Raashid Bhat

Malware Research Blog.

Page 2


Andromeda Gamarue Botnet Gets An Update

Recently I saw some spam emails exploiting an adobe PDF vulnerability ( thanks to Conrad Longmore ( https://twitter.com/ConradLongmore) )

upload.jpg

This PDF file seems to be exploiting CVE-2013-2729 vulnerability. The shellcode is small and simple . It just downloads the file from a server and executes it .

upload.jpg

After unpacking the file , analysis reveal that this is a new update for Andromeda - Gamarue botnet . The version is upgraded to 2.9 . Although there is no significant change in the Botnet , the version number from the request string has been removed

upload.jpg

upload.jpg

Raashid Bhat

http://twitter.com/raashidbhatt

Continue reading →


Understanding Neverquest Banking Trojan Polymorphic Engine

Neverquest packer uses polymorphic engine and junk code in its important subroutines. By using polymorphic engine to some extent static signature rules will fail. For example you can see the difference in between two main decoding subroutines

Untitled.jpg

The output of this subroutine is a LZ compressed buffer, which later on is submitted to APLIB decompression subroutine.

The main parts of this algorithm are*

1 :Key = variable length array of bytes rounded to 0 after list is exhausted

2 :Data Chunk Structure = variable length Array of structure defining length of block to be decoded +
pointer to that block

If we study the decoding algorithm we can fairly strip download the algorithm to a following simple
representation


IF CHUNKSIZE > COUNTER : REPEAT
OUPUT := DATACHUNK – KEYBYTE_AT_VARIABLE_DISTANCE

The main challenge with the algorithm is to get the base and the end of key . In some...

Continue reading →


Stripping Upatre Trojan Downloader

Upatre is a trojan downloader widely used to download banking botnets . It recently started using compression and XOR encoding . Upatre comes with a custom packer . After unpacking real nasty evil code is revealed . Unpacking Upatre is little bit tricky . Following Blog post will show you how to unpack and rebuild Upatre.

This is what Upatre looks like when you open it up in a debugger .

Untitled.jpg

If we skip the decoding routine . We land at OEP which looks something like this.
[Untitled.jpg]

Untitled.jpg

Calls like CALL DWORD PRT SS :[EBP + 30] are windows API calls. Before jumping to the OEP all the API call addresses are pushed on to the stack . So building a IAT for this type of packer would be a tricky job .

Tracing API calls.

For tracing the destination of all these indirect API calls made after OEP , we will parse a trace file . One thing to take care of is the installer and downloader . So we...

Continue reading →