
Re: Win32/Betabot (alias Neurevt)

Posted: Sun Sep 22, 2013 2:15 am
by r3shl4k1sh
More BetaBot:

In attach Unpacked + dump of config:
MD5 c6ca1470501c1d885717104ca9ac51e2
MD5 4046fd4e5ddfc40548c2316d6cd289f4
MD5 c994461c69b02a63d0f1bbcd2a56ba54

From the config of c6ca1470501c1d885717104ca9ac51e2:
  • Owner: the sky daddy
  • Dropped File name: svchost (win)
  • C&C(s):
    gate: sentryme.com/order.php
    
    gate: stayattentive.com/order.php
    
From the config of 4046fd4e5ddfc40548c2316d6cd289f4:
From the config of c994461c69b02a63d0f1bbcd2a56ba54:
  • Owner: nicksasa
  • Dropped File name: Magic Helper
  • C&C(s):
    gate: hxxp://imafaggot.pw/service/order.php
    
    gate: hxxp://winblowservice.hopto.org/service/order.php
    login: hxxp://winblowservice.hopto.org/service/login.php
    
    gate: hxxp://imtheop.redirectme.net/service/order.php
    login: hxxp://imtheop.redirectme.net/service/login.php
    
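The gate/login lines in the config dumps above are the part a defender actually consumes: they become block-list entries and network detections. The script below is an added example (my code, not r3shl4k1sh's dump tool and not part of Betabot) that parses dump text in that format, handles both the bare `host/path` form of the first dump and the `hxxp://` defanged form of the second, de-duplicates gates that recur across configs, and emits defanged IoCs plus sinkhole lines for a hosts file. The sample config embedded in it is constructed from the gate lines posted above; the `gate:`/`login:` line format is the only assumption about the dump layout.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the format of the config dumps above (gate/login lines,
# some defanged with hxxp://, some written as bare host + path).
SAMPLE_CONFIG = """\
gate: sentryme.com/order.php

gate: stayattentive.com/order.php

gate: hxxp://winblowservice.hopto.org/service/order.php
login: hxxp://winblowservice.hopto.org/service/login.php

gate: hxxp://imtheop.redirectme.net/service/order.php
login: hxxp://imtheop.redirectme.net/service/login.php
"""

LINE_RE = re.compile(r"^\s*(gate|login)\s*:\s*(\S+)\s*$", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo hxxp:// and [.] defanging so the URL can be parsed."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident (hxxp://, [.] in the host)."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("tt", "xx")        # http -> hxxp, https -> hxxps
    host = parts.netloc.replace(".", "[.]")
    return f"{scheme}://{host}{parts.path}"


def parse_gates(text: str) -> list:
    """Extract (role, host, path, url) records from the gate:/login: lines of a dump."""
    entries, seen = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        role, raw = m.group(1).lower(), refang(m.group(2))
        if "://" not in raw:
            raw = "http://" + raw       # bare host/path form used in the first dump
        parts = urlsplit(raw)
        host = parts.netloc.lower()
        key = (role, host, parts.path)
        if key in seen:                 # the same gate often recurs across configs
            continue
        seen.add(key)
        entries.append({"role": role, "host": host, "path": parts.path, "url": raw})
    return entries


def unique_hosts(entries) -> list:
    return sorted({e["host"] for e in entries})


def hosts_file_block(entries) -> str:
    """Sinkhole lines for a hosts file, one per distinct C&C host."""
    return "\n".join(f"0.0.0.0 {h}" for h in unique_hosts(entries))


if __name__ == "__main__":
    found = parse_gates(SAMPLE_CONFIG)
    for e in found:
        print(f"{e['role']:5} {defang(e['url'])}")
    print(hosts_file_block(found))
```

Feeding it the raw text of a config dump gives a host list for DNS blocking and a path list (`/order.php`, `/service/login.php`) that can be turned into proxy or IDS matches on the URI.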

Re: Win32/Betabot (alias Neurevt)

Posted: Sun Sep 22, 2013 5:41 am
by EP_X0FF
From the inside - Betabot (c) 2012-2014, coded by Userbased.

As for super-duper stealth loading - well, they just changed the handler of the NTDLL registry hook a bit; now it gives a faked registry path representing Betabot as a second copy of Explorer.exe. But this entry has a randomized name, which itself is suspicious by default. The malware body is still in the Common Files\Betabot folder, with the hidden attribute. While loading, the bot starts a zombified copy of explorer.exe and injects itself inside, hooks KiFastSystemCall and some winsock routines (GetAddrInfo) and starts working, injecting itself into every newly started process. As it hooks NtOpenProcess in every injected process, you can't simply kill this explorer.exe zombie. The advertised AntiRovnix is based on an NtCreateFile handler which monitors for DR(X) write access to the boot sector.

As for removal (even considering the huge AV blacklist inside, with the pagefile trick, image execution options etc.), it should be no problem for an AV if it knows it by signature. However, you can do it much faster in a few clicks with WinHex. Just open the disk in raw mode, navigate to the malware folder and wipe the MZ header. After reboot the malware will be dead. This is similar to the old RkU wipe file feature.

What about the new "small" size? Well, it is a marketing trick. Betabot is now 3-staged. First - a script-kiddie vbrun crypter; second is the self-made Betabot pre-loader -> its purpose is to allocate ERW memory, decrypt the main bot into it and then transfer control. The main bot uses function pointers obtained by hashes (see 004203AD in the 3rd stage for the decoding). Clean 2nd and 3rd stages in attach.
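The point EP_X0FF makes about KiFastSystemCall and NtOpenProcess being hooked in every injected process is also the cheapest way to spot an infected process from the outside: read the first bytes of those ntdll functions in the target and compare them with the clean prologue. The block below is an added example of that check, written by me, not code from EP_X0FF or from the bot. It works on constructed byte strings; the clean prologue of ntdll!KiFastSystemCall on 32-bit Windows (`mov edx, esp; sysenter; ret`) is real, while the ntdll base, the function address and the "injected region" address are constructed values for the demo. A real tool would obtain the observed bytes with ReadProcessMemory and the clean bytes from the mapped ntdll on disk; the classification logic would be the same.

```python
import struct

# Clean first bytes of ntdll!KiFastSystemCall on 32-bit Windows:
#   8B D4     mov edx, esp
#   0F 34     sysenter
#   C3        ret
KIFASTSYSTEMCALL_CLEAN = bytes.fromhex("8BD40F34C3")

# Constructed addresses for the demo (not values taken from any sample):
NTDLL_RANGE = (0x7C900000, 0x7C9B0000)        # where ntdll is mapped in this fake process
KIFASTSYSTEMCALL_ADDR = 0x7C900100            # where the function sits inside it
INJECTED_REGION = 0x00401000                  # an unbacked region a hook could point to


def classify_prologue(name, clean, observed, addr, module_range=None):
    """Compare the in-process bytes of a function with its clean prologue.

    Returns a dict with status "clean" or "hooked"; for a hook, `kind` names the
    redirection pattern and `target` is where control goes (None if indirect).
    """
    if observed[: len(clean)] == clean:
        return {"name": name, "status": "clean", "kind": None, "target": None}

    kind, target = "unknown patch", None
    if len(observed) >= 5 and observed[0] == 0xE9:
        # E9 rel32: target = address of the next instruction + signed displacement
        disp = struct.unpack_from("<i", observed, 1)[0]
        kind, target = "jmp rel32", (addr + 5 + disp) & 0xFFFFFFFF
    elif len(observed) >= 6 and observed[:2] == b"\xFF\x25":
        # FF 25 abs32: jmp [slot]; the real target is read from that slot at run time
        kind = "jmp [abs32]"
    elif len(observed) >= 6 and observed[0] == 0x68 and observed[5] == 0xC3:
        # 68 imm32 / C3: push target; ret
        kind, target = "push/ret", struct.unpack_from("<I", observed, 1)[0]

    result = {"name": name, "status": "hooked", "kind": kind, "target": target}
    if target is not None and module_range is not None:
        lo, hi = module_range
        # A prologue that jumps out of its own module is the classic inline-hook sign
        result["target_outside_module"] = not (lo <= target < hi)
    return result


def scan(functions):
    """functions: iterable of (name, clean_bytes, observed_bytes, addr, module_range)."""
    return [classify_prologue(*f) for f in functions]


def hooked_names(results):
    return [r["name"] for r in results if r["status"] == "hooked"]


# Constructed observations, shaped like what a memory-reading tool would hand over:
CLEAN_OBSERVATION = KIFASTSYSTEMCALL_CLEAN + b"\x90\x90\x90"
HOOKED_OBSERVATION = (
    struct.pack("<Bi", 0xE9, INJECTED_REGION - (KIFASTSYSTEMCALL_ADDR + 5)) + b"\xC3\x90\x90"
)

SAMPLE_FUNCTIONS = [
    ("KiFastSystemCall (clean process)", KIFASTSYSTEMCALL_CLEAN,
     CLEAN_OBSERVATION, KIFASTSYSTEMCALL_ADDR, NTDLL_RANGE),
    ("KiFastSystemCall (infected process)", KIFASTSYSTEMCALL_CLEAN,
     HOOKED_OBSERVATION, KIFASTSYSTEMCALL_ADDR, NTDLL_RANGE),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_FUNCTIONS):
        print(r)
```

The same comparison applied to NtOpenProcess, GetAddrInfo and the other exports named in the post gives a per-process hook map; a target outside the owning module's range, especially in a region with no backing file, is the detail worth alerting on.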

Re: Win32/Betabot (alias Neurevt)

Posted: Sun Sep 22, 2013 10:11 am
by Thanat0S
EP_X0FF wrote:
From the inside - Betabot (c) 2012-2014, coded by Userbased.

As for super-duper stealth loading - well, they just changed the handler of the NTDLL registry hook a bit; now it gives a faked registry path representing Betabot as a second copy of Explorer.exe. But this entry has a randomized name, which itself is suspicious by default. The malware body is still in the Common Files\Betabot folder, with the hidden attribute. While loading, the bot starts a zombified copy of explorer.exe and injects itself inside, hooks KiFastSystemCall and some winsock routines (GetAddrInfo) and starts working, injecting itself into every newly started process. As it hooks NtOpenProcess in every injected process, you can't simply kill this explorer.exe zombie. The advertised AntiRovnix is based on an NtCreateFile handler which monitors for DR(X) write access to the boot sector.

As for removal (even considering the huge AV blacklist inside, with the pagefile trick, image execution options etc.), it should be no problem for an AV if it knows it by signature. However, you can do it much faster in a few clicks with WinHex. Just open the disk in raw mode, navigate to the malware folder and wipe the MZ header. After reboot the malware will be dead. This is similar to the old RkU wipe file feature.

What about the new "small" size? Well, it is a marketing trick. Betabot is now 3-staged. First - a script-kiddie vbrun crypter; second is the self-made Betabot pre-loader -> its purpose is to allocate ERW memory, decrypt the main bot into it and then transfer control. The main bot uses function pointers obtained by hashes (see 004203AD in the 3rd stage for the decoding). Clean 2nd and 3rd stages in attach.
so Userbased == betamonkey, EP_X0FF? :o

Re: Win32/Betabot (alias Neurevt)

Posted: Sun Sep 22, 2013 10:13 am
by Thanat0S
I think anyone in the scene should create a builder for this shit and stop the game for this skid. The bin is compressed with the 7zip algo.

Re: Win32/Betabot (alias Neurevt)

Posted: Sun Sep 22, 2013 10:48 am
by EP_X0FF
A string inside the bot doesn't prove anything.

Re: Win32/Betabot (alias Neurevt)

Posted: Sun Sep 22, 2013 3:29 pm
by Win32:Virut
Detected as Trojan:Win32/Neurevt.A by Microsoft.

Re: Win32/Betabot (alias Neurevt)

Posted: Sun Sep 22, 2013 9:42 pm
by TheExecuter
"As it hooks NtOpenProcess in every injected process you can't simply kill this explorer.exe zombie"
Does it hook 64-bit processes also? If not, then procexp-64 could get it.
"Innovative injection technique(s) allow bypassing most antivirus HIPS solutions."
Found this advert; haven't actually seen the inside. Is it something new, or already used methods?

Re: Win32/Betabot (alias Neurevt)

Posted: Mon Sep 23, 2013 3:16 am
by EP_X0FF
TheExecuter wrote:
"As it hooks NtOpenProcess in every injected process you can't simply kill this explorer.exe zombie"
Does it hook 64-bit processes also? If not, then procexp-64 could get it.
It has a tools blacklist inside, including Sysinternals. The bot is just WoW64 compatible, not x64.

Re: Win32/Betabot (alias Neurevt)

Posted: Mon Sep 23, 2013 4:28 am
by Thanat0S
It contains a blacklist of a lot of tools (Process Monitor, not Process Explorer; RKU; TCPView).
Also, in the skid forum, he (betamonkey) says it includes x64 support.

Re: Win32/Betabot (alias Neurevt)

Posted: Mon Sep 23, 2013 7:45 am
by Thanat0S
Does anyone have the panel src of 1.5, please?