carberp trojan reversing

Carberp is a recently (2010) discovered banking Trojan. Although it is not as well known as the currently dominating banking Trojans, such as ZeuS or SpyEye, we can’t simply ignore it due to its powerful capabilities, which may lead it to greater success in the future. The main characteristics of Carberp are:
  • It comes with three plugins: MiniAV, StopAV and Passw. MiniAV is a generic mini-antivirus which was designed to kill specific trojans or other uncategorized possibly malicious applications that had been heuristically considered as malware. It includes a disinfection mechanism against ZeuS, Adrenalin, Limbo, Barracuda and BlackEnergy. That a malicious application would contain a built-in mini antivirus is not something new, we have seen it before with Tatanga as well. The plugin StopAV’s purpose is to take out (kill) various antivirus products, meanwhile the plugin Passw contains password stealing functionality for various applications (ftp, pop3, passwords from Window registry…).
  • It has a very sophisticated installation mechanism which includes remote code injection into the default webbrowser and svchost.exe, and contains a payload which tries to exploit a vulnerability in the operating system (MS08-025). This executes code in the kernel which restores various system hooks used by security applications, thereby concealing the Trojan.
  • Together with backdoor functionality and HTML injection it is able to perform Man-in-the-Browser type attacks against the victims.
Recent variants of Carberp encrypt communication with the C&C, which makes further observation and monitorization of the trojan a more complex task. A Wireshark extension, customized for this purpose, would come in very handy. You can download it from here together with an example .pcap file, source code also included (however it was probed with 32bit version of Wireshark only).

In the above example we can see the plugin in action as the Trojan received an “updateconfig” command from its C&C server. The installation of the plugin is simple; we just have to put it into the “plugins” directory inside Wireshark’s folder. To verify that the plugin is loaded correctly, we have to check that it appears in the list, in the menu Analyze/Enabled Protocols:

There is one more thing to look at that we have not mentioned yet, the algorithm that Carberp uses to encrypt its traffic:
POST /clssvoarsm.phtm HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 691
The first and last four bytes of the message (marked in red) are needed for initialize the decryption and they are randomly generated at each POST. The data between are base64 encoded + RC2 algorithm. Apart from the randomly generated “short” keys which are 8 bytes in total, there is a “long” key which consists of 16 bytes and is hardcoded inside the binary and we need to extract it. Fortunately it is not that hard to spot it:

By taking a memory dump of the malware, loading it into a disassembler we can spot the right function by looking for the hash value “618ADDBEh”. It’s not clear the purpose of this hash, most probably this value belongs to a default decryption key. By the way, our “long” key is “rsg7?GhdHB16_Rbf” however we still have to apply a byte XOR with value 05 to get the final wvb2zBmaMG43ZWgc key.

Once we have got the key, we have to pass it to the plugin in order to get it work. Menu Edit/Preferences/Protocols and that’s all, ready to sniff an infected machine 😉
Jozsef Gegeny
S21sec e-crime