Beautifying the webinjects of Gootkit

At first glance, Gootkit's webinjects may look like a messy blob of binary data, but there is an easy way to decode them nicely in a matter of seconds. In this short article we are going to pretty-print a particular webinject file from a recent Gootkit campaign. If you are new to this banking trojan, you might want to check out our previous article on Gootkit, where we saw how to recover the webinject configuration file from the Windows registry.
To make this exercise easy to follow, all of the artifacts used in this article are available on GitHub, including this unprocessed, raw configuration file:

It clearly contains a lot of plain text, but also binary data that is not human-readable. The key to interpreting this data is Protocol Buffers, or protobufs for short. Protobuf is a stream-like serialization format developed by Google: its schema syntax looks very similar to JSON, but in the end everything is encoded in a compact binary format. Protobufs are not yet very common amongst today's websites, but a malware family relying on them definitely shows that malware developers keep up with the latest trends.

First attempt

First we need to download protoc, the compiler for Protocol Buffers. If you are on Windows, you can download it directly from here; otherwise you can choose from the other available options here.
Once we have the protoc compiler, we can then execute the following command:
protoc.exe --decode_raw < config.bin
This will generate an output like:

This is already more pleasant to read, but still not good enough: we only have numeric field IDs instead of descriptive names. To fix this, we have to call the protoc compiler with the --decode parameter instead of --decode_raw.

Second attempt

However, the --decode option requires a message type to be passed along. Luckily, we can extract it from the malware's source code. In client_proto_spyware.js we can find a reference to a base64-encoded protocol buffer schema:
var config_processor = require("config_processor");
var protobuf = require('protocol_buffers');
var Buffer = require('buffer').Buffer;
var messages = protobuf(new Buffer('…
After base64-decoding the above string, we find among the definitions the following message type, which is exactly what we need:
message SpywareConfig {
repeated SpywareConfigEntry injects = 1;
repeated VideoConfigEntry recorders = 2;
repeated FragmentConfigEntry fragments = 3;
repeated MailFilterEntry emailfilter = 4;
repeated RedirectionEntry redirects = 5;
repeated PostParamsRecorderEntry post2macros = 6;
optional BotSettings settings = 7;
}
We have extracted all of the message definitions and saved them in a file called 'protos.txt'.
Calling the protoc compiler again with this schema, we get the final, clean output that we wanted:
protoc.exe --decode=SpywareConfig protos.txt < config.bin
Output:

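As an added example that is not part of the original article, the following Python script reproduces what the two protoc invocations above do: it walks the protobuf wire format without any schema (like --decode_raw) and then uses the field numbers of the SpywareConfig message quoted above to name the top-level fields (like --decode). The configuration bytes, the entry fields and the URLs in SAMPLE_CONFIG are constructed for the demonstration; the article does not show the layout of SpywareConfigEntry or BotSettings, so the nested field numbers are placeholders, not Gootkit's real schema.

```python
# Added example (not from the S21sec article): a minimal protobuf wire-format
# decoder that mirrors `protoc --decode_raw`, plus the field-number-to-name
# map of the SpywareConfig message quoted in the article, mirroring what
# `protoc --decode=SpywareConfig` adds. The sample bytes are constructed
# here and are not a real Gootkit configuration.

# Wire types from the protobuf encoding specification.
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5

# Field numbers of the SpywareConfig message shown in the article.
SPYWARE_CONFIG_FIELDS = {
    1: "injects", 2: "recorders", 3: "fragments", 4: "emailfilter",
    5: "redirects", 6: "post2macros", 7: "settings",
}

# Constructed sample: two `injects` entries and one `settings` message.
# Nested field numbers (entry.1 = URL string, entry.2 = varint flag,
# settings.1 / settings.3 = varints) are assumptions for the demo only.
SAMPLE_CONFIG = (
    b"\x0a\x1e"                            # field 1 (injects), 30-byte entry
    b"\x0a\x1ahttps://bank.example/login"  # entry.1: URL string (26 bytes)
    b"\x10\x01"                            # entry.2: varint 1
    b"\x0a\x18"                            # field 1 (injects), 24-byte entry
    b"\x0a\x14https://pay.example/"        # entry.1: URL string (20 bytes)
    b"\x10\x00"                            # entry.2: varint 0
    b"\x3a\x05"                            # field 7 (settings), 5-byte message
    b"\x08\xac\x02"                        # settings.1: varint 300
    b"\x18\x01"                            # settings.3: varint 1
)


def read_varint(data, pos):
    """Decode a base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def _read_fixed(data, pos, size):
    """Read a little-endian fixed32/fixed64 value; return (value, new_pos)."""
    chunk = data[pos:pos + size]
    if len(chunk) != size:
        raise ValueError("truncated fixed-width field")
    return int.from_bytes(chunk, "little"), pos + size


def _guess_payload(chunk):
    """Guess what a length-delimited field holds, as --decode_raw does:
    first try to parse it as an embedded message, then as UTF-8 text,
    otherwise keep the raw bytes. Without a schema this is a heuristic:
    a string whose bytes happen to form valid tags is shown as a message."""
    if not chunk:
        return ""
    try:
        return decode_raw(chunk)
    except ValueError:
        pass
    try:
        text = chunk.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    return chunk


def decode_raw(data, names=None):
    """Parse a serialized message without a schema; return (field, value) pairs.
    `names` maps field numbers to names for the outermost message only."""
    fields, pos = [], 0
    while pos < len(data):
        tag, pos = read_varint(data, pos)
        field_no, wire_type = tag >> 3, tag & 0x07
        if field_no == 0:
            raise ValueError("field number 0 is not allowed")
        if wire_type == VARINT:
            value, pos = read_varint(data, pos)
        elif wire_type == FIXED64:
            value, pos = _read_fixed(data, pos, 8)
        elif wire_type == FIXED32:
            value, pos = _read_fixed(data, pos, 4)
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(data, pos)
            chunk = data[pos:pos + length]
            if len(chunk) != length:
                raise ValueError("truncated length-delimited field")
            pos += length
            value = _guess_payload(chunk)
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        key = names.get(field_no, field_no) if names else field_no
        fields.append((key, value))
    return fields


def to_text(fields, indent=0):
    """Render decoded fields in the text format protoc prints."""
    pad, lines = "  " * indent, []
    for key, value in fields:
        if isinstance(value, list):
            lines += [f"{pad}{key} {{", to_text(value, indent + 1), f"{pad}}}"]
        elif isinstance(value, str):
            lines.append(f'{pad}{key}: "{value}"')
        else:
            lines.append(f"{pad}{key}: {value!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_text(decode_raw(SAMPLE_CONFIG)))                         # --decode_raw
    print(to_text(decode_raw(SAMPLE_CONFIG, SPYWARE_CONFIG_FIELDS)))  # --decode
```

The first print shows only numeric IDs, exactly the situation of the "first attempt"; the second names the outer fields because the SpywareConfig definition tells us what field 1 and field 7 are. The nested entries stay numeric because their message types (SpywareConfigEntry, BotSettings) would have to be added to the name map as well, which is what passing the full protos.txt to protoc does for you.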
Author: S21sec ACS Department