Beautifying the webinjects of Gootkit

At first glance, Gootkit's webinjects may look like a messy blob of binary data, but there is an easy way to
decode them nicely in a matter of seconds. In this short article we are going to pretty-print a particular
webinject file from a recent Gootkit campaign. If you are new to this banking trojan, you might want to check
out our previous article on Gootkit, where we saw how to recover the webinject configuration file from the
Windows registry.
To make following along easier, all of the artifacts used in this article are available on GitHub, including
this unprocessed, raw configuration file:

It clearly contains a lot of plain text, but also binary data that is not human-readable. The keyword for
interpreting this data is Protocol Buffers, or protobufs for short. Protobufs is a binary serialization format
(a stream of tagged fields) developed by Google. Its schema syntax is similar to that of JSON, but in the end
everything is encoded in a binary format. The use of protobufs is not yet very common amongst today's websites,
but a malware family relying on it clearly shows that malware developers keep up with the latest trends.

First attempt

First we need to download protoc, the compiler for Protocol Buffers. If you are on Windows, you can
download it directly from here; otherwise, you can choose from the other available options here.
Once we have the protoc compiler, we can then execute the following command:

protoc.exe --decode_raw < config.bin

This will generate an output like:

This is already more pleasant to read, but still not good enough: we only have numeric field IDs instead of
descriptive names. To fix this, we have to call the protoc compiler with the --decode parameter instead of
--decode_raw.

Second attempt

However, the --decode option requires a message type to be passed along. Luckily, we can extract it from
the malware's source code. In client_proto_spyware.js we find a reference to a base64-encoded protocol
buffer schema:

var config_processor = require("config_processor");
var protobuf = require('protocol_buffers')
var Buffer = require('buffer').Buffer;

// The .proto schema is embedded as a base64 string and parsed at runtime
var messages = protobuf(new Buffer('bWVzc2FnZSBSZWRpcmVjdGlvbkVudHJ5IHsNCiAgICBvcHRpb25hbCBzdHJpbmcgbmFtZSA9IDE7DQogICAgb3B0
aW9uYWwgc3RyaW5nIHVyaSA9IDI7DQogICAgb3B0aW9uYWwgc3RyaW5nIGtleXdvcmQgPSAzOw0KICAgIG9wdGlvbmFsIHN0
cmluZyB1cmlwYXNzd29yZCA9IDQ7DQogICAgb3B0aW9uYWwgc3RyaW5nIGRhdGFwYXNzd29yZCA9IDU7DQp9DQoNCm1lc3Nh
Z2UgUHJvY2Vzc01vZHVsZSB7DQoJb3B0aW9uYWwgc3RyaW5nIHN6RXhlUGF0aCA9IDE7DQoJb3B0aW9uYWwgdWludDMyIEds
YmxjbnRVc2FnZSA9IDI7DQoJb3B0aW9uYWwgdWludDY0IGhNb2R1bGUgPSAzOw0KCW9wdGlvbmFsIHVpbnQ2NCBtb2RCYXNl
QWRkciA9IDQ7DQoJb3B0aW9uYWwgdWludDY0IG1vZEJhc2VTaXplID0gNTsNCglvcHRpb25hbCB1aW50MzIgUHJvY2NudFVzYWdlID0gNjsNCglvcHRpb25hbCB1aW50MzIgcGNQcmlDbGFzc0Jhc2UgPSA3Ow0KCW9w…

Decoding the above string yields the message definitions; among them is the following message type, which is
exactly what we need:

message SpywareConfig {
    repeated SpywareConfigEntry injects = 1;
    repeated VideoConfigEntry recorders = 2;
    repeated FragmentConfigEntry fragments = 3;
    repeated MailFilterEntry emailfilter = 4;
    repeated RedirectionEntry redirects = 5;
    repeated PostParamsRecorderEntry post2macros = 6;
    optional BotSettings settings = 7;
}

We have extracted all of the message definitions and saved them in a file called 'protos.txt'.
Calling the protoc compiler again, this time with the schema, we get the final, clean output that we wanted:

protoc.exe --decode=SpywareConfig protos.txt < config.bin

Output:


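As an added example that is not part of the original article or of Gootkit's code, the following Python script reproduces what the two protoc invocations above do: decode_raw walks the protobuf wire format and reports numeric field IDs, and decode_named maps them to the field names from the SpywareConfig and RedirectionEntry messages in the decoded schema. The sample message is constructed by hand, not taken from a real configuration.

```python
# Added example, not code from the original article or from Gootkit: a minimal
# protobuf wire-format decoder doing what `protoc --decode_raw` does (numeric
# field IDs) and what `--decode=SpywareConfig` adds (names from the schema).
# Field numbers -> names, from the SpywareConfig and RedirectionEntry messages above.
SPYWARE_CONFIG = {1: "injects", 2: "recorders", 3: "fragments", 4: "emailfilter",
                  5: "redirects", 6: "post2macros", 7: "settings"}
REDIRECTION_ENTRY = {1: "name", 2: "uri", 3: "keyword", 4: "uripassword", 5: "datapassword"}

def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def decode_raw(buf):
    """Like --decode_raw: list of (field_no, wire_type, value); type 0 = varint, 2 = bytes."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 0x7
        if wire_type == 0:
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:  # string, bytes or a nested message (decode it again)
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError(f"field {field_no} runs past the end of the buffer")
            value, pos = bytes(buf[pos:pos + length]), pos + length
        else:  # fixed 64-bit (1) and 32-bit (5) types are not used by this schema
            raise ValueError(f"unsupported wire type {wire_type} at offset {pos}")
        fields.append((field_no, wire_type, value))
    return fields

def decode_named(buf, schema):
    """Like --decode=<Message>: attach the schema's names to the numeric field IDs."""
    return [(schema.get(n, f"unknown_{n}"), v) for n, _, v in decode_raw(buf)]

# Constructed sample (not real Gootkit data): SpywareConfig with one RedirectionEntry
# in field 5 (key 0x2a, 30-byte payload) holding name = "demo" and uri = "http://example.invalid".
SAMPLE_CONFIG = b"\x2a\x1e" + b"\x0a\x04demo" + b"\x12\x16http://example.invalid"

if __name__ == "__main__":
    for name, nested in decode_named(SAMPLE_CONFIG, SPYWARE_CONFIG):
        print(name, "{")
        for field, value in decode_named(nested, REDIRECTION_ENTRY):
            print(f"  {field}: {value.decode()!r}")
        print("}")
```

Run against a real config.bin, the same two calls give the numeric tree and the named tree that protoc prints; a nested length-delimited value is decoded again with the message type the schema assigns to that field.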
Jozsef Gegeny Zsolnai and Miguel Lopez Negrete, S21sec
