This document summarizes the analysis of the Betabot malware. It describes how the malware unpacks itself in multiple stages using common unpacking techniques. It also discusses the malware's anti-analysis behaviors, injection and migration methods, and how it hooks various system calls on 32-bit and 64-bit systems to maintain persistence. The document provides technical details on the malware's behavior and interesting internal workings.

1. Dissecting BetaBot
Raghav Pande
Researcher @ FireEye

2. Disclaimer
The Content, Demonstration, Source Code and Programs
presented here is "AS IS" without any warranty or conditions
of any kind. Also the views/ideas/knowledge expressed here
are solely mine and have nothing to do with the company or the
organization in which i am currently working.
However in no circumstances neither me nor SecurityXploded
is responsible for any damage or loss caused due to use or
misuse of the information presented here.

3. Content
Introduction
Static
Behavior
Anti R.E.
Injection
Hooking Methodology
Interesting Areas

4. Why Betabot?
Difficult to understand
No Cracked builder
No good Writeup
Super Duper Rootkit as Advertised
Complaint for Removal
Harassment for other Criminals

5. Information
Samples used can be downloaded from
malwarenet.com
Betabot 1.7 was used
Bot was analyzed on Win7 Sp1 64bit
Required Tools: Ollydbg, Windbg, x64dbg, Ida
Pro

6. Introduction
Typical Botnet but with good features
Botkiller
AV Killer
UAC SE trick
UserKit for x86/x64
Anti Bootkit
Usermode SandBox evasion
Proactive Defense
DnsBlocker/Redirect
File Search & Grab
Formgrabber for IE/FF/CH (x86 & x64) including SPDY grabber

7. Advert

9. Static
Throw Wild binary in IDA

10. Unpacking
Unpacking 101: Throw in Olly
Bp @ ntdll!NtWriteVirtualMemory
Bp @ ntdll!NtResumeThread
Automate
Dump PE header

11. Unpacking

12. Unpacking
Place 0xEb 0xFe @ CreateProcessInternalW
No debugger usage
Automate
Attach Olly
Bp @ CreateProcessInternalW
Hit, Then Automate till
ntdll!NtWriteVirtualMemory comes up

13. Unpacking

14. Unpacking

15. Unpacking stage2

16. Unpacking stage2
Random Routine & POI

17. Unpacking stage2
Last Routine & POI

18. Unpacking Stage2
Et' Voila

19. Behavior
Anti RE
FS:[0x30] + 2
DbgBreakPoint() = 0x90
Ntdll!NtQueryInformationProcess()
Ntdll!NtSetInformationThread()

20. Behavior
NtQueryInformationProcess

21. Behavior
NtQueryInformationProcess
Note: [119f590] = address of ZwQuerySection
if [Ebp - 1] == 1 (debugger found)
modify Fs:[0xc0] from Far jump
0x0033:0x7*******
to ZwQuerySection

22. Behavior
EIP result

23. Behavior
Other aspects

24. Injection & Migration
CreateProcessInternalW(suspended)
CreateSection()
MapViewOfSection(), Unmap(),
MapViewOfSection()
CreateSection(2)
MapViewOfSection(), Unmap(),
MapViewOfSection(2)
ResumeThread()
ExitProcess()

25. Injection & Migration

26. Injection & Migration

27. Injection & Migration

28. Injection & Migration

29. Injection & Migration

30. Injection & Migration

31. Injection & Migration

32. Injection & Migration

33. Injection & Migration

34. Injection & Migration

35. Hooks
How Normal Applications Hook and why

36. Hooks
32bit system without hooks

37. Hooks
32bit API on WOW64bit system without hooks

38. Hooks
3 different areas of hooking in Betabot
Hook @ KiFastSystemCall (strictly x86
Environment)
Hook @ Fs:[0xc0] (WOW64 handler for x86 API)
Hook @ 64Bit Api directly

39. Hooks
32bit

40. Hooks
Wow64

41. Hooks
64bit Process

42. Hooks

43. Explanation for 64bit handler

44. Interesting Areas

45. Interesting Areas

46. Interesting Areas

47. Interesting Areas

48. Interesting Areas

49. Interesting Areas

50. Interesting Areas

51. Interesting Areas

52. Interesting Areas

53. Interesting Areas

54. References
blog.gdatasoftware.com
kernelmode.info

55. Queries?