Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon

In this presentation we will be discussing the evolution of remote banking system (RBS) attacks in Russia. The year 2011 could be described as a year of tremendous growth of attacks on Russian bank clients. In this year alone the quantity of incidents relating to RBS has doubled. The profits available to the malefactors are almost beyond imagining; one controller of a bank botnet could bring millions in profit to its herder. We will concentrate on these issues with specific reference to examples of incidents associated with the largest cybercriminal group in Russia, employing one of the most dangerous malware families to date, Win32/Carberp: our statistics indicate, among other things, that in November Carberp detections increased up to four times in the Russian region. We will also look at the ways in which this group is cooperating with the developers of the Hodprot, RDPdoor and Sheldor trojans. The presentation starts with a description of the propagation techniques used to deliver Carberp to its victims' machines from a large number of legitimate web sites, using the BlackHole exploit kit. Different types of attacks used to target the clients of major Russian banks are also considered. Then we will move on to an in-depth analysis of Carberp's features and its evolution over time (webinjects, targeted attacks on RBS, bypassing detection with bootkit technology). Particular attention will be devoted to the bootkit component and the related capabilities which have appeared in the most recent modification of the malware. Finally, we will show the way that the server-side C&C code works and how the client's money is stolen with a set of dedicated plugins.

Transcript

  • 1. Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon. Aleksandr Matrosov (ESET), Eugene Rodionov (ESET), Dmitry Volkov (Group-IB), Vladimir Kropotov (TNK-BP)
  • 2. Agenda
    Carberp cybercrime group investigation
      - evolution of botnet
      - tracking Carberp affiliate people
    What are the next steps of investigation?
    Evolution of Carberp distribution scheme
    Carberp in-depth analysis
    Domain shadow games
    Infected legitimate web sites
  • 3. Carberp cybercrime group investigation
  • 4. Cybercrime group #1 (diagram): Carberp, ???, GizmoSB, NeoSploit, Carberp 1, BlackHole, RDPdoor, Sheldor, Autoload
  • 5. Cybercrime group #1 (diagram): Carberp, Freeq, GizmoSB, NeoSploit, Carberp 1, BlackHole, RDPdoor, Sheldor, Autoload
  • 7. Win32/Sheldor C&C
  • 8. Win32/RDPdoor C&C (diagram): Carberp, Freeq, GizmoSB, NeoSploit, Carberp 1, BlackHole, RDPdoor, Sheldor, Autoload
  • 9. Autoload C&C
  • 10. Arrest
  • 11. Cybercrime group #2 (diagram): Carberp, Pasha aka ???, Qruiokd, Klasvas, GizmoSB, «Who?», NeoSploit, Carberp 1, Carberp 2, BlackHole, RDPdoor, Krys Sploit, Sheldor, Autoload
  • 12. Cybercrime group #2
  • 14. D****** I*** (arrested 10th June)
    D****** I***, 1989, Russia: botnet administrator («who?» aka benq-sim, also possibly Sw1nDleR, Opsos)
    Maxim Glotov, 1987, Russia: malware developer («Robusto», aka «Den Adel», «Mobyart», «On1iner»)
  • 15. Cybercrime group #3 (diagram): Carberp, Pasha aka ???, Qruiokd, Klasvas, GizmoSB, «Who?», Hodprot, NeoSploit, Carberp 1, Carberp 2, BlackHole, RDPdoor, Krys Sploit, Sheldor, Autoload
  • 16. Cybercrime group #3
  • 17. Blackhole C&C
  • 19. Cybercrime group #3
  • 22. Carberp & Facebook neauihfndcp8uihfedc.com (146.185.242.31)
  • 24. Carberp 3 sell video. Active sale: January 2011. C&C video: http://www.sendspace.com/file/iquzl6 (BpgzsvrN)
  • 26. Evolution of drive-by downloads: the Carberp case
  • 27. Exploit kits used in the distribution scheme
    Impact, since 2010 (probivaites.in)
      • Java/Exploit.CVE-2010-0840
      • Java/Exploit.CVE-2010-0842
      • Java/TrojanDownloader.OpenConnection
