# Carberp - a modular information stealing trojan **Marco Giuliani** Head of Prevx Advanced Malware Research Team **Andrea Allievi** Prevx Malware Analyst ----- # PREFACE ## Nowadays most banking operations and payments are done on the web, through e-banking services and online payment solutions, like MoneyBookers or Paypal. Since online transactions are increasing their volume, malware authors are focusing more and more on the development of malicious software able to steal sensitive data from the infected computers. Today there are several kits sold online, botnet solutions available to everyone, developed to build up in a couple of minutes a brand new version of a specific Trojan able to hide itself from antivirus scanners and armored by some interesting features like remote control and sensitive data stealing routines. With an expense of just 700/800 dollars – such kits are not expensive - a potential attacker could gain several thousands of dollars and he could build up his own botnet that can be then sold or rent, or yet used to attack sensitive websites. The two most infamous botnet kits available online were ZeuS and SpyEye, and we already talked about them in our blog posts here and here. It looks like that between Q3/Q4 2010 ZeuS author decided to stop the development of his trojan and chose to sell the source code to the authors of SpyEye, giving to it the leadership of info stealing trojans. We have already analyzed the last variant of SpyEye with ZeuS enhancements here in our Prevx blog. During the second half of 2010 we have monitored the growth of a new trojans available on the underground market: it is called Carberp. After some cycles of hard development, today Carberp has probably become the second worst threat to customers data, following SpyEye. In this paper we are going to analyze this trojan in depth, looking at how it is evolved and what we can expect in the future from the team behind this trojan. 2 ----- # DROPPER ANALYSIS This trojan is usually dropped by fake webpages containing exploit codes or spread through social engineering. The file itself changed many times during the last few months.The dropper is crypted by a strong encryption layer. While the encryption itself is not really complicated, a manual analysis approach is not trivial because of several tricks implemented by the developer during the layer development. By analyzing droppers caught during past few months, we have seen a wide range of tricks implemented in the decryption layer to make the unpacking job a challenge. In some variants the code was totally messed up. Usually this kind of spaghetti code is enough to stop most reversers from manually analyzing the code. The dropper implements a number of fake API system calls, using invalid parameters. This trick is used to fool antivirus emulators, to stop them from emulating the trojan code. Antivirus emulators usually try to statically or dynamically emulate Windows behavior so that the malicious code can be executed in a controlled environment and it can be checked by the antivirus engine. System emulation is often far from being perfect, and the emulation of system calls doesn’t really emulate all possible situations. By implementing several fake API calls with invalid parameters, the trojan tries to stop antivirus emulators from working correctly. It tries to call uncommon and more rare Windows APIs, those APIs that are sometimes not emulated by antivirus emulators. Carberp doesn’t import API functions by using documented ways. Instead it manually parses system libraries to import needed API addresses. It implements a hashing routine to hide the API names that it’s going to import so that it slows down the analysis of the malicious code. Instead of passing the name of the API that needs to be imported, the trojan uses a hash that is calculated from the name of the function. The hashing routine used by the dropper we have analyzed is the one showed in the image below: EAX register stores the hash. It is rotated left by 7 on every loop and it is then xor’d with the string character pointed by the ESI index. It is a common technique used by malware. Carberp will use this technique again in the unpacked code – however it will implement a different hashing algorithm. The encryption layer is divided into two parts: the first part tries to fool manual analysis and automated emulators analysis – as described above. The second part is the actual decryption layer, which is based on mathematical instructions obfuscated by junk code. After the decryption is finished, the real trojan code is executed. ## 3 ----- # FIRST STAGE TROJAN EXECUTION Here we are at the real trojan code. PE static analysis shows that there isn’t any import table directory. The trojan manually imports all needed APIs by parsing the needed system libraries. This is the technique already used in the decryption loader code, it just changes the hashing algorithm. The new one is showed below: The trojan imports all needed APIs every time they are needed. Carberp