Dissecting BetaBot

Post on 22-Apr-2015




DESCRIPTION

Presented by Raghav Pande at our quarterly cyber security meet. Visit http://www.securitytrainings.net for more information.

TRANSCRIPT

Dissecting BetaBot

Raghav Pande, Researcher @ FireEye

Disclaimer

The Content, Demonstration, Source Code and Programs presented here are "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which I am currently working.

However, neither I nor SecurityXploded is under any circumstances responsible for any damage or loss caused by use or misuse of the information presented here.

Content

Introduction

Static

Behavior

Anti R.E.

Injection

Hooking Methodology

Interesting Areas

Why Betabot?

Difficult to understand

No Cracked builder

No good Writeup

Super Duper Rootkit as Advertised

Complaint for Removal

Harassment for other Criminals

Information

Samples used can be downloaded from malwarenet.com

Betabot 1.7 was used

Bot was analyzed on Win7 Sp1 64bit

Required Tools: OllyDbg, WinDbg, x64dbg, IDA Pro

Introduction: Typical botnet but with good features

Botkiller

AV Killer

UAC SE trick

UserKit for x86/x64

Anti Bootkit

Usermode SandBox evasion

Proactive Defense

DnsBlocker/Redirect

File Search & Grab

Formgrabber for IE/FF/CH (x86 & x64) including SPDY grabber

Advert

Static: Throw wild binary in IDA

Unpacking

Unpacking 101: Throw in Olly

Bp @ ntdll!NtWriteVirtualMemory

Bp @ ntdll!NtResumeThread

Automate

Dump PE header


Place 0xEB 0xFE @ CreateProcessInternalW

No debugger usage

Automate

Attach Olly

Bp @ CreateProcessInternalW

Hit, then automate till ntdll!NtWriteVirtualMemory comes up


Unpacking stage2

Unpacking stage2: Random routine & POI

Unpacking stage2: Last routine & POI

Unpacking stage2: Et voilà

Behavior

Anti RE

FS:[0x30] + 2

DbgBreakPoint() = 0x90

Ntdll!NtQueryInformationProcess()

Ntdll!NtSetInformationThread()

Behavior: NtQueryInformationProcess

Note: [119f590] = address of ZwQuerySection

if [ebp - 1] == 1 (debugger found): modify FS:[0xC0] from far jump 0x0033:0x7******* to ZwQuerySection

Behavior: EIP result

Behavior: Other aspects

Injection & Migration

CreateProcessInternalW(suspended)

CreateSection()

MapViewOfSection(), Unmap(), MapViewOfSection()

CreateSection(2)

MapViewOfSection(), Unmap(), MapViewOfSection(2)

ResumeThread()

ExitProcess()
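The call sequence above (suspended CreateProcessInternalW, section create/map/unmap/map, ResumeThread, ExitProcess) is exactly what a sandbox or EDR API trace records, so it is a usable detection signature. The Python below is an added example and not code from the talk: it parses a constructed API trace in a simple `pid api(args) -> results` style and flags any process that creates a suspended child, maps at least one section into it and then resumes it. The trace format, handle values, addresses and function names are assumptions; only CREATE_SUSPENDED (0x4) is a real Win32 constant.

```python
"""Flag the suspended-create / section-map / resume injection pattern in an API trace.

Added example (not from the talk). The trace format, handle values and
function names below are assumptions; only CREATE_SUSPENDED is a real
Win32 constant.
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit: child starts with its main thread suspended

# Constructed sample traces in a "pid api(args) -> results" style (not real sandbox output).
HOLLOWING_TRACE = """\
1234 CreateProcessInternalW(lpApplicationName="C:\\Windows\\explorer.exe", dwCreationFlags=0x4) -> hProcess=0x88, hThread=0x8c
1234 NtCreateSection(hSection=0x90, MaximumSize=0x20000)
1234 NtMapViewOfSection(hSection=0x90, hProcess=0xffffffff) -> BaseAddress=0x400000
1234 NtUnmapViewOfSection(hProcess=0x88, BaseAddress=0xe0000)
1234 NtMapViewOfSection(hSection=0x90, hProcess=0x88) -> BaseAddress=0xe0000
1234 NtCreateSection(hSection=0x94, MaximumSize=0x1000)
1234 NtMapViewOfSection(hSection=0x94, hProcess=0xffffffff) -> BaseAddress=0x430000
1234 NtUnmapViewOfSection(hProcess=0x88, BaseAddress=0x100000)
1234 NtMapViewOfSection(hSection=0x94, hProcess=0x88) -> BaseAddress=0x100000
1234 NtResumeThread(hThread=0x8c)
1234 ExitProcess(uExitCode=0)
"""

BENIGN_TRACE = """\
4321 CreateProcessInternalW(lpApplicationName="C:\\Windows\\notepad.exe", dwCreationFlags=0x0) -> hProcess=0xa0, hThread=0xa4
4321 NtCreateSection(hSection=0xa8, MaximumSize=0x1000)
4321 NtMapViewOfSection(hSection=0xa8, hProcess=0xffffffff) -> BaseAddress=0x500000
5555 CreateProcessInternalW(lpApplicationName="C:\\Windows\\cmd.exe", dwCreationFlags=0x4) -> hProcess=0xb0, hThread=0xb4
5555 NtResumeThread(hThread=0xb4)
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|0x[0-9a-fA-F]+|\d+)')


def parse_trace(text):
    """Yield (pid, api, args) per line; args merges call arguments and '->' results."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = {}
        for k, v in KV_RE.findall(m.group("rest")):
            args[k] = v.strip('"') if v.startswith('"') else int(v, 0)
        yield int(m.group("pid")), m.group("api"), args


def find_section_hollowing(text):
    """Return {pid: details} for processes that create a suspended child,
    map at least one section into it and then resume it."""
    by_pid = defaultdict(list)
    for pid, api, args in parse_trace(text):
        by_pid[pid].append((api, args))

    findings = {}
    for pid, calls in by_pid.items():
        target = None            # handle of the suspended child, once seen
        sections = remote_maps = 0
        unmapped = resumed = False
        for api, args in calls:
            if target is None:
                if api == "CreateProcessInternalW" and args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                    target = args.get("hProcess")
                continue
            if api == "NtCreateSection":
                sections += 1
            elif api == "NtUnmapViewOfSection" and args.get("hProcess") == target:
                unmapped = True      # original image being pulled out of the child
            elif api == "NtMapViewOfSection" and args.get("hProcess") == target:
                remote_maps += 1     # a section mapped into the child
            elif api == "NtResumeThread" and remote_maps:
                resumed = True       # child resumed after its memory was replaced
                break
        if resumed:
            findings[pid] = {"sections": sections, "remote_maps": remote_maps,
                             "unmapped_target": unmapped}
    return findings


if __name__ == "__main__":
    print(find_section_hollowing(HOLLOWING_TRACE))
    print(find_section_hollowing(BENIGN_TRACE))
```

The benign trace covers the two easy false positives: a non-suspended child that the parent maps sections into locally, and a suspended child that is resumed without any section being mapped into it. Matching on NtMapViewOfSection against the child handle rather than on WriteProcessMemory is the point of this variant, since the section-based hollowing shown in the talk never writes the payload with NtWriteVirtualMemory.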


Hooks

How Normal Applications Hook and why

Hooks

32bit system without hooks

Hooks

32bit API on WOW64bit system without hooks

Hooks

Hooks: 3 different areas of hooking in Betabot

Hook @ KiFastSystemCall (strictly x86 environment)

Hook @ Fs:[0xc0] (WOW64 handler for x86 API)

Hook @ 64Bit Api directly
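The three hook points listed above are also the three places a defender can check for tampering, and the Behavior slides show BetaBot redirecting the FS:[0xC0] pointer away from the far jump when it detects a debugger. The Python below is an added example, not code from the talk: it validates the 7-byte far jmp that FS:[0xC0] points at on WOW64 (opcode EA, a 32-bit target inside wow64cpu.dll, code selector 0x33), the x86 KiFastSystemCall prologue (mov edx,esp / sysenter / ret) and the 64-bit Nt* syscall stub prefix (mov r10,rcx / mov eax,imm32), and names the kind of redirect stub it finds otherwise. The expected byte patterns are Win7-era and stated as assumptions; the module base and the byte snapshots are constructed and would in practice be read from the inspected process.

```python
"""Integrity checks for the three hook points the talk lists.

Added example (not from the talk). Expected prologues are Win7-era
assumptions; the module range and byte snapshots are constructed.
"""
import struct
from dataclasses import dataclass

WOW64_CODE_SELECTOR = 0x33                                # selector in the x86 -> x64 far jmp
KIFASTSYSTEMCALL_EXPECTED = bytes.fromhex("8bd40f34c3")   # mov edx,esp ; sysenter ; ret
X64_SYSCALL_STUB_PREFIX = bytes.fromhex("4c8bd1b8")       # mov r10,rcx ; mov eax,imm32


@dataclass(frozen=True)
class ModuleRange:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def classify_redirect(code: bytes) -> str:
    """Name the control-transfer stub at the start of `code`, or 'none'."""
    if code[:1] == b"\xe9":                              # jmp rel32
        return "jmp_rel32"
    if code[:2] == b"\xff\x25":                          # jmp [abs32] / jmp [rip+disp32]
        return "jmp_indirect"
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":     # push imm32 ; ret
        return "push_ret"
    if code[:1] == b"\xea":                              # far jmp ptr16:32
        return "far_jmp"
    return "none"


def check_wow64_transition(stub: bytes, wow64cpu: ModuleRange) -> str:
    """Validate the stub FS:[0xC0] points at: EA <target32> <selector16>."""
    kind = classify_redirect(stub)
    if kind != "far_jmp" or len(stub) < 7:
        return f"not a far jmp (stub kind: {kind})"
    target, selector = struct.unpack_from("<IH", stub, 1)
    if selector != WOW64_CODE_SELECTOR:
        return f"bad selector 0x{selector:x}"
    if not wow64cpu.contains(target):
        return f"target 0x{target:08x} outside {wow64cpu.name}"
    return "ok"


def check_kifastsystemcall(prologue: bytes) -> str:
    if prologue[:len(KIFASTSYSTEMCALL_EXPECTED)] == KIFASTSYSTEMCALL_EXPECTED:
        return "ok"
    return "hooked: " + classify_redirect(prologue)


def check_x64_syscall_stub(prologue: bytes) -> str:
    if prologue[:len(X64_SYSCALL_STUB_PREFIX)] == X64_SYSCALL_STUB_PREFIX:
        return "ok"
    return "hooked: " + classify_redirect(prologue)


def audit(snapshot: dict, wow64cpu: ModuleRange) -> dict:
    """snapshot maps each hook point to the bytes captured there."""
    return {
        "KiFastSystemCall": check_kifastsystemcall(snapshot["KiFastSystemCall"]),
        "FS:[0xC0]": check_wow64_transition(snapshot["FS:[0xC0]"], wow64cpu),
        "x64 Nt* stub": check_x64_syscall_stub(snapshot["x64 Nt* stub"]),
    }


# Constructed data: base address, clean stubs and tampered stubs are all made up.
WOW64CPU = ModuleRange("wow64cpu.dll", 0x74A60000, 0x8000)
CLEAN_FAR_JMP = b"\xea" + struct.pack("<IH", 0x74A62320, WOW64_CODE_SELECTOR)
# FS:[0xC0] repointed at a plain 32-bit Nt* stub (mov eax,imm32 ...), as on the Behavior slide
REPOINTED_TARGET = b"\xb8\x2b\x00\x00\x00\x33\xc9\x8d\x54\x24\x04"
CLEAN_SNAPSHOT = {
    "KiFastSystemCall": KIFASTSYSTEMCALL_EXPECTED + b"\x90\x90",
    "FS:[0xC0]": CLEAN_FAR_JMP,
    "x64 Nt* stub": X64_SYSCALL_STUB_PREFIX + b"\x23\x00\x00\x00\x0f\x05\xc3",
}
HOOKED_SNAPSHOT = {
    "KiFastSystemCall": b"\xe9\x00\x10\x00\x00",                   # inline jmp rel32
    "FS:[0xC0]": REPOINTED_TARGET,
    "x64 Nt* stub": b"\xff\x25\x00\x00\x00\x00" + b"\x00" * 8,     # jmp [rip+0]
}

if __name__ == "__main__":
    print(audit(CLEAN_SNAPSHOT, WOW64CPU))
    print(audit(HOOKED_SNAPSHOT, WOW64CPU))
```

Checking the selector and the target module, not just the opcode, matters: a hook can keep the EA opcode and move only the target, so an opcode-only comparison passes while execution still detours through attacker code before reaching wow64cpu.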

Hooks

32bit

Hooks: Wow64

Hooks

64bit Process

Hooks

Explanation for 64bit handler

Interesting Areas


References

blog.gdatasoftware.com

kernelmode.info

Queries?
