![Behavior
Anti RE
FS:[0x30] + 2
DbgBreakPoint() = 0x90
Ntdll!NtQueryInformationProcess()
Ntdll!NtSetInformationThread()](https://image.slidesharecdn.com/gfcsgxzftjs9coxaynpw-signature-fa17ef08645a3cce9ed98bc960f7e89b419197b8ab9318d2a54057ce7f634710-poli-160709185308/85/Betabot-19-320.jpg)
![Behavior
NtQueryInformationProcess
Note: [119f590] = address of ZwQuerySection
if [Ebp - 1] == 1 (debugger found)
modify Fs:[0xc0] from Far jump
0x0033:0x7*******
to ZwQuerySection](https://image.slidesharecdn.com/gfcsgxzftjs9coxaynpw-signature-fa17ef08645a3cce9ed98bc960f7e89b419197b8ab9318d2a54057ce7f634710-poli-160709185308/85/Betabot-21-320.jpg)
![Hooks
3 different areas of hooking in Betabot
Hook @ KiFastSystemCall (strictly x86
Environment)
Hook @ Fs:[0xc0] (WOW64 handler for x86 API)
Hook @ 64Bit Api directly](https://image.slidesharecdn.com/gfcsgxzftjs9coxaynpw-signature-fa17ef08645a3cce9ed98bc960f7e89b419197b8ab9318d2a54057ce7f634710-poli-160709185308/85/Betabot-38-320.jpg)
Betabot
- 1. Dissecting BetaBot Raghav Pande Researcher @ FireEye
- 2. Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge expressed here are solely mine and have nothing to do with the company or the organization in which i am currently working. However in no circumstances neither me nor Cysinfo is responsible for any damage or loss caused due to use or misuse of the information presented here.
- 4. Why Betabot? Difficult to understand No Cracked builder No good Writeup Super Duper Rootkit as Advertised Complaint for Removal Harassment for other Criminals
- 5. Information Samples used can be downloaded from malwarenet.com Betabot 1.7 was used Bot was analyzed on Win7 Sp1 64bit Required Tools: Ollydbg, Windbg, x64dbg, Ida Pro
- 6. Introduction Typical Botnet but with good features Botkiller AV Killer UAC SE trick UserKit for x86/x64 Anti Bootkit Usermode SandBox evasion Proactive Defense DnsBlocker/Redirect File Search & Grab Formgrabber for IE/FF/CH (x86 & x64) including SPDY grabber
- 7. Advert
- 9. Static Throw Wild binary in IDA
- 10. Unpacking Unpacking 101: Throw in Olly Bp @ ntdll!NtWriteVirtualMemory Bp @ ntdll!NtResumeThread Automate Dump PE header
- 11. Unpacking
- 12. Unpacking Place 0xEb 0xFe @ CreateProcessInternalW No debugger usage Automate Attach Olly Bp @ CreateProcessInternalW Hit, Then Automate till ntdll!NtWriteVirtualMemory comes up
- 13. Unpacking
- 14. Unpacking
- 15. Unpacking stage2
- 16. Unpacking stage2 Random Routine & POI
- 17. Unpacking stage2 Last Routine & POI
- 19. Behavior Anti RE FS:[0x30] + 2 DbgBreakPoint() = 0x90 Ntdll!NtQueryInformationProcess() Ntdll!NtSetInformationThread()
- 21. Behavior NtQueryInformationProcess Note: [119f590] = address of ZwQuerySection if [Ebp - 1] == 1 (debugger found) modify Fs:[0xc0] from Far jump 0x0033:0x7******* to ZwQuerySection
- 24. Injection & Migration CreateProcessInternalW(suspended) CreateSection() MapViewOfSection(), Unmap(), MapViewOfSection() CreateSection(2) MapViewOfSection(), Unmap(), MapViewOfSection(2) ResumeThread() ExitProcess()
- 35. Hooks How Normal Applications Hook and why
- 36. Hooks 32bit system without hooks
- 37. Hooks 32bit API on WOW64bit system without hooks
- 38. Hooks 3 different areas of hooking in Betabot Hook @ KiFastSystemCall (strictly x86 Environment) Hook @ Fs:[0xc0] (WOW64 handler for x86 API) Hook @ 64Bit Api directly
- 39. Hooks 32bit
- 40. Hooks Wow64
- 42. Hooks
- 43. Explanation for 64bit handler
- 55. Queries?