Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Travelling to the far side of Andromeda
Jose Miguel Esparza
$ whoami
 Jose Miguel Esparza
 Lead Threat Analyst at Fox-IT InTELL (NL)
• Malware, Botnets, C&Cs, Exploit Kits, …
 Sec...
Agenda
 Introduction
 Evolution of Andromeda
 The Dark Side of Andromeda
 Statistics
 Interesting use cases
 Conclus...
Introduction
 Developed during 2011 (probably 2010 too)
 First advertised in July 2011
 Modular and versatile bot
 Pin...
Evolution of Andromeda
 Binary
 Plugins
 Panel
Evolution of Andromeda
 Binary
• Request parameters
• Response encryption
• Plugins decryption
• Anti-analysis (and bypas...
Evolution of Andromeda
 Binary
• References
- http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis
- http:...
Evolution of Andromeda
 Binary
• Request parameters
- <= 2.06
 id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu
- 2.07/...
Evolution of Andromeda
Evolution of Andromeda
 Binary
• Anti-analysis
- Previous versions
 BP detection
 Custom exception handler
 Comodo / S...
Evolution of Andromeda
 Binary
• Anti-analysis
- Newer versions
 Just blacklisted processes (CRC32)
Evolution of Andromeda
Evolution of Andromeda
avpui.exe (Kaspersky)
Evolution of Andromeda
 Binary
• Bypassing anti-analysis
- Hardcoded system drive volume hash (previous versions)
 0x20C...
Evolution of Andromeda
 Binary
• They want to fool you
- Fake payload (old versions)
- Fake URL
- Overwritten code
- RC4 ...
Evolution of Andromeda
 Binary
• They want to fool you
- Fake payload (old versions)
 Cmd.exe in port 8000
Evolution of Andromeda
Evolution of Andromeda
 Binary
• They want to fool you
- Fake URLs
 thisshitismoresafethanpentagonfuckyoufedsbecausethis...
Evolution of Andromeda
 Binary
• They want to fool you
- Code to decrypt URLs removed (since 2.07)
Evolution of Andromeda
Evolution of Andromeda
 Binary
• They want to fool you
- RC4 algorithm modified (2.07/2.08)
 Replacing 1 byte (add/sub)
...
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda
 Binary
• They want to fool you
- Fake RC4 key
 MD5("go fuck yourself")
 754037e7be8f61cbb1b85ab...
Evolution of Andromeda
 Base plugins (older versions)
• Socks4
• Formgrabber
• Keylogger
• Ring3 Rootkit
Evolution of Andromeda
 Base plugins
• Socks5
• Formgrabber
• Keylogger
• TeamViewer
Evolution of Andromeda
 Additional plugins
• Tutorial/Help on how to write your own plugins
Evolution of Andromeda
 Additional plugins
• Pony
• Powershell + Embedded dlls
• Spam
• Proxy
• …
Evolution of Andromeda
 Panel
• Show bot information / stats
• Create tasks
• Check received logs (Formgrabber / Keylogge...
Evolution of Andromeda
Evolution of Andromeda
Evolution of Andromeda
 Panel
• No too many changes in last version
• Just added support for:
- TeamViewer
- JSON
The Dark Side of Andromeda
 Who is behind Andromeda?
The Dark Side of Andromeda
d40e75961383124949436f37f45a8cb6
The Dark Side of Andromeda
 Business model
• Selling bot licenses
• Charging per rebuild (bot)
• Payment
- BTC, Perfect M...
The Dark Side of Andromeda
 Builder
• Used to create the binaries
- URLs
- RC4 key
- Builder id
The Dark Side of Andromeda
 Jabber bot
• Fully active since Feb 2012
• Connected to customer DB
• Refill credit
• Build b...
The Dark Side of Andromeda
 Jabber bot
• resident: If the bot will remain installed in the system or not
• plugins: Can b...
The Dark Side of Andromeda
 Jabber bot
• ! set | resident | off
• ! build | 123ABC | http://first.com/gate.php |
http://s...
The Dark Side of Andromeda
 Prices
Product Old price
Bot v1.* $300
Bot v2.* $500
Socks4 Included
Formgrabber $500
Keylogg...
Statistics
Statistics
Statistics
Statistics
Statistics
Statistics
Interesting use cases
 The Anunak group
 Smilex
 GamaPOS
 Andromeda + TOR
 Andromeda + PDF
 Andromeda loving AV indu...
Interesting use cases
 The Anunak group
• Report published in December 2014 (Fox-IT+GroupIB)
• Russian banks and POS brea...
Interesting use cases
 Smilex
• Dridex operator
• Arrested some months ago in Cyprus
• Using Andromeda to distribute spam...
Interesting use cases
 GamaPOS
• TrendMicro (July 2015)
• Andromeda spread via DOC+Macro and Rig EK
• PsExec & Mimikatz
•...
Interesting use cases
 Andromeda + TOR
• Weird case
• Spotted by Jaime Blasco (AlienVault)
• Dropper on Malwr
• Setting u...
Interesting use cases
 Andromeda + PDF
• Curious case
• Binary executing Andromeda
• Opening decoy PDF file
Interesting use cases
Interesting use cases
 Andromeda loving AV industry
Interesting use cases
 Veronica´s botnet ;)
• Distributed same plugin, different hashes
• Spam bot (Jahoo/Otlarda)
- S:_s...
malware.dontneedcoffee.com
malware.dontneedcoffee.com
Conclusions
 Andromeda is far from dying
 Alive “project” and business
 Used by serious criminal gangs
 Interesting cu...
Acknowledgements
 Fox-IT InTELL
• Ronaldo Vasconcellos
• Alberto Ortega
• Frank Ruiz
 The Honeynet Project
 Malware res...
Thanks!!
Jose Miguel Esparza
http://eternal-todo.com
@EternalTodo
Upcoming SlideShare
Loading in …5
×

