The latest research on the Win32 Carberp gang and the technicalities and evolution of the malware, as presented at CARO 2012.
In 2011 we made available a presentation from the 2011 CARO workshop in Prague about the first phases of our investigation into the Win32/Carberp cybercrime group (Cybercrime in Russia: Trends and issues). CARO Workshops are unusual in that they do not permit media to join and because they follow a strict no recording policy during talks, all of which makes them a really good place to present investigation results to researchers who are prepared to give their closest attention and make the best of the opportunities for live discussion.
This year we have continued our investigation into the Carberp group with Dmitry Volkov, of Group-IB, and have presented the results of subsequent research. The Carberp cybercrime group is one of the most complex and powerful groups working in the banking fraud field and concentrating on attacks on major Russian banks and payment systems, or rather their clients.
We have already published and highlighted many publications about Carberp activity in our blog and we published a summary report on the beginning of this year (When You’re in a Black Hole, Stop Digging). But in our preso “Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon” we present new investigation results and botnet details. At this time we are continuing our investigation in association with Group-IB and we can’t publish some of the details from our original presentation right now, but we are pleased to offer as many of the slides as we are currently able to make public.
So far we've been working on the Carberp investigation for two years, in cooperation with Group-IB. And even now our investigation continues. The February arrests did not include all the main participants and developers in this gang (Carberp Gang on the Carpet). The Carberp story started in 2010 and over the whole period we have tracked the activities of three main groups.
The biggest botnet was developed by the third “Hodprot” group (we have tracked millions of active bots in that botnet). At the end of 2011 Carberp developers stopped selling Carberp services and support to third-party groups and are now concentrating on supporting one main botnet.
The Carberp botnet landscape over the whole period looks like this:
As the investigation is ongoing we can’t disclose more details of this graph right now. Over the whole period the Hodprot botnet has become even bigger and more powerful. This botnet has the following interesting technical features:
- Dedicated dropper Win32/Hodprot (“Hodprot: Hot to Bot”)
- Bootkit functionality (“Evolution of Carberp: going deeper”)
- DDoS plugin
- Java patcher plugin
The Java patcher plugin is used for modifications to java runtime processes and for logging activity from java banking applets. And the disassembed code looks like this:
A file containing logged activity from the java applet is stored in the file system before being sent to the C&C server and looks like this:
In April 2012 we noted a change to the type of exploit kit used for Carberp’s drive-by-download distribution scheme (“Exploit Kit plays with smart redirection”). Currently, the Carberp gang has changed from Blackhole to the latest version of the Nuclear pack. Nuclear uses a more sophisticated scheme for drive-by-download and has algorithms for detecting real user activity so as to lessen the risk of being picked up by AV-crawlers and sandboxes.
The Carberp group uses tactics based on the infection of legitimate websites, which has a bearing on the growth of detections after November 2011: these tactics continue to be used right now. Our detection statistics from Live Grid cloud look like this:
And we can see that there is a growth here of detections from the distribution scheme by legitimate websites. The Russian Federation is the region where the largest number of installations of Carberp has been seen, as confirmed by the statistics below:
Our research continues, and at the PHDays conference we will be presenting our talk “Smartcard vulnerabilities in modern banking malware” which will address tricks with the APDU (application protocol data unit) command for programming smartcard at low-level (“Dr. Zeus: the Bot in the Hat”).
The public version of slides “Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon” is available here: Carberp Evolution and BlackHole [public].
Aleksandr Matrosov, Security Intelligence Team Lead