June 18, 2013 By Etay Maor 5 min read

The always-lively Russian fraud forums offer amateur and professional hackers a wide variety of tools to assist them in their criminal activity. Authorized dealers offer malware modules, botnets, rootkits, stolen credentials and the like for very reasonable prices. Although commoditized malware variants (such as Zeus) are sold on a daily basis, it is rare to see the source code of known malware being offered for sale. The security team at IBM Trusteer recently identified a Russian forum member who is offering the Trojan’s Carberp source code for $50,000.

The seller, who goes by the alias “=Sj=,” provides a highly detailed description of the new developments and capabilities of the malware. The seller also explicitly writes that the source code is sold in coordination with the Carberp author and that it will only be sold to a trustworthy member. This comment is of particular interest as members of different advanced fraud forums are apparently also attempting to sell the source code at a significantly lower price. One assumption is that a breach of contract by a Carberp seller caused a buyer to take revenge and sell the source code.

The Carberp Source Code Bootkit

The highly elaborate ad provides a detailed overview of numerous functions, processes and modules incorporated into Carberp. One of them is the newly designed bootkit, which the seller claims will significantly improve the infection rate. According to the ad, it “enables you to load a specifically compiled driver from the moment the OS starts. … The driver receives commands before all other loaded drivers (including all drivers at boot-load) and can monitor them or affect the way they load. A digital signature of the driver is unnecessary.”

This is in fact a Master Boot Record (MBR) rootkit. In addition to the advanced features offered, the seller details some functions described as “oldies but goodies,” such as:

  • Form grabbers for the major browsers
  • FTP grabbers
  • RU and UA grabbers (for targeting Russian and Ukrainian applications)
  • Email grabbers
  • Certificate grabbers
  • VNC and RDP

Trusteer analysts have witnessed past occurrences in which a private group acquired malware source code (Citadel), enhanced it, sold variants and offered help and support. With the current feature set this malware offers, it can easily be configured to conduct targeted attacks on a wide variety of businesses as well as for use in data theft and reconnaissance. It remains to be seen if this is an attempt to dilute the Carberp source code due to internal struggles within the Trojan or its buyer groups. Another possibility is that the source code will be acquired and enhanced to create a new malware product for sale to the underground fraud community.

Driver Boot Loader

Enables you to load specifically compiled drivers from the moment the OS starts. The driver is loaded prior to the initialization of the NT core — prior to the initialization of PatchGuard — and can patch any code that runs at core. The driver receives commands before all other loaded drivers (including all drivers at boot-load) and can monitor them or affect the way they load. A digital signature of the driver is unnecessary.

All Windows OS are supported, starting from XP to Windows 8, inclusive. All architectures are supported, x86 and AMD64 (EM64T). The boot-loader works with all types of NTFS-partitions. The compiled project consists of three main parts:

  • Initial loader (IPL)
  • Specially-compiled, with the account of initialization prior to the NT core, driver
  • Installer-software (or library-installer (DLL))

The IPL code is metamorphic, consisting of a certain amount of blocks, which are scrambled randomly with each project compilation. The IPL code is encrypted and is dynamically decrypted at runtime. This way, each IPL code, when fully complied, is different from its predecessor in a binary way. The driver is also encrypted when it is being written to disk and decrypted by the initial loader at startup.

A small limitation to the driver size: In relation to the different technical specifics of the IPL, the driver cannot be more than 100 KB.

The project is compiled through MS Visual Studio 2005 and MS Windows 7 WDK.

Additional Components

The driver can contain the following additional components:

  • A virtual OS manager. Creates a virtual, encrypted (RC6) file system (VFS) within unmapped disk sectors. Offers a user-mode interface to work with files on that FS.
  • Filter of disk-access. Blocks external access to sectors containing IPL and virtual FS. Conceals the virtual FS.
  • DLL injector. Allows to load (inject) DLLs that are on the VFS or attached, independent of the driver-file, in the desired process. Has an interface to control injections from user-mode.
  • Driver loader. Offers an interface to load third-party unsigned drivers.
  • TCP/IP protocol stack (incl: ARP, ICMP, DNS). Provides user-mode add-ons and drivers with an interface for networking outside of BSD-sockets.

