This document summarizes the analysis of the Betabot malware. It describes how the malware unpacks itself in multiple stages using common unpacking techniques. It also discusses the malware's anti-analysis behaviors, injection and migration methods, and how it hooks various system calls on 32-bit and 64-bit systems to maintain persistence. The document provides technical details on the malware's behavior and interesting internal workings.
2. Disclaimer
The Content, Demonstration, Source Code and Programs presented here are "AS IS" without any warranty or conditions of any kind. Also, the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which I am currently working.
However, under no circumstances is either I or SecurityXploded responsible for any damage or loss caused by use or misuse of the information presented here.
4. Why Betabot?
Difficult to understand
No Cracked builder
No good Writeup
Super Duper Rootkit as Advertised
Complaint for Removal
Harassment for other Criminals
5. Information
Samples used can be downloaded from malwarenet.com
Betabot 1.7 was used
Bot was analyzed on Win7 SP1 64-bit
Required Tools: OllyDbg, WinDbg, x64dbg, IDA Pro
6. Introduction
Typical Botnet but with good features
Botkiller
AV Killer
UAC SE trick
UserKit for x86/x64
Anti Bootkit
Usermode SandBox evasion
Proactive Defense
DnsBlocker/Redirect
File Search & Grab
Formgrabber for IE/FF/CH (x86 & x64) including SPDY grabber
12. Unpacking
Place 0xEB 0xFE @ CreateProcessInternalW (EB FE is a two-byte jmp to itself, so the process spins at that point)
No debugger usage
Automate
Attach Olly
Bp @ CreateProcessInternalW
Hit, then automate till ntdll!NtWriteVirtualMemory comes up
21. Behavior
NtQueryInformationProcess
Note: [119f590] = address of ZwQuerySection
if [Ebp - 1] == 1 (debugger found):
    modify Fs:[0xc0] from the WOW64 far jump 0x0033:0x7******* to ZwQuerySection
38. Hooks
3 different areas of hooking in Betabot:
Hook @ KiFastSystemCall (strictly x86 environment)
Hook @ Fs:[0xc0] (WOW64 handler for x86 API)
Hook @ 64-bit API directly
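The following is an added example, not Betabot code and not from the presentation. It covers the three hook locations listed above and the Fs:[0xc0] modification from the Behavior section, from the detection side: each function takes a byte snapshot of the location (read from the live process or a memory dump) and reports whether it still looks like the clean Windows 7 stub, or which kind of redirect replaced it (the EB rel8 case also matches the EB FE self-loop used during unpacking). The clean-stub encodings are assumed to be the Win7 SP1 ones, the platform the deck names; every sample byte string in the block is constructed for the demo, and `read_wow64_transition_ptr` is an assumed helper that only builds with MSVC for 32-bit targets.

```c
/*
 * Added example (not Betabot code, not from the presentation): checks for the three
 * hook locations the slides name, written from the detection side. Each check takes
 * a byte snapshot of the location (read from the live process or a memory dump) and
 * reports whether it still looks like the clean Windows 7 stub.
 * Assumptions: clean-stub encodings are the Win7 SP1 ones (the platform the deck
 * names); all sample bytes below are constructed for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hook_verdict {
    HV_CLEAN = 0,   /* bytes match the expected stub */
    HV_JMP_REL32,   /* E9 rel32 inline hook */
    HV_JMP_REL8,    /* EB rel8 (also the EB FE self-loop used while unpacking) */
    HV_PUSH_RET,    /* 68 imm32 C3 trampoline */
    HV_JMP_ABS,     /* FF 25 [mem] absolute jump */
    HV_MODIFIED     /* changed, but not a recognised redirect pattern */
};

/* Classify the first bytes of a stub that failed the clean-pattern compare. */
static enum hook_verdict classify_redirect(const uint8_t *b, size_t n)
{
    if (n >= 5 && b[0] == 0xE9) return HV_JMP_REL32;
    if (n >= 2 && b[0] == 0xEB) return HV_JMP_REL8;
    if (n >= 6 && b[0] == 0x68 && b[5] == 0xC3) return HV_PUSH_RET;
    if (n >= 6 && b[0] == 0xFF && b[1] == 0x25) return HV_JMP_ABS;
    return HV_MODIFIED;
}

/* Little-endian 32-bit read. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Area 1: x86 ntdll!KiFastSystemCall. Clean Win7 body: mov edx,esp ; sysenter ; ret */
enum hook_verdict check_kifastsystemcall(const uint8_t *b, size_t n)
{
    static const uint8_t clean[] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };
    if (n >= sizeof clean && memcmp(b, clean, sizeof clean) == 0) return HV_CLEAN;
    return classify_redirect(b, n);
}

/* Area 2: the WOW64 handler reached through FS:[0xC0]. In a clean Win7 WOW64 process the
 * pointer stored there lands on a far jump  EA <off32> <sel16>  with selector 0x0033 (the
 * 64-bit code segment). Returns 1 and the 32-bit offset if that is what the bytes encode,
 * 0 if the pointer was redirected elsewhere (the slides show it pointed at ZwQuerySection,
 * whose bytes are an ordinary API stub, not a far jump). */
int wow64_transition_is_far_jump(const uint8_t *b, size_t n, uint32_t *target_off)
{
    if (n < 7 || b[0] != 0xEA) return 0;
    uint16_t selector = (uint16_t)(b[5] | (b[6] << 8));
    if (selector != 0x0033) return 0;
    if (target_off) *target_off = le32(b + 1);
    return 1;
}

/* Area 3: a 64-bit Nt* stub. Clean Win7 body: mov r10,rcx ; mov eax,<ssn> ; syscall ; ret
 * Also returns the syscall number so the caller can cross-check it against a known table. */
enum hook_verdict check_x64_syscall_stub(const uint8_t *b, size_t n, uint32_t *ssn)
{
    if (n >= 11 && b[0] == 0x4C && b[1] == 0x8B && b[2] == 0xD1 && b[3] == 0xB8 &&
        b[8] == 0x0F && b[9] == 0x05 && b[10] == 0xC3) {
        if (ssn) *ssn = le32(b + 4);
        return HV_CLEAN;
    }
    return classify_redirect(b, n);
}

#if defined(_WIN32) && defined(_M_IX86)
#include <intrin.h>
/* Assumed helper: live read of FS:[0xC0] (TEB.WOW32Reserved) in a 32-bit process, MSVC intrinsic. */
uint32_t read_wow64_transition_ptr(void) { return __readfsdword(0xC0); }
#endif

/* Constructed snapshots, not captured from a real system. */
static const uint8_t sample_kifast_clean[]  = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };
static const uint8_t sample_kifast_hooked[] = { 0xE9, 0x10, 0x20, 0x30, 0x40 };              /* jmp rel32 */
static const uint8_t sample_farjmp_clean[]  = { 0xEA, 0x00, 0x70, 0x12, 0x74, 0x33, 0x00 };  /* jmp 0033:74127000 */
static const uint8_t sample_farjmp_bad[]    = { 0xB8, 0x55, 0x00, 0x00, 0x00, 0x33, 0xC9 };  /* plain x86 stub, no far jump */
static const uint8_t sample_x64_clean[]     = { 0x4C, 0x8B, 0xD1, 0xB8, 0x55, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };
static const uint8_t sample_x64_hooked[]    = { 0x68, 0x00, 0x00, 0x40, 0x00, 0xC3, 0x0F, 0x05, 0xC3, 0x90, 0x90 }; /* push/ret */

int main(void)
{
    uint32_t off = 0, ssn = 0;
    printf("KiFastSystemCall clean : %d\n", check_kifastsystemcall(sample_kifast_clean, sizeof sample_kifast_clean));
    printf("KiFastSystemCall hooked: %d\n", check_kifastsystemcall(sample_kifast_hooked, sizeof sample_kifast_hooked));
    printf("FS:[C0] far jump ok    : %d (off=%08x)\n", wow64_transition_is_far_jump(sample_farjmp_clean, 7, &off), off);
    printf("FS:[C0] redirected     : %d\n", wow64_transition_is_far_jump(sample_farjmp_bad, 7, NULL) == 0);
    printf("x64 stub clean         : %d (ssn=%u)\n", check_x64_syscall_stub(sample_x64_clean, 11, &ssn), ssn);
    printf("x64 stub hooked        : %d\n", check_x64_syscall_stub(sample_x64_hooked, 11, NULL));
    return 0;
}
```

The checks deliberately compare against the expected bytes rather than scanning for known bad bytes: a hook at any of the three places has to change the first instruction of the stub (or the pointer at Fs:[0xc0]) to divert control, so "does it still look like the clean stub" catches unknown redirect encodings as well, and they fall into HV_MODIFIED for a human to look at. The x64 stub check also hands back the syscall number, which is worth comparing against a table for the OS build since a stub can be left intact while the number is changed.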