Dissecting BetaBot
Raghav Pande, Researcher @ FireEye
Disclaimer
The Content, Demonstration, Source Code and Programs presented here are "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which I am currently working.
However, under no circumstances shall I or SecurityXploded be responsible for any damage or loss caused by use or misuse of the information presented here.
Content
Introduction
Static
Behavior
Anti R.E.
Injection
Hooking Methodology
Interesting Areas
Why Betabot?
Difficult to understand
No Cracked builder
No good Writeup
Super Duper Rootkit as Advertised
Complaint for Removal
Harassment for other Criminals
Information
Samples used can be downloaded from malwarenet.com
Betabot 1.7 was used
Bot was analyzed on Win7 SP1 64-bit
Required Tools: Ollydbg, Windbg, x64dbg, Ida Pro
Introduction
Typical Botnet but with good features
Botkiller
AV Killer
UAC SE trick
UserKit for x86/x64
Anti Bootkit
Usermode SandBox evasion
Proactive Defense
DnsBlocker/Redirect
File Search & Grab
Formgrabber for IE/FF/CH (x86 & x64) including SPDY grabber
Advert
Static
Throw wild binary in IDA
Unpacking
Unpacking 101: Throw in Olly
Bp @ ntdll!NtWriteVirtualMemory
Bp @ ntdll!NtResumeThread
Automate
Dump PE header
Place 0xEB 0xFE @ CreateProcessInternalW
No debugger usage
Automate
Attach Olly
Bp @ CreateProcessInternalW
Hit, Then Automate till ntdll!NtWriteVirtualMemory comes up
Unpacking stage2
Unpacking stage2: Random Routine & POI
Unpacking stage2: Last Routine & POI
Unpacking stage2: Et voilà
Behavior
Anti RE
FS:[0x30] + 2
DbgBreakPoint() = 0x90
Ntdll!NtQueryInformationProcess()
Ntdll!NtSetInformationThread()
Behavior
NtQueryInformationProcess
Note: [119f590] = address of ZwQuerySection
if [Ebp - 1] == 1 (debugger found): modify Fs:[0xc0] from Far jump 0x0033:0x7******* to ZwQuerySection
EIP result
Other aspects
Injection & Migration
CreateProcessInternalW(suspended)
CreateSection()
MapViewOfSection(), Unmap(), MapViewOfSection()
CreateSection(2)
MapViewOfSection(), Unmap(), MapViewOfSection(2)
ResumeThread()
ExitProcess()
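Detection-side counterpart to the call sequence above, as an added example that is not the author's or BetaBot's code: a small Python checker that walks a constructed API trace (the line format, pids and handles are made up here) and flags a parent that maps a section into a child it created suspended and then resumes that child.

```python
# Added example (not BetaBot's or the author's code): flag the slides' suspended-child,
# section-map, resume sequence in a constructed API trace, one call per line.
import re
from collections import defaultdict

# Constructed trace: first block mirrors the slide sequence, second is a benign
# suspended start with no remote section view (should not be flagged).
SAMPLE_TRACE = """\
pid=1200 CreateProcessInternalW child=2244 flags=CREATE_SUSPENDED
pid=1200 NtCreateSection handle=0x4c
pid=1200 NtMapViewOfSection section=0x4c target=2244
pid=1200 NtUnmapViewOfSection target=2244
pid=1200 NtMapViewOfSection section=0x4c target=2244
pid=1200 NtResumeThread target=2244
pid=1200 ExitProcess
pid=3100 CreateProcessInternalW child=3188 flags=CREATE_SUSPENDED
pid=3100 NtResumeThread target=3188
"""

LINE_RE = re.compile(r"pid=(\d+) (\w+)(.*)")

def parse(line):
    """Split "pid=<caller> <api> key=value ..." into (pid, api, {key: value})."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pid, api, rest = m.groups()
    return int(pid), api, dict(kv.split("=", 1) for kv in rest.split())

def detect_migration(trace):
    """Return (parent, child) pairs where a child created suspended received a
    section view from its parent and was then resumed (the migration pattern)."""
    suspended = defaultdict(set)  # parent -> children still suspended
    mapped = defaultdict(set)     # parent -> suspended children given a section view
    hits = []
    for line in trace.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        pid, api, args = parsed
        if api == "CreateProcessInternalW" and "CREATE_SUSPENDED" in args.get("flags", ""):
            suspended[pid].add(int(args["child"]))
        elif api == "NtMapViewOfSection" and int(args.get("target", pid)) in suspended[pid]:
            mapped[pid].add(int(args["target"]))  # remote view into a suspended child
        elif api == "NtResumeThread":
            target = int(args.get("target", pid))
            if target in mapped[pid]:
                hits.append((pid, target))  # code placed via section, then started
            suspended[pid].discard(target)
            mapped[pid].discard(target)
    return hits
```

On the constructed trace only the first parent is reported; the second creates a suspended child and resumes it without ever mapping a section into it, which is the pattern a debugger or launcher also produces.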
Hooks
How Normal Applications Hook and why
32bit system without hooks
32bit API on WOW64bit system without hooks
3 different areas of hooking in Betabot:
Hook @ KiFastSystemCall (strictly x86 Environment)
Hook @ Fs:[0xc0] (WOW64 handler for x86 API)
Hook @ 64Bit Api directly
32bit
Wow64
64bit Process
Explanation for 64bit handler
Interesting Areas
Queries?