IRC Botnet Reverse Engineering Part 3 - How To Sinkhole A Botnet

  • Published 2 Oct 2024
  • This is the final part of our in-depth malware reverse engineering series analyzing an IRC worm from 2010. In this part we perform a final high-level analysis of the malware and then use that analysis to build a sinkhole for the botnet!
    -----
    OALABS DISCORD
    / discord
    OALABS PATREON
    / oalabs
    OALABS TIP JAR
    ko-fi.com/oalabs
    OALABS GITHUB
    github.com/OALabs
    UNPACME - AUTOMATED MALWARE UNPACKING
    www.unpac.me/#/
    -----
    Automated Malware Unpacking
    www.unpac.me/
    IRC Botnet Reverse Engineering Part 1
    • IRC Botnet Reverse Eng...
    IRC Botnet Reverse Engineering Part 2
    • IRC Botnet Reverse Eng...
    Unpacked binary (malshare)
    malshare.com/s...
    SHA256 hash:
    4eb33ce768def8f7db79ef935aabf1c712f78974237e96889e1be3ced0d7e619
    MalwareAnalysisForHedgehogs - Network Worm Basics
    • Malware Theory - Netwo...
    ShadowServer Foundation
    www.shadowserv...
    Fakenet-NG
    github.com/fir...
    Feedback, questions, and suggestions are always welcome : )
    Sergei / herrcore
    Sean / seanmw
    As always check out our tools, tutorials, and more content over at www.openanalys...
    #Botnet #MalwareAnalysis #Sinkhole

Comments • 46

  • @jaschadee1106 2 years ago +1

    A late comment but I thought it would be funny
    at 7:29 minutes the IRC command called Kosomakyad is an Arabic insult, a very dirty one which references mother's private parts in Egyptian Arabic in a very dirty way :D
    Thanks for the nice content

  • @martinheidegger3028 4 years ago +3

    Wow man... Such interesting stuff in here!! Love your vids, keep it up with this excellent work!!

  • @juanccortes 3 years ago +2

    So does this sinkhole method only work because they used dynamic DDNS? Thanks

    • @OALABS 3 years ago +1

      Well since it was dynamic DNS and their account expired I was able to register it using the dynamic DNS provider. This could have also worked if it was a regular domain but then I would have had to use a registrar to register the domain and there might have been a few extra steps. The key though is that the registration had expired. If it was not expired I would have had to convince the registrar to cancel their registration and give it to me... not an easy task for an independent researcher : )

  • @DKTAz00 4 years ago +3

    I imagine at some point, some kind of photo development machine or other type of system that takes a USB key (likely WinXP) got owned at some point, and they're likely poorly maintained. And it's been spreading to mom&pop USB keys since then :p *edit, they might not even have internet access, so they don't get updates (or commands), and will never stop spreading. At least as long as the hardware keeps running.

  • @willgadzinski7506 4 years ago +2

    Love the way you stepped through the process of decrypting the strings, loading in the structs, then finally reversing it. Lots of tutorials and "how-to's" don't address those things that are what you actually need to do IRL. (I thought I had f***ed up my IDA settings my first time.) Love your work, so glad you are making such high quality content.

  • @bogdan_angh 4 years ago +3

    After reading the article about Marcus Hutchins and WannaCry, I was curious how to do this! Thanks for the video, I'll share it around!

  • @d74g0n 4 years ago +2

    Can't you just automate the delete-self command and shut down everyone who connects? Essentially cleaning them? Make a MOTD as needed or w/e it's looking for?

    • @OALABS 4 years ago +2

      Hey so I think Guillaume's question was sort of similar if you want a more in-depth answer. But basically, yes we could technically clean this malware by sending the uninstall command. But where I am that would not be legal, even though the intentions were good. There are some ways to do this with the cooperation of law enforcement but it is def not something I could do by myself.

  • @SourceCodeDeleted 4 years ago +2

    How are you able to register the domain if it's owned already? Does DynDNS not own the domain?

    • @romangiertych5198 4 years ago +1

      They offer you free subdomains, and the one the botnet used was available, so he could register it

    • @nullnull6032 4 years ago

      @@romangiertych5198 How was it available if the botnet developer had already reserved it for his program? I am a bit confused

    • @nullnull6032 4 years ago

      @@romangiertych5198 I mean, the malware developer obviously linked his backend code to be run when new requests are received on that subdomain, how can it be allowed for anyone in the world to come and buy it while I am using it, that doesn't make sense to me, also didn't it occur to the malware developer to register the domain to prevent sinkholing it?

    • @OALABS 4 years ago +2

      This is a good question, I think I didn't cover this part as well as I could have. @roman has the right idea. These are subdomains that are rented out like a service. The rental had expired for the C2 subdomains so I was able to register it. When this botnet was active it would have been registered by the botnet operators but they let it lapse, probably because they thought the botnet was dead.

  • @FreakinKatGaming 3 years ago +1

    Botnetting, wow, such an old skid attack method, it's in poor taste imo. But yeah man nice video

  • @tt-qj1pk 4 years ago +1

    Hi OALabs, I like the video and I have a question, please tell me how can I dump the memory and reveal the encrypted malware from binary files?!!! I would be grateful if you posted a video on this

  • @khaledadeloo6654 4 years ago +2

    KOSOMKYAD is a swear word xD

  • @StefanRothenbuehler 4 years ago +2

    Really interesting video. You always put out great malware analysis videos, but this series was the best! Did you try to team up with ShadowServers/LEA to issue delete commands to the infected clients? What would be the best way to go here?

    • @OALABS 4 years ago +1

      I notified the relevant CERT and some folks at Shadowserver. There isn't much you can do as an individual while staying on the right side of the law. Where I live sending any commands, even helpful ones that could remove the botnet, would not be legal. The usual process is to have an organization that specializes in this handle the notifications etc. Sometimes if there is an active case LE could be involved but for something like this the usual thing would be for a CERT to notify the affected companies and give them guidance on how to remediate the infections.

  • @feifeilooper8312 4 years ago +1

    😺😺thanks for the great videos👏🏻👏🏻👏🏻

  • @M0HX 4 years ago +2

    Expose malware before it exposes......YOOOOOOU! :3 awesome vid

    • @M0HX 4 years ago

      I miss autorun.inf

  • @mrhidetf2 4 years ago +3

    such a quality video, love your ad as well :p

    • @OALABS 4 years ago

      Thanks!! : ))

  • @LiEnby 4 years ago

    aww but sending commands is fun! especially that 'fuckoff' one lmao then the virus just deletes itself automatically

  • @alexandervogtsanchez7522 4 years ago +1

    How about fast-flux nets?
    Forgot to mention the methods Microsoft and other international institutions used to take down ZeroAccess. IMO ZeroAccess was ahead of its time in terms of technology and malware concepts.
    Good vid btw

    • @OALABS 4 years ago

      Thanks! Yeh we could make a whole series on sink-holing decentralized (p2p) botnets!

  • @nullnull6032 4 years ago +1

    I don't understand the idea of sinkholing honestly, so you basically bought the domain name selfip.com?
    I have just checked some domain registrars and I see that domain has been registered since 2005 :/
    How were you able to buy it and why were you allowed to do such a thing while the domain is actually registered?
    Thank you for the valuable video mate

    • @OALABS 4 years ago +1

      Good question, sorry that part wasn't more clear in the video. I gave a more detailed explanation responding to a similar question from @Source Code Deleted. These are actually subdomains that are rented out by selfip. The rental on this subdomain had expired, possibly because the operators had abandoned the botnet? In an active case where the domain was not available you would need to work with law enforcement to seize the domain. This was just a special case where I was able to register the domain without needing to seize it.

    • @nullnull6032 4 years ago

      @@OALABS Thank you!

  • @saspect2462 2 years ago

    Hi, on the previous video on the series you said that the 2nd member of the inj_thread_obj struct is a list of pointers to the inj functions and that it will be covered in this video. How can I create a struct of these pointers?

    • @OALABS 2 years ago +1

      I think we cleared it up in the Discord but just for anyone who has the same question...
      struct fn_ptrs
      {
          void *inj_download_and_execute;
          void *inj_copy_worm_to_drives;
          void *inj_set_run_key;
          void *inj_get_rnd_str;
      };

    • @saspect2462 2 years ago

      @@OALABS A follow-up question: how can I configure them so that when I click on them I get to each function's decompilation?

  • @tappineapple3381 3 years ago +1

    What does APT stand for at 8:36?

    • @OALABS 3 years ago +1

      Advanced Persistence Threat -- basically I'm not sure if this is just a very poorly coded amateur project or an advanced espionage tool since they both look the same haha

  • @robinhood3841 4 years ago +1

    Hey bro did you take a look at the new ransomware .maas? I am really interested to know how it works and trying to reverse it but I don't have that knowledge :D

    • @OALABS 4 years ago +1

      It looks like this is a variant of STOP (DJVU) www.bleepingcomputer.com/forums/t/725516/new-ransom-virus-wit-maas-extension/ If you have a hash that you would like us to take a look at just post it in the comments.

    • @robinhood3841 4 years ago

      @@OALABS hmmm for me I don't but my friend got infected with this ransomware and I really hope I can help him but I have no idea, can you reverse it

  • @ahmedbellil5161 4 years ago

    please do a
    Themida & WinLicense 2.0 - 2.4.6
    unpack video
    I know it's old but please make it a long video

  • @raz0r624 4 years ago +1

    10:21 yellow dollar?

    • @OALABS 4 years ago

      Gotta try and slip a few past TH-cam 😅😂😂

  • @unk6822 4 years ago +1

    Hey maybe if you're interested in filming stuff about virtualization, there's an awesome project called VTIL which makes deobfuscating / devirtualizing much easier. Also the creator of that project released a VMProtect 3.x devirtualizer on top of it, it's still pretty WIP but works. Here's the link github.com/can1357/NoVmp

    • @OALABS 4 years ago

      We are huge fans of the work Can has done. It's really awesome!