Technical Workshop - Win32/Georbot Analysis
1 like836 views
This document summarizes a technical workshop on analyzing the Win32/Georbot malware. The workshop covers obfuscation techniques used like data obfuscation, control flow obfuscation and API call obfuscation. It also analyzes the malware's command and control protocol and discusses how to deobfuscate and better understand the malware using IDA Python and debugging tools. The objectives are to gain hands-on experience analyzing an actual malware sample and understand common obfuscation and persistence techniques seen in the wild.
Technical Workshop - Win32/Georbot Analysis
- 1. Technical Workshop - Win32/Georbot Analysis
- 2. Introduction • Based in Montreal • Studies in computer engineering at Ecole Polytechnique • Malware analysis • Focus on investigation and understanding trends
- 3. Labs’ Objectives • Gain hands-on knowledge on malware analysis • Obfuscation • Persistence • C&C traffic • This case is *NOT* cutting edge but a good summary of common things we see nowadays
- 4. Win32/Georbot • One of our analyst reported an interesting string in a binary (.gov.ge) • Started investigation, we thought it was time sensitive and involved 3 guys for 3 days. • Interesting feature • Document stealing • Audio / Video capture • Etc
- 5. Win32/Georbot • Further analysis showed thousands of variants • We were able to track the evolution of the features • Track AV evasion techniques
- 8. Workshop Outline 1. Data obfuscation 2. Control flow obfuscation 3. API call obfuscation 4. Answer basic malware analysis questions 5. C&C network protocol
- 9. Tools Required 1. IDA 6.x (you can use the demo) 2. Python interpreter w/ some modules for web server 3. Immunity Debugger / Olly Debugger
- 10. IDA Python • Automate repetitive tasks in IDA • Read data (Byte, Word, Dword, etc) • Change data (PatchByte, PatchWord, PatchDword, etc) • Add comments (MakeComm) • Add cross references • User interaction • Etc.
- 11. Data Obfuscation • Where’s all my data?! • Debug the malware (in a controlled environment), do you see something appear? (0x407afb) • What happened? Find the procedure which decodes the data • Understand obfuscation • Implement deobfuscation with IDA Python
- 12. Data Obfuscation
- 14. Control Flow Obfuscation • Identify common obfuscation patterns • Find a straight forward replacement • Implement substitutions with IDA Python • Reanalyze program, does it look better?
- 15. Control Flow Obfuscation Obfuscated Deobfuscated push <addr>; ret Jmp <addr> Push <addr> Call <addr> (will return to addr) jmp <addr>
- 16. API Call Obfuscation • Where are all my API calls? • Find and understand hashing function • Brute force API calls and add comments to IDB using IDA Python
- 18. Let’s understand what’s going on! • Can multiple instances of the malware run at the same time? • Is the malware persistent? How? • What is the command and control server? • What is the update mechanism for binaries? • Is there a C&C fallback mechanism?
- 19. Additional work • Write a detection mechanism for an infected system • Implement a cleaner for this malware • Kill the process • Remove persistence • At what time interval does the malware probe its C&C server?
- 21. C&C Protocol Analysis • What’s the chain of event in the communication • What is the information provided by the bot • What type of answer is the bot expecting? • What are the different actions?
- 22. C&C Commands 0A029h ; find 1675h ; dir 0A8FEh ; load? 22C4C1h ; upload 42985 ; main? 0A866h ; list? 1175972831 ; upload_dir 9C9Ch ; ddos 0B01Dh ; scan 47154 ; word 2269271 ; system 9FCCh ; dump 310946 ; photo 440F6h 18FEh ; rdp 4F5BBh ; video 3D0BD7C6h ; screenshot 741334016 ; password 0DA8B3Ch ; history
- 23. FALLBCK.com • What is this DNS query? • What can we do with it?
- 25. GUID • What is at 0x0040A03D, how is it used in program?
- 26. Conclusions • The set of questions to answer is often similar. • Don’t focus on details, remember your objective, its easy to get lost. • A mix of dynamic and static analysis is often the best solution for quick understanding of a new malware family.
- 27. Thank You