Win32/Betabot (alias Neurevt)

Forum for analysis and discussion about malware.
r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Re: Win32/Betabot (alias Neurevt)

Post by r3shl4k1sh » Sun Sep 22, 2013 2:15 am

More BetaBot:

In attach Unpacked + dump of config:
MD5 c6ca1470501c1d885717104ca9ac51e2
MD5 4046fd4e5ddfc40548c2316d6cd289f4
MD5 c994461c69b02a63d0f1bbcd2a56ba54

From the config of c6ca1470501c1d885717104ca9ac51e2:
  • Owner: the sky daddy
  • Dropped File name: svchost (win)
  • C&C(s):

    gate: sentryme.com/order.php
    
    gate: stayattentive.com/order.php
    
From the config of 4046fd4e5ddfc40548c2316d6cd289f4:
From the config of c994461c69b02a63d0f1bbcd2a56ba54:
  • Owner: nicksasa
  • Dropped File name: Magic Helper
  • C&C(s):

    gate: hxxp://imafaggot.pw/service/order.php
    
    gate: hxxp://winblowservice.hopto.org/service/order.php
    login: hxxp://winblowservice.hopto.org/service/login.php
    
    gate: hxxp://imtheop.redirectme.net/service/order.php
    login: hxxp://imtheop.redirectme.net/service/login.php
    
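The C&C entries in the dumps above come in a plain "gate:" / "login:" layout with hxxp defanging. As an added example (not from the original post or any analyst's tooling), a small Python parser that refangs those lines and groups the endpoints per host, so a defender gets one blocklist entry per C&C host while keeping the role of each path; the sample text is constructed from the entries quoted in this post:

```python
import re
from collections import defaultdict

# Constructed sample in the "gate:/login:" layout of the config dumps
# quoted in this thread (entries taken from the dumps posted above).
SAMPLE_DUMP = """
gate: sentryme.com/order.php

gate: stayattentive.com/order.php

gate: hxxp://winblowservice.hopto.org/service/order.php
login: hxxp://winblowservice.hopto.org/service/login.php

gate: hxxp://imtheop.redirectme.net/service/order.php
login: hxxp://imtheop.redirectme.net/service/login.php
"""

# One entry per line: role, colon, URL (scheme optional, may be defanged).
LINE_RE = re.compile(r"^\s*(gate|login)\s*:\s*(\S+)\s*$", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo the common 'hxxp'/'hxxps' defanging so the URL can be parsed."""
    return re.sub(r"^hxxps?://",
                  lambda m: m.group(0).lower().replace("hxxp", "http"),
                  url, flags=re.IGNORECASE)


def split_url(url: str):
    """Return (host, path) for a URL that may lack a scheme."""
    url = refang(url)
    if "://" in url:
        url = url.split("://", 1)[1]
    host, _, path = url.partition("/")
    return host.lower(), ("/" + path) if path else "/"


def parse_config(text: str) -> dict:
    """Group gate/login endpoints per C&C host.

    Returns {host: {"gate": [paths], "login": [paths]}}; blank lines and
    forum residue that do not match the role:URL shape are skipped.
    """
    hosts = defaultdict(lambda: {"gate": [], "login": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        role, url = m.group(1).lower(), m.group(2)
        host, path = split_url(url)
        if path not in hosts[host][role]:
            hosts[host][role].append(path)
    return dict(hosts)


def blocklist(config: dict) -> list:
    """Sorted unique host list suitable for DNS or proxy blocking."""
    return sorted(config)
```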

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Betabot (alias Neurevt)

Post by EP_X0FF » Sun Sep 22, 2013 5:41 am

From the inside - Betabot (c) 2012-2014, coded by Userbased.

As for the super-duper stealth loading - well, they just changed the handler of the NTDLL registry hook a bit; now it gives a faked registry path representing Betabot as a second copy of Explorer.exe. But this entry has a randomized name, which is itself suspicious by default. The malware body is still in the Common Files\Betabot folder + hidden attribute. While loading, the bot starts a zombified copy of explorer.exe and injects itself inside, performs hooking of KiFastSystemCall + some winsock routines (GetAddrInfo) and starts working, injecting itself into every newly started process. As it hooks NtOpenProcess in every injected process, you can't simply kill this explorer.exe zombie. The advertised AntiRovnix is based on an NtCreateFile handler where it monitors for DR(X) write access to the boot sector.

As for removal (even considering the huge AV blacklist inside, with the pagefile trick, image execution options etc.) it should be no problem for an AV if it knows it by signature. However, you can do it much faster in a few clicks with WinHex. Just open the disk in raw mode, navigate to the malware folder and wipe the MZ header. After reboot the malware will be dead. This is similar to the old RkU wipe-file feature.

What about the new "small" size? Well, it is a marketing trick. Betabot is now 3-staged. First - a script-kiddie vbrun crypter; second is a self-made Betabot pre-loader -> its purpose is to allocate ERW memory, decrypt the main bot into it and then transfer control. The main bot uses function pointers obtained by hashes (see 004203AD in stage 3 for the decoding). Clean stages 2 and 3 in attach.
Ring0 - the source of inspiration

Thanat0S
Posts: 19
Joined: Tue Aug 21, 2012 10:24 pm

Re: Win32/Betabot (alias Neurevt)

Post by Thanat0S » Sun Sep 22, 2013 10:11 am

EP_X0FF wrote:From the inside - Betabot (c) 2012-2014, coded by Userbased.

As for the super-duper stealth loading - well, they just changed the handler of the NTDLL registry hook a bit; now it gives a faked registry path representing Betabot as a second copy of Explorer.exe. But this entry has a randomized name, which is itself suspicious by default. The malware body is still in the Common Files\Betabot folder + hidden attribute. While loading, the bot starts a zombified copy of explorer.exe and injects itself inside, performs hooking of KiFastSystemCall + some winsock routines (GetAddrInfo) and starts working, injecting itself into every newly started process. As it hooks NtOpenProcess in every injected process, you can't simply kill this explorer.exe zombie. The advertised AntiRovnix is based on an NtCreateFile handler where it monitors for DR(X) write access to the boot sector.

As for removal (even considering the huge AV blacklist inside, with the pagefile trick, image execution options etc.) it should be no problem for an AV if it knows it by signature. However, you can do it much faster in a few clicks with WinHex. Just open the disk in raw mode, navigate to the malware folder and wipe the MZ header. After reboot the malware will be dead. This is similar to the old RkU wipe-file feature.

What about the new "small" size? Well, it is a marketing trick. Betabot is now 3-staged. First - a script-kiddie vbrun crypter; second is a self-made Betabot pre-loader -> its purpose is to allocate ERW memory, decrypt the main bot into it and then transfer control. The main bot uses function pointers obtained by hashes (see 004203AD in stage 3 for the decoding). Clean stages 2 and 3 in attach.

So Userbased == betamonkey, EP_X0FF? :o

Thanat0S
Posts: 19
Joined: Tue Aug 21, 2012 10:24 pm

Re: Win32/Betabot (alias Neurevt)

Post by Thanat0S » Sun Sep 22, 2013 10:13 am

I think anyone in the scene must create a builder for this shit and stop the game for this skid. The bin is compressed with the 7zip algo.

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Betabot (alias Neurevt)

Post by EP_X0FF » Sun Sep 22, 2013 10:48 am

String inside bot doesn't prove anything.

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: Win32/Betabot (alias Neurevt)

Post by Win32:Virut » Sun Sep 22, 2013 3:29 pm

Detected as Trojan:Win32/Neurevt.A by Microsoft.

TheExecuter
Posts: 25
Joined: Sat Aug 10, 2013 5:02 pm

Re: Win32/Betabot (alias Neurevt)

Post by TheExecuter » Sun Sep 22, 2013 9:42 pm

EP_X0FF wrote:As it hooks NtOpenProcess in every injected process you can't simply kill this explorer.exe zombie
Does it hook 64-bit processes also? If not, then procexp-64 could get it.
"Innovative injection technique(s) allow bypassing most antivirus HIPS solutions."
Found this advert, haven't actually seen the inside. Is this something new or already used methods?

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Betabot (alias Neurevt)

Post by EP_X0FF » Mon Sep 23, 2013 3:16 am

TheExecuter wrote:
As it hooks NtOpenProcess in every injected process you can't simply kill this explorer.exe zombie
Does it hook 64-bit processes also? If not, then procexp-64 could get it.
It has a tools blacklist inside, including Sysinternals. The bot is just WoW64 compatible, not x64.

Thanat0S
Posts: 19
Joined: Tue Aug 21, 2012 10:24 pm

Re: Win32/Betabot (alias Neurevt)

Post by Thanat0S » Mon Sep 23, 2013 4:28 am

It contains a blacklist of a lot of tools (Process Monitor, not Process Explorer; RKU, TCPView).
Also, on the skid forum, he (betamonkey) says it includes x64 support.

Thanat0S
Posts: 19
Joined: Tue Aug 21, 2012 10:24 pm

Re: Win32/Betabot (alias Neurevt)

Post by Thanat0S » Mon Sep 23, 2013 7:45 am

Does anyone have the panel src of 1.5, please?