    Blackhole, since 2011 (lifenews-sport.org)
      • JS/Exploit.JavaDepKit (CVE-2010-0886)
      • Java/Exploit.CVE-2011-3544
      • Java/Exploit.CVE-2012-0507
      • Java/Agent
    Nuclear Pack, since 2012 (nod32-matrosov-pideri.org)
      • Java/Exploit.CVE-2012-0507
  • 28. Blackhole drive-by download scheme (diagram; labels: legitimate site, search TRUE/FALSE, vuln exploitation stage, dropper execution; paths: /getJavaInfo.jar, /content/obe.jar, /w.php?f=17&e=2, /content/rino.jar)
  • 32. Exploit kit migration reasons
    • most popular = most detected (1)
    • frequently leaked exploit kit (2)
    • most popular exploit kit for research
    • auto detections by AV-crawlers (3)
    • non-detection period is less than two hours
  • 33. Blackhole migration to Nuclear Pack
  • 34. Nuclear Pack drive-by download scheme (diagram; labels: legitimate site, check real user, search TRUE/FALSE, vuln exploitation stage, dropper execution; paths: /images/274e0118278c38ab7f4ef5f98b71d9dc.jar, /server_privileges.php?<gate_id>=<exp_id>)
  • 40. Carberp detection statistics
  • 41. Carberp detection statistics by country (cloud data from Live Grid; chart legend: Russia, Ukraine, Belarus, Kazakhstan, Turkey, United Kingdom, Spain, United States, Italy, Rest of the world)
  • 42. Carberp detections over time in Russia (cloud data from Live Grid; chart)
  • 43. Evolution of Carberp modifications
  • 44. Different groups, different bots, different C&C's: Gizmo, D******, Hodprot
  • 45. Functionality by group (columns: Gizmo, D******, Hodprot; marks kept as extracted)
    Dedicated dropper:    Win32/Hodprot
    Java patcher:   
    Bootkit:     (based on Rovnix)
    RDP backconnect:   Win32/RDPdoor Win32/RDPdoor
    TV backconnect:   Win32/Sheldor Win32/Sheldor Win32/Sheldor
    HTML injections:   IE, Firefox, Opera | IE, Firefox, Opera, Chrome | IE, Firefox, Opera, Chrome
    Autoloads:    
    Unique plugins:   minav.plug, sbtest.plug, sber.plug, passw.plug, cyberplat.plug, ddos.plug, killav.plug
  • 46. Bot commands by group (columns: Gizmo, D******, Hodprot; marks kept as extracted)
    ddos             download DDoS plugin and start attack
    updatehosts      modify hosts file on infected system
    alert            show message box on infected system
    update           download new version of Carberp
    updateconfig     download new version of config file
    download         download and execute PE-file
    loaddll          download plugin and load into memory
    bootkit          download and install bootkit
    grabber          grab HTML form data and send to C&C
    killos           modify boot code and delete system files
    killuser         delete user Windows account
    killbot          delete all files and registry keys
    updatepatch      download and modify java runtime
    deletepatch      delete java runtime modifications
  • 47. The Story of BK-LOADER from Rovnix.A to Carberp
  • 48. Interesting Carberp sample (October 2011)
  • 50. Interesting strings inside Carberp with bootkit
  • 51. Carberp bootkit functionality (diagram; labels: Bootkit, Load unsigned driver, bootstrap code, injector, Inject user-mode payload)
  • 54. Callgraph of bootkit installation routine
  • 55. Rovnix kit hidden file systems comparison (columns: Rovnix.A, Carberp with bootkit, Rovnix.B; marks kept as extracted)
    VBR modification:    
    Polymorphic VBR:    
    Malware driver storage:    
    Driver encryption algorithm:   custom (ROR + XOR) | custom (ROR + XOR) | custom (ROR + XOR)
    Hidden file system:    | FAT16 modification | FAT16 modification
    File system encryption algorithm:    | RC6 modification | RC6 modification
  • 56. Comparison of Carberp file system with Rovnix.B
  • 58. AntiRE tricks
  • 59. Removing AV hooks before installation
  • 60. Calling WinAPI functions by hash
  • 61. Plugin encryption algorithm