Travelling to the far side of Andromeda

1,380 views

Published on

Talk about Andromeda at Botconf 2015. Abstract:

Andromeda, also known as Gamarue by some Antivirus vendors, is a popular and modular bot active since 2011. It is normally used to spread additional malware, but sometimes, depending on the criminals, the main objective could be just stealing user credentials. After almost five years of life its development has not stopped. The people behind it keep maintaining it and adding functionalities, like new anti-analysis routines, changes in the communication encryption, new request formats, etc.

This talk will not give just details about the latest changes in the Andromeda binary and control panel, but it will also respond some interesting questions about this botnet. Which are the most popular versions used nowadays? Are most of the botnets spreading malware or just using its plugins? What are the most popular plugins? How and where is Andromeda sold? Who is selling it? What criminal groups are using Andromeda? It is not just a talk about malware reversing but about the whole Andromeda ecosystem.

Published in: Internet
  • Be the first to comment

Travelling to the far side of Andromeda

  1. 1. Travelling to the far side of Andromeda Jose Miguel Esparza
  2. 2. $ whoami  Jose Miguel Esparza  Lead Threat Analyst at Fox-IT InTELL (NL) • Malware, Botnets, C&Cs, Exploit Kits, …  Security Researcher at home ;) • peepdf, NFC, malware (again)  http://eternal-todo.com  @EternalTodo on Twitter
  3. 3. Agenda  Introduction  Evolution of Andromeda  The Dark Side of Andromeda  Statistics  Interesting use cases  Conclusions
  4. 4. Introduction  Developed during 2011 (probably 2010 too)  First advertised in July 2011  Modular and versatile bot  Pings C&C periodically asking for “tasks” • Executes additional malware (and updates) • Executes plugins • Capability to send tasks to specific countries/bots/build_ids  Spread via spam campaigns, loaders and Exploit Kits  Current version: 2.10
  5. 5. Evolution of Andromeda  Binary  Plugins  Panel
  6. 6. Evolution of Andromeda  Binary • Request parameters • Response encryption • Plugins decryption • Anti-analysis (and bypass!)
  7. 7. Evolution of Andromeda  Binary • References - http://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis - http://eternal-todo.com/blog/andromeda-gamarue-loves-json - http://blog.fortinet.com/post/andromeda-2-7-features - http://blog.fortinet.com/post/new-anti-analysis-tricks-in-andromeda-2-08 - http://stopmalvertising.com/spam-scams/cve-2013-2729-and-andromeda- 2.9-a-massive-hsbc-themed-email-campaign/andromeda-botnet.html
  8. 8. Evolution of Andromeda  Binary • Request parameters - <= 2.06  id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu - 2.07/2.08  id:%lu|bid:%lu|bv:%lu|os:%lu|la:%lu|rg:%lu - 2.09  id:%lu|bid:%lu|os:%lu|la:%lu|rg:%lu - 2.10  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu}  {"id":%lu, "bid":%lu, "os":%lu, "la":%lu, "rg":%lu, "bb":%lu}