will place itself inside current logged in account startup folder, to make sure it will start at next startup. The used file name is arbitrarily chosen by the attacker during the trojan build up procedure through the Carberp creation kit. It usually uses one of Windows system file names. To hide itself in the system the trojan will use user mode rootkit techniques. We’ll analyze them later in this paper. Carberp is a fully modular trojan, able to download and execute new plugins from the command and control server. Indeed the trojan already contains two plugins embedded in its code. Every plugin is encrypted by using another encryption algorithm. This is the reason why the embedded plugins are well hidden from the user. Carberp plugins have a common file format, which is based on a 14 bytes header followed by the encrypted code. The 14 bytes header contains the encryption key and a string used to identify new downloaded plugins: ‘BJB’. The encryption algorithm is almost trivial, yet it is quite effective. It is a xor algorithm based on the encryption key and index positions of the involved bytes. The algorithm is showed below: ## 4 ----- With the help of the reversed algorithm, we can extract the two embedded plugins and analyze them. The first plugin is r00f_dll.dll and it is extracted at the trojan startup. Carberp trojan is a pure user mode trojan, which means it is able to run completely in user mode, even inside limited accounts. It tries to run some specific code in kernel mode, to restore SSDT hooks, if they are present. r00f_dll.dll’s job is executing code in kernel mode to restore original System Service Descriptor Table. It tries to unhook following native APIs: _NtSetContextThread_ _NTGetContextThread_ _NtCreateThread_ _NtOpenThread_ _NtTerminateThread_ _NtQueueApcThread_ ## 5 _NtResumeThread_ _NtUnmapViewOfSection_ _NtCreateKey_ _NtSetValueKey_ _NtAllocateVirtualMemory_ _NtWriteVirtualMemory_ _NtProtectVirtualMemory_ _NtAdjustPrivilegesToken_ _NtOpenProcess_ _NtTerminateProcess_ ----- This technique would allow the Trojan to evade from security software that monitor the system by hooking the above kernel functions. The trojan maps the original kernel file in memory and gets original kernel pointers, then it prepares the code to be executed in kernel mode. Here the plugin tries to use two different methods to execute code in kernel mode. First attempt is done by using an old Windows vulnerability - MS08-025 - already patched by Microsoft. If the system has not been patched, the vulnerability allows the trojan to gain system privileges and run code in ring0. If the exploit has been patched, the trojan tries to get debug privileges by calling RtlAdjustPrivilege and then tries to write inside the kernel memory by invoking ZwSystemDebugControl API with SysDbgWriteVirtualMemory parameter. These attacks are executed only on Windows 2000, Windows XP and Windows 2003 operating systems. If the trojan is running in a limited account and the system is fully patched, these attacks won’t go succeed. The second embedded plugin, screens_dll.dll, is used to capture display screenshots. After the r00f plugin has been executed, Carberp starts its infection routine. To better hide its behavior, Carberp does not execute its payload from its process, but instead it spawns a new explorer.exe process in a suspended state. This process will host the malicious code. After the explorer.exe process has been created, Carberp creates a new section object and maps itself inside this newly created section. Then, this section is mapped into the explorer.exe process through a call to ZwMapViewOfSection. The malicious code has been injected inside the explorer.exe process. To start it, Carberp has been observed using two different techniques. The first technique is hijacking explorer.exe entry point in memory, patching it with a PUSH/RET instruction to redirect the flow code to the injected malicious code. ## 6 ----- **Original Entrypoint** **Hijacked Entrypoint** The second technique used is queuing an APC routine to the main explorer.exe thread by calling ZwQueueApcThread. Then both techniques start the suspended explorer.exe process by calling ZwResumeThread. The original Carberp dropper terminates, it is now running inside its child explorer.exe. It will then inject its code inside the original system’s explorer.exe process through a CreateRemoteThread call. To find out the original explorer.exe process, the trojan looks for the Shell_TrayWnd class name. The trojan creates a new instance of svchost.exe process, where it will inject the code able to communicate with the command and control server. # USER MODE HOOKS Carberp acts as an information stealing trojan and a user mode rootkit. To hide itself inside the system, it’ll inject a copy of itself in every running process and it will hook ntdll.dll NtQueryDirectoryFile API. By hooking this system function, the trojan is able to hide its file from the user. From a technical perspective, the hook replaces the standard