Writing modules for bamfdetect requires a variety of talents including reverse engineering, parsing, decryption, as well as development. For this reason, I invite everyone to test their skills to create bamfdetect modules, and compete for cash prizes.
bamfdetect is a tool designed to extract the command and control configuration details from malware statically.
It is highly suggested that before writing modules for the competition that you use bamfdetect to some capacity to get an understanding of how it operates. Modules which do not make sense to the overall operation of bamfdetect may not be merged, and may not be considered a submission.
bamfdetect supports three kinds of modules. These modules are referred to as preprocessors, detections modules, and post processors. With preprocessors, you have control over the raw data to be parsed by the detection modules. For instance, the existing preprocessing module is designed to decompress UPX packed files (although temporarily disabled due to security concerns with UPX). While the primary inspiration for preprocessing modules is to unpack or deobfuscate data, that is not the sole purpose of these modules, and other preprocessing ideas may be applied. Archive decompression is not considered part of preprocessing modules, and preprocessing has one input and has one output (as opposed to one input and multiple outputted files).
The detection modules are the heart of bamfdetect. They are responsible for both identifying the target malware family (primarily via YARA) as well as parsing and extracting out the bot’s configuration. All configuration extraction methods are required to be static and not based on executing the malware. The closer to pure python these modules can be, the better.
The post processing modules focus around using the information extracted from bot panels. For instance, in my private bamfdetect repository, I have a module which uploads all extracted bot configurations to my botnet tracking system. This allows me to immediately start tracking any malware that gets processed by my local bamfdetect setup. These modules allow for a good deal of creativity.
Multiple judges (totally more than just me), will rate pull requests to the bamfdetect repository (not including previous ones). The sum of the ratings for an individual user will lead to the user’s overall score. Once the overall scores have been determined, we will sort the users by their score, and assign prizes and announce the winners.
Submissions must be your own, and not the property of any corporation. The submissions will be open source and will be under the same license as bamfdetect itself. For detection modules, ensure that the judges can access the actual malware being parsed (SHA256 will suffice if sample is uploaded to VirusTotal).
The first cut off for submissions is August 1st, although there are a number of scenarios where this cut off will be extended. There is no reason the cut off would be made earlier. If this results in quality contributions to bamfdetect, I will be happy to have similar competitions in the future.
Prizes are USD values distributed in the form of gift cards (of the user’s choice). I must be able to purchase said gift card over the internet with some level of anoniminity. Amazon gift cards are the preferred location.
- $250 in gift card
- $100 in gift card
- $50 in gift card
Happy Hunting :)