The Project Inventory List

  • IPL Generator (\BkGen)
  • Loader library (\BkLib)
  • Installer software (\BkSetup)
  • Installer library (\SetupDll)
  • Driver-injector (\KLoader)
  • Virtual File-System library (\FsLib)
  • Library for loading third-party drivers (\DrvLdr)
  • Library-filter for defending the sectors of the loader and virtual FS (\BkFilter)
  • Utility for file attachments (\FJ)
  • Utility for controlling the virtual FS (\VFS)
  • Batch files for compiling an example loader with DLL examples (\BkBuild)

IPL Generator

Compiles only under x86 in the executable file BkGen.exe; creates the file VBR.com at run, which contains the metamorphic code of the initial loader. Generates a unique loader with every run.

Loader Library

Compiles under x86 and AMD64 in static library (/lib). Contains functions needed for installing and initializing the loader. Imported via the installer and driver. See file bklib.h. for details.

Installer Software

At compilation, seeks the loader file VBR.com and integrates itself to resources. Compiled only under x86 to the file BkSetup.exe.

Installer Library

Compiles for X86 and X64 to the dynamic library SetupDll.dll. The library exports one function: ULONG BkInstall (BOOL bReboot). When it is called, the loader is installed to the system. In case of an error, the function returns a Win32 error code.

Driver-Injector

Compiles under x86 and AMD64 as an NT driver (kloader.sys). It injects attached DLLs to desired processes. The DLL and processes lists are contained in the configuration file for the FJ utility.

Virtual File-System Library

Compiles for x86 and AMD64, linked in the injector-driver (kloader.sys). Creates a virtual file system in an unmarked section of the system hard drive. In case an unmapped sector does not exist sufficiently, the last section of the disk is reduced in size for this purpose.

The file system is a modified FAT16 system. The cluster size is equal to the physical disk size. The maximum supported volume of the virtual disk is ~32MB. The file names are 8.3, because long names are not supported. Catalogs are unsupported. The FS is completely encrypted (RC6).

Library for Loading Third-Party Drivers

  • Compiled under x86 and AMD64 and linked to the driver-injector (kloader.sys)
  • Allows [users] to load and execute third-party drivers for the NT core
  • Filter-library for Protecting Loader Sectors and Virtual FS

Compiled under x86 and AMD64 and linked to driver-injector (kloader.sys). Filters low-level requests to read/write disk sectors. Prohibits the change (write) of sectors containing the initial loader. Blocks changes by third parties and drivers to the FS sectors. When reading the sectors containing the virtual FS, it nullifies its contents, in turn masking the existence of a file system.

Utility for File Attachments

Compiles only to x86 in the executable, FJ.exe. Used for joining injected DLLs to the driver file and for attaching the driver file to the installer. For details, see \FJ\ReadMe.txt.

Batches for Compiling an Example Installer

  • BkBuild.bat: compiles an installer with the attached drivers kloader.sys for x86 and AMD64, respectively. To each driver, DLL files to inject are attached.
  • BkSetup.cfg: configuration file for compiling the installer and its driver attachments
  • setupdll.cfg: configuration file for compiling the installer library and its driver attachments
  • demo32.dll: a 32-bit demo-library
  • demo 64.dll: a 64-bit demo-library

Compiling Order

  1. With the help of Visual Studio 2005, compile the entire project. First compile for i386, and then for AMD64.
  2. Open a console (cmd.exe), access the folder \BkBuild and launch BkBuild.exe from console.
  3. Fetch the ready installer from \BkBuild\R.

Functionalities

  • Bootkit (MBR Loader)
  • FTP grabbers
  • Browsers, mail programs
  • Form grabbers IE, FF, FTP
  • Sniffer
  • Certification grabber from IE, HTML injections in IE and FF
  • Universal keylogger
  • Grabbers of RU and UA
  • VNC, RDP and many more

More from Fraud Protection

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today