1. Technical Workshop - Win32/Georbot Analysis

2. Introduction
• Based in Montreal
• Studies in computer engineering at Ecole Polytechnique
• Malware analysis
• Focus on investigation and understanding trends

3. Labs’ Objectives
• Gain hands-on knowledge on malware analysis
• Obfuscation
• Persistence
• C&C traffic
• This case is *NOT* cutting edge but a good summary of common
things we see nowadays

4. Win32/Georbot
• One of our analyst reported an interesting string in a binary
(.gov.ge)
• Started investigation, we thought it was time sensitive and involved
3 guys for 3 days.
• Interesting feature
• Document stealing
• Audio / Video capture
• Etc

5. Win32/Georbot
• Further analysis showed thousands of variants
• We were able to track the evolution of the features
• Track AV evasion techniques

6. Win32/Georbot

8. Workshop Outline
1. Data obfuscation
2. Control flow obfuscation
3. API call obfuscation
4. Answer basic malware analysis questions
5. C&C network protocol

9. Tools Required
1. IDA 6.x (you can use the demo)
2. Python interpreter w/ some modules for web server
3. Immunity Debugger / Olly Debugger

10. IDA Python
• Automate repetitive tasks in IDA
• Read data (Byte, Word, Dword, etc)
• Change data (PatchByte, PatchWord, PatchDword, etc)
• Add comments (MakeComm)
• Add cross references
• User interaction
• Etc.

11. Data Obfuscation
• Where’s all my data?!
• Debug the malware (in a controlled environment), do you see
something appear? (0x407afb)
• What happened? Find the procedure which decodes the data
• Understand obfuscation
• Implement deobfuscation with IDA Python

12. Data Obfuscation

13. Control Flow Obfuscation

14. Control Flow Obfuscation
• Identify common obfuscation patterns
• Find a straight forward replacement
• Implement substitutions with IDA Python
• Reanalyze program, does it look better?

15. Control Flow Obfuscation
Obfuscated Deobfuscated
push <addr>; ret Jmp <addr>
Push <addr> Call <addr> (will return to addr)
jmp <addr>

16. API Call Obfuscation
• Where are all my API calls?
• Find and understand hashing function
• Brute force API calls and add comments to IDB using IDA Python

17. API Hashing Function

18. Let’s understand what’s going on!
• Can multiple instances of the malware run at the same time?
• Is the malware persistent? How?
• What is the command and control server?
• What is the update mechanism for binaries?
• Is there a C&C fallback mechanism?

19. Additional work
• Write a detection mechanism for an infected system
• Implement a cleaner for this malware
• Kill the process
• Remove persistence
• At what time interval does the malware probe its C&C server?

20. 0x403AFD - cpuid
http://en.wikipedia.org/wiki/CPUID

21. C&C Protocol Analysis
• What’s the chain of event in the communication
• What is the information provided by the bot
• What type of answer is the bot expecting?
• What are the different actions?

22. C&C Commands
0A029h ; find
1675h ; dir
0A8FEh ; load?
22C4C1h ; upload
42985 ; main?
0A866h ; list?
1175972831 ; upload_dir
9C9Ch ; ddos
0B01Dh ; scan
47154 ; word
2269271 ; system
9FCCh ; dump
310946 ; photo
440F6h 18FEh ; rdp
4F5BBh ; video
3D0BD7C6h ; screenshot
741334016 ; password
0DA8B3Ch ; history

23. FALLBCK.com
• What is this DNS query?
• What can we do with it?

25. GUID
• What is at 0x0040A03D, how is it used in program?

26. Conclusions
• The set of questions to answer is often similar.
• Don’t focus on details, remember your objective, its easy to get lost.
• A mix of dynamic and static analysis is often the best solution for
quick understanding of a new malware family.

27. Thank You