The competition objective is to modify, validate functionality, and submit 50 working malicious PE files to evade open source machine learning models provided by Endgame. The competition will demonstrate a white box attack, wherein participants will have access to each model’s parameters and source code. The modified malware samples will be uploaded onto the MRG Effitas platform and detonated in VMRay. VMRay’s technology ensures full visibility into malware behavior, monitoring every interaction between the malware and the system. Points will be awarded to participants based on how many samples bypass each machine learning model. In particular, for each functional modified malware sample, one point is awarded for each ML model that it bypasses. Ties will be broken by earliest submission time.
To qualify for the prize (an NVIDIA TITAN RTX), the winner must publish source code and a blog post detailing how they successfully updated the malware to evade the machine learning model.
- Maximum number of files in the ZIP: 50
- Beware of hidden files (.DS_store, files starting with .) created by macOS. Hint:Use command line zip to compress the files.
- Maximum ZIP size: 50 MB
- Maximum individual uncompressed file size: 5 MB
- Maximum uncompressed size for all file in the archive: 200 MB
- Filenames must exactly match those in the original ZIP file.
- Valid filenames: 001, ... 050
- Invalid filenames: 01, 002.exe, 003.dll, myexe.exe
- If you don't use the same filename, the system will not be able to identify which malware you modified.
- The filenames in the ZIP should not contain any directory names. Please compress the files without the directory name.
- To prevent DoS attacks on https://evademalwareml.io/, upload frequency limits will be enforced.
- One ZIP file every one (1) hour.
- Maximum 200 files sent to the sandbox per day.
- If the backend queue is full, it is possible your processing wait time may exceed 30 minutes. Please be patient.
- If you prefer to upload the files in a password protected ZIP file, use the password "infected" for your file.
- If you have already achieved a maximum bypass score for a given sample, there is no need to upload these samples with your new batch. Scores for each sample will be retained from a previous submission.
- The malware analysis sandbox is running Windows 10 x64. Ensure your modified malware sample will run on this platform prior to submission. While you may choose to try to evade the sandbox, it is not advised as it will result in a lower score.
Tips for modifying PE files
Valid file modifications (non-exhaustive)
- Append data to the end of the PE file
- Add or remove digital signature
- Pack the file (e.g. UPX or similar), dynamically unpacking the original sample into memory and running from memory
- Change section names
- Change section permissions
- Add, remove section
- Modify exported functions
- Modify imported functions
- Create TLS callback
- Change PE structure
- Change PE header data, corrupt it or fix corrupted data
- Add, modify or remove Versioninfo data (CompanyName, OriginalFilename, ...)
- Change code/data which does not affect the malware behavior
Invalid file modifications
- Droppers - the sandbox does not have Internet connection
- SFX - self extracting executable. Dropping the original (or slightly modified) malware sample on the disk is not a viable attack.
If you have any questions, run into any bugs or want to participate in the competition conversation, join our Slack workspace