Aerosol Posted April 3, 2015 Report Posted April 3, 2015 In this article, I would like to show how an analysis is performed on the Beta Bot trojan to identify its characteristics. The Beta Bot trojan, classified as Troj/Neurevt-A, is a dangerous trojan. This trojan is transferred to the victim machine through a phishing email, and the user downloads the files disguised as a legitimate program. This malicious file, when executed, drops a file in the victim machine, then changes system and browser behaviors and also generates HTTP POST traffic to some malicious domains. Beta Bot has various capabilities, including disabling AV, preventing access to security websites, and changing the settings of the browser.This trojan was initially released as an HTTP bot, and was later enhanced with a wide variety of capabilities, including backdoor functionality. The bot injects itself into almost all user processes to take over the whole system. It also utilizes a mechanism to make use of Windows messages and the registry to coordinate the injected codes. The bot also communicates with its C&C server through HTTP requests. The Beta Bot trojan spreads through USB drives, the messaging platform Skype and phishing emails.Analysis WalkthroughNow let’s see how we can do a detailed analysis on the Beta Bot trojan. First step is to isolate the infected system and analyze the system to find any suspicious files. Upon analysis, we found a suspicious file, crt.exe. The crt.exe file was then uploaded into our automated malware analysis system for deeper analysis and it was able to find malicious traffic to several malicious domains.(DNS request to malicious domains)A list of file manipulations was revealed during automated malware analysis. A malicious file named ‘wfwhhydlr.exe’ that was dropped by Beta Bot was revealed during this analysis.(File creation and modification)Mutexes that were used by the malware were also found during the automated analysis.(Mutex list of Beta Bot Trojan)After that, the analysis was carried out on our dedicated malware analysis machine. This machine consists of all the core tools needed to carry out both the static and dynamic analysis. As the first step of manual analysis, static analysis was carried out to find the time stamp of the malware. We were able to find the compile date of the malware sample. The malware was compiled on March 14th, 2013, and a GUI is also associated with this sample.File properties of the Beta Bot trojan)Later, static malware analysis was carried out, and as a first step the malware was checked to find whether it was packed or not. On analysis we found that the malware was packed with UPX packer.(Packer detection of the malware)A manual unpacking process was carried out to unpack the packer using a user mode debugger. Then we dumped the unpacked malware, and Import Address Table was reconstructed.(Debugger view of the malware before UPX unpacking)After the IAT reconstruction, the malware was analyzed using the debugger and found that there is no data available and the all the strings are functions are obfuscated. Thus it has to be suspected that the malware was multipacked, and we found that it was packed with a sophisticated crypter called VBCrypter. Then we came to a conclusion that this Beta Bot malware was multi-packed with a combination of UPX packer and VBCrypt crypter.VBCrypter is written in Visual Basic and it is more sophisticated that usual packers. During the execution of the packed malware, it creates the unpacked code as a child process itself and executes that code in the memory. Thus this type of packed malware will be very difficult to unpack.Crypter detection of the malware)Then a process of steps was carried out in order to decrypt the malware encrypted with VBCrypt. A user mode debugger was used for this process and by following a series of steps; the malware was decrypted up to an extent and thus the obfuscated code was retrieved for further analysis.Debugger view of the Beta Bot trojan after UPX unpacking)After decrypting the VBCrypt, it showed up with strings and functions that reveal the activity of the malware. The Beta Bot malware tries to find out the Network Interface Card in the infection machine, in order to find out the network adapter device name. The malware also looks for the computer name of the infected machine.(Debugger view of the decrypted Beta Bot trojan)Also using the debugger analysis, it came to an inference that the Beta Bot trojan also has the capability of deactivating the Task Manager of the infected machine.(Debugger view of the malware)The malware was analyzed through a disassembler, and several multi-language strings were retrieved. This reveals the multi-language capability of the Beta Bot trojan. This malware has the ability to configure and behave according to the geo-location of the victim machine.(Disassembler view of the Beta Bot trojan)Dynamic analysis was carried out by executing the malware within our isolated virtual malware lab. On executing the Beta Bot malware was dropped another executable named vuxrwtqas.exe. This file was dropped in the highworker folder under the Program files folder in C drive.(Files dropped by the Beta Bot trojan)Then registry analysis of the Beta Bot trojan was carried out, and on analysis we found that the malware manipulates the Windows registry setting of the infected machine. Registry values are added in order to carry out the debugging of the major security products like MalwareBytes Spybot, Trendmicro Housecall and Hijackthis. This registry setting can used to debug the startup code of the applications and thus the malware can bypass these security applications and thus can execute in the machine.(Registry values added by the Beta Bot trojan)Then packet sniffers were used to study the network behavior of the malware, and we were able to list out several malicious IPs on which the malware were trying to connect.Malicious IPs on which the malware connects)Then the memory analysis of the malware was carried out by executing the malware and taking the dump on the primary memory. On analysis, a large number of trampoline hooks was found. The malware, when executed, hooks almost all the processes in the victim machine and thus takes control of the whole machine.The Beta Bot trojan inserts a trampoline hook on the wuauclt.exe file, and this is a Windows Update AutoUpdate Client which runs as a background process that checks the Microsoft website for updates to the operating system. Thus it can assumed that the malware updates itself or downloads other malicious software by hooking this process.(Trampoline hook by the malware)The Beta Bot trojan, on execution, creates a sub-folder named ‘highworker.{2227A280-3AEA-1069-A2DE- 08002B30309D}’ under %PROGRAM FILES%\ COMMON FILES and creates a file named ‘vuxrwtqas.exe’.The first part of the folder name, ‘highworker’, is obtained from the configuration of the bot. The rest of the strings in the folder name is a special GUID which makes the folder link to the ‘Printers and Faxes’ folder in Windows Explorer, and this folder will act as the initializer when malware restarts.The crt.exe then creates a new file and it exits and this newly created file creates a process of a system application and starts to inject the process.(Folder in which malware is dropped)The dropped file is digitally signed with Texas Instruments Inc., is an American company that designs and makes semiconductors, which it sells to electronics designers and manufacturers globally. Thus we can assume that the file is not genuinely signed.(Metadata of the dropped file)RecommendationsUse a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.Block peer to peer traffic across the organization.Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses.Ensure that your Anti-Virus solution is up to date with latest virus definitions.Ensure that your systems are up to date with the latest available patches.Isolate the compromised system immediately if the malware is found to be present.Block traffic to the following domains in your perimeter devices such as Firewalls and IDS/IPS solutions:highroller.pixnet.tosbn.pxnet.tocpstw.santros.wsccc.santros.wsEradicationThe following products can be used to remove the Beta Bot trojan from the infected machine:Symantec Power EraserKaspersky’s TDSSKILLERMicrosoft’s Malicious Software Removal Tool (MSRT)Malwarebytes Anti-MalwareLogin through the victim machine in Safe Mode and manually remove the process crt.exe and vuxrwtqas.exe related to the Beta Bot trojan.Manually delete the registry entries associated with the Beta Bot trojan.Delete the malicious file dropped by the malware in the highworker.{2227A280-3AEA-1069-A2DE- 08002B30309D}’ under %PROGRAM FILES%\ COMMON FILES\vuxrwtqas.exe.ReferencesEndpoint, Cloud, Mobile & Virtual Security Solutions | SymantecSource Quote