Dissecting BetaBot
Raghav Pande, Researcher @ FireEye
Disclaimer
The content, demonstration, source code and programs presented here are provided "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or organization I am currently working for.
However, under no circumstances is either I or Cysinfo responsible for any damage or loss caused by use or misuse of the information presented here.
Content
- Introduction
- Static
- Behavior
- Anti R.E.
- Injection
- Hooking Methodology
- Interesting Areas
Why Betabot?
- Difficult to understand
- No cracked builder
- No good writeup
- "Super duper rootkit", as advertised
- Complaint for removal
- Harassment of other criminals
Information
- Samples used can be downloaded from malwarenet.com
- Betabot 1.7 was used
- Bot was analyzed on Win7 SP1 64-bit
- Required tools: OllyDbg, WinDbg, x64dbg, IDA Pro
Introduction
Typical botnet, but with good features:
- Botkiller
- AV killer
- UAC SE trick
- Userkit for x86/x64
- Anti-bootkit
- Usermode sandbox evasion
- Proactive defense
- DNS blocker/redirect
- File search & grab
- Formgrabber for IE/FF/CH (x86 & x64), including SPDY grabber
Advert
Static
Throw the in-the-wild binary into IDA
Unpacking
Unpacking 101: throw it in Olly
- Bp @ ntdll!NtWriteVirtualMemory
- Bp @ ntdll!NtResumeThread
- Automate
- Dump PE header
Unpacking (without starting under a debugger)
- Place 0xEB 0xFE @ CreateProcessInternalW (a two-byte jmp -2, i.e. a jump to itself, so the process spins in place when it reaches the call)
- No debugger usage
- Automate
- Attach Olly
- Bp @ CreateProcessInternalW
- Hit, then automate till ntdll!NtWriteVirtualMemory comes up
(After attaching, the two original bytes have to be restored before continuing, otherwise the thread keeps looping.)
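By the time the breakpoint at ntdll!NtResumeThread hits, the region the bot wrote into the child with NtWriteVirtualMemory holds the unpacked PE in memory layout (headers and sections at their RVAs), not in file layout, so a raw dump does not load cleanly in IDA. The script below is an added example, not the speaker's automation: it rewrites the section table of such a dump so PE tools read it as a file (PointerToRawData = VirtualAddress, SizeOfRawData = VirtualSize rounded up to SectionAlignment, FileAlignment raised to SectionAlignment) and optionally stamps in the ImageBase the bot was writing to. The two-section PE it builds for itself is constructed for the demonstration and is not a Betabot sample.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _headers(image):
    """Return (optional header offset, section table offset, section count)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = _u32(image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsec = _u16(image, e_lfanew + 6)        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = _u16(image, e_lfanew + 20)   # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24
    return opt, opt + opt_size, nsec


def sections(image):
    """(header offset, name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData) per section."""
    _, table, nsec = _headers(image)
    result = []
    for i in range(nsec):
        h = table + 40 * i
        name = image[h:h + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, h + 8)
        result.append((h, name, va, vsize, rawsize, rawptr))
    return result


def image_base(image):
    opt, _, _ = _headers(image)
    magic = _u16(image, opt)
    if magic == PE32_MAGIC:
        return _u32(image, opt + 28)
    if magic == PE32PLUS_MAGIC:
        return struct.unpack_from("<Q", image, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%x" % magic)


def unmap_image(image, new_base=None):
    """Turn a memory-layout image into file layout. Section bodies already sit at
    their RVAs, so only the headers change: raw offset/size follow the virtual ones
    and FileAlignment is raised to SectionAlignment so the raw offsets stay aligned."""
    out = bytearray(image)
    opt, _, _ = _headers(image)
    sect_align = _u32(image, opt + 32)
    struct.pack_into("<I", out, opt + 36, sect_align)
    for h, _name, va, vsize, _rawsize, _rawptr in sections(image):
        raw_size = (vsize + sect_align - 1) & ~(sect_align - 1)
        struct.pack_into("<II", out, h + 16, raw_size, va)
    if new_base is not None:   # the base address the bot passed to NtWriteVirtualMemory
        if _u16(image, opt) == PE32_MAGIC:
            struct.pack_into("<I", out, opt + 28, new_base)
        else:
            struct.pack_into("<Q", out, opt + 24, new_base)
    return bytes(out)


def build_sample_image():
    """Constructed two-section PE32 in memory layout for the demo (not a real sample)."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # COFF header, x86
    opt = 0x58
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 28, 0x00400000)                         # ImageBase
    struct.pack_into("<I", img, opt + 32, 0x1000)                             # SectionAlignment
    struct.pack_into("<I", img, opt + 36, 0x200)                              # FileAlignment
    struct.pack_into("<I", img, opt + 56, len(img))                           # SizeOfImage
    table = opt + 0xE0
    for i, (name, va, vsize, rawsize, rawptr) in enumerate(
            [(b".text", 0x1000, 0x120, 0x200, 0x400), (b".data", 0x2000, 0x40, 0x200, 0x600)]):
        h = table + 40 * i
        img[h:h + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, h + 8, vsize, va, rawsize, rawptr)
    img[0x1000:0x1003] = b"\x55\x8b\xec"                                      # push ebp; mov ebp, esp
    img[0x2000:0x2004] = b"DATA"
    return bytes(img)


if __name__ == "__main__":
    fixed = unmap_image(build_sample_image(), new_base=0x00B30000)
    for _h, name, va, vsize, rawsize, rawptr in sections(fixed):
        print("%-6s VA=%#07x VSize=%#05x Raw=%#07x RawSize=%#05x" % (name, va, vsize, rawptr, rawsize))
    print("ImageBase=%#x" % image_base(fixed))
```

Run it on a region dumped from the child at the NtResumeThread breakpoint (from its MZ header up to SizeOfImage) and pass the address the bot wrote to as new_base so absolute references resolve in IDA without a manual rebase.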
Unpacking stage 2
Unpacking stage 2: random routine & POI
Unpacking stage 2: last routine & POI
Unpacking stage 2: et voilà
Behavior: Anti-RE
- FS:[0x30] + 2 (PEB.BeingDebugged)
- DbgBreakPoint() patched to 0x90 (nop in place of the int 3, so the break an attaching debugger relies on never fires)
- ntdll!NtQueryInformationProcess()
- ntdll!NtSetInformationThread()
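The four checks on this slide, re-implemented with ctypes as an added example so the observable side of each is clear; this is not Betabot's code. It assumes Windows, as in the talk's Win7 SP1 setup, and on any other platform run_checks() returns None. The PEB address is taken from ProcessBasicInformation rather than FS:[0x30], since Python cannot read the segment register directly, but the BeingDebugged byte at offset 2 is the same one the bot reads. The DbgBreakPoint check reads the first byte of ntdll!DbgBreakPoint, which is int 3 (0xCC) on an unpatched system and 0x90 once the bot has patched it.

```python
import ctypes
import sys
from ctypes import POINTER, byref, c_long, c_size_t, c_ubyte, c_ulong, c_void_p, sizeof

PEB_BEING_DEBUGGED_OFFSET = 2      # FS:[0x30] -> PEB; the byte at +2 is BeingDebugged
PROCESS_BASIC_INFORMATION = 0      # NtQueryInformationProcess class (yields PebBaseAddress)
PROCESS_DEBUG_PORT = 7             # NtQueryInformationProcess class (non-zero while debugged)
THREAD_HIDE_FROM_DEBUGGER = 0x11   # NtSetInformationThread class
INT3, NOP = 0xCC, 0x90             # DbgBreakPoint starts with int 3; the bot writes a nop


class _PBI(ctypes.Structure):      # PROCESS_BASIC_INFORMATION
    _fields_ = [("ExitStatus", c_long), ("PebBaseAddress", c_void_p),
                ("AffinityMask", c_size_t), ("BasePriority", c_long),
                ("UniqueProcessId", c_size_t), ("InheritedFromUniqueProcessId", c_size_t)]


def _load():
    """ntdll/kernel32 entry points with prototypes; Windows only (ctypes.WinDLL)."""
    nt, k32 = ctypes.WinDLL("ntdll"), ctypes.WinDLL("kernel32")
    nt.NtQueryInformationProcess.restype = c_long
    nt.NtQueryInformationProcess.argtypes = [c_void_p, c_ulong, c_void_p, c_ulong, POINTER(c_ulong)]
    nt.NtSetInformationThread.restype = c_long
    nt.NtSetInformationThread.argtypes = [c_void_p, c_ulong, c_void_p, c_ulong]
    k32.GetCurrentProcess.restype = c_void_p
    k32.GetCurrentThread.restype = c_void_p
    return nt, k32.GetCurrentProcess(), k32.GetCurrentThread()


def peb_being_debugged(nt, hproc):
    """Same byte the bot reads through FS:[0x30]+2; the PEB address comes from the API here."""
    pbi = _PBI()
    status = nt.NtQueryInformationProcess(hproc, PROCESS_BASIC_INFORMATION, byref(pbi), sizeof(pbi), None)
    if status != 0:
        raise OSError("NtQueryInformationProcess(ProcessBasicInformation) -> %#x" % (status & 0xFFFFFFFF))
    return c_ubyte.from_address(pbi.PebBaseAddress + PEB_BEING_DEBUGGED_OFFSET).value == 1


def debug_port_present(nt, hproc):
    """ProcessDebugPort: the kernel returns a non-zero DWORD_PTR while a debugger is attached."""
    port = c_void_p(0)
    status = nt.NtQueryInformationProcess(hproc, PROCESS_DEBUG_PORT, byref(port), sizeof(port), None)
    if status != 0:
        raise OSError("NtQueryInformationProcess(ProcessDebugPort) -> %#x" % (status & 0xFFFFFFFF))
    return bool(port.value)


def dbgbreakpoint_first_byte(nt):
    """0xCC on a clean ntdll; 0x90 means the int 3 was already patched out (the bot's trick)."""
    addr = ctypes.cast(nt.DbgBreakPoint, c_void_p).value
    return c_ubyte.from_address(addr).value


def hide_thread_from_debugger(nt, hthread):
    """ThreadHideFromDebugger: the calling thread stops delivering debug events."""
    return nt.NtSetInformationThread(hthread, THREAD_HIDE_FROM_DEBUGGER, None, 0) == 0


def run_checks():
    """Run all four checks in the current process; None outside Windows."""
    if sys.platform != "win32":
        return None
    nt, hproc, hthread = _load()
    return {
        "peb_being_debugged": peb_being_debugged(nt, hproc),
        "debug_port": debug_port_present(nt, hproc),
        "dbgbreakpoint_patched": dbgbreakpoint_first_byte(nt) != INT3,
        "thread_hidden": hide_thread_from_debugger(nt, hthread),
    }


if __name__ == "__main__":
    print(run_checks())
```

Running this under OllyDbg shows the first two checks flip to True, which is exactly what the bot tests before deciding to derail the FS:[0xC0] transition; the DbgBreakPoint byte reads 0x90 only in a process the bot has already patched.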
Behavior: NtQueryInformationProcess
Note: [119f590] holds the address of ZwQuerySection. If [ebp-1] == 1 (debugger found), the bot overwrites FS:[0xC0], the WOW64 entry that 32-bit system calls go through and that normally holds the far jump 0x0033:0x7*******, with ZwQuerySection, so the next system call made through it lands in ZwQuerySection instead of the 64-bit handler.
Behavior: EIP result
Behavior: other aspects
Injection & Migration
- CreateProcessInternalW (suspended)
- CreateSection()
- MapViewOfSection(), Unmap(), MapViewOfSection()
- CreateSection(2)
- MapViewOfSection(), Unmap(), MapViewOfSection(2)
- ResumeThread()
- ExitProcess()
The payload reaches the suspended child through section objects rather than WriteProcessMemory: each section is mapped, unmapped and mapped a second time (the usual pattern being one view in the injector to fill it and one in the child), the child's thread is resumed, and the original process exits.
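The sequence above leaves a usable trace for detection: a child created suspended, a section view mapped into that child, then a thread resumed in it. The script below is an added example (not from the talk) that runs this logic over a constructed API-call trace. The line format `pid api key=value ...`, the field names (flags, child_pid, section, target_pid) and the sample lines are assumptions made for the demonstration, not any real sandbox's output, and the pids and handles are made up.

```python
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x4   # dwCreationFlags bit the bot sets on the child

# Constructed trace in an assumed "pid api key=value ..." format; pids/handles are made up.
SAMPLE_TRACE = """\
1001 CreateProcessInternalW image=C:\\Windows\\explorer.exe flags=0x00000004 child_pid=2044
1001 NtCreateSection section=0x1a8 protect=0x40 size=0x2c000
1001 NtMapViewOfSection section=0x1a8 target_pid=1001 base=0x00120000
1001 NtUnmapViewOfSection target_pid=1001 base=0x00120000
1001 NtMapViewOfSection section=0x1a8 target_pid=2044 base=0x00400000
1001 NtCreateSection section=0x1b0 protect=0x40 size=0x1000
1001 NtMapViewOfSection section=0x1b0 target_pid=1001 base=0x00150000
1001 NtUnmapViewOfSection target_pid=1001 base=0x00150000
1001 NtMapViewOfSection section=0x1b0 target_pid=2044 base=0x00430000
1001 NtResumeThread target_pid=2044
1001 ExitProcess
3000 CreateProcessInternalW image=C:\\Windows\\notepad.exe flags=0x00000000 child_pid=3100
3000 NtCreateSection section=0x5c protect=0x04 size=0x10000
3000 NtMapViewOfSection section=0x5c target_pid=3000 base=0x00200000
3000 NtResumeThread target_pid=3100
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s*(.*)$")


def parse_trace(text):
    """Return (pid, api, args) tuples; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        events.append((int(m.group(1)), m.group(2), args))
    return events


def find_section_injections(events):
    """Flag pid pairs where the injector created the child suspended, mapped at least one
    section view into it, and then resumed a thread there. Returns
    [(injector_pid, child_pid, sections_mapped_into_child, sections_first_staged_locally)]."""
    suspended = defaultdict(set)                     # injector -> children created suspended
    staged = defaultdict(set)                        # injector -> sections it mapped into itself
    remote = defaultdict(lambda: defaultdict(set))   # injector -> child -> sections mapped in
    alerts = []
    for pid, api, a in events:
        if api == "CreateProcessInternalW" and int(a.get("flags", "0"), 16) & CREATE_SUSPENDED:
            suspended[pid].add(int(a["child_pid"]))
        elif api == "NtMapViewOfSection":
            target = int(a["target_pid"])
            if target == pid:
                staged[pid].add(a["section"])
            elif target in suspended[pid]:
                remote[pid][target].add(a["section"])
        elif api == "NtResumeThread":
            target = int(a["target_pid"])
            secs = remote[pid].get(target, set())
            if secs:
                alerts.append((pid, target, len(secs), len(secs & staged[pid])))
    return alerts


if __name__ == "__main__":
    for injector, child, n, n_staged in find_section_injections(parse_trace(SAMPLE_TRACE)):
        print("pid %d mapped %d section(s) (%d staged locally first) into suspended child %d, then resumed it"
              % (injector, n, n_staged, child))
```

The benign pid 3000 in the sample creates its child without CREATE_SUSPENDED and only maps a section into itself, so it produces no alert; the key signal is a view of the same section appearing in a child that has not yet run, followed by the resume.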
Hooks: how normal applications hook, and why
Hooks: 32-bit system without hooks
Hooks: 32-bit API on a WOW64 system, without hooks
Hooks: 3 different areas of hooking in Betabot
- Hook @ KiFastSystemCall (strictly x86 environment: the shared sysenter stub every ntdll system call passes through)
- Hook @ FS:[0xC0] (WOW64 handler for x86 API: the 32-bit-to-64-bit transition every 32-bit system call goes through)
- Hook @ 64-bit API directly
Hooks: 32-bit
Hooks: WOW64
Hooks: 64-bit process
Hooks: explanation for the 64-bit handler
Interesting Areas
References
- blog.gdatasoftware.com
- kernelmode.info
Queries?