
Decrypting Carberp C&C communication

Carberp is a recently (2010) discovered banking Trojan. Although it is not as well known as the currently dominant banking Trojans, such as ZeuS or SpyEye, we can’t simply ignore it because of its powerful capabilities, which may lead it to greater success in the future. The main characteristics of Carberp are:
  • It comes with three plugins: MiniAV, StopAV and Passw. MiniAV is a generic mini-antivirus designed to kill specific trojans or other uncategorized, possibly malicious applications that have been heuristically considered malware. It includes a disinfection mechanism against ZeuS, Adrenalin, Limbo, Barracuda and BlackEnergy. A malicious application containing a built-in mini antivirus is nothing new; we have seen it before with Tatanga as well. The purpose of the StopAV plugin is to take out (kill) various antivirus products, while the Passw plugin contains password-stealing functionality for various applications (ftp, pop3, passwords from the Windows registry…).
  • It has a very sophisticated installation mechanism which includes remote code injection into the default web browser and svchost.exe, and contains a payload which tries to exploit a vulnerability in the operating system (MS08-025). This executes code in the kernel which restores various system hooks used by security applications, thereby concealing the Trojan.
  • Together with backdoor functionality and HTML injection, it is able to perform Man-in-the-Browser type attacks against the victims.
Recent variants of Carberp encrypt their communication with the C&C, which makes further observation and monitoring of the trojan a more complex task. A Wireshark extension customized for this purpose comes in very handy. You can download it from here together with an example .pcap file; the source code is also included (however, it was tested with the 32-bit version of Wireshark only).

In the above example we can see the plugin in action as the Trojan received an "updateconfig" command from its C&C server. The installation of the plugin is simple; we just have to put it into the "plugins" directory inside Wireshark’s folder. To verify that the plugin is loaded correctly, we have to check that it appears in the list, in the menu Analyze/Enabled Protocols:

There is one more thing to look at that we have not mentioned yet, the algorithm that Carberp uses to encrypt its traffic:

POST /clssvoarsm.phtm HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 691

The first and last four bytes of the message (marked in red) are needed to initialize the decryption, and they are randomly generated for each POST. The data between them is base64 encoded and encrypted with the RC2 algorithm. Apart from the randomly generated "short" keys, which are 8 bytes in total, there is a "long" key of 16 bytes which is hardcoded inside the binary and which we need to extract. Fortunately it is not that hard to spot:

By taking a memory dump of the malware and loading it into a disassembler, we can spot the right function by looking for the hash value "618ADDBEh". The purpose of this hash is not clear; most probably the value belongs to a default decryption key. By the way, our "long" key is "rsg7?GhdHB16_Rbf"; however, we still have to XOR every byte with the value 05 to get the final key, wvb2zBmaMG43ZWgc.
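The key derivation and the message framing described above, as an added example that is not part of the original post or the Wireshark plugin. The fifth byte of the extracted key is 0x7F (DEL), which the post renders as "?" because it is not printable; the assumption that the random "short" key bytes are the first and last four characters of the POST body, with possibly unpadded base64 in between, is mine:

```python
import base64
import binascii
import os

# Hardcoded "long" key as extracted from the binary. The fifth byte is 0x7F,
# shown as "?" in the post because it is not printable.
LONG_KEY_RAW = b"rsg7\x7fGhdHB16_Rbf"
KEY_XOR_BYTE = 0x05


def derive_long_key(raw_key: bytes, xor_byte: int = KEY_XOR_BYTE) -> bytes:
    """Apply the byte-wise XOR the post describes to the extracted key."""
    return bytes(b ^ xor_byte for b in raw_key)


def split_carberp_body(body: bytes) -> dict:
    """Split a POST body into the two random 4-byte 'short' keys and the
    base64-decoded RC2 ciphertext that sits between them.

    Assumption (not stated in the post): the random bytes are the first and
    last four characters of the body, and the middle is standard base64 that
    may lack its '=' padding (the Content-Length in the capture is 691, and
    691 - 8 is not a multiple of 4).
    """
    if len(body) < 8:
        raise ValueError("body too short to carry two 4-byte short keys")
    head, middle, tail = body[:4], body[4:-4], body[-4:]
    padded = middle + b"=" * (-len(middle) % 4)
    try:
        ciphertext = base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"middle section is not valid base64: {exc}") from exc
    # The RC2 step itself is left to the plugin: how the 8 short-key bytes are
    # combined with the long key is not described in the post.
    return {"short_key": head + tail, "ciphertext": ciphertext}


def build_sample_body(ciphertext: bytes, rng=os.urandom) -> bytes:
    """Constructed sample body in the described framing (for testing only)."""
    return rng(4) + base64.b64encode(ciphertext) + rng(4)
```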

Once we have got the key, we have to pass it to the plugin in order to get it to work: menu Edit/Preferences/Protocols, and that’s all, ready to sniff an infected machine ;)

Jozsef Gegeny
S21sec e-crime

2 comments:

Nick Enukov said...

Good day!
The link to the Wireshark plug-in does not work.
May I ask you to update it?
Thank you very much

Ion said...

We have updated it, sorry for the inconvenience.


© Copyright S21sec 2013 - All rights reserved