9/23/2013

How to extract BetaBot config info

BetaBot 

In this article I will show you how to extract the configuration section of the bot. This section is stored encrypted inside the bot and is decrypted while the bot is running.

A few months ago I built a tool that can extract the configuration of the bot in offline mode (that is, without running the bot in a debugger). I achieved that by reverse engineering and studying how to get the key from the bot and build in order to decrypt the configuration section from the sample.

Lately, when new versions of the bot came out, I found that it is much simpler to extract the info I needed using a debugger than to update the tool. This method is what I am going to guide you through in this article.

In order to follow along you need an unpacked sample of the bot (you can get the one I am using in this article here, password is: infected).

This article targets the latest version of the bot (1.5); the technique presented here works on earlier versions too.

Beta Stage

The first step is to open the sample under a debugger (BetaBot contains many anti-debug techniques, so you should use the right plugins and the right configuration in the VM and the debugger in order to avoid detection by the bot). Right after that you should find the Base Address the bot has been loaded at (you can get that info by looking at the memory map list of the debugger).




With the Base Address in hand, we need to open the sample in IDA and rebase the segment addresses so that they match the Base Address we got earlier.

In later versions of the bot there is a second stage in the loading process that runs before the main code of the bot actually starts executing. As EP_X0FF wrote:
second is self-made Betabot pre-loader -> purpose allocate ERW memory, decrypt main bot to it and transfer control then

If your bot contains the following instructions at the entry point, you are actually at the start of the second stage.



In order to pass this stage we need to search for the call instruction using IDA (ALT+T), then set a breakpoint in the debugger at the address of the call instruction that is similar to this one (0xE116AB).



Find the decryption routine

Right after that call we are at the real main code of the bot, and now we need to dump the process in its current state to a new executable file (PE Tools full dump works great).



Right after the bot finishes running the second stage, the bot is loaded at a new Base Address, hence we need to take another look at the memory map pane of the debugger and find the new Base Address (mine is 0x290000).

Next, let's open the dumped image in IDA (rebase if needed) and find the global variable at offset 0x3ddf8 from the current Base Address (0x290000 + 0x3ddf8); mine is at 0x2CDDF8 in the .data section.



Now we need to go to the middle xref where this global variable is referenced; there we can see some functions that are related to the decryption routine the bot is using.




The function that we are looking for is the decryptEncrypt function at offset 0x255A from the Base Address (mine is at 0x29255A). This function is the main encryption/decryption routine the bot uses to encrypt and decrypt data (even the C&C server itself uses this same encryption scheme to encrypt the packets it sends to the bot, although it uses a different key).

We are going to take the address of the decryptEncrypt function and set a breakpoint right at the start of the function.

Extract the data

In order to get the data that is being decrypted by this function, we need to set a breakpoint at the start address of the function and let the bot run. After a few seconds the debugger hits the breakpoint and stops. Now the EDX register (C++ code) holds the address of the destination buffer; this buffer is going to contain the decrypted data right after the function finishes running.

Let's view the address contained in the EDX register in the dump pane of the debugger.

Before the decryptEncrypt function run

Now we let the function run till return (Ctrl+F9), and you can see that the dump pane now contains the data that has been decrypted (the EAX register contains the length of the data).

After the decryptEncrypt function run

The first hit of the breakpoint is just some code that the bot is decrypting (it is going to be run in a thread the bot creates later on), but the second hit is the configuration information that we are looking for.

Decrypted Config Info seen at the dump pane

That's all there is to it; now we can copy that data to a file and have fun.

Some notes

  • The configuration information contains:
    • Address of the C&C servers:
      • b19jdn167t.in/M_jsh1/order.php 
      • n18b7273u1j.in/M_jsh1/order.php 
      • (note that usually order.php is the gate page and if you try login.php you get the login page).
    • The nickname of the owner of the bot (d8902659 in our case).
    • The file name the bot will have once it copies itself to the computer (jhgvy76765guhb in our case).
    • The key that the bot uses in order to decrypt packets it gets from the C&C server.
    • Some more info that I am not able to recognize yet.
  • Once you have discovered the offset to the decryption routine, you don't need to repeat the whole process for a different bot. Just search for the global variable in the disassembly, use the global variable xref trick presented above, and set a breakpoint at the appropriate offset.
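
Once the decrypted buffer has been saved to a file, the indicators listed above can be pulled out of it for blocklists and detection rules. The following is an added example, not code from the original article or the author's tool; the dump layout, the string encodings and the function names are assumptions, and the sample bytes are constructed from the values shown in the list.

```python
import re

# Constructed sample: NOT a real BetaBot config layout. It only mimics a
# memory dump in which the strings listed above sit between binary padding.
SAMPLE_DUMP = (
    b"\x01\x00\x9c\xff" + b"b19jdn167t.in/M_jsh1/order.php\x00"
    + b"\x00" * 6 + b"n18b7273u1j.in/M_jsh1/order.php\x00"
    + b"\xfe\x10" + "d8902659".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x03" + b"jhgvy76765guhb\x00" + b"\xde\xad"
)

# Runs of at least six printable characters, as ASCII or as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# host.tld/path/file.php, the shape of the gate URLs shown in the notes.
GATE_URL = re.compile(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)+)(/\S*\.php)$", re.I)


def extract_strings(buf):
    """Return printable ASCII and UTF-16LE strings found in buf, by offset."""
    found = [(m.start(), m.group().decode("ascii"))
             for m in ASCII_RUN.finditer(buf)]
    found += [(m.start(), m.group().decode("utf-16-le"))
              for m in UTF16_RUN.finditer(buf)]
    return [s for _, s in sorted(found)]


def triage(buf):
    """Split dump strings into C&C gate URLs and strings left for review."""
    report = {"gates": [], "domains": [], "other": []}
    for s in extract_strings(buf):
        m = GATE_URL.match(s)
        if m:
            report["gates"].append(s)
            host = m.group(1).lower()
            if host not in report["domains"]:
                report["domains"].append(host)
        else:
            report["other"].append(s)
    return report


if __name__ == "__main__":
    for kind, values in triage(SAMPLE_DUMP).items():
        print(kind, values)
```

To run it on a real dump, read the saved file in binary mode and pass the bytes to `triage()`; the strings under `other` still need manual review, since the article does not document the layout of the configuration.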


6 comments:

  1. Nice tutorial! Can you give us please the two encryption keys that the bot uses? I am trying to create a builder for the bot.

    Thanks for your time!

  2. Sorry but I can't give you or direct you to where it is found in the config section.
    My intention with this post is to decrease the use of this bot not to increase it, by giving you the ability to create a builder I am doing the wrong thing in my point of view.

    You will have to do that part of the research by yourself.

    Thanks.

    Replies
    1. What if we're just trying to observe and decode the bot so we can simply build it to test how it works and submit to AV companies? You're not really making the job easier by withholding information.

  3. Hello r3shl4k1sh,
    Nice article

    Did you find anything interesting about its entry point global hook (ring 3)? It hooks the entrypoint of every exe being loaded in memory.

  4. two encryption keys give me plz? hmm.. if give not two encryption keys...About Samples share pcapfile?

  5. Can you give me please the tools so I can try this myself please bro?
