Technical Workshop - Win32/Georbot Analysis
Uploaded by: positive-hack-days
Introduction
• Based in Montreal
• Studies in computer engineering at Ecole Polytechnique
• Malware analysis
• Focus on investigation and understanding trends
Labs’ Objectives
• Gain hands-on knowledge on malware analysis
• Obfuscation
• Persistence
• C&C traffic
• This case is *NOT* cutting edge but a good summary of common things we see nowadays
Win32/Georbot
• One of our analysts reported an interesting string in a binary (.gov.ge)
• We started an investigation; we thought it was time sensitive and involved 3 guys for 3 days.
• Interesting features
• Document stealing
• Audio / Video capture
• Etc.
Win32/Georbot
• Further analysis showed thousands of variants
• We were able to track the evolution of the features
• Track AV evasion techniques
Win32/Georbot
Workshop Outline
1. Data obfuscation
2. Control flow obfuscation
3. API call obfuscation
4. Answer basic malware analysis questions
5. C&C network protocol
Tools Required
1. IDA 6.x (you can use the demo)
2. Python interpreter with some modules for a web server
3. Immunity Debugger / Olly Debugger
IDA Python
• Automate repetitive tasks in IDA
• Read data (Byte, Word, Dword, etc.)
• Change data (PatchByte, PatchWord, PatchDword, etc.)
• Add comments (MakeComm)
• Add cross references
• User interaction
• Etc.
Data Obfuscation
• Where’s all my data?!
• Debug the malware (in a controlled environment). Do you see something appear? (0x407afb)
• What happened? Find the procedure which decodes the data
• Understand the obfuscation
• Implement deobfuscation with IDA Python
Data Obfuscation
Control Flow Obfuscation
Control Flow Obfuscation
• Identify common obfuscation patterns
• Find a straightforward replacement
• Implement substitutions with IDA Python
• Reanalyze the program. Does it look better?
Control Flow Obfuscation
Obfuscated -> Deobfuscated
push <addr>; ret -> jmp <addr>
push <addr>; call <proc> (<proc> will return to <addr>) -> jmp <addr>
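The two substitutions in the table, written out as a pure-Python rewrite over a flat 32-bit x86 code buffer so it can be run and checked outside IDA. This is an added example, not the workshop's IDA Python script; it assumes the encodings push imm32 (0x68), ret (0xC3), call rel32 (0xE8) and jmp rel32 (0xE9), and it only rewrites the push/call form when the called procedure is a bare ret stub, since that is what makes it equivalent to a jmp. The sample bytes and base address are constructed for the demo.

```python
"""Control-flow deobfuscation of "push <addr>; ret" and
"push <addr>; call <ret-stub>" into "jmp <addr>" plus NOP padding.

Added example (not Georbot's code, not the workshop's script).
Assumptions: 32-bit x86, flat code buffer, fixed base address.
"""
import struct

PUSH_IMM32, RET, CALL_REL32, JMP_REL32, NOP = 0x68, 0xC3, 0xE8, 0xE9, 0x90


def _rel32(insn_addr: int, target: int) -> int:
    """rel32 displacement for a 5-byte jmp/call located at insn_addr."""
    return (target - (insn_addr + 5)) & 0xFFFFFFFF


def deobfuscate_control_flow(code: bytes, base: int):
    """Return (patched_code, changes).

    changes is a list of (address, pattern, target) tuples, one per rewrite;
    in IDA this is the list you would feed to MakeComm / add_cref.
    """
    buf = bytearray(code)
    n = len(buf)
    changes = []
    i = 0
    while i + 6 <= n:                       # smallest pattern is 5 + 1 bytes
        if buf[i] != PUSH_IMM32:
            i += 1
            continue
        addr = base + i
        target = struct.unpack_from("<I", buf, i + 1)[0]
        nxt = i + 5

        # pattern 1: push <addr>; ret  ->  jmp <addr>; nop
        if buf[nxt] == RET:
            buf[i] = JMP_REL32
            struct.pack_into("<I", buf, i + 1, _rel32(addr, target))
            buf[nxt] = NOP
            changes.append((addr, "push/ret", target))
            i = nxt + 1
            continue

        # pattern 2: push <addr>; call <proc>  ->  jmp <addr>; 5 x nop,
        # accepted only when <proc> lies inside the buffer and is a lone ret,
        # i.e. it returns straight into <addr>.
        if buf[nxt] == CALL_REL32 and nxt + 5 <= n:
            rel = struct.unpack_from("<i", buf, nxt + 1)[0]
            proc_off = nxt + 5 + rel            # callee offset relative to base
            if 0 <= proc_off < n and buf[proc_off] == RET:
                buf[i] = JMP_REL32
                struct.pack_into("<I", buf, i + 1, _rel32(addr, target))
                buf[nxt:nxt + 5] = bytes([NOP]) * 5
                changes.append((addr, "push/call-ret-stub", target))
                i = nxt + 5
                continue
        i += 1
    return bytes(buf), changes


BASE = 0x401000
# constructed sample (not bytes from the malware); address of each instruction in the comments
SAMPLE = bytes([
    0x68, 0x11, 0x10, 0x40, 0x00,           # 401000  push 0x401011
    0xC3,                                   # 401005  ret              -> jmp 0x401011
    0x68, 0x11, 0x10, 0x40, 0x00,           # 401006  push 0x401011
    0xE8, 0x00, 0x00, 0x00, 0x00,           # 40100B  call 0x401010    -> jmp 0x401011
    0xC3,                                   # 401010  ret (stub used by the call above)
    0x31, 0xC0,                             # 401011  xor eax, eax
    0xC3,                                   # 401013  ret
])


def demo():
    """Run the rewrite over the constructed sample and return (patched, changes)."""
    return deobfuscate_control_flow(SAMPLE, BASE)


if __name__ == "__main__":
    patched, changes = demo()
    for addr, pattern, target in changes:
        print(f"{addr:#010x}: {pattern:<20} -> jmp {target:#x}")
    print(patched.hex(" "))
```

The byte-level sweep is enough for a self-contained demo but will misfire on a 0x68 byte that sits inside data or another instruction's immediate; inside IDA, walk decoded instruction heads (idautils.Heads) instead, apply the same two checks, patch with PatchByte/PatchDword, and let IDA reanalyze the function so the new jmp cross references appear.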
API Call Obfuscation
• Where are all my API calls?
• Find and understand the hashing function
• Brute force API calls and add comments to the IDB using IDA Python
API Hashing Function
Let’s understand what’s going on!
• Can multiple instances of the malware run at the same time?
• Is the malware persistent? How?
• What is the command and control server?
• What is the update mechanism for binaries?
• Is there a C&C fallback mechanism?
Additional work
• Write a detection mechanism for an infected system
• Implement a cleaner for this malware
• Kill the process
• Remove persistence
• At what time interval does the malware probe its C&C server?
0x403AFD - cpuid
http://en.wikipedia.org/wiki/CPUID
C&C Protocol Analysis
• What is the chain of events in the communication?
• What information is provided by the bot?
• What type of answer is the bot expecting?
• What are the different actions?
C&C Commands
0A029h ; find
1675h ; dir
0A8FEh ; load?
22C4C1h ; upload
42985 ; main?
0A866h ; list?
1175972831 ; upload_dir
9C9Ch ; ddos
0B01Dh ; scan
47154 ; word
2269271 ; system
9FCCh ; dump
310946 ; photo
440F6h 18FEh ; rdp
4F5BBh ; video
3D0BD7C6h ; screenshot
741334016 ; password
0DA8B3Ch ; history
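Both the API hashing slide and the command table above come down to the same job: constants in the binary are hashes of names, and the names are recovered by hashing a candidate list and matching. The following is an added example, not Georbot's code and not the workshop's script. The hash function is an assumed stand-in (the common ROR13 additive hash over the ASCII name); the real routine has to be lifted from the sample and substituted for hash_fn, after which the same table lookup resolves the constants. The candidate lists and the "constants found in the binary" are constructed for the demo.

```python
"""Brute-force resolution of hashed API names and hashed C&C command words.

Added example, not Georbot's code. ror13_hash is an assumed placeholder for
the malware's real hashing routine; swap in the recovered function.
"""
from typing import Callable, Dict, Iterable, List, Optional


def ror32(value: int, count: int) -> int:
    """32-bit rotate right."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Stand-in hash: h = ror(h, 13) + byte, over the name without its NUL."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def build_hash_table(candidates: Iterable[str],
                     hash_fn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Precompute hash -> name. Two candidates colliding would make a lookup
    ambiguous, so a collision is reported rather than silently overwritten."""
    table: Dict[int, str] = {}
    for name in candidates:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"{name!r} and {table[h]!r} collide on {h:#010x}")
        table[h] = name
    return table


def resolve_hashes(unknown: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each constant pulled from the binary to a name, or None if nothing matched."""
    return {h: table.get(h) for h in unknown}


def ida_comment_lines(resolved: Dict[int, Optional[str]]) -> List[str]:
    """One comment string per constant, the text you would hand to MakeComm at the call site."""
    return [f"{h:#010x} ; {name or 'unresolved'}" for h, name in resolved.items()]


# constructed candidate lists; for real work, dump the export names of the DLLs the sample loads
API_CANDIDATES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA",
                  "WriteFile", "InternetOpenA", "Sleep", "CreateMutexA"]
COMMAND_CANDIDATES = ["find", "dir", "load", "upload", "main", "list", "upload_dir", "ddos",
                      "scan", "word", "system", "dump", "photo", "rdp", "video", "screenshot",
                      "password", "history"]


if __name__ == "__main__":
    api_table = build_hash_table(API_CANDIDATES)
    # constructed "constants seen in the disassembly": the ROR13 value of LoadLibraryA,
    # one computed on the fly, and one that matches nothing
    found = [0xEC0E4E8E, ror13_hash("GetProcAddress"), 0x12345678]
    for line in ida_comment_lines(resolve_hashes(found, api_table)):
        print(line)
    cmd_table = build_hash_table(COMMAND_CANDIDATES)
    print(resolve_hashes([ror13_hash("screenshot")], cmd_table))
```

A practical check before trusting a resolution: with short command words and a 32-bit hash, a match against a large wordlist is not proof, so confirm the name against the handler's behaviour (the "dir" handler should enumerate files, and so on) before committing the comment to the IDB.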
FALLBCK.com
• What is this DNS query?
• What can we do with it?
GUID
• What is at 0x0040A03D, and how is it used in the program?
Conclusions
• The set of questions to answer is often similar.
• Don’t focus on details; remember your objective, it’s easy to get lost.
• A mix of dynamic and static analysis is often the best solution for quick understanding of a new malware family.
Thank You