By Lenny Zeltser. Lenny teaches the reverse-engineering malware (REM) course at SANS Institute.
We are very grateful to everyone who submitted answers to our Puzzle #5: Ms. Moneymany’s Mysterious Malware. Congratulations to everyone who provided correct answers to this network forensics puzzle with a malware twist.
Don Jackson submitted the solution that we picked as the winner of this contest. We were very impressed with the thoroughness of his description, with the attention to detail, and with the focus on network-related aspects of the incident. Reading Don's solution made us feel as if we were looking over the shoulder of the forensic analyst as he formed theories and looked for evidence to substantiate or disprove them. Great job, Don, and congratulations on winning the Lenovo Ideapad netbook!
We also wanted to mention several other solutions that ranked close to the top:
We were impressed by the deep dive yulyul2003 took into the inner workings of the malicious executable. Though this level of detail was a bit outside the scope of this puzzle, we liked the analysis yulyul2003 performed of the infection and rootkit-related functionality of the specimen. This solution also provides excellent details regarding the infection mechanism.
Eugenio Delfa created a handy tool called castflow for carving PCAP files, which he used to extract files from the network traffic capture. Eugenio also performed some behavioral analysis of the malicious executable in the lab; we appreciated seeing these details in his write-up.
Iñaki Rodríguez showcased the use of tshark for analyzing network traffic; very nice. We also liked the use of Snort by dn1nj4 to examine the network traffic capture for signs of malicious activity.
Thanks to everyone who participated in this puzzle!
Don Jackson (wins a Lenovo Netbook)
Ahmed Adel Mohamed
Ashish, Garima, Vikrant
Don Jackson (winning submission)
Victor Ant Torre
June 6, 2010 at 12:05 pm
Congratulations and thanks to Don Jackson and everyone else who participated. It’s always nice to see the different solutions!
June 7, 2010 at 10:52 am
Congratulations to Don and thanks to SANS and everyone for the opportunity to see all those different solutions.