Technical Workshop - Win32/Georbot Analysis

Upload: positive-hack-days

Posted on 28-Jun-2015


TRANSCRIPT

Page 1: Technical Workshop - Win32/Georbot Analysis

Page 2: Introduction

• Based in Montreal
• Studies in computer engineering at Ecole Polytechnique
• Malware analysis
• Focus on investigation and understanding trends

Page 3: Labs' Objectives

• Gain hands-on knowledge of malware analysis
  • Obfuscation
  • Persistence
  • C&C traffic
• This case is *NOT* cutting edge, but it is a good summary of common things we see nowadays

Page 4: Win32/Georbot

• One of our analysts reported an interesting string in a binary (.gov.ge)
• We started the investigation thinking it was time sensitive; it involved 3 people for 3 days
• Interesting features
  • Document stealing
  • Audio / video capture
  • Etc.

Page 5: Win32/Georbot

• Further analysis showed thousands of variants
• We were able to track the evolution of the features
• Track AV evasion techniques

Page 6: Win32/Georbot

Page 7: Technical Workshop - Win32/Georbot Analysis

Page 8: Workshop Outline

1. Data obfuscation
2. Control flow obfuscation
3. API call obfuscation
4. Answer basic malware analysis questions
5. C&C network protocol

Page 9: Tools Required

1. IDA 6.x (you can use the demo)
2. Python interpreter with some modules for a web server
3. Immunity Debugger / OllyDbg

Page 10: IDA Python

• Automate repetitive tasks in IDA
  • Read data (Byte, Word, Dword, etc.)
  • Change data (PatchByte, PatchWord, PatchDword, etc.)
  • Add comments (MakeComm)
  • Add cross references
  • User interaction
  • Etc.

Page 11: Data Obfuscation

• Where's all my data?!
• Debug the malware (in a controlled environment): do you see something appear? (0x407afb)
• What happened? Find the procedure which decodes the data
• Understand the obfuscation
• Implement deobfuscation with IDA Python

Page 12: Data Obfuscation
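Added example (not from the workshop slides or ESET's own scripts): the read / decode / patch / comment loop that the Data Obfuscation exercise asks for, written as an IDA Python-style script. The encoding scheme (a rolling single-byte XOR), the address, the size and the key are assumed placeholders; the real routine recovered from the decoder procedure found while debugging replaces decode_blob(). Outside IDA the same logic runs against an in-memory image with a constructed sample, so the workflow can be exercised offline.

```python
"""
Deobfuscation helper in the shape of an IDA Python script: read the
encoded bytes, decode them, patch the result back into the IDB and
leave a comment so the string is visible in the listing.

Added example, not the workshop's script.  The encoding (a rolling
single-byte XOR, key_i = (key + i) & 0xFF) is an ASSUMED stand-in for
whatever routine the analyst recovers from the decoder procedure;
replace decode_blob() with the real algorithm.  The IDA calls are only
made inside IDA; elsewhere the same logic runs against an in-memory
image so the workflow can be exercised offline.
"""
try:
    import idc          # IDA 7.x API; IDA 6.x used Byte/PatchByte/MakeComm
    import ida_bytes
    IN_IDA = True
except ImportError:     # plain Python interpreter
    IN_IDA = False


def decode_blob(blob: bytes, key: int) -> bytes:
    """ASSUMED scheme: byte_i ^ ((key + i) & 0xFF).  XOR is its own
    inverse, so the same function also builds the constructed sample."""
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(blob))


class MemoryImage:
    """Stand-in for the IDB when running outside IDA."""
    def __init__(self, base: int, data: bytes):
        self.base, self.data, self.comments = base, bytearray(data), {}

    def get_bytes(self, ea: int, size: int) -> bytes:
        off = ea - self.base
        return bytes(self.data[off:off + size])

    def patch_bytes(self, ea: int, buf: bytes) -> None:
        off = ea - self.base
        self.data[off:off + len(buf)] = buf

    def set_cmt(self, ea: int, text: str) -> None:
        self.comments[ea] = text


class IdaImage:
    """Same interface backed by the real IDB (only usable inside IDA)."""
    def get_bytes(self, ea, size):
        return idc.get_bytes(ea, size)

    def patch_bytes(self, ea, buf):
        ida_bytes.patch_bytes(ea, buf)

    def set_cmt(self, ea, text):
        idc.set_cmt(ea, text, 0)


def deobfuscate_region(img, ea: int, size: int, key: int) -> bytes:
    """Decode `size` bytes at `ea`, write them back and annotate the start."""
    plain = decode_blob(img.get_bytes(ea, size), key)
    img.patch_bytes(ea, plain)
    shown = plain.split(b"\x00", 1)[0].decode("latin-1")
    img.set_cmt(ea, "decoded (key=0x%02X): %r" % (key, shown))
    return plain


def demo_offline():
    """Constructed sample: one encoded NUL-terminated string at 0x41F000."""
    key, ea = 0x5A, 0x41F000
    secret = b"config.dat\x00"                        # constructed plaintext
    img = MemoryImage(ea, decode_blob(secret, key))   # what the IDB would hold
    before = img.get_bytes(ea, len(secret))
    plain = deobfuscate_region(img, ea, len(secret), key)
    return before, plain, img.comments[ea]


if __name__ == "__main__":
    if IN_IDA:
        # ASSUMED placeholders: take ea/size/key from the decoder's call sites.
        deobfuscate_region(IdaImage(), 0x41F000, 0x40, 0x5A)
    else:
        print(demo_offline())
```

Keeping the IDB access behind a two-method interface is what makes the decoder testable on the analyst's workstation before it touches the database: the same script runs under the plain interpreter from the Tools Required slide and under IDA, and only the second actually patches bytes.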

Page 13: Control Flow Obfuscation

Page 14: Control Flow Obfuscation

• Identify common obfuscation patterns
• Find a straightforward replacement
• Implement the substitutions with IDA Python
• Reanalyze the program: does it look better?

Page 15: Control Flow Obfuscation

Obfuscated                                  Deobfuscated
push <addr>; ret                            jmp <addr>
push <addr>; call <target>                  jmp <addr>
  (the callee will return to <addr>)
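Added example (not from the workshop slides): the two substitutions in the table above applied to raw 32-bit x86 bytes, the way an IDA Python patching script would do it. The sample bytes are constructed, not taken from the Georbot binary, and the scan is a linear byte scan so it runs offline; inside IDA you would walk idautils.Heads() and read/write with idc.get_bytes / ida_bytes.patch_bytes instead.

```python
"""
Control-flow deobfuscation by pattern substitution on raw 32-bit x86
bytes, implementing the two rewrites from the table above:

    push <addr> ; ret            ->  jmp <addr>
    push <addr> ; call <target>  ->  jmp <addr>   (callee returns to <addr>)

Added example, not the workshop's script.  The push/call rewrite is only
sound where the callee really does return to the pushed address, which is
what the table states for this sample; confirm it in the debugger before
enabling it.  Replacements are NOP-padded to the original length so no
following address moves.  A raw byte scan can misfire on a 0x68 byte that
sits inside data or a longer instruction; inside IDA, iterate
idautils.Heads() so only real instruction starts are examined.
"""
import struct

PUSH_IMM32, RET, CALL_REL32, JMP_REL32, NOP = 0x68, 0xC3, 0xE8, 0xE9, 0x90


def encode_jmp(ea: int, target: int, total_len: int) -> bytes:
    """jmp rel32 at `ea` to `target`, padded with NOPs to `total_len`."""
    rel = (target - (ea + 5)) & 0xFFFFFFFF
    return bytes([JMP_REL32]) + struct.pack("<I", rel) + bytes([NOP]) * (total_len - 5)


def find_patterns(code: bytes, base: int):
    """Yield (ea, length, pushed_addr, kind) for every match."""
    i = 0
    while i + 6 <= len(code):
        if code[i] == PUSH_IMM32:
            addr = struct.unpack_from("<I", code, i + 1)[0]
            nxt = i + 5
            if code[nxt] == RET:
                yield base + i, 6, addr, "push/ret"
                i += 6
                continue
            if code[nxt] == CALL_REL32 and nxt + 5 <= len(code):
                yield base + i, 10, addr, "push/call"
                i += 10
                continue
        i += 1


def deobfuscate(code: bytes, base: int, rewrite_push_call: bool = True):
    """Return (patched_code, patches); each patch is (ea, kind, target),
    which is what you would turn into an IDB comment with idc.set_cmt."""
    out, patches = bytearray(code), []
    for ea, length, addr, kind in find_patterns(code, base):
        if kind == "push/call" and not rewrite_push_call:
            continue
        off = ea - base
        out[off:off + length] = encode_jmp(ea, addr, length)
        patches.append((ea, kind, addr))
    return bytes(out), patches


# Constructed sample at 0x401000 (not bytes from the Georbot binary):
#   push 0x402000 ; ret            -> jmp 0x402000
#   xor eax, eax                   (left alone)
#   push 0x402010 ; call <target>  -> jmp 0x402010
#   ret
SAMPLE = bytes.fromhex("68 00 20 40 00 C3 "
                       "33 C0 "
                       "68 10 20 40 00 E8 05 00 00 00 "
                       "C3")

if __name__ == "__main__":
    patched, patches = deobfuscate(SAMPLE, 0x401000)
    for ea, kind, target in patches:
        print("%08X  %-9s -> jmp %08X" % (ea, kind, target))
    print(patched.hex())
```

After patching, re-running IDA's analysis on the function (the "does it look better?" step) lets it follow the new jmp edges, so the basic blocks that were hidden behind push/ret are merged back into the graph.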

Page 16: API Call Obfuscation

• Where are all my API calls?
• Find and understand the hashing function
• Brute force the API calls and add comments to the IDB using IDA Python

Page 17: API Hashing Function

Page 18: Let's understand what's going on!

• Can multiple instances of the malware run at the same time?
• Is the malware persistent? How?
• What is the command and control server?
• What is the update mechanism for binaries?
• Is there a C&C fallback mechanism?

Page 19: Additional work

• Write a detection mechanism for an infected system
• Implement a cleaner for this malware
  • Kill the process
  • Remove persistence
• At what time interval does the malware probe its C&C server?

Page 20: Technical Workshop - Win32/Georbot Analysis

0x403AFD - cpuid

http://en.wikipedia.org/wiki/CPUID

Page 21: C&C Protocol Analysis

• What is the chain of events in the communication?
• What information is provided by the bot?
• What type of answer is the bot expecting?
• What are the different actions?

Page 22: C&C Commands

Constant (as printed by IDA)   Command
0A029h                         find
1675h                          dir
0A8FEh                         load?
22C4C1h                        upload
42985                          main?
0A866h                         list?
1175972831                     upload_dir
9C9Ch                          ddos
0B01Dh                         scan
47154                          word
2269271                        system
9FCCh                          dump
310946                         photo
440F6h, 18FEh                  rdp
4F5BBh                         video
3D0BD7C6h                      screenshot
741334016                      password
0DA8B3Ch                       history

(A trailing "?" marks a command name the workshop was not sure of.)
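Added example (not from the workshop slides): turning the constants above into a dispatch table for the C&C Protocol Analysis exercise. The values are copied exactly as IDA printed them on the slide (MASM-style hex mixed with decimal, two constants on the rdp line, a "?" where the name was uncertain). The function that maps a command string to these constants is not shown on the slide, so this example only normalises the literals and resolves incoming constants against them.

```python
"""
Building the bot's command dispatch table from the constants above.

Added example, not the workshop's code.  The values are copied exactly as
IDA printed them on the slide: MASM-style hex (`0A029h`) mixed with plain
decimal (`42985`), two constants on the `rdp` line, and a `?` where the
workshop was unsure of the name.  The hash that turns a command string
into these values is not shown on the slide, so this only normalises the
literals and resolves incoming constants against them; the `?` is kept
so the uncertainty stays visible in any comment written to the IDB.
"""
import re

SLIDE_TABLE = """
0A029h ; find
1675h ; dir
0A8FEh ; load?
22C4C1h ; upload
42985 ; main?
0A866h ; list?
1175972831 ; upload_dir
9C9Ch ; ddos
0B01Dh ; scan
47154 ; word
2269271 ; system
9FCCh ; dump
310946 ; photo
440F6h 18FEh ; rdp
4F5BBh ; video
3D0BD7C6h ; screenshot
741334016 ; password
0DA8B3Ch ; history
"""

_MASM_HEX = re.compile(r"^0?([0-9A-Fa-f]+)h$")


def parse_masm_int(tok: str) -> int:
    """IDA/MASM literal -> int: `0A029h` -> 0xA029, `1675h` -> 0x1675,
    `42985` -> 42985.  The leading `0` on hex is only a disambiguator."""
    m = _MASM_HEX.match(tok)
    if m:
        return int(m.group(1), 16)
    if tok.isdigit():
        return int(tok)
    raise ValueError("not a MASM literal: %r" % tok)


def parse_table(text: str):
    """Return (by_hash, by_name): by_hash maps constant -> command name,
    by_name maps name -> [constants] (rdp has two)."""
    by_hash, by_name = {}, {}
    for line in text.splitlines():
        if ";" not in line:
            continue
        values, name = line.split(";", 1)
        name = name.strip()
        for tok in values.split():
            h = parse_masm_int(tok)
            if h in by_hash and by_hash[h] != name:
                raise ValueError("constant %#x used for %r and %r" % (h, by_hash[h], name))
            by_hash[h] = name
            by_name.setdefault(name, []).append(h)
    return by_hash, by_name


def resolve_command(value: int, by_hash):
    """Map a 32-bit command constant received from the C&C to its name.
    None means unknown, which is worth logging when replaying traffic
    against the bot: it is either a new command or a parsing mistake."""
    return by_hash.get(value & 0xFFFFFFFF)


if __name__ == "__main__":
    by_hash, by_name = parse_table(SLIDE_TABLE)
    for h, name in sorted(by_hash.items()):
        print("%08X  %s" % (h, name))
```

The same by_hash dictionary is what a fake C&C server (the web-server modules listed under Tools Required) would use to log which action a replayed response is asking the bot to perform, and what an IDA script would use to comment the compare against each constant in the dispatch routine.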

Page 23: FALLBCK.com

• What is this DNS query?
• What can we do with it?

Page 24: Technical Workshop - Win32/Georbot Analysis

Page 25: GUID

• What is at 0x0040A03D, and how is it used in the program?

Page 26: Conclusions

• The set of questions to answer is often similar.
• Don't focus on details; remember your objective, it's easy to get lost.
• A mix of dynamic and static analysis is often the best solution for a quick understanding of a new malware family.

Page 27: Technical Workshop - Win32/Georbot Analysis

Thank You