2. Disclaimer
The content, demonstrations, source code and programs
presented here are provided "AS IS" without any warranty or
conditions of any kind. The views, ideas and knowledge
expressed here are solely mine and have nothing to do
with the company or organization for which I am
currently working.
Under no circumstances is either I or Cysinfo
responsible for any damage or loss caused by the use or
misuse of the information presented here.
4. Why Betabot?
Difficult to understand
No cracked builder
No good write-up
Super Duper Rootkit as Advertised
Complaint for Removal
Harassment for other Criminals
5. Information
Samples used can be downloaded from malwarenet.com
Betabot 1.7 was used
Bot was analyzed on Win7 SP1 64-bit
Required tools: OllyDbg, WinDbg, x64dbg, IDA Pro
6. Introduction
A typical botnet, but with good features
Botkiller
AV Killer
UAC SE trick
UserKit for x86/x64
Anti Bootkit
Usermode SandBox evasion
Proactive Defense
DnsBlocker/Redirect
File Search & Grab
Formgrabber for IE/FF/CH (x86 & x64) including SPDY grabber
12. Unpacking
Place 0xEB 0xFE (jmp $, a two-byte infinite loop) @ CreateProcessInternalW
No debugger usage
Automate
Attach Olly
Bp @ CreateProcessInternalW
Hit, then Automate till ntdll!NtWriteVirtualMemory comes up
38. Hooks
3 different areas of hooking in Betabot
Hook @ KiFastSystemCall (strictly x86 environment)
Hook @ fs:[0xC0] (WOW64 handler for x86 API calls)
Hook @ 64Bit Api directly
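As an added example (not from the deck), a small Python classifier that checks entry bytes captured from a process at the first two hook sites listed above against their documented Win7 layouts: an intact KiFastSystemCall prologue, and a far jmp to selector 0x33 at the stub that fs:[0xC0] points to. All addresses and byte samples are constructed placeholders; the direct 64-bit API hook is not covered.

```python
import struct

# Baseline layout on Win7 SP1 x86 / WOW64 (the environment the deck analyses):
# ntdll!KiFastSystemCall starts with `mov edx, esp ; sysenter ; ret`, and in a
# WOW64 process the stub that fs:[0xC0] points to is a far jmp to selector 0x33.
KIFASTSYSTEMCALL_PROLOGUE = bytes.fromhex("8BD40F34C3")
WOW64_CODE_SELECTOR = 0x33

def decode_control_transfer(entry: bytes, addr: int):
    """Return (mnemonic, target) if the first instruction at addr jumps away, else None."""
    if len(entry) >= 5 and entry[0] == 0xE9:                      # jmp rel32
        return "jmp rel32", (addr + 5 + struct.unpack_from("<i", entry, 1)[0]) & 0xFFFFFFFF
    if len(entry) >= 2 and entry[0] == 0xEB:                      # jmp rel8 (EB FE = jump-to-self)
        return "jmp rel8", (addr + 2 + struct.unpack_from("<b", entry, 1)[0]) & 0xFFFFFFFF
    if len(entry) >= 6 and entry[0] == 0x68 and entry[5] == 0xC3:  # push imm32 ; ret
        return "push/ret", struct.unpack_from("<I", entry, 1)[0]
    if len(entry) >= 7 and entry[0] == 0xEA:                      # jmp far ptr16:32
        off, sel = struct.unpack_from("<IH", entry, 1)
        return "jmp far", (sel, off)
    return None

def classify_kifastsystemcall(entry: bytes, addr: int, ntdll_range):
    """'clean' if the prologue is intact, 'hooked' if control leaves ntdll, else 'suspicious'."""
    if entry.startswith(KIFASTSYSTEMCALL_PROLOGUE):
        return "clean"
    xfer = decode_control_transfer(entry, addr)
    if xfer and xfer[0] != "jmp far":
        lo, hi = ntdll_range
        return "suspicious" if lo <= xfer[1] < hi else "hooked"
    return "suspicious"

def classify_wow64_gate(entry: bytes, addr: int):
    """The fs:[0xC0] stub must be a far jmp to selector 0x33; a near transfer means it was redirected."""
    xfer = decode_control_transfer(entry, addr)
    if xfer and xfer[0] == "jmp far" and xfer[1][0] == WOW64_CODE_SELECTOR:
        return "clean"
    return "hooked" if xfer else "suspicious"

def jmp_rel32(addr: int, target: int) -> bytes:
    """Encode `jmp target` as placed at addr (used here only to build sample bytes)."""
    return b"\xE9" + struct.pack("<i", target - (addr + 5))

# Constructed samples: every address below is a placeholder, not a value from the deck.
NTDLL = (0x77E40000, 0x77F80000)
KIFSC = 0x77E45C70
CLEAN_KIFSC = KIFASTSYSTEMCALL_PROLOGUE + b"\x90\x90"
HOOKED_KIFSC = jmp_rel32(KIFSC, 0x003A1000) + b"\x90\x90"         # jumps into a private allocation
WOW64_GATE = 0x7FFDF0C0                                           # stub address read from fs:[0xC0]
CLEAN_GATE = b"\xEA" + struct.pack("<IH", 0x74089000, WOW64_CODE_SELECTOR)
HOOKED_GATE = jmp_rel32(WOW64_GATE, 0x00261000) + b"\x90\x90"
```

Feed it the real bytes read from the target process (e.g. from a debugger memory dump) and the module range from the loaded-module list; the EB FE case is also what the unpacking trick above plants.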