Trojan.Win32.Carberp (Trojan.Win32.Generic.pak!cobra)

by alexander.adamov on October 3rd, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 448980 bytes
Language: C++
MD5: ae97672ce3937ef4e845bdca86c0971c
SHA1: 0c5e4b9f92a408c92de6ad95ea083664c0992f06

Summary

Trojan.Win32.Carberp is Trojan spyware designed to steal confidential user data from trading and online banking platforms.

Technical Details

Installation

Once activated, the Trojan resets flags specified for the interceptors in the System Service Descriptor Table (SSDT).

It then copies itself to the current user’s startup folder:

%Documents and Settings%\%Current User%\Start Menu\Programs\Startup\ly3C5hsBUIA.exe

Thus, the Trojan runs automatically on each system boot.

The Trojan executable file has the same creation date and time as the following file:

%System%\smss.exe
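As an added example (not part of the original description), the following Python check flags Startup-folder entries whose creation time equals that of smss.exe, the timestamp mimicry described above. The directory listing and the reference timestamp are constructed sample data; the live-host helper assumes CPython on Windows, where os.stat() exposes the NTFS creation time as st_birthtime (3.12+) or st_ctime.

```python
"""Flag Startup-folder entries whose creation time equals that of
%System%\\smss.exe, the timestamp-mimicry trick described above.

Added example, not code from the original page. The listing and the
reference timestamp are constructed sample data."""
import os
from datetime import datetime, timezone

# Constructed sample: creation time of %System%\smss.exe on the host.
SMSS_CTIME = datetime(2008, 4, 14, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample listing of the current user's Startup folder:
# (file name, NTFS creation time)
STARTUP_LISTING = [
    ("desktop.ini", datetime(2011, 3, 2, 9, 15, 0, tzinfo=timezone.utc)),
    ("ly3C5hsBUIA.exe", datetime(2008, 4, 14, 12, 0, 0, tzinfo=timezone.utc)),
    ("OneNote.lnk", datetime(2012, 9, 30, 18, 42, 7, tzinfo=timezone.utc)),
]


def find_timestamp_mimics(listing, reference, tolerance_s=0):
    """Return names of entries whose creation time matches `reference`
    within `tolerance_s` seconds. A user-writable Startup entry that
    shares the creation time of a protected OS binary is suspicious:
    legitimate installers stamp their files with the install time."""
    hits = []
    for name, ctime in listing:
        if abs((ctime - reference).total_seconds()) <= tolerance_s:
            hits.append(name)
    return hits


def _creation_time(st):
    # Assumption: CPython on Windows, where st_birthtime (3.12+) or
    # st_ctime (older releases) carries the NTFS creation time.
    return datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime), tz=timezone.utc)


def scan_startup_folder(startup_dir, system_dir):
    """Live-host variant of the check; not exercised by the sample data."""
    ref = _creation_time(os.stat(os.path.join(system_dir, "smss.exe")))
    listing = [(e.name, _creation_time(e.stat()))
               for e in os.scandir(startup_dir) if e.is_file()]
    return find_timestamp_mimics(listing, ref, tolerance_s=2)


if __name__ == "__main__":
    for name in find_timestamp_mimics(STARTUP_LISTING, SMSS_CTIME):
        print("suspicious Startup entry (creation time equals smss.exe):", name)
```

A small tolerance (a second or two) is worth allowing on a live host because some copy routines round the timestamp; the sample data uses an exact match.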

To hide its executable file within the system, the Trojan intercepts the following function:

NtQueryDirectoryFile

To prevent its deletion, the Trojan intercepts the following functions:

NtClose
NtDeviceIoControlFile

Payload

The Trojan searches for the following process:

explorer.exe

and injects malicious code into its address space. If the injection fails, the Trojan searches for a window with the class name "Shell_TrayWnd" (this window class belongs to the "explorer.exe" process) or enumerates all processes and compares the hash of each process name to the hash of "explorer.exe" stored in the Trojan body.

The injected code launches several instances of the "svchost.exe" process and injects into their address space the malicious code that implements the functionality described below. The original Trojan file is then deleted.

To inject the malicious code into the address space of the processes being run on the system, the Trojan intercepts the following function:

NtResumeThread

The Trojan keeps an open handle for the executable file:

%Documents and Settings%\%Current User%\Start Menu\Programs\Startup\ly3C5hsBUIA.exe

from the "svchost.exe" process to which the malicious code has been injected. Thus, the Trojan prevents its deletion.

The Trojan connects to the intruder server:

stepbox.in

The server did not respond when the description was created.

The server is located in Germany.

Depending on the version, the Trojan can download from the command server the following plugins:

<command server>/cfg/ddos.plug
<command server>/cfg/stopav.plug
<command server>/cfg/miniav.plug
<command server>/cfg/passw.plug
<command server>/cfg/cyberplat.plug

The plugins are used to counteract antivirus products and rival botnets, to perform DoS attacks and to steal confidential user data.

Downloaded plugins are saved as:

%Documents and Settings%\%Current User%\%ApplicationData%\igfxtray.dat
%Documents and Settings%\%Current User%\%ApplicationData%\igfxtrayhp.dat
%Documents and Settings%\%Current User%\%ApplicationData%\igxpdv32.dat
%Documents and Settings%\%Current User%\%ApplicationData%\igxpgd32.dat

Additional configuration files are also downloaded from the command server:

<command server>/get/key.html
<command server>/<rnd1>.<rnd2>

where <rnd1> is a random sequence of the Latin alphabet letters, e.g.: "maaaaaaukokqiewuqbvaicizlicjtpofvvqrtplmfb".

<rnd2> is one of the following extensions:

.phtml
.php3
.phtm
.inc
.7z
.cgi
.pl
.doc
.rtf
.tpl
.rar

Downloaded files are saved as "fi.dat":

%Documents and Settings%\%Current User%\%ApplicationData%\KYL\fi.dat

When the description was created, additional modules and configuration files were not downloaded.

Depending on the version and data received from the command servers, the Trojan can perform the following actions on the victim machine:

  • Update its original file;
  • Collect information about the infected system:

    - user name and computer name;
    - information about the CPU;
    - hardware profile;
    - OS version;
    - system drive volume serial number;
    - IP address;
    - physical (MAC) address;
    - list of processes running on the system.

  • Infect the MBR (Master Boot Record);
  • Reboot the system;
  • Intercept all incoming traffic to steal confidential user data by installing interceptors for the following functions:

InternetCloseHandle
InternetQueryDataAvailable
InternetReadFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW

  • Delete cookies;
  • Steal cookies of the browsers:

Microsoft Internet Explorer
Opera
Firefox

  • Steal confidential user data if the resource the user works with contains the following strings:

*bsi.dll*
*paypal.com*
*ibc*

  • Take screenshots with its own library while the user works with Internet banking. The image is saved as a JPEG file in the current user's Windows temporary folder:

%Temp%\<tmp>.tmp

where <tmp> is a random alphanumeric sequence.

The file is saved as "screen.jpeg":

%Temp%\screen.jpeg

  • Log keyboard input;
  • Record activity on the computer screen;
  • Terminate processes on the system;
  • Render the operating system inoperable by overwriting the first sectors of a drive;
  • Change the values of system registry parameters:

[HKCU\Software\Microsoft\Internet Explorer\Privacy]
"CleanCookies" = " "

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609" = " "

  • Steal confidential user data from WebMoney purse management applications:

WebMoney Keeper Classic
WebMoney Keeper

  • Steal data of the Cyberplat payment system:

Settings:

Dealer code:
Entry point code:
Key resource:
Key path:
Code phrase:
Serial number of the point's private key:
Serial number of the bank's public key:

User properties:

Login:
Password:
Operator's code:
Acceptance point code:
PIN code:

Database files:

CyberTerm.mdb

Point private key:

secrets.key

  • Steal certificates from the certificate store:

%Documents and Settings%\%Current User%\%AppData%\Microsoft\SystemCertificates\My\

  • Steal credentials for Internet-banking, trade platforms and RBS (remote banking services):

Raiffeisen Bank
Savings bank
Faktura
iBank
Inist
PSB
BSS
cyberplat
BlackwoodPRO
FinamDirect
GrayBox
MbtPRO
Laser
LightSpeed
LTGroup
Mbt
ScotTrader
SaxoTrader

The Trojan steals a bundle consisting of the following key files:

self.cer
cert.pfx
sign.cer
prv_key.pfx

The stolen information is stored in the following directory:

%Temp%\<tmp>.tmp

where <tmp> is a random alphanumeric sequence.

It is then written to the file:

%Temp%\Information.txt

The report format varies with the e-commerce system; for example, a report may have the following layout:

Program: <program_name>
Wnd Name: <active_window_name>
Server: <address>:<port>
Password: <password>
Certificate: <certificate>
ClipBuffer: <log_of_characters_entered_by_user>

or

Url: <resource_user_worked_with>
Login: <login>
Password: <password>
UserAgent: <UserAgent>
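For an incident responder who recovers %Temp%\Information.txt, the two layouts above are enough to build a triage parser. The following is an added example, not the author's code: it splits the file into records, classifies each as a program or web record, and lists which secret categories were captured without copying the secrets themselves. Blank-line separation between records and the sample contents are assumptions; the page documents only the field names.

```python
"""Parse a recovered Information.txt in the two report layouts shown
above and produce a triage summary with secret values omitted.

Added example, not code from the original page. Record separation by a
blank line is an assumption; the sample report is constructed and every
credential in it is invented."""
import re

# Constructed sample of a recovered report file (two records).
SAMPLE_REPORT = """\
Program: iBank
Wnd Name: iBank 2 - Login
Server: 192.0.2.10:443
Password: sample-secret-1
Certificate: MIIBszCCAVygAwIBAgIBATANBgkqhkiG9w0BAQ...
ClipBuffer: user01[TAB]sample-secret-1[ENTER]

Url: https://www.paypal.com/signin
Login: alice@example.org
Password: sample-secret-2
UserAgent: Mozilla/5.0 (Windows NT 5.1)
"""

# Fields whose values must never be copied into the triage output.
SECRET_FIELDS = {"Password", "Certificate", "ClipBuffer"}
_FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s?(.*)$")


def parse_report(text):
    """Split the report into records (blank-line separated, assumed) and
    each record into a dict of field -> value. Lines that do not look like
    'Field: value' are kept under '_unparsed' so nothing is silently lost."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = _FIELD_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
            else:
                rec.setdefault("_unparsed", []).append(line)
        if rec:
            records.append(rec)
    return records


def triage(records):
    """Reduce each record to what a responder needs: the affected target
    (program name or URL host), the account where present, and which
    secret categories were captured. Secret values are not included."""
    out = []
    for rec in records:
        if "Url" in rec:
            kind = "web"
            target = re.sub(r"^[a-z]+://", "", rec["Url"]).split("/")[0]
        else:
            kind = "program"
            target = rec.get("Program", "?").strip()
        out.append({
            "kind": kind,
            "target": target,
            "account": rec.get("Login"),
            "captured": sorted(f for f in SECRET_FIELDS if rec.get(f)),
        })
    return out


if __name__ == "__main__":
    for row in triage(parse_report(SAMPLE_REPORT)):
        print(row)
```

The triage output is what goes into the notification to the affected bank or user (which service, which account, whether a certificate or keystroke log was taken); the raw file stays in evidence handling.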

Using functions of the "cabinet.dll" library, the Trojan creates a CAB archive with the following name:

%Temp%\CAB<tmp>.tmp

where <tmp> is a random alphanumeric sequence.

The Trojan stores all stolen data in this archive, encrypts it, sends it to the intruder server and then deletes the file.

The collected information is sent to the intruder servers described above.
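The description above yields a small set of host and network indicators: the Startup executable, the plugin .dat files and fi.dat under %ApplicationData%, the two Internet Explorer registry values the Trojan blanks out, and the stepbox.in server. The following added example (not code from the original page) sweeps a host snapshot for all of them. The snapshot is constructed sample data; %ApplicationData% is expanded to the Windows XP profile path "Application Data" (an assumption), and the DNS log line format is invented for the example.

```python
"""Sweep a host snapshot for the file, registry and network indicators
listed in this description.

Added example, not code from the original page. The snapshot below is
constructed sample data; the XP-style "Application Data" path and the
DNS log line format are assumptions."""
import fnmatch
import re

# File indicators from the description (case-insensitive glob patterns).
FILE_IOCS = [
    r"*\Start Menu\Programs\Startup\ly3C5hsBUIA.exe",
    r"*\Application Data\igfxtray.dat",
    r"*\Application Data\igfxtrayhp.dat",
    r"*\Application Data\igxpdv32.dat",
    r"*\Application Data\igxpgd32.dat",
    r"*\Application Data\KYL\fi.dat",
]
# (key path, value name) pairs the Trojan sets to a blank string.
REGISTRY_IOCS = [
    (r"HKCU\Software\Microsoft\Internet Explorer\Privacy", "CleanCookies"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1609"),
]
C2_HOSTS = {"stepbox.in"}

# Constructed host snapshot: a file list, a registry dump and DNS log lines.
SNAPSHOT_FILES = [
    r"C:\Documents and Settings\bob\Start Menu\Programs\Startup\ly3C5hsBUIA.exe",
    r"C:\Documents and Settings\bob\Application Data\igfxtray.dat",
    r"C:\Documents and Settings\bob\Application Data\Microsoft\Word\Normal.dot",
    r"C:\WINDOWS\system32\igfxtray.exe",  # legitimate Intel tray binary, must not match
]
SNAPSHOT_REGISTRY = {
    (r"HKCU\Software\Microsoft\Internet Explorer\Privacy", "CleanCookies"): " ",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1609"): 3,
}
SNAPSHOT_DNS_LOG = [
    "2012-10-03T10:01:02Z client=10.0.0.5 query=www.example.com type=A",
    "2012-10-03T10:01:09Z client=10.0.0.5 query=stepbox.in type=A",
    "2012-10-03T10:02:11Z client=10.0.0.7 query=stepbox.in.example.net type=A",
]


def match_files(paths):
    """Return paths matching any FILE_IOCS pattern (case-insensitive)."""
    return [p for p in paths
            if any(fnmatch.fnmatchcase(p.lower(), pat.lower()) for pat in FILE_IOCS)]


def match_registry(values):
    """Return 'key\\value' names whose data is a blank string, the state the
    Trojan writes. A numeric zone setting (the normal case) is not flagged."""
    hits = []
    for path, name in REGISTRY_IOCS:
        data = values.get((path, name))
        if isinstance(data, str) and data.strip() == "":
            hits.append(path + "\\" + name)
    return hits


_QUERY_RE = re.compile(r"\bquery=(\S+)")


def match_dns(lines):
    """Return log lines whose queried name is a C2 host or a subdomain of one.
    The suffix match is anchored on a dot, so 'stepbox.in.example.net' is not a hit."""
    hits = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if not m:
            continue
        q = m.group(1).lower().rstrip(".")
        if any(q == h or q.endswith("." + h) for h in C2_HOSTS):
            hits.append(line)
    return hits


def sweep(files, registry, dns_lines):
    """Run all three checks and collect the findings by category."""
    return {
        "files": match_files(files),
        "registry": match_registry(registry),
        "dns": match_dns(dns_lines),
    }


if __name__ == "__main__":
    for category, findings in sweep(SNAPSHOT_FILES, SNAPSHOT_REGISTRY, SNAPSHOT_DNS_LOG).items():
        for finding in findings:
            print(f"[{category}] {finding}")
```

On a real host the three inputs would come from a file system walk of each user profile, a registry export and the DNS or proxy logs; the matching logic stays the same. The CAB<tmp>.tmp archive in %Temp% is deliberately not used as an indicator, since makecab and installers create files with the same naming pattern.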

Removal Recommendations

  1. Restart the computer in safe mode (press and hold the F8 key as the computer restarts, and then select “Safe Mode” on the boot menu).
  2. Delete the files:

    %Documents and Settings%\%Current User%\Start Menu\Programs\Startup\ly3C5hsBUIA.exe
    %Documents and Settings%\%Current User%\%ApplicationData%\<rnd>.dat
    %Documents and Settings%\%Current User%\%ApplicationData%\igfxtray.dat
    %Documents and Settings%\%Current User%\%ApplicationData%\igfxtrayhp.dat
    %Documents and Settings%\%Current User%\%ApplicationData%\igxpdv32.dat
    %Documents and Settings%\%Current User%\%ApplicationData%\igxpgd32.dat

  3. Clean the Temporary Internet Files folder, which contains infected files.
  4. Run a full scan of the computer with an antivirus program using an updated definition database.