"The Georgian" botnet by Canadian Pierre-Marc Bureau. A new master-class for PHDays.

3/26/2012

News of the "Georgian" botnet, built on Win32/Georbot, has recently spread around the world: the malware steals confidential documents and also captures audio and video through webcams.

How Win32/Georbot works, and how to control or neutralize it, can be learned at our forum Positive Hack Days on 30 and 31 May. Pierre-Marc Bureau, lead engineer of ESET's virus laboratory and an expert on cyberwar and cyberespionage, will hold the world's first "Georbot master class".

How does it take screenshots and record sound?

Pierre will show the audience the many capabilities of Win32/Georbot. You will watch in real time as this malware, controlled by the Canadian specialist, performs the following tricks:

  • stealing documents
  • capturing images from the webcam installed on the "victim" computer
  • recording audio through the built-in microphone
  • scanning the network
  • causing denial of service

Methods of obfuscation

Like a true intelligence resident, the malware does not seek fame and prefers to stay in the shadows. Custom, deliberately complicated code also makes it hard for antivirus products to detect. Participants in the master class will learn how the obfuscation (entanglement) of Win32/Georbot's code is implemented and will be able to examine the following points:

  • control-flow obfuscation
  • sequence obfuscation
  • API calls resolved by function-name hash
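The last point, resolving API calls by a hash of the function name, is the one an analyst most often has to undo by hand: the sample carries a 32-bit constant instead of an import name, so the analyst needs a table mapping constants back to names. The script below is an added illustration, not code from ESET, PHDays or the Georbot sample, and the page does not say which hash routine Georbot uses; the rotate-right-by-13 accumulator here is an assumed, commonly described scheme used only to show the workflow. The export names and the "seen in disassembly" constants are constructed sample data.

```python
"""Rebuild a hash -> API-name table so that hashed imports found in a
disassembly can be mapped back to Windows API names.

Added example; the hash routine is an ASSUMED generic scheme (32-bit
rotate-right-by-13 accumulator over the ASCII bytes of the name plus a
zero terminator). The real routine in any given sample must be recovered
from that sample's own code before this table is of any use.
"""

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """Assumed hash: h = ror32(h, 13) + byte, over name bytes and a NUL."""
    h = 0
    for byte in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + byte) & MASK32
    return h


def build_hash_table(names):
    """Map hash -> export name; refuse silently ambiguous tables."""
    table = {}
    for name in names:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve_hashes(hashes, table):
    """Return {constant: name} with '<unknown>' for unmatched constants."""
    return {h: table.get(h, "<unknown>") for h in hashes}


# Constructed sample: export names an analyst might dump from a DLL's
# export table (in practice, from kernel32.dll, wininet.dll, etc.).
SAMPLE_EXPORTS = [
    "LoadLibraryA",
    "GetProcAddress",
    "VirtualAlloc",
    "CreateFileW",
    "InternetOpenA",
]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed: immediates pulled from a disassembly listing. The last
    # one is deliberately not in the table to show the unresolved case.
    seen = [api_hash("GetProcAddress"), api_hash("VirtualAlloc"), 0xDEADBEEF]
    for const, name in resolve_hashes(seen, table).items():
        print(f"{const:#010x} -> {name}")
```

In real work the name list comes from the export tables of every DLL the sample could reach, and the hash routine is transcribed from the sample's own resolver loop; once both match, the table turns anonymous constants in IDA into readable import names.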

How to control the "georbot"

Participants will see how this "combat worm" communicates with its command and control server over HTTP. Pierre will also show how to build an alternative command and control server in the laboratory, how to send commands to the program, and how to read back its responses.

What is required for the master class

Do not forget to bring a laptop with Windows XP running in a virtual machine. Active participants in the master class should install the following applications (all available free of charge):

  • Python
  • IDA Free
  • Immunity Debugger (or Olly, if you prefer)
  • Wireshark

Required skills for a smooth immersion in the subject:

  • understanding of assembly-language principles
  • understanding of the structure of Windows
  • understanding of the Python programming language

Briefly about Win32/Georbot

According to Pierre-Marc Bureau, the Win32/Georbot family of malicious applications appeared about a year and a half ago. The virus has many variants, is not intended for "carpet bombing" (indiscriminate mass infection), is used to steal confidential information, and is difficult to identify.

Related Links

Detailed analysis: http://blog.eset.com/wp-content/media%5Ffiles/ESET%5Fwin32georbot%5Fanalysis%5Ffinal.pdf.