Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon

In this presentation we will be discussing the evolution of attacks on remote banking systems (RBS) in Russia. The year 2011 could be described as a year of tremendous growth of attacks on Russian bank clients: in this year alone the number of incidents relating to RBS doubled. The profits available to the malefactors are almost beyond imagining; one controller of a banking botnet can bring millions in profit to its herder. We will concentrate on these issues with specific reference to examples of incidents associated with the largest cybercriminal group in Russia, which employs one of the most dangerous malware families to date, Win32/Carberp: our statistics indicate, among other things, that in November Carberp detections increased up to four times in the Russian region. We will also look at the ways in which this group cooperates with the developers of the Hodprot, RDPdoor and Sheldor trojans. The presentation starts with a description of the propagation techniques used to deliver Carberp to its victims' machines from a large number of legitimate web sites, using the BlackHole exploit kit. Different types of attacks used to target the clients of major Russian banks are also considered. Then we move on to an in-depth analysis of Carberp's features and its evolution over time (webinjects, targeted attacks on RBS, bypassing detection with bootkit technology). Particular attention is devoted to the bootkit component and the related capabilities which have appeared in the most recent modification of the malware. Finally, we show how the server-side C&C code works and how the client's money is stolen with a set of dedicated plugins.



  1. Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
      Aleksandr Matrosov, ESET; Eugene Rodionov, ESET; Dmitry Volkov, Group-IB; Vladimir Kropotov, TNK-BP
  2. Agenda
      Carberp cybercrime group investigation
        – evolution of the botnet
        – tracking Carberp affiliate people
      What are the next steps of the investigation?
      Evolution of the Carberp distribution scheme
      Carberp in-depth analysis
      Domain shadow games
      Infected legitimate web sites
  3. Carberp cybercrime group investigation
  4. Cybercrime group #1 (diagram): Carberp, ???, GizmoSB, NeoSploit, Carberp 1, BlackHole, RDPdoor, Shelldor, Autoload
  5–6. Cybercrime group #1 (diagram): Carberp, Freeq, GizmoSB, NeoSploit, Carberp 1, BlackHole, RDPdoor, Shelldor, Autoload
  7. Win32/Sheldor C&C
  8. Win32/RDPdoor C&C (group #1 diagram: Carberp, Freeq, GizmoSB, NeoSploit, Carberp 1, BlackHole, RDPdoor, Shelldor, Autoload)
  9. Autoload C&C
  10. Arrest
  11. Cybercrime group #2 (diagram): Carberp, Pasha aka ???, Qruiokd, Klasvas, GizmoSB, «Who?», NeoSploit, Carberp 1, Carberp 2, BlackHole, RDPdoor, Krys Sploit, Sheldor, Autoload
  12–13. Cybercrime group #2
  14. D****** I*** (arrested 10th June)
      D****** I***, 1989, Russia – botnet administrator («who?» aka benq-sim, also possibly Sw1nDleR, Opsos)
      Maxim Glotov, 1987, Russia – malware developer («Robusto», aka «Den Adel», «Mobyart», «On1iner»)
  15. Cybercrime group #3 (diagram): Carberp, Pasha aka ???, Qruiokd, Klasvas, GizmoSB, «Who?», Hodprot, NeoSploit, Carberp 1, Carberp 2, BlackHole, RDPdoor, Krys Sploit, Shelldor, Autoload
  16. Cybercrime group #3
  17–18. Blackhole C&C
  19–21. Cybercrime group #3
  22–23. Carberp & Facebook: neauihfndcp8uihfedc.com (146.185.242.31)
  24–25. Carberp 3 sell video. Active sale – January 2011. C&C video: http://www.sendspace.com/file/iquzl6 (BpgzsvrN)
  26. Evolution of drive-by downloads: the Carberp case
  27. Exploit kits used in the distribution scheme
      Impact, since 2010 (probivaites.in)
      • Java/Exploit.CVE-2010-0840
      • Java/Exploit.CVE-2010-0842
      • Java/TrojanDownloader.OpenConnection
      Blackhole, since 2011 (lifenews-sport.org)
      • JS/Exploit.JavaDepKit (CVE-2010-0886)
      • Java/Exploit.CVE-2011-3544
      • Java/Exploit.CVE-2012-0507
      • Java/Agent
      Nuclear Pack, since 2012 (nod32-matrosov-pideri.org)
      • Java/Exploit.CVE-2012-0507
  28–31. Blackhole drive-by download scheme (diagram): legitimate site → search check (TRUE / FALSE) → vulnerability exploitation stage → dropper execution. Paths seen in the chain: /getJavaInfo.jar, /content/obe.jar, /content/rino.jar, /w.php?f=17&e=2
  32. Exploit kit migration reasons
      • most popular = most detected (1)
      • frequently leaked exploit kit (2)
      • most popular exploit kit for research
      • auto detections by AV crawlers (3)
      • non-detection period is less than two hours
  33. Blackhole migration to Nuclear Pack
  34–39. Nuclear Pack drive-by download scheme (diagram): legitimate site → check real user (TRUE / FALSE) → search → vulnerability exploitation stage → dropper execution. Paths seen in the chain: /images/274e0118278c38ab7f4ef5f98b71d9dc.jar, /server_privileges.php?<gate_id>=<exp_id>
  40. Carberp detection statistics
  41. Carberp detection statistics by country (cloud data from Live Grid): Russia, Ukraine, Belarus, Kazakhstan, Turkey, United Kingdom, Spain, United States, Italy, rest of the world
  42. Carberp detections over time in Russia (cloud data from Live Grid) [chart]
  43. Evolution of Carberp modifications
  44. Different groups, different bots, different C&Cs: Gizmo, D******, Hodprot
  45. Functionality by group (Gizmo / D****** / Hodprot)
      Dedicated dropper: Win32/Hodprot
      Java patcher
      Bootkit: based on Rovnix
      RDP backconnect: Win32/RDPdoor
      TeamViewer backconnect: Win32/Sheldor (all three groups)
      HTML injections: IE, Firefox, Opera (Gizmo); IE, Firefox, Opera, Chrome (D******, Hodprot)
      Autoloads
      Unique plugins: minav.plug, sbtest.plug, sber.plug, passw.plug, cyberplat.plug, ddos.plug, killav.plug
  46. Bot commands by group (Gizmo / D****** / Hodprot)
      ddos          download DDoS plugin and start attack
      updatehosts   modify hosts file on infected system
      alert         show message box on infected system
      update        download new version of Carberp
      updateconfig  download new version of config file
      download      download and execute PE file
      loaddll       download plugin and load into memory
      bootkit       download and install bootkit
      grabber       grab HTML form data and send to C&C
      killos        modify boot code and delete system files
      killuser      delete user Windows account
      killbot       delete all files and registry keys
      updatepatch   download and modify Java runtime
      deletepatch   delete Java runtime modifications
  47. The story of BK-LOADER: from Rovnix.A to Carberp
  48–49. Interesting Carberp sample (October 2011)
  50. Interesting strings inside Carberp with bootkit
  51–53. Carberp bootkit functionality (diagram): bootkit → bootstrap code → load unsigned driver → injector → inject user-mode payload
  54. Call graph of the bootkit installation routine
  55. Rovnix kit hidden file systems comparison (Rovnix.A / Carberp with bootkit / Rovnix.B)
      VBR modification
      Polymorphic VBR
      Malware driver storage
      Driver encryption algorithm:       custom (ROR + XOR) / custom (ROR + XOR) / custom (ROR + XOR)
      Hidden file system:                – / FAT16 modification / FAT16 modification
      File system encryption algorithm:  – / RC6 modification / RC6 modification
  56–57. Comparison of the Carberp file system with Rovnix.B
  58. Anti-RE tricks
  59. Removing AV hooks before installation
  60. Calling WinAPI functions by hash
  61. Plugin encryption algorithm
  62. Communication protocol encryption algorithm
  63. Bank attacking algorithms
  64. Bank attacking algorithm by group (Gizmo / D****** / Hodprot)
      HTML injections
      autoload: 2010; 2011 (Sep)
      dedicated plugins for major banks
      intercepting client-bank activity
      patching Java
      WebMoney / CyberPlat
      stealing money from private persons
  65. Statistics of real attacks with Carberp
  66. How we get statistics
      o Large guest network segments and wired Internet access monitored by IDS
      o Attack attempts on corporate PCs
      o Attack reproduction to collect exploit and payload samples
      o Targeted infections of dedicated hosts for activity monitoring
  67. Carberp C&C location
      Date         Domain name                   IP address
      02/Apr/2012  mn9gf8weoiludjc90ufo.org      62.122.79.3
      03/Apr/2012  mw8f0ieohcjs9n498feuij.org    62.122.79.4
      03/Apr/2012  nrf98uehiojsd9jfe.org         62.122.79.3
      20/Apr/2012  mn9gf8weoiludjc90ufo.org      62.122.79.9
      23/Apr/2012  mn9gf8weoiludjc90ufo.org      62.122.79.72
      23/Apr/2012  newf7s9uhdf7ewuhfeh.org       62.122.79.11
      23/Apr/2012  ne789gfiujdf98ewyfuhef.org    62.122.79.46
      23/Apr/2012  supermegasoftenwe.com         62.122.79.59
      02/May/2012  rgn7er8yafh89cehuighv.org     91.228.134.210
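The drive-by chains on slides 28 and 34 and the C&C table on slide 67 give a defender two kinds of indicator: request paths characteristic of the exploit kit stages, and the domains and IP addresses the bot talks to afterwards. The following Python script is an added example (not part of the presentation or of any ESET/Group-IB tooling) that runs both kinds of indicator over proxy access logs and flags clients that show an exploit-stage hit followed by a C&C contact. The indicator values are copied from the slides; the log format, the sample log lines and the regexes that generalise the literal paths are constructed for this example.

```python
import re

# Carberp C&C domains and IPs, copied from slide 67.
CNC_DOMAINS = {
    "mn9gf8weoiludjc90ufo.org", "mw8f0ieohcjs9n498feuij.org",
    "nrf98uehiojsd9jfe.org", "newf7s9uhdf7ewuhfeh.org",
    "ne789gfiujdf98ewyfuhef.org", "supermegasoftenwe.com",
    "rgn7er8yafh89cehuighv.org",
}
CNC_IPS = {
    "62.122.79.3", "62.122.79.4", "62.122.79.9", "62.122.79.72",
    "62.122.79.11", "62.122.79.46", "62.122.79.59", "91.228.134.210",
}

# Request-path patterns of the Blackhole (slide 28) and Nuclear Pack (slide 34)
# chains. The regexes are our generalisation of the literal paths on the slides.
KIT_PATTERNS = [
    ("blackhole-javainfo", re.compile(r"/getJavaInfo\.jar$")),
    ("blackhole-jar", re.compile(r"/content/[a-z0-9]+\.jar$")),
    ("blackhole-gate", re.compile(r"/w\.php\?f=\d+&e=\d+$")),
    ("nuclear-jar", re.compile(r"/images/[0-9a-f]{32}\.jar$")),
    ("nuclear-gate", re.compile(r"/server_privileges\.php\?\w+=\w+$")),
]

# Constructed proxy log format (assumption, not a real product's format):
# <timestamp> <client_ip> <method> <url> <status> <referer>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>\S*) (?P<status>\d{3}) (?P<referer>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the list of indicator names a parsed request matches (possibly empty)."""
    hits = []
    host = rec["host"].lower()
    if host in CNC_DOMAINS or host in CNC_IPS:
        hits.append("carberp-cnc")
    path = rec["path"] or "/"
    for name, pattern in KIT_PATTERNS:
        if pattern.search(path):
            hits.append(name)
    return hits


def scan(lines):
    """Return (client, host+path, hits) for every line that matches at least one indicator."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skipped, never raises
        hits = classify(rec)
        if hits:
            alerts.append((rec["client"], rec["host"] + (rec["path"] or ""), hits))
    return alerts


def chain_candidates(alerts):
    """Clients with both an exploit-kit stage hit and a C&C hit: a likely completed infection."""
    by_client = {}
    for client, _url, hits in alerts:
        by_client.setdefault(client, set()).update(hits)
    return sorted(c for c, h in by_client.items()
                  if "carberp-cnc" in h and any(x != "carberp-cnc" for x in h))


# Constructed sample log. lifenews-sport.org and nod32-matrosov-pideri.org are the
# kit domains named on slide 27; client addresses and timestamps are made up.
SAMPLE_LOG = [
    "2012-04-23T10:01:02 10.0.0.5 GET http://ria.ru/ 200 -",
    "2012-04-23T10:01:03 10.0.0.5 GET http://lifenews-sport.org/getJavaInfo.jar 200 http://ria.ru/",
    "2012-04-23T10:01:05 10.0.0.5 GET http://lifenews-sport.org/content/obe.jar 200 -",
    "2012-04-23T10:01:06 10.0.0.5 GET http://lifenews-sport.org/w.php?f=17&e=2 200 -",
    "2012-04-23T10:02:30 10.0.0.5 POST http://mn9gf8weoiludjc90ufo.org/ 200 -",
    "2012-04-23T10:05:00 10.0.0.9 GET http://example.com/images/logo.jar 200 -",
    "2012-04-23T10:06:00 10.0.0.9 GET http://62.122.79.72/ 200 -",
    "this line is not a log record",
    "2012-04-23T10:07:00 10.0.0.12 GET http://nod32-matrosov-pideri.org/images/274e0118278c38ab7f4ef5f98b71d9dc.jar 200 -",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, url, hits in found:
        print(f"{client:10} {', '.join(hits):22} {url}")
    print("clients with exploit stage + C&C contact:", chain_candidates(SAMPLE_LOG and found))
```

Matching on the host alone is enough for the C&C indicators because the slide shows the same domain resolving to several addresses over a few weeks; checking the IP set as well catches bots that connect by address after the domain is sinkholed. A client that only hits a C&C address (10.0.0.9 above) is still worth a look, but the chain check separates "exploit attempted" from "exploit succeeded and the bot is calling home".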
  68. Hacked web servers stats, Q4 2011 – Q2 2012
      Domain       Resource type      Infection period        Times seen  Unique hosts
      ria.ru       news               02.11.11 – 01.03.12     10          527064
      kp.ru        news               04.10.11 – 13.10.11     10          427534
      gazeta.ru    news               24 Feb 2012             1           380459
      newsru.com   news               05 Mar 2012             1           321314
      lifenews.ru  news               26 Mar 2012             1           183984
      pravda.ru    news               20 Apr 2012             1           164271
      eg.ru        news               08.10.11 – 13.10.11     6           137332
      topnews.ru   news               06 Feb 2012             1           139003
      infox.ru     news               05 Mar 2012             1           137396
      rzd.ru       National Railroad  13.10.11 – 24.10.11     12          131578
      inosmi.ru    news               02.11.2011 – 15.02.12   5           113374
  69. Top targeted audience domains
      Domain       Resource type  Infection period       Times seen  Unique hosts
      klerk.ru     accountants    20.04.12 – 03.05.12    3           147518
      banki.ru     finance        24 Feb 2012            1           67804
      glavbukh.ru  accountants    06.02.12 – 03.05.12    4           43606
      tks.ru       finance        01.02.12 – 03.05.12    3           23067
      bankir.ru    finance        24.01.12 – 11.05.12    2           44542
  70. References
      Exploit Kit plays with smart redirection: http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection
      Facebook Fakebook: New Trends in Carberp Activity: http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity
      Blackhole, CVE-2012-0507 and Carberp: http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp
      Evolution of Win32/Carberp: going deeper: http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
      Rovnix Reloaded: new step of evolution: http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution
      Hodprot: Hot to Bot: http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
      Cybercrime in Russia: Trends and issues: http://go.eset.com/us/resources/white-papers/CARO_2011.pdf
  71. Thank you for your attention!
      Aleksandr Matrosov – matrosov@eset.sk – @matrosov
      Eugene Rodionov – rodionov@eset.sk – @vxradius
      Dmitry Volkov – volkov@group-ib.ru – @groupib
      Vladimir Kropotov – vbkropotov@tnk-bp.com – @vbkropotov
