"The Georgian" botnet by Canadian Pierre-Marc Bureau. A new master-class for PHDays.
3/26/2012
Spreading over the world recently has been news of the "Georgian" botnet, based on Win32/Georbot, which steals secret documents and also captures audio and video via web-cameras.
It will be possible to learn how Win32/Georbot works, and how to control or neutralize it, in our forum Positive Hack Days on 30 and 31 May. Pierre-Marc Bureau , the leading engineer of the virus laboratory ESET, an expert on cyberwar and cyberespionage, will hold the world's first "georbot master-class".
How does it take screenshots and record sound?
Pierre will show the audience the numerous possibilities of Win32/Georbot. You will see in real time how this malware, managed by the Canadian specialist, will perform the following tricks:
- stealing documents
- taking screenshots via Web-camera, installed on the "victim" computer
- making an audio recording on the built-in microphone
- scanning the network
- causing denial of service
Methods of obfuscation
Like a real resident, the malware is not looking for fame and tends to remain in the shadows. An exclusive and specially complicated code also makes it imperceptible to antivirus. Participants in the master class will learn how the obfuscation (entanglement) of the code of Win32/Georbot is implemented and will be able to clarify the following points:
- Control of obfuscation flow
- sequence of obfuscation
- API of obfuscation call by hash function
How to control the "georbot"
Participants will see how this "combat worm" communicates with its command and control server using HTTP. Pierre will also show how to create an alternative command and the sever control element in the laboratory, and how to give commands to the program and get its feedback.
What is required for the master class
Do not forget to bring a laptop running Windows XP, installed on a virtual machine. It is necessary for the active participants in the master class to install the following applications (which can be downloaded free of charge):
- Python
- IDA Free
- Immunity Debugger (or Olly, if you prefer)
- Wireshark
Required skills for a smooth immersion in the subject:
- understanding of assembly principals
- understanding of the structure of Windows
- understanding of the Python programming language
Briefly about Win32/Georbot
According to Pierre-Marc Bureau, the Win32/Georbot family of malicious applications appeared about a year and a half ago. The virus has many variations, is not intended for "carpet bombing", is used to steal confidential information and is difficult to identify.
Related Links
Detailed analysis: http://blog.eset.com/wp-content/media%5Ffiles/ESET%5Fwin32georbot%5Fanalysis%5Ffinal.pdf.