118 People, 33 Countries: The PolySwarm Malware Bounty Program

As we pave the way for a new contest, with bigger prizes, more swag, and greater challenges, we’re sharing what we found during our first bounty program.

Over the past three months, we have been running our inaugural PolySwarm Malware Bounty Program. Over the course of the campaign, we had nearly 120 participants from all around the world throwing malware into our system, with some even trying to game the system for more free Nectar (as we would expect any good hacker to do!). Submissions spanned every malware type and functionality, and ranged in age from decades old to cutting edge.

The Numbers

Total number of artifacts: 576

Total number of malware families: 307

Total number of participants: 118

Total number of participating countries: 33

Total amount of NCT won overall: 118,430

Through this program there have also been nine winners of free Binary Ninja licenses! The prize went out to the contest all-stars who submitted more than 30 different malware samples and pulled in over 5,000 NCT. You can win a free Binary Ninja license too: just sign up for our Weekly Security Experts Newsletter so you don’t miss our Phase 2 contest announcement!

But that’s not all. There’s still so much more to share. Keep reading to learn more about what we found during our inaugural contest.

The Malware Bounty Program: An Overview

Our first malware bounty contest was designed as the first end-to-end test of the PolySwarm market on testnet. The Free Nectar for Malware Bounty Program rewarded security experts with Nectar (NCT) for uploading malicious files. A ClamAV engine was tied in to the network to act as a hybrid security expert and arbiter, assessing whether each uploaded file was malicious.

Once per day, each expert was eligible to enter one IPFS link to a suspicious file. Within each malware family, the first five submissions to trigger a ClamAV signature earned NCT in a tiered structure, with each subsequent artifact in that family worth less than the one before. We also announced a specific malware family in the PolySwarm Telegram Channel every day that was worth double the NCT.

Want to know more about what was required of our participants? Read the full contest rules.

The Experts: Gaming the System?

This wouldn’t be a program for hackers and security experts if someone wasn’t trying to game the system. We saw people using many different strategies to work around the rules, so we’re glad to see that we’re attracting the right type of people so far.

There was, for example, the case of the blatant sock-puppeteer. This participant set up two separate registrations and would submit the same artifact from each account only a couple of seconds apart. Nice try, but no dice.
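The contest mechanics described above (one entry per expert per day, a five-deep payout tier per malware family, a daily double-NCT family) and the sock-puppet pattern just mentioned (the same artifact from two accounts seconds apart) can be modelled in a small ledger. The following is an added example written for this post, not PolySwarm's own contest code: the tier amounts, the 60-second duplicate window, the expert names and the artifact bytes are all constructed for illustration, and "family" stands in for whatever ClamAV reported.

```python
"""Toy bounty ledger: payout tiers, daily rate limit and duplicate/sock-puppet checks.
Added example; assumed values are marked below, none come from the contest rules."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ASSUMED tier values: the post only says the first five per family are paid, each worth less.
TIER_NCT = [1000, 500, 250, 125, 60]
# ASSUMED window for "same artifact from two accounts, a couple of seconds apart".
SOCKPUPPET_WINDOW_S = 60.0


@dataclass
class Submission:
    expert: str              # account name
    day: int                 # contest day number
    ts: float                # seconds since contest start
    content: bytes           # artifact bytes (fetched from the IPFS link; constructed here)
    family: Optional[str]    # malware family ClamAV reported, or None if no signature fired


class BountyLedger:
    def __init__(self, bonus_family_by_day: Dict[int, str]):
        self.bonus_family_by_day = bonus_family_by_day
        self.entries_per_expert_day = set()            # enforces one entry per expert per day
        self.paid_per_family = defaultdict(int)        # how many tier slots a family has used
        self.seen_hashes: Dict[str, Tuple[str, float]] = {}  # sha256 -> (expert, ts)
        self.awards = defaultdict(int)                 # NCT credited per expert
        self.flags: List[Tuple[str, str, str]] = []    # (first expert, second expert, sha256)

    def submit(self, s: Submission) -> Tuple[int, str]:
        """Return (nct_awarded, reason) for one submission."""
        key = (s.expert, s.day)
        if key in self.entries_per_expert_day:
            return 0, "rate-limited"
        self.entries_per_expert_day.add(key)

        digest = hashlib.sha256(s.content).hexdigest()
        prev = self.seen_hashes.get(digest)
        if prev is not None:
            prev_expert, prev_ts = prev
            # Same bytes from a different account within the window: flag for review, no payout.
            if prev_expert != s.expert and abs(s.ts - prev_ts) <= SOCKPUPPET_WINDOW_S:
                self.flags.append((prev_expert, s.expert, digest))
                return 0, "duplicate-sockpuppet"
            return 0, "duplicate"
        self.seen_hashes[digest] = (s.expert, s.ts)

        if s.family is None:
            return 0, "no-signature"          # ClamAV did not flag it: cat picture territory
        slot = self.paid_per_family[s.family]
        if slot >= len(TIER_NCT):
            return 0, "tier-exhausted"        # family already has five paid submissions
        self.paid_per_family[s.family] += 1
        amount = TIER_NCT[slot]
        if self.bonus_family_by_day.get(s.day) == s.family:
            amount *= 2                        # announced family of the day pays double
        self.awards[s.expert] += amount
        return amount, "paid"


def run_demo() -> Tuple[List[Tuple[int, str]], BountyLedger]:
    """Replay a constructed day of submissions and return the outcomes plus the ledger."""
    ledger = BountyLedger(bonus_family_by_day={1: "Netsky"})
    subs = [
        Submission("alice", 1, 10.0, b"NETSKY-SAMPLE-A", "Netsky"),   # tier 1, doubled
        Submission("bob", 1, 12.0, b"NETSKY-SAMPLE-B", "Netsky"),     # tier 2, doubled
        Submission("carol", 1, 15.0, b"CAT.JPG", None),               # no signature
        Submission("dave", 1, 20.0, b"MYDOOM-SAMPLE", "MyDoom"),      # tier 1
        Submission("dave2", 1, 23.0, b"MYDOOM-SAMPLE", "MyDoom"),     # sock puppet, 3 s later
        Submission("alice", 1, 30.0, b"ANGLER-SAMPLE", "Angler"),     # second entry same day
        Submission("alice", 2, 90000.0, b"MYDOOM-SAMPLE", "MyDoom"),  # plain duplicate next day
    ]
    return [ledger.submit(s) for s in subs], ledger


if __name__ == "__main__":
    outcomes, ledger = run_demo()
    for out in outcomes:
        print(out)
    print("awards:", dict(ledger.awards))
    print("flags:", ledger.flags)
```

The duplicate check hashes the artifact bytes rather than trusting the IPFS link, so re-uploading the same file under a new link still collides; the sock-puppet rule only fires when the second copy comes from a different account inside the window, and a late resubmission is recorded as an ordinary duplicate rather than a flag.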

For those of you who may have flown under our radar, good job! Now let’s repurpose those skills into malware detection in the next contest (more details to come soon)!

The Malware: Across the Entire Spectrum

Through the course of the Malware Bounty Program we received 576 artifacts from 307 distinct malware families, everything from the first viruses ever created to the (at the time) bleeding-edge, full-exploit-chain malware of Stuxnet and Flame! With a broad spectrum of malware types flowing into our system, this contest proved to be a great functionality test of the PolySwarm market. Here are some of the most-submitted malware families:

Angler

BAT

BiFrost

Black Energy

Bladabindi

Casper

Cidox

CryptoWall

CosmicDuke

Doomjuice

Fiesta

Farfli

Welchia

Waledac

TeslaCrypt

SubSeven

MyDoom

KungFu

Luhn

Memscan

Gootkit

Hookit

The most common functional attributes among the artifacts submitted were Trojan, Backdoor, and Spyware. We also saw a lot of botnet malware samples, Netsky, ransomware (CryptoWall and TeslaCrypt), and tons of Mimikatz and Mimikatz-based tools that steal passwords from Windows memory. We were pleased to even receive some malware from the wild that had not previously been scanned on VirusTotal.

Cryptominers

As a company of security experts in the blockchain space, it follows logically that artifacts with cryptomining malware would fall into our hands. These malware components are developed by profit-seeking hackers to take over a computer’s resources and use them to mine cryptocurrencies without the user’s permission.

Buenoware

We’re already recruiting some of the nice guys. There were multiple instances of artifacts that spread themselves and then install the security update that patches the very vulnerability they exploit. Most of these also remove themselves or leave a friendly “You’re welcome!” type message. Be careful, though; this type of malware is still technically illegal.

Poser Malware

Some of the craftiest submissions were not actual malware at all but still triggered a ClamAV signature, taking the concept of free NCT to another level. These crafty participants took a benign artifact and modified it so that it matched a ClamAV signature and the arbiter judged it malicious. Hopefully these security experts will be the ones to build engines in the PolySwarm market that can detect the same scheme run in the opposite direction: malware hiding as a benign file!

The Non-Malware

The 10 percent of submissions that were not malware were either empty, a random artifact, or cat pictures (obviously). Check out some of the many pictures submitted below!