Tweet

We were recently able to sinkhole a CARBERP command-and-control (C&C) server similar to the way by which we sinkholed a ZeuS C&C server in March this year. This post will explain our findings related to the said activity.

The results basically led us to conclude that CARBERP has proven once more that malware creators are getting better at hiding and establishing their creation’s covert communications, and that today’s establishments are ill-prepared to deal with issues such as when a previously undetected botnet exposes private information.

This botnet is purported to have been deployed since early 2010 but managed to avoid attention until September last year. Malware Intelligence reported in February 2010 that new .CAB files were added specifically targeting the theft of certificates, keys, and banking credentials. Trust Defender reported in October last year that CARBERP was able to control Internet traffic by hooking the export table of WININET.dll and USER32.dll. Seculert.com reported at the beginning of February this year how uniquely generated RC4 keys encrypt subsequent exchanges and compromised data.

Easier to Not Ask for Permission

The CARBERP C&C server is a repository of plug-ins designed to compromise various applications running on a version of Windows. After the first logging, CARBERP bots offer the currently running processes by posting a /set/first.html then requesting for plug-ins by posting a /set/plugs.html or acquiring a task by /set/task.html.

CARBERP can also operate within user privileges and not make registry or system file changes. It takes advantage of file system features to hide its presence. It also adds a startup link, as do many applications, and is able to spoof websites, log keystrokes, and establish covert communications using encoded messages. CARBERP may be revealed by processes not associated with a visible file.

Findings on the C&C Traffic

A C&C server for the CARBERP botnet was replaced with a server that only logged connections but did not prompt for subsequent data exchanges. The dummy CARBERP C&C server was also not assigned IPv6 addresses, which may have been a mistake. There was a large disparity with some victims attempting to resolve this server using IPv6 versus IPv4 addresses by more than two orders of magnitude. Subsequent HTTP connections were also minimal. From this, it seems that communications carrying sensitive information may have been relayed elsewhere, blocked by network policies, or prevented because of incomplete C&C exchanges.

Why These Targets?

We contacted identifiable hosts that may have been affected by CARBERP infections monitored by the particular C&C server. Without details on the information that may have been compromised, it would be conjecture as to why these particular victims were the focus of the C&C server.