  9. 9. Evolution of Andromeda
  10. 10. Evolution of Andromeda  Binary • Anti-analysis - Previous versions  BP detection  Custom exception handler  Comodo / Sandboxie  Process blacklist (custom hash)  VM detections  Time check (RDTSC)
  11. 11. Evolution of Andromeda  Binary • Anti-analysis - Newer versions  Just blacklisted processes (CRC32)
  12. 12. Evolution of Andromeda
  13. 13. Evolution of Andromeda avpui.exe (Kaspersky)
  14. 14. Evolution of Andromeda  Binary • Bypassing anti-analysis - Hardcoded system drive volume hash (previous versions)  0x20C7DD84 (CKF81X) - Special registry key (current version)  HKEY_LOCAL_MACHINESOFTWAREPolicies • is_not_vm =botid
  15. 15. Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions) - Fake URL - Overwritten code - RC4 algorithm modified - Fake RC4 key
  16. 16. Evolution of Andromeda  Binary • They want to fool you - Fake payload (old versions)  Cmd.exe in port 8000
  17. 17. Evolution of Andromeda
  18. 18. Evolution of Andromeda  Binary • They want to fool you - Fake URLs  thisshitismoresafethanpentagonfuckyoufedsbecausethisisaf.com/im age.php (2.06)  http://www.chudakov.net/goto.php?num=146897 (2.07)  http://s28.postimg.org/wmsgw5s23/image.jpg (2.08)  http://img4.joyreactor.cc/pics/post/... (2.08)
  19. 19. Evolution of Andromeda  Binary • They want to fool you - Code to decrypt URLs removed (since 2.07)
  20. 20. Evolution of Andromeda
  21. 21. Evolution of Andromeda  Binary • They want to fool you - RC4 algorithm modified (2.07/2.08)  Replacing 1 byte (add/sub)  Craziness trying to decrypt
  22. 22. Evolution of Andromeda
  23. 23. Evolution of Andromeda
  24. 24. Evolution of Andromeda
  25. 25. Evolution of Andromeda  Binary • They want to fool you - Fake RC4 key  MD5("go fuck yourself")  754037e7be8f61cbb1b85ab46c7da77d
  26. 26. Evolution of Andromeda  Base plugins (older versions) • Socks4 • Formgrabber • Keylogger • Ring3 Rootkit
  27. 27. Evolution of Andromeda  Base plugins • Socks5 • Formgrabber • Keylogger • TeamViewer
  28. 28. Evolution of Andromeda  Additional plugins • Tutorial/Help on how to write your own plugins
  29. 29. Evolution of Andromeda  Additional plugins • Pony • Powershell + Embedded dlls • Spam • Proxy • …
  30. 30. Evolution of Andromeda  Panel • Show bot information / stats • Create tasks • Check received logs (Formgrabber / Keylogger)
  31. 31. Evolution of Andromeda
  32. 32. Evolution of Andromeda
  33. 33. Evolution of Andromeda  Panel • No too many changes in last version • Just added support for: - TeamViewer - JSON
  34. 34. The Dark Side of Andromeda  Who is behind Andromeda?
  35. 35. The Dark Side of Andromeda d40e75961383124949436f37f45a8cb6
  36. 36. The Dark Side of Andromeda  Business model • Selling bot licenses • Charging per rebuild (bot) • Payment - BTC, Perfect Money
  37. 37. The Dark Side of Andromeda  Builder • Used to create the binaries - URLs - RC4 key - Builder id