SystemCallStub address with its own routine: **Original ZwQueryDirectoryFile** **Hijacked ZwQueryDirectoryFile** The call dword ptr [edx] instruction will invoke the trojan routine, able to filter out the trojan file from file enumeration. While this technique is easy to be bypassed in several ways – direct sysenter call, direct file opening, unhooking – it is actually quite effective and it does its job. ## 7 ----- The trojan hooks ntdll.dll NtResumeThread in the same way. Carberp uses a a Man-In-The-Browser approach to steal information data. It hooks following APIs: _HttpSendRequestA_ _HttpSendRequestW_ _HttpSendRequestExA_ _HttpSendRequestExW_ _InternetReadFile_ _InternetWriteFile_ _InternetReadFileExA_ _InternetReadFileExW_ _InternetQueryDataAvailable_ _InternetCloseHandle_ _CreateFileW_ _TranslateMessage_ _InternetWriteFile, TranslateMessage and CreateFileW hooks are set on the fly if one of the following strings are found in the URL:_ _*cyberplat*_ _*/ibc/*_ _*bsi.dll*_ Previous variants of the trojan hooked only HttpSendRequestA/W and HttpSendRequestExA/ExW APIs – still TranslateMessage and CreateFileW were set on the fly. Moreover those previous versions tried to steal information data only if *cyberplat* or *bsi.dll* strings were found in the URL. Current Carberp releases upload every relevant data to the collector server, with particular attention to the strings listed above. There isn’t any watchdog thread monitoring the presence of the malware hooks, so a trivial code restore can help in fixing the malware. # C&C COMMUNICATION Carberp is not just an information stealing trojan, it is a remote controlled malware that turns the infected PC in a zombie. Carberp can communicate with a list of servers, usually embedded inside the binary. In previous variants of the trojan, those servers were not encrypted, and they could be read in plain text. More updated variants of Carberp encrypt them with a trivial xor-based encryption algorithm. ## 8 ----- The algorithm –and relative decoded string – are showed below: Carberp can be configured to contact even more servers. When the infected computer contacts the C&C for the first time, the trojan will send back to the server some information about the victim machine – operating system version, process lis, along with a unique ID calculated from the infected computer. The trojan could download a specific configuration file from the server. The file name of the configuration file is stored inside the trojan binary and it’s encrypted using the same algorithm described in the previous page. This configuration file name will be even used when generating the unique name of the infected machine used by the C&C server. Then the trojan will contact a specific webpage of the C&C server - /set/task.html – looking for specific commands from the server. The version of Carberp we have analyzed can receive the following commands:  _Download_  _update_  _grabber_  _loaddll_  _startsb_  _getwm_ It can update itself, download and execute new executable files or load dll, and even start a remote VNC session by downloading a specific Carberp plugin (vnc.plug). As written before in the paper, Carberp is a fully modular trojan, able to download and execute specific plugins written by Carberp developers. We have been able to download and analyze three of most used plugins. They are passw.plug, stopav.plug, miniav.plug. All these plugins are encrypted with the encryption algorithm described earlier in this paper. Stopav.plug is a plugin used to disable a number of specific antivirus software. Currently it tries to disable following security software:  _Arcavir Antivirus_  _Avast4 Antivirus_  _Avast5 Antivirus_  _AVG Antivirus_ ## 9 -----  _Avira Antivirus_  _BitDefender Antivirus_  _Dr.Web Antivirus_  _McAfee Antivirus_  _Microsoft Security Essentials_  _Eset Antivirus_  _Eset Smart Security_  _Sophos Antivirus_ The plugin looks into the Windows registry looking for specific registry keys related to these antivirus products. If found, the common procedure is to try to disable the security software by creating a specific antivirus process in a suspended state and then injecting there the payload to delete one or more antivirus core files. Process is then resumed. **Security software** **Newly created process** **Files attempted to be deleted** **Arcavir Antivirus** arcavir.exe adc.%#^.462 update_tmp.exe (killed) **Avast4 Antivirus** ashDisp.exe \Setup\setiface.ovr \Setup\setiface.dll **Avast5 Antivirus** AvastUI.exe \Setup\setiface.ovr \Setup\setiface.dll **AVG Antivirus** avgtray.exe avgupd.exe **Avira Antivirus** avconfig.exe updaterc.dll **BitDefender Antivirus** livesrv.exe upgrepl.exe v_live_s.xml **Dr.Web Antivirus** SpIDerAgent.exe DrWebUpW.exe update.drl **McAfee Antivirus** mcshell.exe mcupdmgr.exe **Microsoft Security Essentials** msseces.exe MsMpLics.dll **Eset Antivirus** - \updfiles\upd.ver **Eset Smart Security** - \updfiles\upd.ver **Sophos Antivirus** AlMon.exe scf.dat **stopav plugin screenshot** This plugin has been written in Borland Delphi. ## 10 |Security software|Newly created process|Files attempted to be deleted| |---|---|---| |Arcavir Antivirus|arcavir.exe|adc.