118 People, 33 Countries: The PolySwarm Malware Bounty Program

As we pave the way for a new contest, with bigger prizes, more swag, and greater challenges, we’re sharing what we found during our first bounty program.

Over the past three months, we have been running our inaugural PolySwarm Malware Bounty Program. Over the course of the campaign, we had nearly 120 participants from all around the world throwing malware into our system, with some even trying to game the system for more free Nectar (as we would expect any good hacker to do!). Malware was submitted from all types and functionalities and ranged in age from decades old to cutting edge.

The Numbers

• Total number of artifacts: 576
• Total number of malware families: 307
• Total number of participants: 118
• Total number of participating countries: 33
• Total amount of NCT won overall: 118,430

Through this program there have also been nine free Binary Ninja licenses winners! The prize went out to the contest all-stars who submitted more than 30 different malware samples and pulled in over 5,000 NCT. You can win a free Binary Ninja license too—just sign up for our Weekly Security Experts Newsletter so you don’t miss our Phase 2 contest announcement!

But that’s not all. There’s still so much more to share. Keep reading to learn more about what we found during our inaugural contest.

The Malware Bounty Program: An Overview

Our first malware bounty contest was designed as the first end-to-end test of the PolySwarm market on testnet. The Free Nectar for Malware Bounty Program rewarded security experts with Nectar (NCT) for uploading malicious files. A ClamAV engine was tied in to the network to act as a hybrid security expert-arbiter and assess whether the uploaded files are malicious.

Once per day, each expert was eligible to enter one IPFS link to a suspicious file. Per malware family, the first 5 submissions to trigger a ClamAV signature earned NCT in a tiered structure, with each subsequent artifact in the malware family worth less. We also announced a specific malware family in the PolySwarm Telegram Channel every day worth double the NCT.

Want to know more about what was required of our participants? Read the full contest rules.

The Experts: Gaming the System?

This wouldn’t be a program for hackers and security experts if someone wasn’t trying to game the system. We saw people using many different strategies to work around the rules, so we’re glad to see that we’re attracting the right type of people so far.

There was, for example, the case of the blatant sock-puppeteer. This participant set up two separate registrations and would submit the same artifact from each account with only a couple seconds of separation. Nice try, but no dice.

For those of you who may have flown under our radar, good job! Now let’s repurpose those skills into malware detection in the next contest (more details to come soon)!

The Malware: Across the Entire Spectrum

Through the course of the Malware Bounty Program we received 576 artifacts from 307 distinct malware families — everything from the first viruses ever created to bleeding edge (at the time) full access chain-exploit malware in Stuxnet and Flame! With a broad spectrum of malware types flowing into our system, this contest proved to be a great functionality test of the PolySwarm market. Here are some of the malware families that were most-submitted :

• Angler
• BAT
• BiFrost
• Black Energy
• Bladabindi
• Casper
• Cidox
• CryptoWall
• CosmicDuke
• Doomjuice
• Fiesta
• Farfli
• Welchia
• Waledac
• TeslaCrypt
• SubSeven
• MyDoom
• KungFu
• Luhn
• Memscan
• Gootkit
• Hookit

The most common functional attributes among the artifacts submitted were Trojan, Backdoor, and Spyware. We also saw a lot of botnet malware samples, netsky, ransomware (cryptowall + teslacrypt), and tons of Mimikatz / things that use Mimikatz that steal passwords from Windows memory. We were pleased to even have some malware out the wild that were previously unscanned on VirusTotal.

Cryptominers

As a company of security experts in the blockchain space, it follows logically that artifacts with cryptomining malware would fall into our hands. These malware components are developed by profit-seeking hackers to take over a computer’s resources and use them to mine cryptocurrencies without the user’s permission.

Buenoware

We’re already recruiting some of the nice guys. There were multiple instances of artifacts that spread themselves and install the security update that patches the vulnerability they exploit. Most of these also remove themselves or leave a friendly “You’re welcome!” type message. Be careful, though; this type of malware is still technically illegal.

Poser Malware

Some of the craftiest submissions were not actual malware but still triggered a ClamAV signature, taking the concept of free NCT to another level. These crafty participants were able to take a benign artifact and modify the signature such that the program believed it was malicious. Hopefully these security experts will be the ones to build engines that are able to detect the same scheme they used in the opposition direction — malware hiding as a benign file — in the PolySwarm market!

The Non-Malware

The 10 percent of submissions that were not malware were either empty, a random artifact, or cat pictures (obviously). Check out some of the many pictures submitted below!

The Biggest Target: Windows OS For The Win

It’s no secret that most malware targets Windows operating systems, and that was no different in our bounty program. The reasons why? There are a number of them, including:

1. As the most widely used OS, especially by enterprises, the most value is held in these systems.
2. Windows emphasizes backwards compatibility, which introduces wrinkles in security posture.
3. There is momentum behind these hacks. Windows has been targeted for quite some time, and hackers have released documentation and open-source tools to do so.
4. Application distribution is not held in a common, trusted store, rather users often download apps directly from the Internet.

A blog post on ‘Why Most Malware is Designed for Windows’ is coming soon!

The Participants

We’re thrilled to have people join in from 33 countries around the world. We had the most sign-ups and participants from the Netherlands, Great Britain, Australia, Russia, and Ireland.

Our all-star participants who were awarded Binary Ninja licenses, represented many different corners of the world as well, coming from:

1. Great Britain
2. Belgium
3. South Korea
4. Ireland
5. South Korea
6. Pakistan
7. Australia
8. Netherlands
9. Ireland

We’re very happy with the results of our first bounty program and are excited to get Phase 2 up and running! Stay tuned for more details about other upcoming contests and competitions and the latest updates on PolySwarm, as well! Follow us on Twitter and Telegram so you never miss an announcement!