Author Topic: Carberp analysis  (Read 7910 times)


October 06, 2010, 11:48:27 am

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3335
Ruining the bad guy's day

October 26, 2010, 04:27:50 pm
Reply #1

carb0n

  • Newbie

  • Offline
  • *

  • 1
Here is Carberp's API list.

This was a pain to generate and took several custom tools to pull off, so I am going to share it so others don't have to go through that.

Also including the strings they hide by building one byte at a time on the stack.

This is for the code it injects into svchost. It always appears to be at base 0x90000;
it does not show up in the loaded module list, similar to PRG.

Used import hashes from nspr4.dll, ssl3.dll and wininet are inline below (forgot to include in attachments):

PR_Close = 3d3ab319
PR_Connect = bf667ea2
PR_GetError = 1d3347f
PR_MillisecondsToInterval = 5bf9111
PR_Poll = fa1ab4f9
PR_Read = fa583271
PR_Write = 7efb3098
SSL_ImportFD = a1c4e024
DeleteUrlCacheEntry = a3a80ab6
FindCloseUrlCache = fde87743
FindFirstUrlCacheEntryA = ddcb15d
FindNextUrlCacheEntryA = 8733d614
GetUrlCacheEntryInfoW = 57fbc0cb
HttpAddRequestHeadersA = b5901061
HttpAddRequestHeadersW = b5901077
HttpOpenRequestA = 1510002f
HttpOpenRequestW = 15100039
HttpQueryInfoA = 2f5ce027
HttpSendRequestA = 9f13856a
HttpSendRequestExA = e15b9b85
HttpSendRequestExW = e15b9b93
HttpSendRequestW = 9f13857c
InternetCloseHandle = 7314fb0c
InternetConnectA = be618d3e
InternetConnectW = be618d28
InternetOpenA = 8593dd7
InternetOpenUrlA = b87dbd66
InternetOpenUrlW = b87dbd70
InternetOpenW = 8593dc1
InternetQueryDataAvailable = 7edec584
InternetQueryOptionA = 2ae71934
InternetQueryOptionW = 2ae71922
InternetReadFile = 1a212962
InternetReadFileExA = 2c523864
InternetReadFileExW = 2c523872
InternetSetOptionA = 1ad09c78
InternetSetStatusCallback = 9ef6461

//autogenerated below, in general carberp uses wrappers to access
//specific api, this code was generated to look for the parent function
//the api was used in and use that for the address. if you see doubles it means
//the parent function identified is probably not an api wrapper and something else
//you can prune this list as necessary.

MakeName(0X99F10,"DeleteUrlCacheEntry");
MakeName(0X99F40,"FindCloseUrlCache");
MakeName(0X99EB0,"FindFirstUrlCacheEntryA");
MakeName(0X99EE0,"FindNextUrlCacheEntryA");
MakeName(0X99E50,"GetUrlCacheEntryInfoW");
MakeName(0X99BE0,"HttpAddRequestHeadersA");
MakeName(0X9F430,"HttpAddRequestHeadersA");
MakeName(0X99C50,"HttpAddRequestHeadersW");
MakeName(0X9F430,"HttpAddRequestHeadersW");
MakeName(0X9F430,"HttpOpenRequestA");
MakeName(0X9F430,"HttpOpenRequestW");
MakeName(0X99C10,"HttpQueryInfoA");
MakeName(0X99A30,"HttpSendRequestA");
MakeName(0X9F430,"HttpSendRequestA");
MakeName(0X99A30,"HttpSendRequestExA");
MakeName(0X9F430,"HttpSendRequestExA");
MakeName(0X99A30,"HttpSendRequestExW");
MakeName(0X9F430,"HttpSendRequestExW");
MakeName(0X99A30,"HttpSendRequestW");
MakeName(0X9F430,"HttpSendRequestW");
MakeName(0X99A30,"InternetCloseHandle");
MakeName(0X9BF30,"InternetCloseHandle");
MakeName(0X9F430,"InternetCloseHandle");
MakeName(0X9F430,"InternetConnectA");
MakeName(0X9F430,"InternetConnectW");
MakeName(0X9BEB0,"InternetOpenA");
MakeName(0X9F430,"InternetOpenA");
MakeName(0X9BEF0,"InternetOpenUrlA");
MakeName(0X9F430,"InternetOpenUrlA");
MakeName(0X9F430,"InternetOpenUrlW");
MakeName(0X9F430,"InternetOpenW");
MakeName(0X99A30,"InternetQueryDataAvailable");
MakeName(0X9F430,"InternetQueryDataAvailable");
MakeName(0X99C80,"InternetQueryOptionA");
MakeName(0X99E20,"InternetQueryOptionW");
MakeName(0X99A30,"InternetReadFile");
MakeName(0X9BF60,"InternetReadFile");
MakeName(0X9F430,"InternetReadFile");
MakeName(0X99A30,"InternetReadFileExA");
MakeName(0X9F430,"InternetReadFileExA");
MakeName(0X99A30,"InternetReadFileExW");
MakeName(0X9F430,"InternetReadFileExW");
MakeName(0X99D10,"InternetSetOptionA");
MakeName(0X99CE0,"InternetSetStatusCallback");

Any questions, feel free to mail, but I will only respond to emails from work email addresses.
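The auto-generated MakeName() list above contains "doubles": one address carrying several API names (0x9F430 and 0x99A30 are the obvious cases), which the post says means the identified parent function is a generic caller rather than a per-API wrapper. The script below is an added example, not code from the original post or from the Carberp analysis tooling it mentions. It parses IDC MakeName() lines, groups them by address, keeps only addresses that resolve to a single API name as wrappers, and reports the ambiguous ones so they are not mislabelled in the IDB. The SAMPLE_IDC string is a constructed subset of the posted lines, and the `w_` name prefix and all function names are my own choices.

```python
"""Prune an auto-generated IDC MakeName() list of suspected API wrappers.

Added example, not part of the original forum post. SAMPLE_IDC is a
constructed subset of the MakeName() lines carb0n posted.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of the posted MakeName() lines, including
# two addresses (0x9F430, 0x99A30) that appear under several API names.
SAMPLE_IDC = """
MakeName(0X99F10,"DeleteUrlCacheEntry");
MakeName(0X99BE0,"HttpAddRequestHeadersA");
MakeName(0X9F430,"HttpAddRequestHeadersA");
MakeName(0X9F430,"HttpOpenRequestA");
MakeName(0X99A30,"HttpSendRequestA");
MakeName(0X9F430,"HttpSendRequestA");
MakeName(0X99A30,"InternetReadFile");
MakeName(0X9BF60,"InternetReadFile");
MakeName(0X99D10,"InternetSetOptionA");
"""

# Accepts both 0x and 0X hex prefixes, as in the posted list.
MAKENAME_RE = re.compile(
    r'MakeName\(\s*0[xX]([0-9A-Fa-f]+)\s*,\s*"([^"]+)"\s*\)\s*;'
)


def parse_makename(text):
    """Return a list of (address, api_name) pairs in order of appearance."""
    return [(int(m.group(1), 16), m.group(2)) for m in MAKENAME_RE.finditer(text)]


def group_by_address(entries):
    """Map each address to the distinct API names attached to it."""
    groups = defaultdict(list)
    for addr, name in entries:
        if name not in groups[addr]:
            groups[addr].append(name)
    return dict(groups)


def prune(entries):
    """Split entries into (wrappers, ambiguous).

    wrappers:  {addr: name} where exactly one API resolves to the address,
               i.e. the parent is most likely a thin per-API wrapper.
    ambiguous: {addr: [names]} where several APIs share the same parent,
               i.e. a generic caller that should not be named after one API.
    """
    groups = group_by_address(entries)
    wrappers = {a: names[0] for a, names in groups.items() if len(names) == 1}
    ambiguous = {a: names for a, names in groups.items() if len(names) > 1}
    return wrappers, ambiguous


def emit_idc(wrappers, prefix="w_"):
    """Render the pruned wrappers back to IDC. The prefix (an assumption of
    this example) keeps the wrapper names from colliding with the real
    import names IDA already knows."""
    return "\n".join(
        f'MakeName(0x{addr:X},"{prefix}{name}");'
        for addr, name in sorted(wrappers.items())
    )


if __name__ == "__main__":
    wrappers, ambiguous = prune(parse_makename(SAMPLE_IDC))
    print(emit_idc(wrappers))
    for addr, names in sorted(ambiguous.items()):
        print(f"// 0x{addr:X} reached from {len(names)} APIs, not a wrapper: "
              + ", ".join(names))
```

On the full posted list the same rule singles out, for example, 0x9BF30 as the InternetCloseHandle wrapper while leaving 0x99A30 and 0x9F430 unnamed; the latter two are worth a manual look because they are the common dispatch points the wrappers funnel through.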

November 18, 2010, 06:16:46 pm
Reply #2

SysAdMini


December 12, 2010, 09:47:46 pm
Reply #3

SysAdMini


January 18, 2011, 11:43:37 am
Reply #4

SysAdMini


February 19, 2011, 02:25:33 pm
Reply #5

SysAdMini


March 04, 2011, 01:30:13 pm
Reply #6

SysAdMini


July 13, 2011, 09:33:17 am
Reply #7

SysAdMini


November 21, 2011, 09:59:17 pm
Reply #8

SysAdMini
