MalwareIntelligence is a site dedicated to research on everything related to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.


Inside Carberp Botnet

In early 2010, MalwareIntelligence began researching a new botnet designed to aggregate sensitive information relating to bank accounts and to steal credentials from a disturbingly long list of programs.

NOTE: At the bottom of this article you will find the link to download the complete white paper, "Inside Carberp Botnet", which describes the internal components that make up Carberp.

Carberp, unlike SpyEye and ZeuS, was not (and still is not) a mass-marketed crimeware kit; it was sold only to a small group of people. Evidence of this was (and is) the small number of C&Cs operating the botnet. Deploying it also required licenses for the builder and the administration panel.

After a period of high activity through these C&Cs, we were surprised to see them gradually disappear, and even more so given that the vast majority had been upgraded to the new version for less than two months. A few C&Cs still refused to disappear, though we believe this was really because the operating botmasters refused to set this malware aside.

In January this year Seculert published an article discussing the new version of Carberp, with an entirely new panel and developments in the bot.

MalwareIntelligence found only one C&C with these features, and we have several indications leading us to believe that it is not an "official" version of Carberp but a modification of the original bot's interface and of some of the crimeware's features.

These unique signs may also be evidence of a possible breakup of the group behind the development, commercialization and exploitation of this crimeware.

In recent weeks we have begun to notice increased activity from new Carberp C&Cs. However, these do not correspond to a newer version than the one discussed in "Inside Carberp Botnet": they are the same crimeware whose activity ceased in December 2010. This reinforces our theory that the administration panel referenced by Seculert is not really the new Carberp.

We decided to resume our research to gather more information about this "resurrection" of Carberp and, based on the knowledge we already had of this botnet, to publish our internal report. Through it we also present the first results of the second part of the investigation.

Carberp has begun to be advertised in the crimeware community, something that had not happened until now, and this is undoubtedly why it has once again become popular in the media.

A change of business model? We cannot yet confirm it, but it may be that this botnet is starting to be marketed to broaden its reach, or that some other criminal group (perhaps formed by a member of the original Carberp development group) has taken the opportunity to produce a new version inspired by the original and try to commercialize it.

The following text is the advertisement through which this new variant of Carberp is being marketed (plain text):

Carberp. Multi-banking Trojan
Works on any system: Windows XP/Vista/7, including limited accounts.
The bot contains:

  • Loader
  • FTP Grabber
  • Password Grabber
  • Forms Grabber
  • FTP Sniffer
  • Backconnect (supports up to 500 connections)
  • Deletion of cookies in IE and Firefox.
  • Injections in IE and Firefox.
  • Ability to take screenshots directly from the JS.
  • %user_id% HTML insert in the UID.
  • The builder
  • A sample injection and much more.
  • System plugins.
  • The multidownload command can load 20 executables simultaneously.
Detects and removes the following malware:
ZeuS, Limbo, Barracuda, Adrenalin, MyLoader, BlackEnergy, SpyEye.

NOTE: Unlike the previous version, this one includes a "Kill SpyEye" feature with which it also tries to get rid of that crimeware.

Blocks antivirus updates:
avg8, avg9, arca2009, arca2008, avast5, ESET NOD32 Antivirus 3.x/4.x, ESET Smart Security 3.x/4.x, Avira Premium Security Suite, Avira AntiVir Premium, Avira AntiVir Professional, BitDefender Antivirus 2010, McAfee AntiVirus Plus 10, Microsoft Security Essentials, DrWeb.

Grabber program list:
Messengers: Miranda, ICQ2003, RQ, Trillian, ICQ99b, MSN, Yahoo, AIM, Gaim, QIP, Odigo, IM2, SIM, GTalk, PSI, Faim, LiveMessenger, PalTalk, Excite, Gizmo, Pidgin, AIMPRO, MySpace, Pandion, QIPOnline, JAJC, Digsby, Astra.
Mail clients: Becky, The_Bat, Outlook, Eudora, Gmail, MRA, IncrediMail, GroupMailFree, VypressAuvis, PocoMail, ForteAgent, Scribe, POPPeeper, MailCommander, Windows_Mail_Live, Windows_Mail_Vista.

FTP Clients:
TotalCommander, Far Manager, WS_FTP, CuteFtp, FlashFXP, FileZilla, FTP Commander, FTP Navigator, BulletProof, SmartFTP, TurboFTP, FFFTP, CoffeCup, CoreFTP, FTP Explorer, Frigate3, UltraFXP, FTPRush, SecureFX, WebPublisher, BitKinex, ExpanDrive, Classic FTP DC, Fling, SoftX FTP Client, Directory Opus, FTP Uploader, Free FTP, DirectFTP, LeapFTP, WinSCP.

Browsers: Firefox, Safari, Opera, IE, Chrome.

SysInfo, WinVNC, ScreenSaver, ASPNET, RDP, FreeCall, CamFrog, PCRemoteControl, NetCache, CiscoVPN, Credentials.

Backconnect system:

  • A win32 application is used to receive the bots.
  • Allows the bots to be used as a SOCKS5 proxy.
  • There are options to configure the ports to use, number of bots, times, etc.
  • Proxy authentication is possible.
  • A bot can be forcibly disconnected when required.

  • The injections work in IE and Firefox.
  • A program to configure the injections.
  • Ability to configure 3 domains.
  • Requires a license.

Autocrypt system:
There is a metamorphic cryptor that is checked against antivirus products.

  • Works in the user's session, even if the bot is unprivileged (limited account).
  • Screenshots can be taken of the user and of other parts of the system.
  • Dormant mode: the user will not notice anything strange.
  • The browser is entirely invisible to the user.
  • The browser is not shown, even when filling in a form.
  • A user's browser can be hijacked and worked with.
  • Browse the bot's files, as well as download them.

  • The license includes a panel + builder.
  • Restrictions on the number of servers under a license.
  • Operating more than one botnet requires a second license.
  • Redirecting the botnet to a server other than the one provided is forbidden.
  • We look carefully at all licenses; any violation will result in loss of the license and a DDoS on the offender's servers and domains.
  • The panel is protected with IonCube.
  • The bot is protected by our security system. With each update the bot's form changes, making the task of those who track it more difficult.
  • Resale is prohibited.

Upcoming updates:
  • Builder (60%).
  • DDoS module (90%).
  • Chrome screenshots (50%).
  • Fakes module (70%).
  • P2P (10%).
  • Opera form grabber (90%).
  • Chrome form grabber (40%).
  • Grabber for Basic Auth in Firefox and IE (90%).

  • Updates to the current modules and small changes are free.
  • Updates with new modules and major changes require an extra fee.
  • Price of the bot without the browser module: 5k WMZ.
  • Price with the browser module: 8k WMZ.
  • Autocrypt system: 1k WMZ/month.
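The advertisement's backconnect system turns each infected host into a SOCKS5 proxy for the operator. The following is an added example by the editor, not Carberp's code and not part of MalwareIntelligence's report: a parser for the client side of a SOCKS5 negotiation (RFC 1928, with RFC 1929 username/password subnegotiation) and a check a defender can run over observed connections. It assumes, which the ad does not state, that the bot dials out to the backconnect server and the operator's SOCKS5 client messages then arrive over that outbound connection, so the tell-tale is a remote peer speaking as a SOCKS5 client on a connection the workstation opened. All addresses, the `bank.example` name, the credentials and the byte strings are constructed for the example.

```python
# Added example (editor's code, not Carberp's and not MalwareIntelligence's).
# Message layouts follow RFC 1928 (SOCKS5) and RFC 1929 (username/password
# subnegotiation); all byte strings and flows below are constructed.
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCKS_VER, SUBNEG_VER = 0x05, 0x01  # RFC 1928 and RFC 1929 version bytes
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ADDR_TYPES = {0x01: (4, ipaddress.IPv4Address), 0x04: (16, ipaddress.IPv6Address)}

class NotSocks5(ValueError):
    """The bytes do not form a SOCKS5 client negotiation."""

@dataclass
class Socks5Session:
    methods: List[int]              # auth methods offered in the greeting
    username: Optional[str] = None  # set if RFC 1929 subnegotiation was seen
    command: Optional[str] = None   # CONNECT / BIND / UDP_ASSOCIATE
    dst_host: Optional[str] = None
    dst_port: Optional[int] = None

def _need(data: bytes, pos: int, n: int) -> None:
    if pos + n > len(data):
        raise NotSocks5("truncated SOCKS5 message")

def parse_client_stream(data: bytes) -> Socks5Session:
    """Parse the client->server half of a SOCKS5 session: greeting, optional
    username/password subnegotiation and, if present, the request."""
    _need(data, 0, 2)
    nmethods = data[1]
    if data[0] != SOCKS_VER or nmethods == 0:  # RFC 1928: NMETHODS is 1..255
        raise NotSocks5("no SOCKS5 greeting")
    _need(data, 2, nmethods)
    sess = Socks5Session(methods=list(data[2:2 + nmethods]))
    pos = 2 + nmethods
    # RFC 1929 subnegotiation: 0x01 ULEN UNAME PLEN PASSWD (password not kept)
    if pos < len(data) and data[pos] == SUBNEG_VER:
        _need(data, pos, 2)
        ulen = data[pos + 1]
        _need(data, pos + 2, ulen + 1)
        sess.username = data[pos + 2:pos + 2 + ulen].decode("latin-1")
        plen = data[pos + 2 + ulen]
        _need(data, pos + 3 + ulen, plen)
        pos += 3 + ulen + plen
    if pos == len(data):
        return sess  # only the greeting (and maybe auth) seen so far
    _need(data, pos, 4)
    ver, cmd, _rsv, atyp = data[pos:pos + 4]
    if ver != SOCKS_VER:
        raise NotSocks5("bad request version")
    pos += 4
    if atyp == 0x03:  # domain name: one length byte, then the name
        _need(data, pos, 1)
        n = data[pos]
        _need(data, pos + 1, n)
        host, pos = data[pos + 1:pos + 1 + n].decode("ascii", "replace"), pos + 1 + n
    elif atyp in ADDR_TYPES:  # IPv4 (4 bytes) or IPv6 (16 bytes)
        n, cls = ADDR_TYPES[atyp]
        _need(data, pos, n)
        host, pos = str(cls(data[pos:pos + n])), pos + n
    else:
        raise NotSocks5("unknown ATYP %#x" % atyp)
    _need(data, pos, 2)
    (sess.dst_port,) = struct.unpack("!H", data[pos:pos + 2])
    sess.command, sess.dst_host = CMD_NAMES.get(cmd, "UNKNOWN_%#x" % cmd), host
    return sess

@dataclass
class Flow:  # one TCP connection as seen from the monitored workstation
    remote: str
    outbound: bool      # True if the workstation opened the connection
    from_remote: bytes  # first payload bytes the remote peer sent

def find_backconnect_proxies(flows: List[Flow]) -> List[Tuple[str, Socks5Session]]:
    """Flag connections the workstation opened on which the REMOTE side speaks
    as a SOCKS5 client (assumed backconnect direction, not stated in the ad)."""
    hits = []
    for f in flows:
        if f.outbound:
            try:
                hits.append((f.remote, parse_client_stream(f.from_remote)))
            except NotSocks5:
                pass
    return hits

SAMPLE_FLOWS = [  # constructed, not captured traffic
    # Backconnect: we dialed out; the remote greets with SOCKS5, logs in, then
    # asks us to CONNECT to bank.example:443 on its behalf.
    Flow("203.0.113.10", True,
         b"\x05\x02\x00\x02"
         + b"\x01" + bytes([8]) + b"operator" + bytes([6]) + b"s3cret"
         + b"\x05\x01\x00\x03" + bytes([12]) + b"bank.example" + struct.pack("!H", 443)),
    Flow("198.51.100.5", True, b"HTTP/1.1 200 OK\r\n"),  # ordinary web traffic
    # We are a legitimate SOCKS client: the remote's method choice (0x05 0x00)
    # would mean NMETHODS == 0, so it is rejected as a client greeting.
    Flow("192.0.2.7", True, b"\x05\x00"),
    Flow("192.0.2.20", False, b"\x05\x01\x00"),  # inbound: local proxy, not backconnect
]
```

Running `find_backconnect_proxies(SAMPLE_FLOWS)` returns only the first flow, with the operator's username, the CONNECT command and the destination `bank.example:443` the bot was asked to reach. The direction check matters: a workstation that is itself a SOCKS client sends the greeting, it does not receive one on a connection it opened.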

We will, of course, keep you informed of our progress on Carberp and its botnet.

Download full whitepaper Inside Carberp Botnet

Francisco Ruiz
Crimeware Research, MalwareIntelligence