A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20902  by r3shl4k1sh
 Sun Sep 22, 2013 2:15 am
More BetaBot:

In attach Unpacked + dump of config:
MD5 c6ca1470501c1d885717104ca9ac51e2
MD5 4046fd4e5ddfc40548c2316d6cd289f4
MD5 c994461c69b02a63d0f1bbcd2a56ba54

From the config of c6ca1470501c1d885717104ca9ac51e2:
  • Owner: the sky daddy
  • Dropped File name: svchost (win)
  • C&C(s):
    Code: Select all
    gate: sentryme.com/order.php
    
    gate: stayattentive.com/order.php
    
From the config of 4046fd4e5ddfc40548c2316d6cd289f4: From the config of c994461c69b02a63d0f1bbcd2a56ba54:
  • Owner: nicksasa
  • Dropped File name: Magic Helper
  • C&C(s):
    Code: Select all
    gate: hxxp://imafaggot.pw/service/order.php
    
    gate: hxxp://winblowservice.hopto.org/service/order.php
    login: hxxp://winblowservice.hopto.org/service/login.php
    
    gate: hxxp://imtheop.redirectme.net/service/order.php
    login: hxxp://imtheop.redirectme.net/service/login.php
    
Attachments
pass: infected
(113.37 KiB) Downloaded 83 times
pass: infected
(113.95 KiB) Downloaded 85 times
pass: infected
(114.62 KiB) Downloaded 82 times
 #20904  by EP_X0FF
 Sun Sep 22, 2013 5:41 am
From the inside - Betabot (c) 2012-2014, coded by Userbased.

As for super-duper stealth loading - well just changed a bit handler of NTDLL registry hook, now it is giving faked registry path representing Betabot as second copy of Explorer.exe. But this entry has randomized name which itself is suspicious by default. Malware body still in Common Files\Betabot folder + hidden attribute. While loading bot starts zombified copy of explorer.exe and injects itself inside, performs hooking of KiFastSystemCall + some winsock routines (GetAddrInfo) and start working, injecting itself in every newly started process. As it hooks NtOpenProcess in every injected process you can't simple kill this explorer.exe zombie. Adverted AntiRovnix is based on NtCreateFile handler where it monitors for DR(X) write access at boot sector.

As for removal (even considering huge AV blacklist inside with pagefile trick, image execution options etc) it should be no problem for AV if it knowns it by signature. However you can do it much faster in few clicks with WinHex. Just open disk in raw mode, navigate to malware folder and wipe MZ header. After reboot malware will be dead. This is similar to old RkU wipe file feature.

What about new "small" size. Well it is marketing trick. Betabot is now 3 staged. First - script-kiddie vbrun cryper, second is self-made Betabot pre-loader -> purpose allocate ERW memory, decrypt main bot to it and transfer control then. Main bot using function pointers obtained by hashes (see for decoding 004203AD in 3 stage). Clean 2, 3 stages in attach.
Attachments
pass: infected
(241.99 KiB) Downloaded 84 times
 #20906  by Thanat0S
 Sun Sep 22, 2013 10:11 am
EP_X0FF wrote:From the inside - Betabot (c) 2012-2014, coded by Userbased.

As for super-duper stealth loading - well just changed a bit handler of NTDLL registry hook, now it is giving faked registry path representing Betabot as second copy of Explorer.exe. But this entry has randomized name which itself is suspicious by default. Malware body still in Common Files\Betabot folder + hidden attribute. While loading bot starts zombified copy of explorer.exe and injects itself inside, performs hooking of KiFastSystemCall + some winsock routines (GetAddrInfo) and start working, injecting itself in every newly started process. As it hooks NtOpenProcess in every injected process you can't simple kill this explorer.exe zombie. Adverted AntiRovnix is based on NtCreateFile handler where it monitors for DR(X) write access at boot sector.

As for removal (even considering huge AV blacklist inside with pagefile trick, image execution options etc) it should be no problem for AV if it knowns it by signature. However you can do it much faster in few clicks with WinHex. Just open disk in raw mode, navigate to malware folder and wipe MZ header. After reboot malware will be dead. This is similar to old RkU wipe file feature.

What about new "small" size. Well it is marketing trick. Betabot is now 3 staged. First - script-kiddie vbrun cryper, second is self-made Betabot pre-loader -> purpose allocate ERW memory, decrypt main bot to it and transfer control then. Main bot using function pointers obtained by hashes (see for decoding 004203AD in 3 stage). Clean 2, 3 stages in attach.
so Userbased == betamonkey, EP_X0FF? :o
 #20907  by Thanat0S
 Sun Sep 22, 2013 10:13 am
I think anyone in the scene must create a builder to this shit and stop the game to this skid. bin is compressed with 7zip algo.
 #20908  by EP_X0FF
 Sun Sep 22, 2013 10:48 am
String inside bot doesn't prove anything.
 #20914  by TheExecuter
 Sun Sep 22, 2013 9:42 pm
As it hooks NtOpenProcess in every injected process you can't simple kill this explorer.exe zombie
it hooks 64bit processes also? if not then procexp-64 could get it.
Innovative injection technique(s) allow bypassing most antivirus HIPS solutions.
found this advert, haven't actually seen the inside. is something new or already used methods?
 #20919  by EP_X0FF
 Mon Sep 23, 2013 3:16 am
TheExecuter wrote:
As it hooks NtOpenProcess in every injected process you can't simple kill this explorer.exe zombie
it hooks 64bit processes also? if not then procexp-64 could get it.
It has tools blacklist inside, including sysinternals. Bot just wow64 compatible, not x64.
 #20920  by Thanat0S
 Mon Sep 23, 2013 4:28 am
it contains blacklist of a lot of tools ( process monitor not process exp, RKU, tcpview )
also, In the skid forum, he (betamoneky) says it includes x64 support.