
A couple of days ago, news spread around the world of a "Georgian" botnet based on Win32/Georbot that steals confidential documents and also makes audio and video recordings through webcams. If you want to learn how Win32/Georbot works, and how to control or neutralize it, join us at PHDays on May 30 and 31. Pierre-Marc Bureau, a senior engineer at ESET's virus laboratory and a specialist in cyberwarfare and cyberespionage, will hold the world's first master class on Georbot.
How does it take screenshots and record sound?
Pierre will show the audience Win32/Georbot's many talents. In real time, you will see the malware, under the Canadian specialist's control, perform the following tricks:
• steal documents,
• take snapshots with the webcam installed on the victim's computer,
• record audio from the built-in microphone,
• scan the network,
• cause a denial of service.
Ways of obfuscation
Like a real undercover agent, the malware does not seek fame and tries to stay in the shadows. It remains invisible to antivirus thanks to closed and deliberately complicated code. Participants in the master class will learn how the obfuscation of the Win32/Georbot code is implemented and will be able to clarify for themselves the following points:
• control-flow obfuscation,
• string obfuscation,
• API-call obfuscation through hashing.
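As an added illustration (not code from the announcement, from ESET, or from Georbot itself), here is the analyst-side counterpart to API-call hashing: precompute the hashes of candidate export names and map the constants found in a binary back to names. The ROR13 hash, the candidate export list and the "observed" constants are assumptions constructed for this example; the page does not state which algorithm Georbot actually uses.

```python
"""Analyst-side resolver for hashed API imports (added example, not from the page).

ASSUMPTION: the hash is the common ROR13 scheme over the export name's ASCII
bytes. Georbot's real algorithm is not given in the announcement; to use this
against a sample, swap in the hash routine recovered from the binary.
"""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Rotate-right-13-then-add hash, kept as a 32-bit value (assumed scheme)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32  # 32-bit rotate right by 13
        h = (h + b) & MASK32
    return h


def build_hash_table(export_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for every candidate export (for example an
    export list dumped from kernel32/wininet/ws2_32 on the analysis VM)."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = ror13_hash(name)
        # Two names sharing a hash would make resolution ambiguous; flag it
        # instead of silently overwriting the earlier entry.
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve_hashes(constants: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map hash constants pulled from the binary to names; None if unknown."""
    return {c: table.get(c) for c in constants}


# Constructed candidate list and constructed "observed" constants for the demo;
# 0xDEADBEEF stands in for a hash the candidate list does not cover.
CANDIDATE_EXPORTS = ["CreateFileA", "WriteFile", "InternetOpenA", "socket", "send"]
OBSERVED = [ror13_hash("InternetOpenA"), ror13_hash("send"), 0xDEADBEEF]

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    for h, name in resolve_hashes(OBSERVED, table).items():
        print(f"0x{h:08X} -> {name or '<unresolved: extend the export list>'}")
```

In practice the candidate list is the full export table of each DLL the sample loads, and the resolved names are applied as comments or renames in IDA so the import-less call sites become readable.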
How to control Georbot
Participants will see how this "combat worm" communicates with its command and control server over HTTP. Pierre will also show how to set up an alternative command and control server in the lab, how to send commands to the program, and how to get responses back from it.
What is required at the master class
In short, if you would not mind feeling like a cyber spy for a while, remember to bring a laptop with Windows XP installed in a virtual machine. Active participants in the master class will also need to install the following applications (all can be downloaded for free):
• Python,
• IDA Free,
• Immunity Debugger (or Olly, if you prefer),
• Wireshark.
Skills required for a smoother immersion in the subject:
• an understanding of assembly language principles,
• an understanding of the structure of the Windows operating system,
• an understanding of the Python programming language.
Win32/Georbot in brief
According to Pierre-Marc Bureau, the Win32/Georbot family of malicious applications appeared about a year and a half ago. The virus has many variants, is not intended for "carpet bombing", is used to steal confidential information, and is difficult to detect.
Related links:
Win32/Georbot news
Detailed analysis