
Nasty new bad boy on the block: Beta Bot

Vatos Locos

G-Data Blog wrote: Beta Bot uses multilingual social engineering techniques to exploit the human user
In the beginning of March 2013, a new bot called “Beta Bot” entered the market. With less than €500, Beta Bot is sold relatively cheaply, considering its vast feature list. Even though most of those features are pretty standard for today's bots, like different DoS attack methods, remote connection abilities, form grabbers and other information stealing capabilities, one particular ability caught our attention: "Disable Anti Virus", says the ad posted in an underground forum, followed by a list of nearly 30 security programs that are said to be disabled by Beta Bot.

What does it do?

When installed on a system, Beta Bot searches for a list of known security products it is said to target. Upon finding one of those programs installed, the bot starts its attacks as described later in the text. Doing so, it prepares itself to attack the AV program by killing processes, disabling registry keys or simply by disabling auto updates. Depending on the type of security product, Beta Bot also tries to circumvent firewalls by injecting certain routines into programs that are usually allowed to pass the firewall, like for example Internet Explorer.

User Access Control (UAC) – it’s all about permissions

On modern Windows operating systems, permissions for users are split into standard (low) and administrator permissions (high/elevated). In contrast to an administrator, a standard user cannot alter critical parts of the system. If a user starts a process, the user’s permissions are inherited by the process. Thus they can also be divided into processes with low and high permissions. By default, only a low set of permissions is granted to each process, because a user has only standard permissions by default. On demand, those permissions can be elevated.

Loosely speaking, all processes can be divided into processes with low and elevated permissions, while the ones with low permissions cannot modify the ones with high permissions, but elevated processes can modify both. Additionally, permissions can also be inherited between processes. Thus, if a process with elevated permissions starts another process, this second process also has elevated permissions.

To prevent malware from harming a system severely, the elevation of permissions from low to high is the most critical step. The decision whether to elevate the permission of a running process is handed over to the user, who is prompted by the system in a UAC dialogue to decide "Yes" or "No" on the request for elevation of permissions. The user also gets some additional info about the program requesting the elevation. Beta Bot targets this interface and tries to exploit the human user with a social engineering trick.


Read more: http://blog.gdatasoftware.com/blog/artic...a-bot.html

https://www.youtube.com/watch?feature=player_embedded&v=ISghLq70OPY
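As an added example (not code from the G-Data post or from anyone in this thread), the PowerShell below audits the UAC policy values the quoted text is about and reports whether the process running it holds standard or elevated permissions. The function name Get-UacAuditReport and the wording of the findings are my own; the registry key and value names (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the documented UAC policy settings, and the value meanings in the comments follow Microsoft's documentation.

```powershell
# Added example, not from the G-Data post or this thread: audit UAC policy and
# the elevation state of the current token on a Windows host.

function Get-UacAuditReport {
    # Documented location of the UAC policy values.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # Under UAC an admin user's normal processes run with a filtered token that is
    # NOT in the Administrators group; IsInRole only returns $true once elevated.
    $identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # ConsentPromptBehaviorAdmin (documented values):
    #   0 = elevate without prompting (no UAC dialogue at all)
    #   1 = prompt for credentials on the secure desktop
    #   2 = prompt for consent on the secure desktop
    #   3 = prompt for credentials
    #   4 = prompt for consent
    #   5 = prompt for consent for non-Windows binaries (default)
    # A missing value is reported as a finding too, since $null never equals the safe setting.
    $findings = @()
    if ($p.EnableLUA -ne 1) {
        $findings += 'UAC is disabled (EnableLUA != 1): processes of an admin user start elevated with no prompt.'
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Admins are elevated silently (ConsentPromptBehaviorAdmin = 0): low-to-high elevation happens with no dialogue for the user to refuse.'
    }
    if ($p.PromptOnSecureDesktop -ne 1) {
        $findings += 'Prompts are not shown on the secure desktop: a dialogue drawn by an ordinary process is harder to tell apart from the real UAC prompt.'
    }
    if ($isElevated) {
        $findings += 'This shell is already elevated: every process it launches inherits high permissions.'
    }

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        CurrentProcessElevated     = $isElevated
        Findings                   = $findings
    }
}

Get-UacAuditReport | Format-List
```

Run it from a normal (non-elevated) PowerShell window first, then from an elevated one, to see CurrentProcessElevated flip while the policy values stay the same; an empty Findings list means UAC is on, prompts for admins, and uses the secure desktop, which is the configuration the quoted text's "Yes"/"No" dialogue assumes.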


Err, at 24 seconds in the above video the file antivirus is disabled. If Kaspy's file AV is enabled (as it would be by default), can Beta Bot still execute, or is it discovered and removed as it should be?

The above 'test' is moot until it's done correctly.

Dodel.



Archived

This topic is now archived and is closed to further replies.
