Carberp Evolution and BlackHole:
  Investigation Beyond the Event Horizon

     Aleksandr Matrosov, ESET
     Eugene Rodionov, ESET
     Dmitry Volkov, Group-IB
     Vladimir Kropotov, TNK-BP
Agenda

 Carberp cybercrime group investigation
    evolution of botnet
    tracking Carberp affiliate people
 What are the next steps of investigation?

 Evolution of Carberp distribution scheme
 Carberp in-depth analysis

 Domain shadow games
 Infected legitimate web sites
Carberp cybercrime group investigation
Cybercrime group #1
[Diagram: cybercrime group #1 around Carberp. Nodes shown: Carberp; ??? (member not yet identified); GizmoSB; NeoSploit and BlackHole; Carberp 1, RDPdoor, Sheldor and Autoload.]
Cybercrime group #1
[Diagram, next build of the same picture: the ??? node is now identified as Freeq. Nodes shown: Carberp; Freeq; GizmoSB; NeoSploit and BlackHole; Carberp 1, RDPdoor, Sheldor and Autoload.]
Win32/Sheldor C&C
Win32/RDPdoor C&C
Autoload C&C
Arrest
Cybercrime group #2
[Diagram: cybercrime group #2. Nodes shown: Carberp; ???; Pasha aka Qruiokd, Klasvas; GizmoSB; «Who?»; NeoSploit and BlackHole; Carberp 1, RDPdoor, Sheldor and Autoload; Carberp 2 and Krys Sploit.]
Cybercrime group #2
D****** I*** (10th June Arrested)
 D****** I***, 1989, Russia – Botnet administrator («who?» aka
  benq-sim, also possible Sw1nDleR, Opsos)

 Maxim Glotov, 1987, Russia – Malware developer («Robusto»,
  aka «Den Adel», «Mobyart», «On1iner»)
Cybercrime group #3
[Diagram: cybercrime group #3. Nodes shown: Carberp; ???; Pasha aka Qruiokd, Klasvas; GizmoSB; «Who?»; Hodprot; NeoSploit and BlackHole; Carberp 1, RDPdoor, Sheldor and Autoload; Carberp 2 and Krys Sploit.]
Blackhole C&C
Cybercrime group #3
Carberp & Facebook
  neauihfndcp8uihfedc.com (146.185.242.31)
Carberp 3 sales video

 Actively sold – January 2011
 C&C video: http://www.sendspace.com/file/iquzl6 (BpgzsvrN)
Evolution of drive-by downloads: the Carberp case
Exploit kits used in distribution scheme
 Impact since 2010 (probivaites.in)
   •   Java/Exploit.CVE-2010-0840
   •   Java/Exploit.CVE-2010-0842
   •   Java/TrojanDownloader.OpenConnection


 Blackhole since 2011 (lifenews-sport.org)
   •   JS/Exploit.JavaDepKit (CVE-2010-0886)
   •   Java/Exploit.CVE-2011-3544
   •   Java/Exploit.CVE-2012-0507
   •   Java/Agent


 Nuclear Pack since 2012 (nod32-matrosov-pideri.org)
   •   Java/Exploit.CVE-2012-0507
Blackhole drive-by download scheme
[Diagram: legitimate site → search vuln. TRUE: exploitation stage (/getJavaInfo.jar, /content/obe.jar, /content/rino.jar), then dropper execution (/w.php?f=17&e=2). FALSE: nothing further is served.]
Exploit kit migration reasons

1. most popular = most detected
2. frequently leaked exploit kit; most popular exploit kit for research
3. auto detections by AV-crawlers; non-detection period is less than two hours
Blackhole migration to Nuclear Pack
Nuclear Pack drive-by download scheme
[Diagram: legitimate site → check real user → search vuln. TRUE: exploitation stage (/images/274e0118278c38ab7f4ef5f98b71d9dc.jar), then dropper execution (/server_privileges.php?<gate_id>=<exp_id>). FALSE: nothing further is served.]
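The two diagrams (Blackhole and Nuclear Pack) describe the same shape of chain: a visit to a legitimate site, a JAR fetch in the exploitation stage, then a dropper request. That ordering is itself detectable in web-proxy logs. The Python below is an added example, not tooling from the deck or its authors: it encodes the stage URLs shown in both diagrams as patterns, walks a proxy log per client and raises a finding only when an exploitation-stage fetch is followed by the same kit's dropper request within a short window. The log format, the sample lines and the generalisation of the URLs (any f=/e= value, any 32-hex-digit JAR name, any gate/exploit id pair) are my assumptions; kits rotate paths, so the value is in the per-client sequencing rather than in these particular strings. The "check real user" step of Nuclear Pack is not modelled here, since a log-based detector only sees what was actually served.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage URL patterns taken from the Blackhole and Nuclear Pack diagrams in this
# deck. The regexes generalise them (any f=/e= value, any 32-hex-digit JAR name,
# any <gate_id>=<exp_id> pair); that generalisation is an assumption, and exploit
# kits rotate such paths, so treat these as an illustration of the method.
KIT_STAGES = {
    "Blackhole": {
        "exploit": re.compile(r"/(getJavaInfo\.jar|content/(obe|rino)\.jar)$"),
        "dropper": re.compile(r"/w\.php\?f=\d+&e=\d+$"),
    },
    "Nuclear Pack": {
        "exploit": re.compile(r"/images/[0-9a-f]{32}\.jar$"),
        "dropper": re.compile(r"/server_privileges\.php\?[^=&]+=[^=&]+$"),
    },
}

# Assumed (constructed) proxy-log format: <date> <time> <client> "<referer>" <url>
LOG_RE = re.compile(r'^(\S+ \S+) (\S+) "([^"]*)" (\S+)$')

# Constructed sample lines: one Blackhole chain, one Nuclear Pack chain and one
# lone JAR fetch that must not produce a finding on its own.
SAMPLE_LOG = [
    '2012-04-05 10:00:01 10.0.0.7 "-" http://news.example/index.html',
    '2012-04-05 10:00:03 10.0.0.7 "http://news.example/index.html" http://ek.example/getJavaInfo.jar',
    '2012-04-05 10:00:04 10.0.0.7 "http://news.example/index.html" http://ek.example/content/obe.jar',
    '2012-04-05 10:00:09 10.0.0.7 "-" http://ek.example/w.php?f=17&e=2',
    '2012-04-05 10:05:00 10.0.0.9 "http://news.example/" http://np.example/images/274e0118278c38ab7f4ef5f98b71d9dc.jar',
    '2012-04-05 10:05:02 10.0.0.9 "-" http://np.example/server_privileges.php?g1=e3',
    '2012-04-05 11:00:00 10.0.0.11 "-" http://cdn.example/content/rino.jar',
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "client": m.group(2),
        "referer": m.group(3),
        "url": m.group(4),
    }


def url_path(url):
    """Strip scheme and host so the stage patterns match on path+query only."""
    rest = url.split("://", 1)[-1]
    return rest[rest.find("/"):] if "/" in rest else "/"


def classify(url):
    """Return (kit, stage) if the URL matches a known stage pattern, else None."""
    path = url_path(url)
    for kit, stages in KIT_STAGES.items():
        for stage, rx in stages.items():
            if rx.search(path):
                return kit, stage
    return None


def find_chains(lines, window=timedelta(minutes=5)):
    """Per client, pair an exploitation-stage fetch with a following dropper
    request of the same kit inside `window`; each pair is one finding."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].append(rec)

    findings = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        pending = {}  # kit -> most recent exploitation-stage record
        for r in recs:
            hit = classify(r["url"])
            if not hit:
                continue
            kit, stage = hit
            if stage == "exploit":
                pending[kit] = r
            elif stage == "dropper" and kit in pending:
                e = pending[kit]
                if r["ts"] - e["ts"] <= window:
                    findings.append({
                        "client": client,
                        "kit": kit,
                        "landing_referer": e["referer"],
                        "exploit_url": e["url"],
                        "dropper_url": r["url"],
                    })
                    del pending[kit]
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG):
        print(f"{f['client']}: {f['kit']} chain, landing referer {f['landing_referer']!r}, "
              f"exploit {f['exploit_url']}, dropper {f['dropper_url']}")
```

Run as-is it reports two chains (10.0.0.7 via Blackhole, 10.0.0.9 via Nuclear Pack) and stays silent on 10.0.0.11, whose single JAR fetch never progressed to a dropper. The referer captured with the exploitation-stage request is what points back to the compromised legitimate site, which is the piece an incident responder wants first.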
Carberp detection statistics
Carberp detection statistics by country
[Chart, cloud data from Live Grid; countries shown: Russia, Ukraine, Belarus, Kazakhstan, Turkey, United Kingdom, Spain, United States, Italy, rest of the world.]
Carberp detections over time in Russia
[Chart, cloud data from Live Grid; y-axis from 0 to 0.18.]
Evolution of Carberp modifications
Different groups, different bots, different C&C's
[Diagram: three branches of Carberp: Gizmo, D******, Hodprot.]
functionality           Gizmo              D******                Hodprot
Dedicated dropper                                              Win32/Hodprot
Java patcher                                                       ✓  ✓  ✓
Bootkit                                                       based on Rovnix
RDP backconnect                         Win32/RDPdoor          Win32/RDPdoor
TV backconnect      Win32/Sheldor        Win32/Sheldor          Win32/Sheldor
HTML injections     IE, Firefox, Opera   IE, Firefox, Opera,    IE, Firefox, Opera,
                                               Chrome                 Chrome
Autoloads                                                            ✓  ✓  ✓
Unique plugins         minav.plug           sbtest.plug             sber.plug
                       passw.plug         cyberplat.plug            ddos.plug
                       killav.plug
commands Gizmo     D******   Hodprot                 Description
ddos                                download DDoS plugin and start attack
updatehosts                         modify hosts file on infected system
alert                               show message box on infected system
update                              download new version of Carberp
updateconfig                        download new version of config file
download                            download and execute PE-file
loaddll                             download plugin and load into memory
bootkit                             download and install bootkit
grabber                             grab HTML form data and send to C&C
killos                              modify boot code and delete system files
killuser                            delete user Windows account
killbot                             delete all files and registry keys
updatepatch                         download and modify java runtime
deletepatch                         delete java runtime modifications
The Story of BK-LOADER
    from Rovnix.A to Carberp
Interesting Carberp sample (October 2011)
Interesting Carberp sample (October 2011)
Interesting strings inside Carberp with bootkit
Carberp bootkit functionality
[Diagram: bootkit bootstrap code → load unsigned driver injector → inject user-mode payload.]
Callgraph of bootkit installation routine
Rovnix kit hidden file systems comparison

functionality                     Rovnix.A             Carberp with bootkit   Rovnix.B
VBR modification                                                            ✓  ✓ ✓
polymorphic VBR                                                             ✓  ✓ ✓
Malware driver storage                                                      ✓  ✓ ✓
Driver encryption algorithm       custom (ROR + XOR)   custom (ROR + XOR)    custom (ROR + XOR)
Hidden file system                                     FAT16 modification    FAT16 modification
File system encryption algorithm                       RC6 modification      RC6 modification
Comparison of Carberp file system with Rovnix.B
AntiRE tricks
Removing AV hooks before installation
Calling WinAPI functions by hash
Plugin encryption algorithm
Communication protocol encryption algorithm
Banks attacking algorithms
Bank attacking algorithm              Gizmo     D******   Hodprot
HTML injections                                             ✓  ✓ ✓
autoload                                 2010             2011 (Sep)
dedicated plugins for major banks                           ✓ ✓ ✓
intercepting client-banks activity                          ✓ ✓
patching java                                               ✓ ✓
webmoney/cyberplat                                          ✓ ✓
stealing money from private persons                         ✓
Statistics of real attacks with Carberp
How we get statistics

o Large guest network segments and wired Internet
  access monitored by IDS

o Attack attempts on corporate PCs

o Attack reproduction to collect exploit and payload
  samples

o Targeted infections of dedicated hosts for activity
  monitoring
Carberp C&C location
Date           Domain name                    IP address
02/Apr/2012    mn9gf8weoiludjc90ufo.org       62.122.79.3
03/Apr/2012    mw8f0ieohcjs9n498feuij.org     62.122.79.4
03/Apr/2012    nrf98uehiojsd9jfe.org          62.122.79.3
20/Apr/2012    mn9gf8weoiludjc90ufo.org       62.122.79.9
23/Apr/2012    mn9gf8weoiludjc90ufo.org       62.122.79.72
23/Apr/2012    newf7s9uhdf7ewuhfeh.org        62.122.79.11
23/Apr/2012    ne789gfiujdf98ewyfuhef.org     62.122.79.46
23/Apr/2012    supermegasoftenwe.com          62.122.79.59
02/May/2012    rgn7er8yafh89cehuighv.org      91.228.134.210
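Nine sightings over one month is enough to see the infrastructure pattern in this table: different throw-away domains, one domain moving between addresses, almost everything inside a single /24. The Python below is an added example (not the authors' tooling) that parses the table as printed above, clusters the domains by network prefix, reconstructs each domain's IP history in date order, and proposes prefixes that host several distinct C&C domains as blocklist candidates. The table text is the deck's own data; the prefix length and the "three or more domains" threshold are my assumptions and should be tuned to the sighting volume a team actually has.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Sightings copied from the "Carberp C&C location" table in this deck
# (date, domain, IP). The functions below are an added example, not the
# authors' tooling.
CNC_TABLE = """
02/Apr/2012    mn9gf8weoiludjc90ufo.org      62.122.79.3
03/Apr/2012    mw8f0ieohcjs9n498feuij.org    62.122.79.4
03/Apr/2012    nrf98uehiojsd9jfe.org         62.122.79.3
20/Apr/2012    mn9gf8weoiludjc90ufo.org      62.122.79.9
23/Apr/2012    mn9gf8weoiludjc90ufo.org      62.122.79.72
23/Apr/2012    newf7s9uhdf7ewuhfeh.org       62.122.79.11
23/Apr/2012    ne789gfiujdf98ewyfuhef.org    62.122.79.46
23/Apr/2012    supermegasoftenwe.com         62.122.79.59
02/May/2012    rgn7er8yafh89cehuighv.org     91.228.134.210
"""

# One table row: dd/Mon/yyyy (a stray ':' after the date is tolerated), domain, IPv4.
ROW_RE = re.compile(r"^(\d{2}/[A-Za-z]{3}/\d{4}):?\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_table(text):
    """Return a list of (datetime, domain, IPv4Address); non-matching lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append((datetime.strptime(m.group(1), "%d/%b/%Y"),
                     m.group(2),
                     ipaddress.ip_address(m.group(3))))
    return rows


def cluster_by_prefix(rows, prefixlen=24):
    """Map network prefix (as a string, e.g. '62.122.79.0/24') -> set of domains seen there."""
    clusters = defaultdict(set)
    for _, domain, ip in rows:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        clusters[str(net)].add(domain)
    return clusters


def ip_history(rows):
    """Map domain -> list of (date, ip) in date order, collapsing repeats of the same IP."""
    hist = defaultdict(list)
    for ts, domain, ip in sorted(rows):
        if not hist[domain] or hist[domain][-1][1] != ip:
            hist[domain].append((ts, ip))
    return hist


def blocklist_candidates(rows, min_domains=3, prefixlen=24):
    """Prefixes hosting at least `min_domains` distinct C&C domains (assumed threshold)."""
    return sorted(net for net, doms in cluster_by_prefix(rows, prefixlen).items()
                  if len(doms) >= min_domains)


if __name__ == "__main__":
    rows = parse_table(CNC_TABLE)
    for net, doms in sorted(cluster_by_prefix(rows).items()):
        print(f"{net}: {len(doms)} domain(s): {', '.join(sorted(doms))}")
    for domain, moves in ip_history(rows).items():
        if len(moves) > 1:
            print(domain, "->", " -> ".join(f"{ip} ({ts:%d %b})" for ts, ip in moves))
    print("blocklist candidates:", blocklist_candidates(rows))
```

On this data the script puts six domains into 62.122.79.0/24 and one into 91.228.134.0/24, shows mn9gf8weoiludjc90ufo.org hopping .3 → .9 → .72 within the same /24, and proposes only the first prefix as a blocklist candidate. Blocking a whole /24 is a deliberate trade-off: it catches the next throw-away domain on the same hosting, at the cost of any legitimate tenant sharing that range, so the threshold belongs in the decision and not only in the code.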
Hacked web servers stats Q4 2011 - Q2 2012
Domain        Resource type       Infection period              Times seen   Unique hosts
ria.ru        news                02 Nov 2011 – 01 Mar 2012     10           527064
kp.ru         news                04 Oct 2011 – 13 Oct 2011     10           427534
gazeta.ru     news                24 Feb 2012                   1            380459
newsru.com    news                05 Mar 2012                   1            321314
lifenews.ru   news                26 Mar 2012                   1            183984
pravda.ru     news                20 Apr 2012                   1            164271
eg.ru         news                08 Oct 2011 – 13 Oct 2011     6            137332
topnews.ru    news                06 Feb 2012                   1            139003
infox.ru      news                05 Mar 2012                   1            137396
rzd.ru        national railroad   13 Oct 2011 – 24 Oct 2011     12           131578
inosmi.ru     news                02 Nov 2011 – 15 Feb 2012     5            113374
Top targeted audience domains

Domain        Resource type   Infection period              Times seen   Unique hosts
klerk.ru      accountants     20 Apr 2012 – 03 May 2012     3            147518
banki.ru      finance         24 Feb 2012                   1             67804
glavbukh.ru   accountants     06 Feb 2012 – 03 May 2012     4             43606
tks.ru        finance         01 Feb 2012 – 03 May 2012     3             23067
bankir.ru     finance         24 Jan 2012 – 11 May 2012     2             44542
References
 Exploit Kit plays with smart redirection
http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection

 Facebook Fakebook: New Trends in Carberp Activity
http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity

 Blackhole, CVE-2012-0507 and Carberp
http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp

 Evolution of Win32/Carberp: going deeper
http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper

 Rovnix Reloaded: new step of evolution
http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution

 Hodprot: Hot to Bot
http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf

 Cybercrime in Russia: Trends and issues
http://go.eset.com/us/resources/white-papers/CARO_2011.pdf
Thank you for your attention!


Aleksandr Matrosov          Eugene Rodionov         Dmitry Volkov
matrosov@eset.sk            rodionov@eset.sk        volkov@group-ib.ru
@matrosov                   @vxradius               @groupib

                            Vladimir Kropotov
                            vbkropotov@tnk-bp.com
                            @vbkropotov

TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon

  • 1. Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon. Aleksandr Matrosov (ESET), Eugene Rodionov (ESET), Dmitry Volkov (Group-IB), Vladimir Kropotov (TNK-BP)
  • 2. Agenda
    - Carberp cybercrime group investigation
      - evolution of botnet
      - tracking Carberp affiliate people
    - What are the next steps of investigation?
    - Evolution of Carberp distribution scheme
    - Carberp in-depth analysis
    - Domain shadow games
    - Infected legitimate web sites
  • 3. Carberp cybercrime group investigation
  • 4.
  • 5. Cybercrime group #1 (diagram): Carberp → ??? → GizmoSB → NeoSploit, BlackHole | Carberp 1, RDPdoor, Shelldor, Autoload
  • 6–7. Cybercrime group #1 (diagram): Carberp → Freeq → GizmoSB → NeoSploit, BlackHole | Carberp 1, RDPdoor, Shelldor, Autoload
  • 9. Win32/RDPdoor C&C (diagram): Carberp → Freeq → GizmoSB → NeoSploit, BlackHole | Carberp 1, RDPdoor, Shelldor, Autoload
  • 12. Cybercrime group #2 (diagram): Carberp; Pasha aka ???; Qruiokd, Klasvas; GizmoSB, «Who?»; NeoSploit, BlackHole, Krys Sploit; Carberp 1, Carberp 2, RDPdoor, Sheldor, Autoload
  • 15. D****** I*** (arrested 10th June)
    - D****** I***, 1989, Russia – botnet administrator («who?» aka benq-sim, possibly also Sw1nDleR, Opsos)
    - Maxim Glotov, 1987, Russia – malware developer («Robusto», aka «Den Adel», «Mobyart», «On1iner»)
  • 16. Cybercrime group #3 (diagram): Carberp; Pasha aka ???; Qruiokd, Klasvas; GizmoSB, «Who?», Hodprot; NeoSploit, BlackHole, Krys Sploit; Carberp 1, Carberp 2, RDPdoor, Shelldor, Autoload
  • 23–24. Carberp & Facebook: neauihfndcp8uihfedc.com (146.185.242.31)
  • 25–26. Carberp 3 sale video
    - Active sale – January 2011
    - C&C video: http://www.sendspace.com/file/iquzl6 (BpgzsvrN)
  • 27. Evolution of drive-by downloads: the Carberp case
  • 28. Exploit kits used in the distribution scheme
    - Impact, since 2010 (probivaites.in)
      - Java/Exploit.CVE-2010-0840
      - Java/Exploit.CVE-2010-0842
      - Java/TrojanDownloader.OpenConnection
    - Blackhole, since 2011 (lifenews-sport.org)
      - JS/Exploit.JavaDepKit (CVE-2010-0886)
      - Java/Exploit.CVE-2011-3544
      - Java/Exploit.CVE-2012-0507
      - Java/Agent
    - Nuclear Pack, since 2012 (nod32-matrosov-pideri.org)
      - Java/Exploit.CVE-2012-0507
  • 29–32. Blackhole drive-by download scheme (flowchart): legitimate site → search check (TRUE / FALSE) → vuln exploitation stage → dropper execution; URLs seen: /getJavaInfo.jar, /content/obe.jar, /content/rino.jar, /w.php?f=17&e=2
  • 33. Exploit kit migration reasons
    1. most popular = most detected
    2. frequently leaked exploit kit; most popular exploit kit for research
    3. auto detections by AV-crawlers; non-detection period is less than two hours
  • 34. Blackhole migration to Nuclear Pack
  • 35–40. Nuclear Pack drive-by download scheme (flowchart): legitimate site → check real user → search check (TRUE / FALSE) → vuln exploitation stage → dropper execution; URLs seen: //images/274e0118278c38ab7f4ef5f98b71d9dc.jar, /server_privileges.php?<gate_id>=<exp_id>
  • 42. Carberp detection statistics by country (chart; cloud data from Live Grid): Russia, Ukraine, Belarus, Kazakhstan, Turkey, United Kingdom, Spain, United States, Italy, rest of the world
  • 43. Carberp detections over time in Russia (chart; cloud data from Live Grid)
  • 44. Evolution of Carberp modifications
  • 45. Different groups, different bots, different C&Cs: Gizmo, D******, Hodprot
  • 46. Functionality comparison
    functionality              | Gizmo              | D******                    | Hodprot
    Dedicated dropper          | –                  | –                          | Win32/Hodprot
    Java patcher               | ✓                  | ✓                          | ✓
    Bootkit (based on Rovnix)  | ✓                  | ✓                          | ✓
    RDP backconnect            | –                  | Win32/RDPdoor              | Win32/RDPdoor
    TV backconnect             | Win32/Sheldor      | Win32/Sheldor              | Win32/Sheldor
    HTML injections            | IE, Firefox, Opera | IE, Firefox, Opera, Chrome | IE, Firefox, Opera, Chrome
    Autoloads                  | ✓                  | ✓                          | ✓
    Unique plugins             | minav.plug, sbtest.plug, sber.plug, passw.plug, cyberplat.plug, ddos.plug, killav.plug
  • 47. Commands (compared across Gizmo, D******, Hodprot)
    - ddos – download DDoS plugin and start attack
    - updatehosts – modify hosts file on infected system
    - alert – show message box on infected system
    - update – download new version of Carberp
    - updateconfig – download new version of config file
    - download – download and execute PE-file
    - loaddll – download plugin and load into memory
    - bootkit – download and install bootkit
    - grabber – grab HTML form data and send to C&C
    - killos – modify boot code and delete system files
    - killuser – delete user Windows account
    - killbot – delete all files and registry keys
    - updatepatch – download and modify java runtime
    - deletepatch – delete java runtime modifications
  • 48. The Story of BK-LOADER from Rovnix.A to Carberp
  • 49.
  • 50.
  • 51.
  • 52.
  • 53–54. Interesting Carberp sample (October 2011)
  • 55. Interesting strings inside Carberp with bootkit
  • 56–58. Carberp bootkit functionality (diagram): bootkit (bootstrap code) → load unsigned driver → injector (inject user-mode payload)
  • 59. Callgraph of bootkit installation routine
  • 60. Rovnix kit hidden file systems comparison
    functionality                     | Rovnix.A           | Carberp with bootkit | Rovnix.B
    VBR modification                  | ✓                  | ✓                    | ✓
    Polymorphic VBR                   | –                  | ✓                    | ✓
    Malware driver storage            | –                  | ✓                    | ✓
    Driver encryption algorithm       | custom (ROR + XOR) | custom (ROR + XOR)   | custom (ROR + XOR)
    Hidden file system                | –                  | FAT16 modification   | FAT16 modification
    File system encryption algorithm  | –                  | RC6 modification     | RC6 modification
  • 61–62. Comparison of Carberp file system with Rovnix.B
  • 64. Removing AV hooks before installation
  • 69. Bank attacking algorithm
    step                                 | Gizmo | D****** | Hodprot
    HTML injections                      | ✓     | ✓       | ✓
    autoload                             | 2010  | –       | 2011 (Sep)
    dedicated plugins for major banks    | ✓     | ✓       | ✓
    intercepting client-bank activity    | ✓     | ✓       | ✓
    patching java                        | ✓     | ✓       | ✓
    webmoney/cyberplat                   | ✓     | ✓       | ✓
    stealing money from private persons  | ✓     | ✓       | –
  • 70.
  • 71.
  • 72.
  • 73.
  • 74.
  • 75. Statistics of real attacks with Carberp
  • 76. How we collected the statistics
    - Large guest network segments and wired Internet access monitored by IDS
    - Attack attempts on corporate PCs
    - Attack reproduction to collect exploit and payload samples
    - Targeted infections of dedicated hosts for activity monitoring
  • 77. Carberp C&C location
    Date        | Domain name                | IP address
    02/Apr/2012 | mn9gf8weoiludjc90ufo.org   | 62.122.79.3
    03/Apr/2012 | mw8f0ieohcjs9n498feuij.org | 62.122.79.4
    03/Apr/2012 | nrf98uehiojsd9jfe.org      | 62.122.79.3
    20/Apr/2012 | mn9gf8weoiludjc90ufo.org   | 62.122.79.9
    23/Apr/2012 | mn9gf8weoiludjc90ufo.org   | 62.122.79.72
    23/Apr/2012 | newf7s9uhdf7ewuhfeh.org    | 62.122.79.11
    23/Apr/2012 | ne789gfiujdf98ewyfuhef.org | 62.122.79.46
    23/Apr/2012 | supermegasoftenwe.com      | 62.122.79.59
    02/May/2012 | rgn7er8yafh89cehuighv.org  | 91.228.134.210
  • 78. Hacked web servers stats, Q4 2011 – Q2 2012
    Domain      | Resource type     | Infection period      | Times seen | Unique hosts
    ria.ru      | news              | 02.11.11 – 01.03.12   | 10         | 527064
    kp.ru       | news              | 04.10.11 – 13.10.11   | 10         | 427534
    gazeta.ru   | news              | 24 Feb 2012           | 1          | 380459
    newsru.com  | news              | 05 Mar 2012           | 1          | 321314
    lifenews.ru | news              | 26 Mar 2012           | 1          | 183984
    pravda.ru   | news              | 20 Apr 2012           | 1          | 164271
    eg.ru       | news              | 08.10.11 – 13.10.11   | 6          | 137332
    topnews.ru  | news              | 06 Feb 2012           | 1          | 139003
    infox.ru    | news              | 05 Mar 2012           | 1          | 137396
    rzd.ru      | National Railroad | 13.10.11 – 24.10.11   | 12         | 131578
    inosmi.ru   | news              | 02.11.2011 – 15.02.12 | 5          | 113374
  • 79. Domains with the most targeted audience
    Domain      | Resource type | Infection period    | Times seen | Unique hosts
    klerk.ru    | accountants   | 20.04.12 – 03.05.12 | 3          | 147518
    banki.ru    | finance       | 24 Feb 2012         | 1          | 67804
    glavbukh.ru | accountants   | 06.02.12 – 03.05.12 | 4          | 43606
    tks.ru      | finance       | 01.02.12 – 03.05.12 | 3          | 23067
    bankir.ru   | finance       | 24.01.12 – 11.05.12 | 2          | 44542
  • 80. References
    - Exploit Kit plays with smart redirection – http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection
    - Facebook Fakebook: New Trends in Carberp Activity – http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity
    - Blackhole, CVE-2012-0507 and Carberp – http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp
    - Evolution of Win32/Carberp: going deeper – http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper
    - Rovnix Reloaded: new step of evolution – http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution
    - Hodprot: Hot to Bot – http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf
    - Cybercrime in Russia: Trends and issues – http://go.eset.com/us/resources/white-papers/CARO_2011.pdf
  • 81. Thank you for your attention! Aleksandr Matrosov (matrosov@eset.sk, @matrosov), Eugene Rodionov (rodionov@eset.sk, @vxradius), Dmitry Volkov (volkov@group-ib.ru, @groupib), Vladimir Kropotov (vbkropotov@tnk-bp.com, @vbkropotov)
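Added example, not part of the slides or the authors' tooling: the stage URL patterns from the Blackhole (slides 29–32) and Nuclear Pack (slides 35–40) flowcharts turned into IDS-style detections over proxy log lines, in the spirit of the guest-network monitoring described on slide 76. The log format, host names and client addresses are constructed; which URL belongs to which stage, and the Nuclear Pack gate query being a single name=value pair, are assumptions.

```python
import re
from collections import defaultdict

# Stage signatures from the flowcharts on slides 29-32 (Blackhole) and 35-40
# (Nuclear Pack). Stage assignment and the <gate_id>=<exp_id> shape (one
# word=word pair) are assumptions made for this example.
SIGNATURES = [
    ("Blackhole", "exploitation", re.compile(r"/getJavaInfo\.jar$")),
    ("Blackhole", "exploitation", re.compile(r"/content/[a-z0-9]+\.jar$")),
    ("Blackhole", "dropper", re.compile(r"/w\.php\?f=\d+&e=\d+$")),
    ("Nuclear Pack", "exploitation", re.compile(r"//images/[0-9a-f]{32}\.jar$")),
    ("Nuclear Pack", "dropper", re.compile(r"/server_privileges\.php\?\w+=\w+$")),
]

# Constructed proxy log format "<client> <method> <url>"; not real traffic.
LOG_LINE = re.compile(r"^(?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+)$")

# Constructed sample log: one full Blackhole chain, one full Nuclear Pack
# chain, one client that only reached the exploitation stage, benign noise.
SAMPLE_LOG = """\
10.0.5.21 GET http://legit-news.example/article/123
10.0.5.21 GET http://kit-a.example/getJavaInfo.jar
10.0.5.21 GET http://kit-a.example/content/obe.jar
10.0.5.21 GET http://kit-a.example/w.php?f=17&e=2
10.0.5.33 GET http://kit-b.example//images/274e0118278c38ab7f4ef5f98b71d9dc.jar
10.0.5.33 GET http://kit-b.example/server_privileges.php?a1b2=7
10.0.5.40 GET http://kit-a.example/getJavaInfo.jar
10.0.5.51 GET http://cdn.example/images/logo.jar
""".splitlines()


def url_path(url):
    """Path plus query of a URL, keeping a leading double slash intact."""
    rest = url.split("://", 1)[-1]
    return rest[rest.find("/"):] if "/" in rest else "/"


def classify(url):
    """Return (kit, stage) for a URL matching a known kit stage, else None."""
    path = url_path(url)
    for kit, stage, pattern in SIGNATURES:
        if pattern.search(path):
            return kit, stage
    return None


def find_infection_chains(lines):
    """Collect stages per (client, kit); report only clients that reached
    both the exploitation and the dropper stage of the same kit."""
    stages_seen = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        tagged = classify(m.group("url"))
        if tagged:
            stages_seen[(m.group("client"), tagged[0])].add(tagged[1])
    return {key: sorted(s) for key, s in stages_seen.items()
            if {"exploitation", "dropper"} <= s}
```

Clients that only touched the exploitation stage (10.0.5.40 above) are left out of the result so that a blocked or failed exploit does not count as an infection.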