Andromeda is an infamous modular botnet that has been around for several years now. It is very popular in the underground cybercrime market, with many different variants that use different RC4 keys in encrypting and decrypting its network packets.
Since the beginning of 2014, we have found that the version number, which can be seen in its network traffic, has turned to 2.08. This new version is very similar to the previous version 2.07.
The main difference can be found in the beginning of the codes, which contain Andromeda's anti-analysis tricks. Anti-analysis techniques are employed by most malware nowadays in order to make their codes harder to analyze by security researchers.
In this blog post, we will compare these anti-analysis differences with Andromeda's previous version 2.07.
The previous version 2.07 uses the UnhandledExceptionFilter callback function to redirect the flow of execution after intentionally throwing an exception.
The current variant 2.08 has given up the previous exception mechanism, but instead now adds a priority callback function into the vectored exception handler (VEH) chain.
As we can see, the first parameter passed to the API RtlAddVectoredExceptionHandler is 1, which indicates that the newly added callback function is the FirstHandler. Once an exception occurs, the newly added handler function will take control immediately.
Skipping anti-analysis codes
This trick is not changed. As in version 2.07, the 2.08 version continues to calculate the CRC32 hash of the volume name of drive C:\, which is then compared with the hardcoded value 0x20C7DD84. If it matches, the bot skips all the anti-debugging and anti-VM codes and enters the next stage of execution.
Checking for its unpacked version
For most security researchers, it is much easier to debug or trace the unpacked sample without the original packer. In an unpacked version of a malware sample, most of the code and data are not obscured, making it easy to analyze and locate critical codes.
To make it more dificult for security researchers to reverse the bot sample, Andromeda 2.08 included an additional feature.
The unpacked versions of Andromeda 2.08 samples have the first section name as "1961".
The bot reads the first 0x200 bytes of data from its physical file on the disk into memory, starting from the MZ header. It then compares the first section name, which is at offset 0x178, to "1961". If it matches, the bot will jump to its anti-debugging routine.
Checking for more processes
The previous version of Andromeda checks for 11 process names that could indicate that it is being monitored or is running in a virtual system or sandbox environment. If the presence of any of these processes is found, the bot deviates from its intended codes and instead proceeds to decrypt some dummy code.
Andromeda version 2.08 adds a few more processes to this list, which brings the total to 18 processes. Furthermore, the newer variant does not use the calculated checksum directly in comparing with the hardcoded checksum list, but adds one more calculation. It uses the XOR operation with the constant 0x0E17176F before comparing the values.
After all these new anti-debugging features, the bot stays similar to the previous variant. It will throw an exception by trying to modify data in its PE header, causing an access violation error.
Because of this exception, control will be transferred to the FirstHandler that was set in Figure 2 above.
Andromeda's current version 2.08 increased the barriers that it has set up for security researchers. The new features raises additional difficulty for analysis, but are still easy to skip.
We anticipate that the Andromeda botnet will keep on evolving. Our botnet monitoring system is continuing to track its activities and we will respond immediately when it enters its next generation.