Deep Dive into an HTTP bot
In this two-part article, security researcher Ayoub Faouzi performs a deep analysis of how Beta Bot v184.108.40.206 works from top to bottom. It covers the bot's custom methods of injection, its sandbox/VM detection, its persistence mechanism against removal or termination, and a detailed look at its infrastructure, communication protocol and encryption schemes. In addition, the write-up highlights some of the methods that Beta Bot uses to both obfuscate and inject code, and how to extract the configuration details.
The full analysis report is available here: http://resources.infosecinstitute.com/beta-bot-analysis-part-1/