  38. 38. The Dark Side of Andromeda  Jabber bot • Fully active since Feb 2012 • Connected to customer DB • Refill credit • Build binaries - Command sent to bot - Bot responds with links to the binaries
  39. 39. The Dark Side of Andromeda  Jabber bot • resident: If the bot will remain installed in the system or not • plugins: Can be disabled if you do not plan on using plug-ins • integrity: Add privilege elevation • services: Add functionality to stop and disable security services • vm: Add functionality to detect the virtual machines and "bad" software • dns: Specifies if the bot will use Google DNS servers to resolve domains • relocs: Relocation of sections in the executable
  40. 40. The Dark Side of Andromeda  Jabber bot • ! set | resident | off • ! build | 123ABC | http://first.com/gate.php | http://second.com/gate.php
  41. 41. The Dark Side of Andromeda  Prices Product Old price Bot v1.* $300 Bot v2.* $500 Socks4 Included Formgrabber $500 Keylogger $200 Ring3 Rootkit $300 Product Current price Bot v2.* $500 Rebuild (bot) $10 Socks5 Free Formgrabber $500 Keylogger $200 TeamViewer $500
  42. 42. Statistics
  43. 43. Statistics
  44. 44. Statistics
  45. 45. Statistics
  46. 46. Statistics
  47. 47. Statistics
  48. 48. Interesting use cases  The Anunak group  Smilex  GamaPOS  Andromeda + TOR  Andromeda + PDF  Andromeda loving AV industry
  49. 49. Interesting use cases  The Anunak group • Report published in December 2014 (Fox-IT+GroupIB) • Russian banks and POS breaches • Andromeda botnet - Gozi/ISFB variant dropping Andromeda - Andromeda dropping Anunak
  50. 50. Interesting use cases  Smilex • Dridex operator • Arrested some months ago in Cyprus • Using Andromeda to distribute spambot (FortDisco) • Spambot distributing Dridex via doc+macro
  51. 51. Interesting use cases  GamaPOS • TrendMicro (July 2015) • Andromeda spread via DOC+Macro and Rig EK • PsExec & Mimikatz • GamaPOS in certain bots
  52. 52. Interesting use cases  Andromeda + TOR • Weird case • Spotted by Jaime Blasco (AlienVault) • Dropper on Malwr • Setting up proxy in the registry…
  53. 53. Interesting use cases  Andromeda + PDF • Curious case • Binary executing Andromeda • Opening decoy PDF file
  54. 54. Interesting use cases
  55. 55. Interesting use cases  Andromeda loving AV industry
  56. 56. Interesting use cases  Veronica´s botnet ;) • Distributed same plugin, different hashes • Spam bot (Jahoo/Otlarda) - S:_src_bor_softJSS_kitJahooReleaseJahoo32.pdb • Documented by Kafeine 5 days ago
  57. 57. malware.dontneedcoffee.com
  58. 58. malware.dontneedcoffee.com
  59. 59. Conclusions  Andromeda is far from dying  Alive “project” and business  Used by serious criminal gangs  Interesting custom plugins
  60. 60. Acknowledgements  Fox-IT InTELL • Ronaldo Vasconcellos • Alberto Ortega • Frank Ruiz  The Honeynet Project  Malware research community • Alexandru Maximciuc (Bitdefender)  Botconf
  61. 61. Thanks!! Jose Miguel Esparza http://eternal-todo.com @EternalTodo

×