Dissecting BetaBotRaghav PandeResearcher @ FireEye

Disclaimer

The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which i am currently working.

However in no circumstances neither me nor Cysinfo is responsible for any damage or loss caused due to use or misuse of the information presented here.

ContentIntroductionStaticBehavior

Anti R.E.Injection

Hooking MethodologyInteresting Areas

Why Betabot?Difficult to understandNo Cracked builderNo good WriteupSuper Duper Rootkit as AdvertisedComplaint for RemovalHarassment for other Criminals

InformationSamples used can be downloaded from malwarenet.comBetabot 1.7 was usedBot was analyzed on Win7 Sp1 64bitRequired Tools: Ollydbg, Windbg, x64dbg, Ida Pro

IntroductionTypical Botnet but with good featuresBotkillerAV KillerUAC SE trickUserKit for x86/x64Anti BootkitUsermode SandBox evasionProactive DefenseDnsBlocker/RedirectFile Search & GrabFormgrabber for IE/FF/CH (x86 & x64) including SPDY grabber

Advert

StaticThrow Wild binary in IDA

UnpackingUnpacking 101: Throw in Olly

Bp @ ntdll!NtWriteVirtualMemory

Bp @ ntdll!NtResumeThread

AutomateDump PE header

Unpacking

UnpackingPlace 0xEb 0xFe @ CreateProcessInternalWNo debugger usageAutomateAttach OllyBp @ CreateProcessInternalWHit, Then Automate till ntdll!NtWriteVirtualMemory comes up

Unpacking

Unpacking

Unpacking stage2

Unpacking stage2Random Routine & POI

Unpacking stage2Last Routine & POI

Unpacking Stage2 Et' Voila

BehaviorAnti RE

FS:[0x30] + 2DbgBreakPoint() = 0x90Ntdll!NtQueryInformationProcess()Ntdll!NtSetInformationThread()

BehaviorNtQueryInformationProcess

BehaviorNtQueryInformationProcess

Note: [119f590] = address of ZwQuerySectionif [Ebp - 1] == 1 (debugger found)modify Fs:[0xc0] from Far jump 0x0033:0x7*******to ZwQuerySection

BehaviorEIP result

BehaviorOther aspects

Injection & MigrationCreateProcessInternalW(suspended)CreateSection()MapViewOfSection(), Unmap(), MapViewOfSection()CreateSection(2)MapViewOfSection(), Unmap(), MapViewOfSection(2)ResumeThread()ExitProcess()

Injection & Migration

Injection & Migration

Injection & Migration

Injection & Migration

Injection & Migration

Injection & Migration

Injection & Migration

Injection & Migration

Injection & Migration

Injection & Migration

HooksHow Normal Applications Hook and why

Hooks32bit system without hooks

Hooks32bit API on WOW64bit system

without hooks

Hooks3 different areas of hooking in Betabot

Hook @ KiFastSystemCall (strictly x86 Environment)Hook @ Fs:[0xc0] (WOW64 handler for x86 API)Hook @ 64Bit Api directly

Hooks32bit

HooksWow64

Hooks64bit Process

Hooks

Explanation for 64bit handler

Interesting Areas

Interesting Areas

Interesting Areas

Interesting Areas

Interesting Areas

Interesting Areas

Interesting Areas

Interesting Areas

Interesting Areas

Interesting Areas

Referencesblog.gdatasoftware.comkernelmode.info

Queries?