Malware Domain List

Malware Related => Malware Analysis => Topic started by: SysAdMini on October 06, 2010, 11:48:27 am

Title: Carberp analysis
Post by: SysAdMini on October 06, 2010, 11:48:27 am
http://www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/
Title: Re: Carberp analysis
Post by: carb0n on October 26, 2010, 04:27:50 pm
Here is Carberp's API list.

This was a pain to generate and took several custom tools to pull off, so I am going to share it so others don't have to go through that.

Also including the strings they hide by building them one byte at a time on the stack.

This is for the code it injects into svchost. It always appears to be at base 0x90000;
it does not show up in the loaded module list, similar to PRG.

Used import hashes from nspr4.dll, ssl3.dll and wininet are inline below (forgot to include in attachments).

PR_Close = 3d3ab319
PR_Connect = bf667ea2
PR_GetError = 1d3347f
PR_MillisecondsToInterval = 5bf9111
PR_Poll = fa1ab4f9
PR_Read = fa583271
PR_Write = 7efb3098
SSL_ImportFD = a1c4e024
DeleteUrlCacheEntry = a3a80ab6
FindCloseUrlCache = fde87743
FindFirstUrlCacheEntryA = ddcb15d
FindNextUrlCacheEntryA = 8733d614
GetUrlCacheEntryInfoW = 57fbc0cb
HttpAddRequestHeadersA = b5901061
HttpAddRequestHeadersW = b5901077
HttpOpenRequestA = 1510002f
HttpOpenRequestW = 15100039
HttpQueryInfoA = 2f5ce027
HttpSendRequestA = 9f13856a
HttpSendRequestExA = e15b9b85
HttpSendRequestExW = e15b9b93
HttpSendRequestW = 9f13857c
InternetCloseHandle = 7314fb0c
InternetConnectA = be618d3e
InternetConnectW = be618d28
InternetOpenA = 8593dd7
InternetOpenUrlA = b87dbd66
InternetOpenUrlW = b87dbd70
InternetOpenW = 8593dc1
InternetQueryDataAvailable = 7edec584
InternetQueryOptionA = 2ae71934
InternetQueryOptionW = 2ae71922
InternetReadFile = 1a212962
InternetReadFileExA = 2c523864
InternetReadFileExW = 2c523872
InternetSetOptionA = 1ad09c78
InternetSetStatusCallback = 9ef6461

// Autogenerated below. In general Carberp uses wrappers to access
// specific APIs; this code was generated to look for the parent function
// the API was used in and use that for the address. If you see doubles it means
// the parent function identified is probably not an API wrapper but something else;
// you can prune this list as necessary.

MakeName(0X99F10,"DeleteUrlCacheEntry");
MakeName(0X99F40,"FindCloseUrlCache");
MakeName(0X99EB0,"FindFirstUrlCacheEntryA");
MakeName(0X99EE0,"FindNextUrlCacheEntryA");
MakeName(0X99E50,"GetUrlCacheEntryInfoW");
MakeName(0X99BE0,"HttpAddRequestHeadersA");
MakeName(0X9F430,"HttpAddRequestHeadersA");
MakeName(0X99C50,"HttpAddRequestHeadersW");
MakeName(0X9F430,"HttpAddRequestHeadersW");
MakeName(0X9F430,"HttpOpenRequestA");
MakeName(0X9F430,"HttpOpenRequestW");
MakeName(0X99C10,"HttpQueryInfoA");
MakeName(0X99A30,"HttpSendRequestA");
MakeName(0X9F430,"HttpSendRequestA");
MakeName(0X99A30,"HttpSendRequestExA");
MakeName(0X9F430,"HttpSendRequestExA");
MakeName(0X99A30,"HttpSendRequestExW");
MakeName(0X9F430,"HttpSendRequestExW");
MakeName(0X99A30,"HttpSendRequestW");
MakeName(0X9F430,"HttpSendRequestW");
MakeName(0X99A30,"InternetCloseHandle");
MakeName(0X9BF30,"InternetCloseHandle");
MakeName(0X9F430,"InternetCloseHandle");
MakeName(0X9F430,"InternetConnectA");
MakeName(0X9F430,"InternetConnectW");
MakeName(0X9BEB0,"InternetOpenA");
MakeName(0X9F430,"InternetOpenA");
MakeName(0X9BEF0,"InternetOpenUrlA");
MakeName(0X9F430,"InternetOpenUrlA");
MakeName(0X9F430,"InternetOpenUrlW");
MakeName(0X9F430,"InternetOpenW");
MakeName(0X99A30,"InternetQueryDataAvailable");
MakeName(0X9F430,"InternetQueryDataAvailable");
MakeName(0X99C80,"InternetQueryOptionA");
MakeName(0X99E20,"InternetQueryOptionW");
MakeName(0X99A30,"InternetReadFile");
MakeName(0X9BF60,"InternetReadFile");
MakeName(0X9F430,"InternetReadFile");
MakeName(0X99A30,"InternetReadFileExA");
MakeName(0X9F430,"InternetReadFileExA");
MakeName(0X99A30,"InternetReadFileExW");
MakeName(0X9F430,"InternetReadFileExW");
MakeName(0X99D10,"InternetSetOptionA");
MakeName(0X99CE0,"InternetSetStatusCallback");

Any questions, feel free to mail, but I will only respond to emails from work email addresses.
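An added example, not part of carb0n's post and not Carberp's own code: the A/W pairs in the list above (InternetOpenA/InternetOpenW, HttpOpenRequestA/HttpOpenRequestW and so on) differ only in the low byte, by 0x41 ^ 0x57 = 0x16, which says the last byte of the name is XORed into the running hash without further mixing. The rotate-left-by-7/XOR function below is an inference from that pattern; it reproduces the posted values for PR_Poll, PR_Read and PR_Close, so the script uses it to check the whole posted list and to resolve unknown hashes against a candidate export list. The candidate names and the two extra names in the usage block are constructed for the example; against a live sample you would build the table from the real export tables of wininet.dll, nspr4.dll and ssl3.dll (for instance with pefile).

```python
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def rol32(value: int, count: int) -> int:
    """32-bit rotate left."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def carberp_api_hash(name: str) -> int:
    """Hash an export name the way the injected code appears to: seed 0, then
    h = rol(h, 7) ^ byte for every byte. Case-sensitive, no terminator byte.
    This is an inference from the posted list, checked on PR_Poll, PR_Read and
    PR_Close; it is not copied from the Carberp binary."""
    h = 0
    for b in name.encode("ascii"):
        h = rol32(h, 7) ^ b
    return h


def build_hash_table(export_names: Iterable[str]) -> Dict[int, str]:
    """hash -> export name. Feed it the export table of the DLLs the sample
    imports from; a constructed list is used in this example."""
    return {carberp_api_hash(n): n for n in export_names}


def resolve_hashes(wanted: Iterable[int],
                   export_names: Iterable[str]) -> Dict[int, Optional[str]]:
    """Look each hash up in the table; None means no candidate name matched."""
    table = build_hash_table(export_names)
    return {h: table.get(h) for h in wanted}


# Hash values as transcribed from the post (the post omits leading zeros).
POSTED = {
    "PR_Close": "3d3ab319", "PR_Connect": "bf667ea2", "PR_GetError": "1d3347f",
    "PR_MillisecondsToInterval": "5bf9111", "PR_Poll": "fa1ab4f9", "PR_Read": "fa583271",
    "PR_Write": "7efb3098", "SSL_ImportFD": "a1c4e024", "DeleteUrlCacheEntry": "a3a80ab6",
    "FindCloseUrlCache": "fde87743", "FindFirstUrlCacheEntryA": "ddcb15d",
    "FindNextUrlCacheEntryA": "8733d614", "GetUrlCacheEntryInfoW": "57fbc0cb",
    "HttpAddRequestHeadersA": "b5901061", "HttpAddRequestHeadersW": "b5901077",
    "HttpOpenRequestA": "1510002f", "HttpOpenRequestW": "15100039", "HttpQueryInfoA": "2f5ce027",
    "HttpSendRequestA": "9f13856a", "HttpSendRequestExA": "e15b9b85", "HttpSendRequestExW": "e15b9b93",
    "HttpSendRequestW": "9f13857c", "InternetCloseHandle": "7314fb0c", "InternetConnectA": "be618d3e",
    "InternetConnectW": "be618d28", "InternetOpenA": "8593dd7", "InternetOpenUrlA": "b87dbd66",
    "InternetOpenUrlW": "b87dbd70", "InternetOpenW": "8593dc1", "InternetQueryDataAvailable": "7edec584",
    "InternetQueryOptionA": "2ae71934", "InternetQueryOptionW": "2ae71922", "InternetReadFile": "1a212962",
    "InternetReadFileExA": "2c523864", "InternetReadFileExW": "2c523872", "InternetSetOptionA": "1ad09c78",
    "InternetSetStatusCallback": "9ef6461",
}


def check_posted_list(posted: Dict[str, str] = POSTED) -> List[Tuple[str, int, int]]:
    """Return (name, posted_value, computed_value) for every entry whose
    posted hash is not reproduced by carberp_api_hash."""
    mismatches = []
    for name, posted_hex in posted.items():
        expected = int(posted_hex, 16)
        got = carberp_api_hash(name)
        if got != expected:
            mismatches.append((name, expected, got))
    return mismatches


if __name__ == "__main__":
    bad = check_posted_list()
    print(f"posted entries checked: {len(POSTED)}, mismatches: {len(bad)}")
    for name, exp, got in bad:
        print(f"  {name}: posted {exp:08x}, computed {got:08x}")
    # Resolving hashes pulled from a sample: candidate names are constructed here.
    candidates = list(POSTED) + ["HttpEndRequestA", "InternetOpenUrlExA"]
    for h, name in resolve_hashes([0xFA1AB4F9, 0xDEADBEEF], candidates).items():
        print(f"  {h:08x} -> {name}")
```

The same table-building step is how you turn a hash list like the one above into the MakeName calls: compute the hash of every export in the DLLs the injected code reaches, then name each resolved slot after the export whose hash matches.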
Title: Re: Carberp analysis
Post by: SysAdMini on November 18, 2010, 06:16:46 pm
CARBERP - TRICKS AND TRAPS - A TECHNICAL OVERVIEW
http://www.trustdefender.com/trustdefender-labs-blog-carberp-tricks-and-traps-a-technical-overview.html
Title: Re: Carberp analysis
Post by: SysAdMini on December 12, 2010, 09:47:46 pm
MAN-IN-THE-BROWSER: THE POWER OF JAVASCRIPT AT THE EXAMPLE OF CARBERP
http://trustdefender.com/trustdefender-labs-blog-man-in-the-browser-the-power-of-javascript-at-the-example-of-carberp.html?twitter=MalwareScene
Title: Re: Carberp analysis
Post by: SysAdMini on January 18, 2011, 11:43:37 am
The New Trend in "Malware Evolution"
http://blog.seculert.com/2011/01/new-trend-in-malware-evolution.html
Title: Re: Carberp analysis
Post by: SysAdMini on February 19, 2011, 02:25:33 pm
MalwareIntelligence - Inside the Carberp Botnet
http://www.malwareint.com/docs/inside-carberp-botnet-en.pdf
Title: Re: Carberp analysis
Post by: SysAdMini on March 04, 2011, 01:30:13 pm
Carberp - A modular information stealing trojan
http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf
Title: Re: Carberp analysis
Post by: SysAdMini on July 13, 2011, 09:33:17 am
Decrypting Carberp C&C communication
http://securityblog.s21sec.com/2011/07/decrypting-carberp-c-communication.html
Title: Re: Carberp analysis
Post by: SysAdMini on November 21, 2011, 09:59:17 pm
Evolution of Win32/Carberp: going deeper
http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper