAN(Albanian 病毒),不是 ILOVEYOU。答案全大写。

Part 2: XOR

"Dis is one half" 是 OneHalf DOS 病毒(1994年)的显示信息,硬盘被 XOR encryption 部分加密。3 个星号对应 XOR,全大写。

Part 3: fastflux

题面完整定义了 fast-flux DNS:botnet 通过快速变更 DNS A 记录,在不断变化的代理主机网络中隐藏恶意/钓鱼站点。**** **** = "fast flux",去空格后 8 字符 fastflux,全小写。注意首轮测试中混合大小写变体(FastFlux/FASTFLUX/fast-flux)被拒,唯 fastflux 正确。

Part 4: norton

通过 Wayback Machine 获取 VX Heaven 的 netsky_ae.zip 在线浏览,main.cpp 第 90 行:

1
const char* buffer = "127.0.0.1 www.norton.com 127.0.0.1 norton.com 127.0.0.1 yahoo.com...";

第一个 www.******.com = norton(6 字符)。

Web Archive 来源:https://web.archive.org/web/20150418161252id_/http://vxheaven.org/src_view.php?file=netsky_ae.zip&view=main.cpp

Part 5: rikora (未解占位)

Sinowal.w(SHA256: c21ae31e700930b02ad8c286c098770a1baad33abae6436733bb024998bdd19e)首次 DNS 查询。Torpig/Sinowal 论文(UCSB 2009)列出硬编码 C2 域名为 rikora.compinakola.comflippibi.com。提交 rikora 未增加正确数。

注意题面 r****** 表明答案应为 r + 6 字 = 7 字符,而 rikora 仅 6 字符。可能该特定变种使用不同域名,或题面星号数不精确。

Part 6: t1game

Trojan-GameThief.Win32.Nilage.mc(SHA256: d2243520460811f14c7f77dce093b807e546298b6eb3e8d8a8f4581f28057284),Lineage 游戏密码窃取木马,UPX 压缩。

从 Hybrid Analysis 沙箱运行的 Nilage.mc 报告中提取的字符串表确认偏移 126544 处有 t1game + .txt。Microsoft 的 PWS:Win32/Lineage 威胁文档也确认该家族常用 t1game.txt 存储窃取的凭据。

答案:t1game(6 字符),对应 c:\t1game.txt

验证方法

通过 WeChall authme 端点 POST 提交,服务器返回逐部分正确数:

  1. ALBANIAN_xxx_aaaaaaaa_bbbbbb_cccccc_dddddd → 1/6(仅 Part 1 正确)
  2. ALBANIAN_XOR_fastflux_norton_cccccc_dddddd → 4/6(Parts 1-4 全部正确)
  3. ALBANIAN_XOR_fastflux_norton_rikora_gamect1 → 4/6(Part 5 和 Part 6 均未通过)
  4. ALBANIAN_XOR_fastflux_norton_rikora_t1game5/6 通过