Technical Workshop - Win32/Georbot Analysis
Presentation Transcript

  • Technical Workshop - Win32/Georbot Analysis
  • Introduction
      • Based in Montreal
      • Studies in computer engineering at Ecole Polytechnique
      • Malware analysis
      • Focus on investigation and understanding trends
  • Labs’ Objectives
      • Gain hands-on knowledge of malware analysis
          • Obfuscation
          • Persistence
          • C&C traffic
      • This case is *NOT* cutting edge, but it is a good summary of common things we see nowadays
  • Win32/Georbot
      • One of our analysts reported an interesting string in a binary
      • We started the investigation; we thought it was time sensitive, so it involved 3 people for 3 days
      • Interesting features
          • Document stealing
          • Audio / video capture
          • Etc.
  • Win32/Georbot
      • Further analysis showed thousands of variants
      • We were able to track the evolution of the features
      • Track AV evasion techniques
  • Win32/Georbot
  • Workshop Outline
      1. Data obfuscation
      2. Control flow obfuscation
      3. API call obfuscation
      4. Answer basic malware analysis questions
      5. C&C network protocol
  • Tools Required
      1. IDA 6.x (you can use the demo)
      2. Python interpreter with some modules for a web server
      3. Immunity Debugger / Olly Debugger
  • IDA Python
      • Automate repetitive tasks in IDA
      • Read data (Byte, Word, Dword, etc.)
      • Change data (PatchByte, PatchWord, PatchDword, etc.)
      • Add comments (MakeComm)
      • Add cross references
      • User interaction
      • Etc.
  • Data Obfuscation
      • Where’s all my data?!
      • Debug the malware (in a controlled environment): do you see something appear? (0x407afb)
      • What happened? Find the procedure which decodes the data
      • Understand the obfuscation
      • Implement deobfuscation with IDA Python
  • Data Obfuscation
  • Control Flow Obfuscation
  • Control Flow Obfuscation
      • Identify common obfuscation patterns
      • Find a straightforward replacement
      • Implement substitutions with IDA Python
      • Reanalyze the program: does it look better?
  • Control Flow Obfuscation

        Obfuscated                  Deobfuscated
        push <addr>; ret            jmp <addr>
        push <addr>; jmp <addr>     call <addr> (will return to addr)

  • API Call Obfuscation
      • Where are all my API calls?
      • Find and understand the hashing function
      • Brute force API calls and add comments to the IDB using IDA Python
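As an added example (not part of the workshop material), the two substitutions from the table above applied to a raw x86-32 byte buffer in plain Python, so it runs outside IDA; inside IDA the same rewrite would go through PatchByte/PatchDword over instruction heads rather than this linear byte scan, which can match the pattern inside data. The sample bytes and the 0x401000 base address are constructed for the demo.

```python
import struct

# x86-32 opcodes used by the two patterns on the slide
PUSH_IMM32, RET, JMP_REL32, CALL_REL32, NOP = 0x68, 0xC3, 0xE9, 0xE8, 0x90


def deobfuscate(code: bytes, base: int) -> bytes:
    """Return a copy of `code` (mapped at `base`) with
    'push <addr>; ret'         rewritten to 'jmp <addr>; nop' and
    'push <addr>; jmp <addr2>' rewritten to 'nop*5; call <addr2>'.
    The second rewrite is only valid when <addr> is the address right
    after the pair, i.e. the return address a real call would push;
    any other push/jmp pair is left untouched."""
    out = bytearray(code)
    i = 0
    while i + 6 <= len(out):
        if out[i] == PUSH_IMM32:
            pushed = struct.unpack_from("<I", out, i + 1)[0]
            if out[i + 5] == RET:
                # jmp rel32 is relative to the end of the 5-byte jmp at i
                rel = (pushed - (base + i + 5)) & 0xFFFFFFFF
                out[i] = JMP_REL32
                struct.pack_into("<I", out, i + 1, rel)
                out[i + 5] = NOP            # the ret becomes padding
                i += 6
                continue
            if (i + 10 <= len(out) and out[i + 5] == JMP_REL32
                    and pushed == base + i + 10):
                # Keep the jmp's rel32: a call placed at i+5 ends at i+10,
                # exactly where the jmp ended, so the displacement is the
                # same, and the return address it pushes equals <addr>.
                out[i:i + 5] = bytes([NOP] * 5)
                out[i + 5] = CALL_REL32
                i += 10
                continue
        i += 1
    return bytes(out)


# Constructed sample mapped at 0x401000:
#   401000: push 0x401010 ; ret         -> jmp 0x401010 ; nop
#   401006: push 0x401010 ; jmp +0x20   -> nop*5 ; call 0x401030
#   401010: ret
BASE = 0x401000
SAMPLE = bytes.fromhex("6810104000c3" "6810104000e920000000" "c3")
EXPECTED = bytes.fromhex("e90b00000090" "9090909090e820000000" "c3")

if __name__ == "__main__":
    print(deobfuscate(SAMPLE, BASE).hex())  # e90b000000909090909090e820000000c3
```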
  • API Hashing Function
  • Let’s understand what’s going on!
      • Can multiple instances of the malware run at the same time?
      • Is the malware persistent? How?
      • What is the command and control server?
      • What is the update mechanism for binaries?
      • Is there a C&C fallback mechanism?
  • Additional work
      • Write a detection mechanism for an infected system
      • Implement a cleaner for this malware
          • Kill the process
          • Remove persistence
      • At what time interval does the malware probe its C&C server?
  • 0x403AFD - cpuid
  • C&C Protocol Analysis
      • What is the chain of events in the communication?
      • What information is provided by the bot?
      • What type of answer is the bot expecting?
      • What are the different actions?
  • C&C Commands

        0A029h     ; find
        1675h      ; dir
        0A8FEh     ; load?
        22C4C1h    ; upload
        42985      ; main?
        0A866h     ; list?
        1175972831 ; upload_dir
        9C9Ch      ; ddos
        0B01Dh     ; scan
        47154      ; word
        2269271    ; system
        9FCCh      ; dump
        310946     ; photo
        440F6h     ;
        18FEh      ; rdp
        4F5BBh     ; video
        3D0BD7C6h  ; screenshot
        741334016  ; password
        0DA8B3Ch   ; history

  • What is this DNS query?
      • What can we do with it?
  • GUID
      • What is at 0x0040A03D, and how is it used in the program?
  • Conclusions
      • The set of questions to answer is often similar.
      • Don’t focus on details; remember your objective, it’s easy to get lost.
      • A mix of dynamic and static analysis is often the best solution for a quick understanding of a new malware family.
  • Thank You