%#^.462 update_tmp.exe (killed)| |Avast4 Antivirus|ashDisp.exe|\Setup\setiface.ovr \Setup\setiface.dll| |Avast5 Antivirus|AvastUI.exe|\Setup\setiface.ovr \Setup\setiface.dll| |AVG Antivirus|avgtray.exe|avgupd.exe| |Avira Antivirus|avconfig.exe|updaterc.dll| |BitDefender Antivirus|livesrv.exe|upgrepl.exe v_live_s.xml| |Dr.Web Antivirus|SpIDerAgent.exe|DrWebUpW.exe update.drl| |McAfee Antivirus|mcshell.exe|mcupdmgr.exe| |Microsoft Security Essentials|msseces.exe|MsMpLics.dll| |Eset Antivirus|-|\updfiles\upd.ver| |Eset Smart Security|-|\updfiles\upd.ver| |Sophos Antivirus|AlMon.exe|scf.dat| ----- The second plugin, written in Borland Delphi too, is miniav.plug. This plugin is responsible of scanning the system looking for other **trojan infections. It looks for – and try to clean – following trojans:**  _Adrenalin_  _Barracuda_  _BlackEnergy_  _Generetic_  _Limbo_  _MyLoader_  _ZeuS_ **miniav plugin screenshot** The plugin also checks the Image File Execution Options registry key, looking for “Debugger” value inside every subkey. This is a common technique used by malware to deny the creation of specified processes or to get their code to be executed when the specified process is run. The third plugin, passw.plug, is a grabber able to scan the infected PC looking for passwords and user accounts. It can grab a lot of information from an infected PC, for example:  Live Messenger, Yahoo, Trillian, Pidgin, MySpace, Gaim, QIP, Odigo, ICQ, GTalk, Gizmo, Jabber, Gadu-Gadu, AOL, Miranda accounts;  Password and forms data saved in most common browsers (Opera, Internet Explorer, Safari, Firefox, Chrome);  Mail accounts and relative passwords from most common e-mail clients (Outlook, Windows Live Mail, The Bat!, Becky, _Eudora, Mail.Ru, IncrediMail, PocoMail, ForteAgent, Scribe, POP Peeper, MailCommander etc…);_  User accounts and passwords from most common FTP clients (CuteFTP, WS_FTP, FileZilla, FTPCommander, BProofFTP, _SmartFTP, CoffeeCup, CoreFTP, Frigate3, UltraFXP, FlashFXP, FTPRush, WebSitePublisher, BitKinex, FreeFTP, WinSCP,_ _TotalCommander etc…);_  System Information along with credential passwords for desktop remote control, VNC passwords, Cisco VPN accounts; All stolen information are stored in a database and uploaded to the remote server. ## 11 ----- # CONCLUSIONS While SpyEye leads the world of infostealing trojans after ZeuS code has been sold, Carberp silently appeared on the underground market and showed the world a lot of potential. Its modular structure along with the ability to run even in limited accounts and the active development team behind it make this trojan a very dangerous threat. Its encryption layer looks very effective in bypassing classic antivirus scanners, showing the need of a multi-layered security approach to fight against today’s threats. **Prevx SafeOnline has been able to proactively protect our customers' navigation sessions from Carberp infostealing hooks –** successfully preventing it from stealing bank accounts and passwords put in the browser while surfing on the online banking webpage. We expect to see Carberp to be much more widespread during 2011, quickly becoming one of the top infostealing threats. ## ABOUT PREVX ### Prevx provides cloud-based products with unparalleled capabilities for protecting consumers, SMEs and enterprises, banks, and government organizations from the latest malware threats. The entire Prevx suite is underpinned by its award-winning flagship security agent, Prevx 3.0, and connects to the world's largest cloud-based threat database. Prevx 3.0 is the world's smallest, fastest, and lightest endpoint security agent yet its detection, protection and removal capabilities rival the largest antivirus solutions. Prevx specializes in detecting zero day attacks, reducing the time exposed to danger and providing real-time protection against the latest and the most malicious forms of malware, including keyloggers, Trojans, and rootkits - catching the threats that are missed by traditional antivirus providers. Prevx is a division of Internet security service company Webroot. With its main operations in the United Kingdom, Prevx products are also sold and supported across Europe and in the United States. Before acquisition by Webroot in 2010, Prevx was formed by IT entrepreneur Mel Morris who acquired Immunify Ltd in 2005 and re-launched it as Prevx. Now vice president and general manager of the Prevx division at Webroot, Morris named Prevx to reflect the organization's mission to help customers - from consumers and small businesses to the largest financial institutes and global organizations - to best protect themselves against the evolving and unknown nature of malicious software. Prevx: preventing the unknown. Prevx's family of security software is deployed by leading banks, enterprises, and government agencies and supports over 15 million users worldwide. ## 12 -----