Dissecting BetaBot
Raghav Pande, Researcher @ FireEye

Upload: securityxploded

Posted on 22-Apr-2015

DESCRIPTION

Presented by Raghav Pande at our quarterly cyber security meet. Visit http://www.securitytrainings.net for more information.

TRANSCRIPT

Page 1: Dissecting BetaBot

Dissecting BetaBot

Raghav Pande, Researcher @ FireEye

Page 2: Dissecting BetaBot

Disclaimer

The content, demonstrations, source code and programs presented here are provided "AS IS" without any warranty or conditions of any kind. Also, the views, ideas and knowledge expressed here are solely mine and have nothing to do with the company or organization for which I am currently working.

Under no circumstances are I or SecurityXploded responsible for any damage or loss caused by use or misuse of the information presented here.

Page 3: Dissecting BetaBot

Content

Introduction

Static

Behavior

Anti R.E.

Injection

Hooking Methodology

Interesting Areas

Page 4: Dissecting BetaBot

Why Betabot?

Difficult to understand

No Cracked builder

No good Writeup

Super Duper Rootkit as Advertised

Complaint for Removal

Harassment for other Criminals

Page 5: Dissecting BetaBot

Information

Samples used can be downloaded from malwarenet.com

Betabot 1.7 was used

Bot was analyzed on Win7 SP1 64-bit

Required tools: OllyDbg, WinDbg, x64dbg, IDA Pro

Page 6: Dissecting BetaBot

Introduction

Typical botnet, but with good features

Botkiller

AV Killer

UAC SE trick

UserKit for x86/x64

Anti Bootkit

Usermode SandBox evasion

Proactive Defense

DnsBlocker/Redirect

File Search & Grab

Formgrabber for IE/FF/CH (x86 & x64) including SPDY grabber

Page 7: Dissecting BetaBot

Advert

Page 8: Dissecting BetaBot

Page 9: Dissecting BetaBot

Static

Throw the wild binary in IDA

Page 10: Dissecting BetaBot

Unpacking

Unpacking 101: Throw it in Olly

Bp @ ntdll!NtWriteVirtualMemory

Bp @ ntdll!NtResumeThread

Automate

Dump PE header

Page 11: Dissecting BetaBot

Unpacking

Page 12: Dissecting BetaBot

Unpacking

Place 0xEB 0xFE (a `jmp $` self-loop) @ CreateProcessInternalW

No debugger usage

Automate

Attach Olly

Bp @ CreateProcessInternalW

Once hit, automate until ntdll!NtWriteVirtualMemory comes up

Page 13: Dissecting BetaBot

Unpacking

Page 14: Dissecting BetaBot

Unpacking

Page 15: Dissecting BetaBot

Unpacking stage2

Page 16: Dissecting BetaBot

Unpacking stage 2: Random Routine & POI

Page 17: Dissecting BetaBot

Unpacking stage 2: Last Routine & POI

Page 18: Dissecting BetaBot

Unpacking stage 2: Et voilà

Page 19: Dissecting BetaBot

Behavior

Anti RE

FS:[0x30] + 2 (PEB->BeingDebugged)

DbgBreakPoint() patched to 0x90 (NOP)

ntdll!NtQueryInformationProcess()

ntdll!NtSetInformationThread()

Page 20: Dissecting BetaBot

Behavior

NtQueryInformationProcess

Page 21: Dissecting BetaBot

Behavior

NtQueryInformationProcess

Note: [119f590] = address of ZwQuerySection

If [Ebp - 1] == 1 (debugger found), modify Fs:[0xc0] from the far jump 0x0033:0x7******* to ZwQuerySection

Page 22: Dissecting BetaBot

Behavior

EIP result

Page 23: Dissecting BetaBot

Behavior

Other aspects

Page 24: Dissecting BetaBot

Injection & Migration

CreateProcessInternalW(suspended)

CreateSection()

MapViewOfSection(), Unmap(), MapViewOfSection()

CreateSection(2)

MapViewOfSection(), Unmap(), MapViewOfSection(2)

ResumeThread()

ExitProcess()
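As an added example (not from the deck), a small detector over a constructed sandbox-style API trace that flags the sequence listed above from the defender's side: a child created suspended, a section created and mapped into it, unmapped and remapped, then resumed, with the parent exiting afterwards (the migration). The trace tuple layout and field names are assumptions.

```python
from collections import defaultdict

# Constructed trace, one tuple per call: (caller_pid, api_name, target_pid, flags).
# All pids and the ordering are made up to mirror the slide's call sequence.
TRACE = [
    (100, "CreateProcessInternalW", 200, "CREATE_SUSPENDED"),
    (100, "NtCreateSection", 200, ""),
    (100, "NtMapViewOfSection", 200, ""),
    (100, "NtUnmapViewOfSection", 200, ""),
    (100, "NtMapViewOfSection", 200, ""),
    (100, "NtCreateSection", 200, ""),        # second section (the "(2)" on the slide)
    (100, "NtMapViewOfSection", 200, ""),
    (100, "NtUnmapViewOfSection", 200, ""),
    (100, "NtMapViewOfSection", 200, ""),
    (100, "NtResumeThread", 200, ""),
    (100, "ExitProcess", 100, ""),             # parent leaves; code now lives in the child
    (300, "CreateProcessInternalW", 400, ""),  # benign spawn: not suspended, no remapping
    (300, "NtResumeThread", 400, ""),
]


def find_hollowing(trace):
    """One finding per (parent, child) pair showing the suspended-create,
    map/unmap/remap, resume pattern; nothing for ordinary process creation."""
    per_child = defaultdict(list)
    for caller, api, target, flags in trace:
        if target != caller:  # only cross-process activity is of interest here
            per_child[(caller, target)].append((api, flags))
    findings = []
    for (parent, child), calls in per_child.items():
        apis = [a for a, _ in calls]
        if calls[0][0] != "CreateProcessInternalW" or "CREATE_SUSPENDED" not in calls[0][1]:
            continue
        if "NtResumeThread" not in apis:
            continue
        before = apis[: apis.index("NtResumeThread")]  # everything done while the child was frozen
        unmaps = before.count("NtUnmapViewOfSection")
        remapped = any(a == "NtMapViewOfSection" and "NtUnmapViewOfSection" in before[:i]
                       for i, a in enumerate(before))
        if unmaps and remapped and "NtCreateSection" in before:
            parent_exited = any(c == parent and a == "ExitProcess" for c, a, _, _ in trace)
            findings.append({"parent": parent, "child": child,
                             "sections": before.count("NtCreateSection"),
                             "unmaps": unmaps, "migrated": parent_exited})
    return findings
```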

Page 25: Dissecting BetaBot

Injection & Migration

Page 26: Dissecting BetaBot

Injection & Migration

Page 27: Dissecting BetaBot

Injection & Migration

Page 28: Dissecting BetaBot

Injection & Migration

Page 29: Dissecting BetaBot

Injection & Migration

Page 30: Dissecting BetaBot

Injection & Migration

Page 31: Dissecting BetaBot

Injection & Migration

Page 32: Dissecting BetaBot

Injection & Migration

Page 33: Dissecting BetaBot

Injection & Migration

Page 34: Dissecting BetaBot

Injection & Migration

Page 35: Dissecting BetaBot

Hooks

How Normal Applications Hook and why

Page 36: Dissecting BetaBot

Hooks

32bit system without hooks

Page 37: Dissecting BetaBot

Hooks

32-bit API on a WOW64 system without hooks

Page 38: Dissecting BetaBot

Hooks

3 different areas of hooking in Betabot

Hook @ KiFastSystemCall (strictly x86 environment)

Hook @ Fs:[0xc0] (WOW64 handler for x86 API)

Hook @ 64Bit Api directly

Page 39: Dissecting BetaBot

Hooks

32-bit

Page 40: Dissecting BetaBot

Hooks

Wow64

Page 41: Dissecting BetaBot

Hooks

64-bit process

Page 42: Dissecting BetaBot

Hooks

Page 43: Dissecting BetaBot

Explanation for the 64-bit handler

Pages 44-53: Dissecting BetaBot

Interesting Areas (image-only slides; screenshots not in the transcript)

Page 54: Dissecting BetaBot

References

blog.gdatasoftware.com

kernelmode.info

Page 55: Dissecting BetaBot

Queries?