Dissecting BetaBot
![Page 1: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/1.jpg)
Dissecting BetaBot
Raghav Pande, Researcher @ FireEye
![Page 2: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/2.jpg)
Disclaimer
The content, demonstrations, source code and programs presented here are provided "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which I am currently working.
However, in no circumstances shall I or SecurityXploded be responsible for any damage or loss caused by use or misuse of the information presented here.
![Page 3: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/3.jpg)
Content
Introduction
Static
Behavior
Anti R.E.
Injection
Hooking Methodology
Interesting Areas
![Page 4: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/4.jpg)
Why Betabot?
Difficult to understand
No Cracked builder
No good Writeup
Super Duper Rootkit as Advertised
Complaint for Removal
Harassment for other Criminals
![Page 5: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/5.jpg)
Information
Samples used can be downloaded from malwarenet.com
Betabot 1.7 was used
Bot was analyzed on Win7 Sp1 64bit
Required Tools: Ollydbg, Windbg, x64dbg, Ida Pro
![Page 6: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/6.jpg)
Introduction
Typical botnet but with good features
Botkiller
AV Killer
UAC SE trick
UserKit for x86/x64
Anti Bootkit
Usermode SandBox evasion
Proactive Defense
DnsBlocker/Redirect
File Search & Grab
Formgrabber for IE/FF/CH (x86 & x64) including SPDY grabber
![Page 7: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/7.jpg)
Advert
![Page 8: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/8.jpg)
![Page 9: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/9.jpg)
Static
Throw wild binary in IDA
![Page 10: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/10.jpg)
Unpacking
Unpacking 101: Throw in Olly
Bp @ ntdll!NtWriteVirtualMemory
Bp @ ntdll!NtResumeThread
Automate
Dump PE header
![Page 11: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/11.jpg)
Unpacking
![Page 12: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/12.jpg)
Unpacking
Place 0xEb 0xFe @ CreateProcessInternalW
No debugger usage
Automate
Attach Olly
Bp @ CreateProcessInternalW
Hit, Then Automate till ntdll!NtWriteVirtualMemory comes up
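Both unpacking routes above end with a memory dump whose PE header has to be checked and whose section table has to be fixed before the dump loads from disk (PointerToRawData/SizeOfRawData rewritten to the in-memory layout). The following Python is an added example, not code from the talk: it builds a constructed minimal PE32 header inline (not a BetaBot sample), parses it, maps the entry-point RVA to a file offset, and applies the dump fix-up. All function and field names are the example's own.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header in file layout (not a real BetaBot dump)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                    # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)          # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)          # SizeOfImage, SizeOfHeaders
    sections = b""
    for name, vsize, va, rawsize, rawptr, chars in (
        (b".text", 0x800, 0x1000, 0x800, 0x200, 0x60000020),
        (b".data", 0x400, 0x2000, 0x400, 0xA00, 0xC0000040),
    ):
        sections += struct.pack(SECTION_FMT, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections


def parse_pe_header(buf: bytes) -> dict:
    """Sanity-check MZ/PE signatures and pull out the fields an unpacker cares about."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt_off)[0]
    entry = struct.unpack_from("<I", buf, opt_off + 16)[0]
    if magic == 0x10B:                                       # PE32
        image_base = struct.unpack_from("<I", buf, opt_off + 28)[0]
    elif magic == 0x20B:                                     # PE32+
        image_base = struct.unpack_from("<Q", buf, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_align, file_align = struct.unpack_from("<II", buf, opt_off + 32)
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, buf, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "raw_size": rawsize,
                         "raw_ptr": rawptr, "characteristics": chars})
    return {"machine": machine, "entry_point_rva": entry, "image_base": image_base,
            "section_alignment": sec_align, "file_alignment": file_align,
            "sections": sections}


def rva_to_offset(hdr: dict, rva: int) -> int:
    """Translate an RVA (e.g. the entry point) to a file offset via the section table."""
    for s in hdr["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError("RVA 0x%x not inside any section" % rva)


def fix_dumped_image(buf: bytes) -> bytes:
    """Make a memory-layout dump loadable from disk: raw offsets/sizes := virtual ones,
    FileAlignment := SectionAlignment. Mirrors the fix-up done by typical dump tools."""
    out = bytearray(buf)
    e_lfanew = struct.unpack_from("<I", out, 0x3C)[0]
    nsec = struct.unpack_from("<H", out, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", out, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    sec_align = struct.unpack_from("<I", out, opt_off + 32)[0]
    struct.pack_into("<I", out, opt_off + 36, sec_align)    # FileAlignment
    sec_off = opt_off + opt_size
    for i in range(nsec):
        off = sec_off + 40 * i
        vsize, va = struct.unpack_from("<II", out, off + 8)
        struct.pack_into("<II", out, off + 16, vsize, va)   # SizeOfRawData, PointerToRawData
    return bytes(out)


if __name__ == "__main__":
    hdr = parse_pe_header(build_sample_pe())
    print("entry RVA 0x%x -> file offset 0x%x" % (hdr["entry_point_rva"],
                                                  rva_to_offset(hdr, hdr["entry_point_rva"])))
    print(parse_pe_header(fix_dumped_image(build_sample_pe()))["sections"])
```

Run the fix-up only on dumps taken in memory layout; a file-layout dump already has correct raw pointers and rewriting them would corrupt it.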
![Page 13: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/13.jpg)
Unpacking
![Page 14: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/14.jpg)
Unpacking
![Page 15: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/15.jpg)
Unpacking stage2
![Page 16: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/16.jpg)
Unpacking stage2: Random Routine & POI
![Page 17: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/17.jpg)
Unpacking stage2: Last Routine & POI
![Page 18: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/18.jpg)
Unpacking Stage2: Et voilà
![Page 19: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/19.jpg)
Behavior
Anti RE
FS:[0x30] + 2 (PEB.BeingDebugged)
DbgBreakPoint() patched to 0x90 (NOP)
Ntdll!NtQueryInformationProcess()
Ntdll!NtSetInformationThread()
![Page 20: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/20.jpg)
Behavior: NtQueryInformationProcess
![Page 21: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/21.jpg)
Behavior
NtQueryInformationProcess
Note: [119f590] = address of ZwQuerySection
if [Ebp - 1] == 1 (debugger found):
modify Fs:[0xc0] from Far jump 0x0033:0x7******* to ZwQuerySection
![Page 22: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/22.jpg)
Behavior: EIP result
![Page 23: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/23.jpg)
Behavior
Other aspects
![Page 24: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/24.jpg)
Injection & Migration
CreateProcessInternalW(suspended)
CreateSection()
MapViewOfSection(), Unmap(), MapViewOfSection()
CreateSection(2)
MapViewOfSection(), Unmap(), MapViewOfSection(2)
ResumeThread()
ExitProcess()
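Both the Anti RE checks (NtQueryInformationProcess, NtSetInformationThread, the DbgBreakPoint patch) and the injection sequence above (suspended child, section created and mapped into it, thread resumed) leave a recognisable trail in an API-call trace. The Python below is an added example, not code from the talk: it runs simple detection rules over a constructed key=value trace (the format is invented for the example; real sandbox or tracer output will differ). The information-class values ProcessDebugPort (7), ProcessDebugObjectHandle (0x1E), ProcessDebugFlags (0x1F), ThreadHideFromDebugger (0x11) and CREATE_SUSPENDED (0x4) are standard Windows constants; the pids and function names in the trace are made up.

```python
import re
from collections import defaultdict

# Constructed trace: one API call per line, key=value fields (not real tracer output).
SAMPLE_TRACE = """\
pid=1234 api=NtQueryInformationProcess class=7
pid=1234 api=NtSetInformationThread class=0x11
pid=1234 api=NtWriteVirtualMemory target=ntdll!DbgBreakPoint
pid=1234 api=CreateProcessInternalW flags=0x4 child=5678
pid=1234 api=NtCreateSection
pid=1234 api=NtMapViewOfSection target_pid=5678
pid=1234 api=NtUnmapViewOfSection target_pid=5678
pid=1234 api=NtMapViewOfSection target_pid=5678
pid=1234 api=NtCreateSection
pid=1234 api=NtMapViewOfSection target_pid=5678
pid=1234 api=NtResumeThread target_pid=5678
pid=1234 api=ExitProcess
pid=4321 api=CreateProcessInternalW flags=0x0 child=8765
pid=4321 api=NtResumeThread target_pid=8765
"""

# Windows constants (PROCESSINFOCLASS / THREADINFOCLASS / CreateProcess flags)
PROCESS_DEBUG_PORT = 7
PROCESS_DEBUG_OBJECT_HANDLE = 0x1E
PROCESS_DEBUG_FLAGS = 0x1F
THREAD_HIDE_FROM_DEBUGGER = 0x11
CREATE_SUSPENDED = 0x4

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_trace(text: str) -> list:
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def to_int(value: str) -> int:
    return int(value, 0)          # accepts decimal and 0x-prefixed hex


def detect_anti_debug(events: list) -> list:
    """Flag the debugger checks the Anti RE slide lists; returns (pid, reason) tuples."""
    findings = []
    for e in events:
        api = e.get("api")
        cls = to_int(e.get("class", "-1"))
        if api == "NtQueryInformationProcess" and cls in (
                PROCESS_DEBUG_PORT, PROCESS_DEBUG_OBJECT_HANDLE, PROCESS_DEBUG_FLAGS):
            findings.append((e["pid"], "debug-port/flags query via NtQueryInformationProcess"))
        elif api == "NtSetInformationThread" and cls == THREAD_HIDE_FROM_DEBUGGER:
            findings.append((e["pid"], "ThreadHideFromDebugger via NtSetInformationThread"))
        elif api == "NtWriteVirtualMemory" and e.get("target", "").endswith("DbgBreakPoint"):
            findings.append((e["pid"], "write to ntdll!DbgBreakPoint (breakpoint patched out)"))
    return findings


def detect_section_injection(events: list) -> list:
    """Per source pid, track each suspended child through the stages
    CREATE_SUSPENDED -> NtCreateSection -> NtMapViewOfSection(child) -> NtResumeThread(child).
    Returns (source_pid, child_pid) for every child that reaches the last stage."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    findings = []
    for pid, evs in by_pid.items():
        stage = {}                                   # child pid -> stage name
        for e in evs:
            api = e.get("api")
            if api == "CreateProcessInternalW" and to_int(e.get("flags", "0")) & CREATE_SUSPENDED:
                stage[e.get("child")] = "suspended"
            elif api == "NtCreateSection":
                for child in [c for c, s in stage.items() if s == "suspended"]:
                    stage[child] = "section"
            elif api == "NtMapViewOfSection":
                child = e.get("target_pid")
                if stage.get(child) in ("section", "mapped"):
                    stage[child] = "mapped"
            elif api == "NtResumeThread":
                child = e.get("target_pid")
                if stage.get(child) == "mapped":
                    findings.append((pid, child))
                    stage[child] = "reported"
    return findings


def analyze(text: str) -> dict:
    events = parse_trace(text)
    return {"anti_debug": detect_anti_debug(events),
            "injection": detect_section_injection(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_TRACE).items():
        print(kind, hits)
```

The injection rule deliberately ignores the unmap/remap churn and the second section: it only needs the order suspended-create, section, map-into-child, resume, so the pid=4321 process, which resumes a child it created without CREATE_SUSPENDED and never mapped into, produces no hit.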
![Page 25: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/25.jpg)
Injection & Migration
![Page 26: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/26.jpg)
Injection & Migration
![Page 27: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/27.jpg)
Injection & Migration
![Page 28: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/28.jpg)
Injection & Migration
![Page 29: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/29.jpg)
Injection & Migration
![Page 30: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/30.jpg)
Injection & Migration
![Page 31: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/31.jpg)
Injection & Migration
![Page 32: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/32.jpg)
Injection & Migration
![Page 33: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/33.jpg)
Injection & Migration
![Page 34: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/34.jpg)
Injection & Migration
![Page 35: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/35.jpg)
Hooks
How Normal Applications Hook and why
![Page 36: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/36.jpg)
Hooks
32bit system without hooks
![Page 37: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/37.jpg)
Hooks
32bit API on WOW64bit system without hooks
![Page 38: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/38.jpg)
Hooks
3 different areas of hooking in Betabot:
Hook @ KiFastSystemCall (strictly x86 environment)
Hook @ Fs:[0xc0] (WOW64 handler for x86 API)
Hook @ 64bit API directly
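Each of the three hook points above can be verified from the bytes that should be there. The following Python is an added example, not code from the talk, and works purely on constructed byte strings rather than memory read from a live process. It assumes the Windows 7 layouts: KiFastSystemCall is `mov edx, esp; sysenter; ret`, a 32-bit ntdll stub begins with `mov eax, <syscall#>` and then either calls through SharedUserData (7FFE0300h) on native x86 or `call dword ptr fs:[0C0h]` under WOW64, and FS:[0xC0] (TEB.WOW32Reserved) points at a `jmp far 0033:xxxxxxxx`. The function names are the example's own.

```python
# Expected byte patterns (Windows 7 assumption; see lead-in)
KIFASTSYSTEMCALL = bytes.fromhex("8BD40F34C3")        # mov edx,esp ; sysenter ; ret
KIFAST_CALL = bytes.fromhex("BA0003FE7FFF12")         # mov edx,7FFE0300h ; call [edx]
WOW64_CALL_FS_C0 = bytes.fromhex("64FF15C0000000")    # call dword ptr fs:[0C0h]


def check_kifastsystemcall(code: bytes) -> str:
    """Hook area 1: the shared x86 syscall trampoline must be byte-for-byte intact."""
    return "ok" if code[:5] == KIFASTSYSTEMCALL else "modified"


def check_wow64_transition(code: bytes) -> str:
    """Hook area 2: the target of FS:[0xC0] must be a far jump to selector 0x33.
    The slides show BetaBot swapping this for a pointer into its own handler."""
    if len(code) >= 7 and code[0] == 0xEA and code[5:7] == b"\x33\x00":
        return "ok"
    return "modified"


def classify_syscall_stub(code: bytes) -> str:
    """Classify the first bytes of a 32-bit ntdll Nt*/Zw* stub:
    'native-x86', 'wow64', 'hooked' (inline jump/call or push-ret) or 'unknown'."""
    if code[:1] != b"\xb8":                          # expected: mov eax, imm32
        if code[:1] in (b"\xe9", b"\xe8"):           # jmp rel32 / call rel32
            return "hooked"
        if code[:1] == b"\x68" and code[5:6] == b"\xc3":   # push imm32 ; ret
            return "hooked"
        return "unknown"
    body = code[5:]
    if body.startswith(KIFAST_CALL):
        return "native-x86"
    if WOW64_CALL_FS_C0 in body[:16]:
        return "wow64"
    return "unknown"


# Constructed samples (syscall number 0x0A and the jump targets are made up)
NATIVE_STUB = bytes.fromhex("B80A000000BA0003FE7FFF12C21400")
WOW64_STUB = bytes.fromhex("B80A00000033C98D54240464FF15C000000083C404C21400")
HOOKED_STUB = bytes.fromhex("E900100000BA0003FE7FFF12C21400")
PUSH_RET_STUB = bytes.fromhex("6878563412C3")
FAR_JMP_OK = bytes.fromhex("EA785634123300")
FAR_JMP_REPLACED = bytes.fromhex("E978563412")
KIFAST_PATCHED = bytes.fromhex("E978563412")


def run_checks() -> dict:
    return {
        "kifast_clean": check_kifastsystemcall(KIFASTSYSTEMCALL),
        "kifast_patched": check_kifastsystemcall(KIFAST_PATCHED),
        "wow64_transition_clean": check_wow64_transition(FAR_JMP_OK),
        "wow64_transition_replaced": check_wow64_transition(FAR_JMP_REPLACED),
        "stub_native": classify_syscall_stub(NATIVE_STUB),
        "stub_wow64": classify_syscall_stub(WOW64_STUB),
        "stub_jmp_hook": classify_syscall_stub(HOOKED_STUB),
        "stub_push_ret": classify_syscall_stub(PUSH_RET_STUB),
    }


if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print("%-28s %s" % (name, verdict))
```

On a real system the same logic runs over bytes read from the process, and a "modified" verdict at FS:[0xC0] or KiFastSystemCall is a stronger signal than a hooked individual stub, because a legitimate product would hook specific APIs rather than the shared transition point.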
![Page 39: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/39.jpg)
Hooks
32bit
![Page 40: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/40.jpg)
Hooks
Wow64
![Page 41: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/41.jpg)
Hooks
64bit Process
![Page 42: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/42.jpg)
Hooks
![Page 43: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/43.jpg)
Explanation for 64bit handler
![Page 44: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/44.jpg)
Interesting Areas
![Page 45: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/45.jpg)
Interesting Areas
![Page 46: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/46.jpg)
Interesting Areas
![Page 47: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/47.jpg)
Interesting Areas
![Page 48: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/48.jpg)
Interesting Areas
![Page 49: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/49.jpg)
Interesting Areas
![Page 50: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/50.jpg)
Interesting Areas
![Page 51: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/51.jpg)
Interesting Areas
![Page 52: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/52.jpg)
Interesting Areas
![Page 53: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/53.jpg)
Interesting Areas
![Page 54: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/54.jpg)
References
blog.gdatasoftware.com
kernelmode.info
![Page 55: Dissecting BetaBot](https://reader036.fdocuments.net/reader036/viewer/2022062319/553891ef4a79598f768b47a7/html5/thumbnails/55.jpg)
Queries?