
Technical Workshop - Win32/Georbot Analysis



  1. Technical Workshop - Win32/Georbot Analysis
  2. Introduction
     • Based in Montreal
     • Studies in computer engineering at Ecole Polytechnique
     • Malware analysis
     • Focus on investigation and understanding trends
  3. Labs' Objectives
     • Gain hands-on knowledge on malware analysis
       • Obfuscation
       • Persistence
       • C&C traffic
     • This case is *NOT* cutting edge, but a good summary of common things we see nowadays
  4. Win32/Georbot
     • One of our analysts reported an interesting string in a binary (
     • Started the investigation; we thought it was time sensitive and involved 3 guys for 3 days.
     • Interesting features
       • Document stealing
       • Audio / video capture
       • Etc.
  5. Win32/Georbot
     • Further analysis showed thousands of variants
     • We were able to track the evolution of the features
     • Track AV evasion techniques
  6. Win32/Georbot
  7. Workshop Outline
     1. Data obfuscation
     2. Control flow obfuscation
     3. API call obfuscation
     4. Answer basic malware analysis questions
     5. C&C network protocol
  8. Tools Required
     1. IDA 6.x (you can use the demo)
     2. Python interpreter w/ some modules for a web server
     3. Immunity Debugger / Olly Debugger
  9. IDA Python
     • Automate repetitive tasks in IDA
     • Read data (Byte, Word, Dword, etc.)
     • Change data (PatchByte, PatchWord, PatchDword, etc.)
     • Add comments (MakeComm)
     • Add cross references
     • User interaction
     • Etc.
  10. Data Obfuscation
     • Where's all my data?!
     • Debug the malware (in a controlled environment); do you see something appear? (0x407afb)
     • What happened? Find the procedure which decodes the data
     • Understand the obfuscation
     • Implement deobfuscation with IDA Python
  11. Data Obfuscation
  12. Control Flow Obfuscation
  13. Control Flow Obfuscation
     • Identify common obfuscation patterns
     • Find a straightforward replacement
     • Implement substitutions with IDA Python
     • Reanalyze the program; does it look better?
  14. Control Flow Obfuscation
     Obfuscated                  Deobfuscated
     push <addr>; ret            jmp <addr>
     push <addr>; jmp <addr>     call <addr> (will return to addr)
  15. API Call Obfuscation
     • Where are all my API calls?
     • Find and understand the hashing function
     • Brute force API calls and add comments to the IDB using IDA Python
  16. API Hashing Function
  17. Let's understand what's going on!
     • Can multiple instances of the malware run at the same time?
     • Is the malware persistent? How?
     • What is the command and control server?
     • What is the update mechanism for binaries?
     • Is there a C&C fallback mechanism?
  18. Additional work
     • Write a detection mechanism for an infected system
     • Implement a cleaner for this malware
       • Kill the process
       • Remove persistence
     • At what time interval does the malware probe its C&C server?
  19. 0x403AFD - cpuid
  20. C&C Protocol Analysis
     • What's the chain of events in the communication?
     • What is the information provided by the bot?
     • What type of answer is the bot expecting?
     • What are the different actions?
  21. C&C Commands (hash ; command)
     0A029h      ; find
     1675h       ; dir
     0A8FEh      ; load?
     22C4C1h     ; upload
     42985       ; main?
     0A866h      ; list?
     1175972831  ; upload_dir
     9C9Ch       ; ddos
     0B01Dh      ; scan
     47154       ; word
     2269271     ; system
     9FCCh       ; dump
     310946      ; photo
     440F6h
     18FEh       ; rdp
     4F5BBh      ; video
     3D0BD7C6h   ; screenshot
     741334016   ; password
     0DA8B3Ch    ; history
  22. (untitled)
     • What is this DNS query?
     • What can we do with it?
  23. GUID
     • What is at 0x0040A03D, and how is it used in the program?
  24. Conclusions
     • The set of questions to answer is often similar.
     • Don't focus on details; remember your objective, it's easy to get lost.
     • A mix of dynamic and static analysis is often the best solution for quick understanding of a new malware family.
  25. Thank You
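The two substitutions from the Control Flow Obfuscation slide (push/ret to jmp, push/jmp to call), written as a byte-level rewriter in plain Python so it can run outside IDA; this is an added example, not workshop material or Georbot code. It assumes 32-bit x86 with the 5-byte push imm32 / jmp rel32 / call rel32 encodings, a constructed sample buffer, and a linear byte scan in place of walking IDA's instruction heads.

```python
import struct

# x86 (32-bit) opcodes: push imm32, ret, jmp rel32, call rel32, nop
PUSH_IMM32, RET, JMP_REL32, CALL_REL32, NOP = 0x68, 0xC3, 0xE9, 0xE8, 0x90

def rel32(insn_addr, target):
    """Displacement bytes for a 5-byte E8/E9 at insn_addr reaching target."""
    return struct.pack("<I", (target - (insn_addr + 5)) & 0xFFFFFFFF)

def deobfuscate(code, base):
    """Apply the slide's two substitutions in place, keeping sizes equal.

    push T; ret    (6 bytes)  -> jmp T; nop
    push R; jmp T  (10 bytes) -> call T; jmp R   (call T; 5 x nop when R is
                                                  simply the next instruction)
    Simplification: bytes are scanned linearly; inside IDA you would walk
    instruction heads so that a 0x68 inside an immediate is never matched.
    """
    buf = bytearray(code)
    i = 0
    while i < len(buf):
        at = base + i                       # virtual address of buf[i]
        if buf[i] == PUSH_IMM32 and i + 6 <= len(buf) and buf[i + 5] == RET:
            target = struct.unpack_from("<I", buf, i + 1)[0]
            buf[i] = JMP_REL32
            buf[i + 1:i + 5] = rel32(at, target)
            buf[i + 5] = NOP
            i += 6
        elif buf[i] == PUSH_IMM32 and i + 10 <= len(buf) and buf[i + 5] == JMP_REL32:
            ret_addr = struct.unpack_from("<I", buf, i + 1)[0]
            disp = struct.unpack_from("<i", buf, i + 6)[0]
            target = (at + 10 + disp) & 0xFFFFFFFF
            buf[i] = CALL_REL32
            buf[i + 1:i + 5] = rel32(at, target)
            if ret_addr == at + 10:         # return lands on next insn: plain call
                buf[i + 5:i + 10] = bytes([NOP] * 5)
            else:                           # return diverted: call, then jmp R
                buf[i + 5] = JMP_REL32
                buf[i + 6:i + 10] = rel32(at + 5, ret_addr)
            i += 10
        else:
            i += 1
    return bytes(buf)

# Constructed sample at base 0x401000 (not real Georbot bytes):
#   push 0x401010 ; ret            -> jmp 0x401010 ; nop
#   push 0x401020 ; jmp 0x402000   -> call 0x402000 ; jmp 0x401020
SAMPLE = bytes.fromhex("6810104000C3" "6820104000E9F00F0000")
DEOBFUSCATED = deobfuscate(SAMPLE, 0x401000)
```

Load the result back into IDA (or compare it against the original in a hex view) and the push/ret trampolines become direct jumps the disassembler can follow.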