Finding real-world malware samples that illustrate practical analysis techniques is tricky. When training professionals how to reverse-engineer malware, I’ve gone through lots of malicious programs for the purpose of educational examples. Here are some of the samples that I’ve retired from the FOR610 course over the years, because they no longer seemed current or relevant. And yet, many of their attributes are present in modern malicious software.
A Backdoor with a Backdoor
To learn fundamental aspects of code-based and behavioral malware analysis, the course examined Slackbot. It was an IRC-based backdoor, which its author “slim” distributed for free as a compiled Windows executable without source code.
Dated April 18, 2000, Slackbot came with a builder that allowed its user to customize the name of the IRC server and channel that the person wanted to use for Command and Control (C2). Slackbot documentation explained how the remote attacker could interact with the infected system and included this taunting note:
“don’t bother me about this, if you can’t figure out how to use it, you probably shouldn’t be using a computer. have fun. –slim”
Those who reverse-engineered this sample discovered that it had undocumented functionality. In addition to connecting to the user-designated C2 server, the specimen also reached out to a hardcoded server, irc.slim.org.au, that “slim” controlled. The #penix channel gave “slim” the ability to take over all the botnets that Slackbot users were building.
The backdoor had a backdoor! Not surprisingly, backdoors continue to be present in today’s “hacking” tools. For example, I recently came across a DarkComet RAT builder that was surreptitiously bundled with a DarkComet backdoor of its own.
You Are an Idiot
The FOR610 course used a simple web page to introduce the techniques for examining potentially-malicious websites. The page, captured below, was a nuisance that insulted its visitors with the following message:
When Flash reigned supreme among banner ad technologies, the FOR610 course covered several examples of this form of malware. One of the Flash programs we analyzed was a malicious version of the ad pictured below:
Visitors to legitimate websites, such as MSNBC, were reporting that their clipboards appeared “hijacked” when the browser displayed this ad. The advertisement, implemented as a Flash program, was using the ActionScript setClipboard function to repeatedly replace victims’ clipboard contents with a malicious URL.
The attacker was probably counting on the victims to blindly paste the URL into messages without looking at what they were sharing. I remembered this sample when reading about a more recent example of malware that, when running on victims’ computers, replaced Bitcoin addresses stored in the clipboard with the attacker’s Bitcoin address.
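Both clipboard tricks described above leave a footprint that a defender can look for: the Flash ad kept re-writing the same URL after every user copy, and the later malware swapped one Bitcoin address for another moments after it was copied. The detector below is an added example, not code from the post or from FOR610; it assumes the clipboard has already been polled into a list of (timestamp, text) pairs, and the sample snapshots and addresses are constructed placeholders.

```python
"""Flag two clipboard-hijacking patterns in polled clipboard snapshots (example, not from the post)."""
import re
from collections import Counter

# Legacy base58 addresses (1... / 3...) and bech32 (bc1...). Format check only, no checksum.
BTC_ADDR = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$")


def looks_like_btc_address(text: str) -> bool:
    return bool(BTC_ADDR.match(text.strip()))


def detect_address_swaps(snapshots, window=2.0):
    """One address replaced by a different address within `window` seconds: the clipper pattern."""
    alerts = []
    for (t0, prev), (t1, cur) in zip(snapshots, snapshots[1:]):
        if (prev != cur and t1 - t0 <= window
                and looks_like_btc_address(prev) and looks_like_btc_address(cur)):
            alerts.append({"at": t1, "was": prev, "now": cur})
    return alerts


def detect_sticky_overwrites(snapshots, window=2.0, min_reverts=2):
    """A value that keeps coming back right after the user copies something else: the Flash-ad pattern."""
    reverts = Counter()
    for (_, a), (t1, b), (t2, c) in zip(snapshots, snapshots[1:], snapshots[2:]):
        if a == c and a != b and t2 - t1 <= window:
            reverts[a] += 1
    return {value: n for value, n in reverts.items() if n >= min_reverts}


# Constructed sample data: placeholder addresses (valid base58 shape only) and a placeholder URL.
VICTIM_ADDR = "1VictimAddr" + "X" * 23
ATTACKER_ADDR = "3AttackerAddr" + "Y" * 21
BAD_URL = "http://malicious.example/"
SAMPLE = [
    (0.0, "meeting notes"),
    (5.0, VICTIM_ADDR),     # user copies their own wallet address
    (5.5, ATTACKER_ADDR),   # half a second later it is someone else's: swap
    (10.0, BAD_URL),        # first sighting of the sticky URL
    (20.0, "hello"),
    (20.5, BAD_URL),        # user's copy is overwritten again (revert 1)
    (30.0, "invoice 42"),
    (30.5, BAD_URL),        # and again (revert 2)
    (45.0, VICTIM_ADDR),
    (60.0, ATTACKER_ADDR),  # 15 s apart: outside the window, not flagged
]

if __name__ == "__main__":
    print(detect_address_swaps(SAMPLE))
    print(detect_sticky_overwrites(SAMPLE))
```

The time window is a heuristic: a user who copies two different addresses back to back within two seconds would trigger the swap rule, so treat hits as leads to investigate rather than verdicts.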
As malware evolves, so do our analysis approaches, and so do the exercises we use in the FOR610 malware analysis course. It’s fun to reflect upon the samples that at some point were present in the materials. After all, I’ve been covering this topic at SANS Institute since 2001. It’s also interesting to notice that, despite all the changes in the threat landscape, many of the same objectives and tricks persist in today’s malware world.