Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    November 2014
    S M T W T F S
    « Oct    
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    30  
  • About Us

    We were recently able to sinkhole a CARBERP command-and-control (C&C) server similar to the way by which we sinkholed a ZeuS C&C server in March this year. This post will explain our findings related to the said activity.

    The results basically led us to conclude that CARBERP has proven once more that malware creators are getting better at hiding and establishing their creation’s covert communications, and that today’s establishments are ill-prepared to deal with issues such as when a previously undetected botnet exposes private information.

    This botnet is purported to have been deployed since early 2010 but managed to avoid attention until September last year. Malware Intelligence reported in February 2010 that new .CAB files were added specifically targeting the theft of certificates, keys, and banking credentials. Trust Defender reported in October last year that CARBERP was able to control Internet traffic by hooking the export table of WININET.dll and USER32.dll. Seculert.com reported at the beginning of February this year how uniquely generated RC4 keys encrypt subsequent exchanges and compromised data.

    Easier to Not Ask for Permission

    The CARBERP C&C server is a repository of plug-ins designed to compromise various applications running on a version of Windows. After the first logging, CARBERP bots offer the currently running processes by posting a /set/first.html then requesting for plug-ins by posting a /set/plugs.html or acquiring a task by /set/task.html.

    CARBERP can also operate within user privileges and not make registry or system file changes. It takes advantage of file system features to hide its presence. It also adds a startup link, as do many applications, and is able to spoof websites, log keystrokes, and establish covert communications using encoded messages. CARBERP may be revealed by processes not associated with a visible file.

    Findings on the C&C Traffic

    A C&C server for the CARBERP botnet was replaced with a server that only logged connections but did not prompt for subsequent data exchanges. The dummy CARBERP C&C server was also not assigned IPv6 addresses, which may have been a mistake. There was a large disparity with some victims attempting to resolve this server using IPv6 versus IPv4 addresses by more than two orders of magnitude. Subsequent HTTP connections were also minimal. From this, it seems that communications carrying sensitive information may have been relayed elsewhere, blocked by network policies, or prevented because of incomplete C&C exchanges.

    Apparent Victims Ranked by DNS Query Frequency
    Victim Sectors Victim Domains
    Government
    [U.S.] Government Agency
    [U.S.] Government Agency
    [U.S.] Government Agency
    Business
    [U.S.] Investment Firm
    [U.S.] Pharmaceutical Firm
    [C.A.] Life Insurance Firm
    [U.S.] Electronics Manufacturer
    [C.H.] Luxury Item Retailer
    [G.B.] Law Office
    [U.S.] Mutual Insurance Firm
    [U.S.] Credit Card Provider
    [U.S.] Investment Firm
    [U.S.] Electronics Manufacturer
    Schools
    University in North America
    University in North America
    University in EMEA
    University in EMEA
    Educational institution in North America
    Educational Institution in EMEA
    University in North America
    University in North America
    Educational Institution in North America
    University in EMEA
    University in North America
    University in North America

     

    Why These Targets?

    We contacted identifiable hosts that may have been affected by CARBERP infections monitored by the particular C&C server. Without details on the information that may have been compromised, it would be conjecture as to why these particular victims were the focus of the C&C server.

    Click for larger view Click for larger view Click for larger view




    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon






     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice