Reversing the Gophe Spambot: Confronting COM Code and Surmounting STL Snags

BSides Huntsville | Reversing the Gophe Spambot: Confronting COM Code and Surmounting STL Snags | Mike Bailey
Course info
Level
Intermediate
Updated
Feb 29, 2020
Duration
40m
Table of contents
Reversing the Gophe Spambot: Confronting COM Code and Surmounting STL Snags
Description
Course info
Level
Intermediate
Updated
Feb 29, 2020
Duration
40m
Description

Unobfuscated malware can still be overwhelming to analyze. Even accomplished reverse engineers may feel hand-wavey about STL and COM code. Take for example Gophe, a spambot associated with Dyre campaigns and Trickbot C2, which weighs in around 2.6 MB with a 10 KB WinMain, three embedded binaries, copious STL template-generated code, and multiple flavors of atypical COM usage. COM is 27 years old, and plugins are starting to materialize to automate its analysis, but Gophe presents a strong case for understanding COM directly and applying that knowledge to decompilation instead of assembly listings. Meanwhile, C++ reversing is well-covered, but the literature is largely orthogonal to STL code. In this talk, Michael Bailey of FireEye's FLARE Team will share how to tame STL code with knowledge of a few key structures and how to investigate COM usage that doesn't conform to the norm. This will include a guided tour of a Gophe sample to focus on tactics for effective STL and COM reversing by enriching decompilation in Hex-Rays. We'll examine what Gophe is doing with Outlook.Application, Microsoft's Messaging API (MAPI), and one other COM interface that it uses to hide from view. This reverse engineering case study is all ham and no spam, so bring your appetite!

About the author
About the author

BSides Huntsville is for cybersecurity practitioners to engage with others to learn more about the industry.

More from the author
Closing the Cybersecurity Talent Gap
Intermediate
1h 3m
Feb 29, 2020
How to Secure America
Intermediate
1h 11m
Feb 29, 2020
Security 2030: The Next Decade
Intermediate
39m
Feb 29, 2020
More courses by BSides Huntsville