Beautifying the webinjects of Gootkit

At first glance, Gootkit's webinjects may look like a messy blob of binary data, but there is an easy way to
decode them cleanly in a matter of seconds. In this short article we are going to pretty print a
particular webinject file from a recent Gootkit campaign. If you are new to this banking trojan, you might
want to check out our previous article on Gootkit, where we saw how to recover the webinject configuration
file from the Windows registry.
To make this exercise easy to follow, all of the artifacts used in this article are available on GitHub, including this
unprocessed, raw configuration file:

It clearly contains a lot of plain text, but also binary data that is not human-readable. The
key to interpreting this data is Protocol Buffers, or protobufs for short. Protobuf is a data serialization
format developed by Google. Its schema syntax looks somewhat similar to JSON, but in the end everything is
encoded in a compact binary format. Protobuf is not yet that common among today's websites, but a piece of
malware relying on it shows that malware developers keep up with the latest trends.

First attempt

First we need to download protoc, the compiler for Protocol Buffers. If you are on Windows, you can
download it directly from here; otherwise you can choose from the other available
options here.
Once we have the protoc compiler, we can then execute the following command:

protoc.exe --decode_raw < config.bin

This will generate an output like:

This is already more pleasant to read, but still not good enough: we only have numeric field IDs instead of
descriptive names. To fix this, we have to use the protoc compiler's --decode parameter instead of --decode_raw.

Second attempt

However, the --decode option requires a message type to be passed along with it. Luckily, we can extract it
from the malware's source code. In client_proto_spyware.js we can find a reference to a base64-encoded
protocol buffer definition:

var config_processor = require("config_processor");
var protobuf = require('protocol_buffers');
var Buffer = require('buffer').Buffer;

// the argument is the base64 encoded .proto definition string
var messages = protobuf(

After decoding the above string, we find among the definitions the following message type,
which is exactly what we need:

message SpywareConfig {
    repeated SpywareConfigEntry injects = 1;
    repeated VideoConfigEntry recorders = 2;
    repeated FragmentConfigEntry fragments = 3;
    repeated MailFilterEntry emailfilter = 4;
    repeated RedirectionEntry redirects = 5;
    repeated PostParamsRecorderEntry post2macros = 6;
    optional BotSettings settings = 7;
}

We have extracted all of the message definitions and saved them in a file called 'protos.txt'.
Calling the protoc compiler this time with the message type and that file, we get the final, clean output we wanted:

protoc.exe --decode=SpywareConfig protos.txt < config.bin
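To make the two protoc steps concrete, here is a small decoder written as an added example for this article; it is not S21sec's code and not part of protoc. Its decode_raw() does what --decode_raw does: it walks the wire format with no schema and can only report numeric field IDs. decode_with_schema() plays the role of --decode=SpywareConfig protos.txt: the same bytes, but the IDs are replaced by names from a schema. The SpywareConfig field names and numbers are the ones from the message type quoted above; the inner types SpywareConfigEntry and BotSettings are not shown in the article, so their field layouts here are placeholders, and the sample configuration bytes are constructed for the example rather than taken from a real Gootkit file.

```python
"""Minimal protobuf wire-format decoder (added example, not S21sec's code).

decode_raw()         ~ `protoc --decode_raw`: no schema, numeric IDs only.
decode_with_schema() ~ `protoc --decode=SpywareConfig protos.txt`: IDs
                       replaced by names from a schema.
SpywareConfig's fields are the article's; SpywareConfigEntry and BotSettings
are placeholders, and the sample bytes are constructed, not a real config.
"""

WIRE_VARINT, WIRE_64BIT, WIRE_LEN, WIRE_32BIT = 0, 1, 2, 5


def read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while pos < len(buf) and shift < 64:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated or overlong varint")


def decode_raw(buf):
    """Schema-less walk: list of (field_number, wire_type, value).
    Length-delimited fields stay bytes: without a schema a string and a
    nested message look the same, which is why --decode_raw shows numbers."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)          # tag = field_no << 3 | wire
        field_no, wire_type = tag >> 3, tag & 0x7
        if wire_type == WIRE_VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type in (WIRE_64BIT, WIRE_32BIT):
            size = 8 if wire_type == WIRE_64BIT else 4
            value, pos = bytes(buf[pos:pos + size]), pos + size
        elif wire_type == WIRE_LEN:
            length, pos = read_varint(buf, pos)
            value, pos = bytes(buf[pos:pos + length]), pos + length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        if pos > len(buf):                        # slice was silently short
            raise ValueError("field runs past end of buffer")
        fields.append((field_no, wire_type, value))
    return fields


# field_number -> (name, type, repeated). Inner types are placeholders.
SCHEMA = {
    "SpywareConfig": {
        1: ("injects", "SpywareConfigEntry", True),
        2: ("recorders", "VideoConfigEntry", True),
        3: ("fragments", "FragmentConfigEntry", True),
        4: ("emailfilter", "MailFilterEntry", True),
        5: ("redirects", "RedirectionEntry", True),
        6: ("post2macros", "PostParamsRecorderEntry", True),
        7: ("settings", "BotSettings", False),
    },
    "SpywareConfigEntry": {1: ("target", "string", False),   # placeholder
                           2: ("script", "string", False)},  # placeholder
    "BotSettings": {1: ("interval", "varint", False)},        # placeholder
}


def decode_with_schema(buf, msg_type, schema=SCHEMA):
    """Decode into a dict keyed by field name, recursing into nested types.
    Unknown fields/types keep their raw value, so a partial schema still
    yields readable output instead of failing on the first gap."""
    out = {}
    for field_no, wire_type, value in decode_raw(buf):
        name, kind, repeated = schema[msg_type].get(
            field_no, (f"field_{field_no}", "raw", True))
        if wire_type == WIRE_LEN and kind in schema:
            value = decode_with_schema(value, kind, schema)
        elif wire_type == WIRE_LEN and kind == "string":
            value = value.decode("utf-8", errors="replace")
        if repeated:
            out.setdefault(name, []).append(value)
        else:
            out[name] = value
    return out


def _varint(n):
    """Encode a non-negative int as a base-128 varint (for the sample)."""
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def _len_field(field_no, payload):
    return _varint((field_no << 3) | WIRE_LEN) + _varint(len(payload)) + payload


# Constructed sample: one inject entry plus a settings sub-message.
ENTRY = _len_field(1, b"bank.example") + _len_field(2, b"inject.js")
SETTINGS = _varint((1 << 3) | WIRE_VARINT) + _varint(300)
SAMPLE_CONFIG = _len_field(1, ENTRY) + _len_field(7, SETTINGS)

if __name__ == "__main__":
    print("raw:  ", decode_raw(SAMPLE_CONFIG))
    print("named:", decode_with_schema(SAMPLE_CONFIG, "SpywareConfig"))
```

Running it prints the raw tuple list first and the named dictionary second, which is exactly the difference between the two protoc outputs above. The fallback for unknown fields is worth keeping when you work on a real sample: a schema recovered from malware is often incomplete, and a decoder that stops at the first unknown field hides everything after it.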



Jozsef Gegeny Zsolnai and Miguel Lopez Negrete, S21sec
