Win32/Betabot (alias Neurevt)

Postby radikal » Tue Mar 05, 2013 2:54 am

I recently got a bin of some interesting bot with a ring3 rootkit. I executed it on XP in VMware, and I cannot kill the process it injects into. Can someone do a brief analysis of what techniques it uses?

http://anubis.iseclab.org/?action=resul ... c290d02258

Re: Ring3 Rootkit

Postby EP_X0FF » Tue Mar 05, 2013 5:55 am

Why do you think this is rootkit?

Trivial infostealer backdoor with a huge AV blacklist inside, plus a trick inspired by this thread: viewtopic.php?f=11&t=1926. Pretty fresh (compiled 04 March), that's why it is not detected well.

In order to fool the casual user and complicate removal, this malware (original name vBetaLib.exe) creates an autorun entry %ProgramFiles%\Common Files\CreativeAudio.{2227A280-3AEA-1069-A2DE-08002B30309D} with a hardcoded CLSID value which represents the standard Windows "Printers" folder. It damages Explorer settings to turn off the display of "hidden" and "system" files.

In order to communicate with the operator, this malware uses code injection into a wuauclt.exe process it executes. Bugged like hell. Able to spread via Skype Messenger. Contains several Spanish/Turkish/English messages.

Another mad skillz trash from HF?

Re: Ring3 Rootkit

Postby R00tKit » Tue Mar 05, 2013 6:56 am

Why do you think this is rootkit?

I think this idea comes from this: the wuauclt.exe process can't be killed with procexp, taskkill or taskmgr, and on my OS "Rootkit Unhooker" failed to start.
XueTr kills it, and it is "inaccessible from user mode" in XueTr and Kernel Detective.
Permissions on the process object in procexp.exe are disabled and the security tab is empty.

But anyway, this is not a rootkit.

Re: Ring3 Rootkit

Postby EP_X0FF » Tue Mar 05, 2013 7:38 am

Hard to call it a rootkit, but:

It hooks KiFastSystemCall and filters system calls.

Short jump to PUSH/RET with the target inside the injected malware binary in the 0x7FFXXXXX address range.

Also used for self-propagation purposes. Hook restoration is set on a short delay. Due to mass remote thread injection into different processes, wuauclt.exe will be respawned from other affected processes if terminated. Needs complex cleanup -> terminate everything started from Explorer and Explorer itself; after this it can be cleaned easily. Malware runs from the HKCU and HKLM \Run registry keys; disposition on disk already mentioned.

Symantec writeup: http://www.symantec.com/security_respon ... 16-2352-99
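An added detection example, written for this thread and not taken from the bot or from any poster: given a snapshot of bytes read out of a process at ntdll!KiFastSystemCall, it flags the short-jump-to-PUSH/RET detour described above and resolves where the stub sends every system call, so a cleaner can tell hooked processes from clean ones before touching them. The clean prologue bytes are Windows XP's; the hooked snapshot, its 0x7FF50C10 target and the ntdll image range used in the check are constructed values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Result of inspecting the bytes at ntdll!KiFastSystemCall. */
typedef enum {
    KFSC_CLEAN,          /* mov edx,esp ; sysenter ; ret                   */
    KFSC_HOOK_PUSH_RET,  /* jmp rel8 -> push imm32 ; ret (target resolved) */
    KFSC_MODIFIED,       /* prologue altered, stub shape not recognised    */
    KFSC_TOO_SHORT
} kfsc_state;

/* Clean Windows XP prologue: 8B D4 (mov edx,esp) 0F 34 (sysenter) C3 (ret). */
static const uint8_t KFSC_CLEAN_BYTES[5] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };

/*
 * code/len: bytes read from a suspect process starting at KiFastSystemCall.
 * ntdll_lo/ntdll_hi: that process's ntdll image range. On KFSC_HOOK_PUSH_RET
 * *target receives the address every system call is diverted to and
 * *outside_ntdll says whether it lies outside ntdll (i.e. in injected code).
 */
kfsc_state classify_kifastsystemcall(const uint8_t *code, size_t len,
                                     uint32_t ntdll_lo, uint32_t ntdll_hi,
                                     uint32_t *target, int *outside_ntdll)
{
    if (len < sizeof KFSC_CLEAN_BYTES) return KFSC_TOO_SHORT;
    if (memcmp(code, KFSC_CLEAN_BYTES, sizeof KFSC_CLEAN_BYTES) == 0)
        return KFSC_CLEAN;
    if (code[0] == 0xEB) {                 /* short jmp rel8 */
        long stub = 2 + (int8_t)code[1];   /* rel8 counts from the next insn */
        if (stub >= 0 && (size_t)stub + 6 <= len &&
            code[stub] == 0x68 && code[stub + 5] == 0xC3) {  /* push imm32 ; ret */
            uint32_t t = (uint32_t)code[stub + 1]       | (uint32_t)code[stub + 2] << 8 |
                         (uint32_t)code[stub + 3] << 16 | (uint32_t)code[stub + 4] << 24;
            if (target) *target = t;
            if (outside_ntdll) *outside_ntdll = (t < ntdll_lo || t >= ntdll_hi);
            return KFSC_HOOK_PUSH_RET;
        }
    }
    return KFSC_MODIFIED;
}

/* Constructed sample snapshot of a hooked process, not bytes dumped from the bot. */
static const uint8_t SAMPLE_HOOKED[] = {
    0xEB, 0x03,                    /* jmp +3 -> stub at offset 5               */
    0x0F, 0x34, 0xC3,              /* leftover sysenter ; ret of the original  */
    0x68, 0x10, 0x0C, 0xF5, 0x7F,  /* push 0x7FF50C10 (0x7FFxxxxx range)       */
    0xC3                           /* ret -> control lands in injected image   */
};
```

A scanner would call this once per process after reading the bytes with ReadProcessMemory; a KFSC_HOOK_PUSH_RET result with outside_ntdll set marks a process to terminate before cleaning disk and registry.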

Re: Win32/Betabot

Postby radikal » Tue Mar 05, 2013 12:47 pm

I am a bit of a newbie to malware analysis. I am trying to write a remover for this bot; I think it injects only into explorer.exe and wuauclt.exe. I tried to kill them both at once via XueTr, but I got a BSOD.
I am going to try to inject code into both processes just to SUSPEND all threads, then delete the file and registry entries.
Will that work, and is it a good approach?

Thanks for the time spent helping me :oops:

Re: Win32/Betabot

Postby EP_X0FF » Tue Mar 05, 2013 3:51 pm

radikal wrote:
I am a bit of a newbie to malware analysis. I am trying to write a remover for this bot; I think it injects only into explorer.exe and wuauclt.exe. I tried to kill them both at once via XueTr, but I got a BSOD.
I am going to try to inject code into both processes just to SUSPEND all threads, then delete the file and registry entries.
Will that work, and is it a good approach?

Thanks for the time spent helping me :oops:

Do you want to solve your task programmatically or by using a tool?

If the first, then you will have to find a way to open the affected processes bypassing the KiFastSystemCall hook, for example by a direct syscall of NtOpenProcess.
If the second, then forget about XueTr, it's a bugfest; use wj32's Process Hacker, it should be able to solve this task as it terminates processes from a driver.

Re: Win32/Betabot

Postby radikal » Tue Mar 05, 2013 4:03 pm

I want to solve the issue programmatically. I believe I have to inject code into all malware processes, and then suspend and kill them from inside.
Injecting code should be easy; I just have to find in which processes exactly it resides.

Re: Win32/Betabot

Postby EP_X0FF » Tue Mar 05, 2013 4:09 pm

radikal wrote:
I want to solve the issue programmatically. I believe I have to inject code into all malware processes, and then suspend and kill them from inside.
Injecting code should be easy; I just have to find in which processes exactly it resides.

Not necessary; just kill all processes where this bot injected, there will not be so many. To locate all affected processes, do a simple memory scan, for example for various strings inside this bot. After this it will be unable to stop you from removing anything from disk or registry. Also make sure you terminated all the threads it injected inside your own app.

Re: Win32/Betabot

Postby Userbased » Thu Mar 14, 2013 4:37 pm

Latest version of the bot. Packed with a VB6 RunPE crypter.
Gate: highroller.pxnet.to:666/sbn-admin/order.php
Backup domains: sbn.pxnet.to, cpstw.santros.ws, ccc.santros.ws, vg.allrounders.cc, zp.swissfaking.biz

Re: Win32/Betabot

Postby Userbased » Mon May 06, 2013 1:56 pm

11 Betabot/Neurevt droppers

MD5 hashes attached.