We included three threat families in the November edition of the Microsoft Malicious Software Removal Tool - Win32/Carberp, Win32/Cridex and Win32/Dofoil. In this post, we discuss Win32/Carberp.

The first variant of Win32/Carberp was discovered early last year. This malware has evolved from a trojan downloader that downloads an additional password stealer, such as PWS:Win32/Ldpinch, to a full-fledged banking trojan and user-mode rootkit with the ability to load malicious plugins on-the-fly. One distribution method of Win32/Carberp is through drive-by downloads, which can occur when users visit compromised websites or follow spammed links to the malicious webpage. Some of these websites host exploit kits, like JS/Blacole, to install Win32/Carberp in the background on vulnerable computers.

Upon installation, there is no registry data added; however an executable is copied into the Windows startup folder so that it will run when the user logs on to system. The malware file name can appear legitimate (e.g. ‘igfxtray.exe’). However, Win32/Carberp chooses to go one step further, by hiding the executable using its user-mode rootkit code, which hooks ZwQueryDirectoryFile.

The hooking method Win32/Carberp used is not that obvious, because it replaces the pointer to ‘SharedUserData!SystemCallStub’ instead of placing a ‘jmp’ instruction. Under Windows XP SP3 32-bit system, it would look like the following:

 
Figure 1 - Win32/Carberp replaces pointer
Figure 1 - Win32/Carberp replaces pointer
 
The bad pointer points to the address of the hooking function that hijacks the following information classes and remove the records for certain file names, e.g. igfxtray.exe:
FileDirectoryInformation
FileFullDirectoryInformation
FileBothDirectoryInformation
Just like Win32/Cridex, Win32/Carberp injects the payload into the explorer.exe process and exits immediately to hide its presence. By hooking the native API ZwResumeThread, any process created by explorer.exe will be injected with the payload - the injected code can be duplicated into the sub-processes as well.
Aside from the rootkit component, another thing that makes Win32/Carberp interesting is its ability to download and run plugins from a remote server without dropping files to the local computer. The plugins are XOR-encrypted during the transfer process. There are three major plugins that are loaded within a newly created daemon process (e.g. svchost.exe):
  • passw.plug: password stealer
  • miniav.plug: removes competing malware
  • stopav.plug: stops and removes antivirus or security components

Please refer to our Win32/Carberp family description for specific details about the plugins, which are additional to its main functionality - stealing banking credentials.

The command and control (C&C) server can push configuration data that contains a list of targeted online banking sites, and code to inject into HTML pages that are returned to the victim's web browser. This method is known as Man-in-the-Browser (MitB); what you see in the browser is not what is actually returned from the website. Though the configuration is encrypted, after decryption one of records appears as the following:

 
 
Figure 2: Decrypted script
Figure 2: Decrypted script
 
This record instructs Win32/Carberp to insert the specified code into the HTML returned by the online banking website, in this case "sbi.sberbank.ru". The code is long, but it basically defines configuration and loads an external JavaScript to hijack your login session with the bank, which could lead to credential leaking or unauthorized fund transfers.
 
The green part in the below figure is a portion of what the online banking site returns, the red part is portion of the code that is inserted by the compromised web browser:
 
Figure 3: Illustration of code injected by Win32/Carberp
Figure 3: Illustration of code injected by Win32/Carberp
 
The configuration can be updated any time, which means the financial institutions targeted can change as well.
 
Bank on the MMPC when it comes to protecting your interests!
 
 
-- Shawn Wang, MMPC