  • 62. Communication protocol encryption algorithm
  • 63. Bank attacking algorithms
  • 64. Bank attacking algorithm by group (columns: Gizmo, D******, Hodprot; marks kept as extracted)
    HTML injections:    
    Autoload:   2010 |  | 2011 (Sep)
    Dedicated plugins for major banks:    
    Intercepting client-bank activity:    
    Patching java:    
    Webmoney/cyberplat:    
    Stealing money from private persons:    
  • 65. Statistics of real attacks with Carberp
  • 66. How we get statistics
    o Large guest network segments and wired Internet access monitored by IDS
    o Attack attempts on corporate PCs
    o Attack reproduction to collect exploit and payload samples
    o Targeted infections of dedicated hosts for activity monitoring
  • 67. Carberp C&C location
    Date          Domain name                  IP address
    02/Apr/2012   mn9gf8weoiludjc90ufo.org     62.122.79.3
    03/Apr/2012   mw8f0ieohcjs9n498feuij.org   62.122.79.4
    03/Apr/2012   nrf98uehiojsd9jfe.org        62.122.79.3
    20/Apr/2012   mn9gf8weoiludjc90ufo.org     62.122.79.9
    23/Apr/2012   mn9gf8weoiludjc90ufo.org     62.122.79.72
    23/Apr/2012   newf7s9uhdf7ewuhfeh.org      62.122.79.11
    23/Apr/2012   ne789gfiujdf98ewyfuhef.org   62.122.79.46
    23/Apr/2012   supermegasoftenwe.com        62.122.79.59
    02/May/2012   rgn7er8yafh89cehuighv.org    91.228.134.210
  • 68. Hacked web servers stats, Q4 2011 - Q2 2012
    Domain        Resource type       Infection period        Times seen   Unique hosts
    ria.ru        news                02.11.11 - 01.03.12     10           527064
    kp.ru         news                04.10.11 - 13.10.11     10           427534
    gazeta.ru     news                24 Feb 2012             1            380459
    newsru.com    news                05 Mar 2012             1            321314
    lifenews.ru   news                26 Mar 2012             1            183984
    pravda.ru     news                20 Apr 2012             1            164271
    eg.ru         news                08.10.11 - 13.10.11     6            137332
    topnews.ru    news                06 Feb 2012             1            139003
    infox.ru      news                05 Mar 2012             1            137396
    rzd.ru        National Railroad   13.10.11 - 24.10.11     12           131578
    inosmi.ru     news                02.11.2011 - 15.02.12   5            113374
  • 69. Top targeted audience domains
    Domain        Resource type   Infection period      Times seen   Unique hosts
    klerk.ru      accountants     20.04.12 - 03.05.12   3            147518
    banki.ru      finance         24 Feb 2012           1            67804
    glavbukh.ru   accountants     06.02.12 - 03.05.12   4            43606
    tks.ru        finance         01.02.12 - 03.05.12   3            23067
    bankir.ru     finance         24.01.12 - 11.05.12   2            44542
  • 70. References
    Exploit Kit plays with smart redirection: http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection
    Facebook Fakebook: New Trends in Carberp Activity: http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity
    Blackhole, CVE-2012-0507 and Carberp: http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp
    Evolution of Win32/Carberp: going deeper: http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
    Rovnix Reloaded: new step of evolution: http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution
    Hodprot: Hot to Bot: http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
    Cybercrime in Russia: Trends and issues: http://go.eset.com/us/resources/white-papers/CARO_2011.pdf
  • 71. Thank you for your attention! Aleksandr Matrosov (matrosov@eset.sk, @matrosov), Eugene Rodionov (rodionov@eset.sk, @vxradius), Dmitry Volkov (volkov@group-ib.ru, @groupib), Vladimir Kropotov (vbkropotov@tnk-bp.com, @vbkropotov)