Carberp: Quietly replacing Zeus as the financial malware of choice

Discussion in 'malware problems & news' started by MrBrian, Jan 31, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://www.techrepublic.com/blog/se...-zeus-as-the-financial-malware-of-choice/4629:
     
  2. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Carberp Sniffs Out Antivirus - Computerworld
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Carberp Malware Evolution - Seculert Blog
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Sophisticated HTML and Javascript Injection of Carberp - Trustdefender
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Question is what kind of methods/protection can we employ to reduce the risk/chances of getting infected by this?
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,640
    Location:
    USA
    "Carberp’s executable chkntfs.exe is hidden. It can’t be found with Windows Explorer or by using the command line"

    I assume that this hidden chkntfs.exe is not in System32 or SysWOW64. If that is the case I would think you could set up a software restriction policy to allow that filename to only run from those locations and deny it from any other.
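A small model of the SRP path-rule idea in this post, added here as an illustration and not Microsoft's code or anything from the article: it shows how Windows Software Restriction Policies resolve competing path rules (most specific match wins), using a constructed rule set that allows chkntfs.exe only from System32 and SysWOW64 and disallows the same file name anywhere else. Hash, certificate and zone rules, which outrank path rules, are left out, and the %SystemRoot% expansion is assumed.

```python
import fnmatch

# Simplified model of Windows SRP path rules (not Microsoft code). Hash,
# certificate and zone rules, which outrank path rules, are ignored.
# The rule set, environment mapping and sample paths are constructed.
ENV = {"%SystemRoot%": r"C:\Windows"}               # assumed expansion

RULES = [
    ("Unrestricted", r"%SystemRoot%\System32\chkntfs.exe"),
    ("Unrestricted", r"%SystemRoot%\SysWOW64\chkntfs.exe"),
    ("Disallowed",   r"*\chkntfs.exe"),              # same name anywhere else
]
DEFAULT_LEVEL = "Unrestricted"                       # policy default level


def _norm(path):
    """Expand %VARS%, use forward slashes and lower-case (Windows paths are
    case-insensitive) so patterns and paths compare on equal footing."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path.replace("\\", "/").lower()


def _specificity(pattern):
    """SRP lets the most specific matching path rule win: an exact file path
    beats a wildcard rule. Modelled here as the count of literal characters."""
    return sum(1 for ch in pattern if ch not in "*?")


def evaluate(path):
    """Return (level, winning_rule) for a launch attempt at `path`;
    winning_rule is None when only the policy default applies."""
    target = _norm(path)
    matches = [(level, _norm(pattern)) for level, pattern in RULES
               if fnmatch.fnmatchcase(target, _norm(pattern))]
    if not matches:
        return DEFAULT_LEVEL, None
    return max(matches, key=lambda rule: _specificity(rule[1]))


if __name__ == "__main__":
    for p in (r"C:\Windows\System32\chkntfs.exe",
              r"C:\Users\Bob\AppData\Roaming\chkntfs.exe",
              r"C:\Windows\System32\drivers\chkntfs.exe",
              r"C:\Users\Bob\notepad.exe"):
        level, rule = evaluate(p)
        print(f"{p:45} -> {level} ({rule or 'default'})")
```

Note that the subfolder case (System32\drivers) falls to the wildcard deny, because the exact-path allow matches only that one file, and that path rules govern launches only, not a process that is already running.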
     
  7. katio

    katio Guest

    SRP would have stopped the initial dropper/virus/trojan from running. But if the user is tricked into trusting and executing that, all bets are off.

    Hiding from Task Manager means rootkit and admin privileges; most likely it will install itself deep into the Windows folder. It could even patch SRP to whitelist itself AND hide that fact from the registry/gpedit...
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A user mode rootkit could also do this. See Is Limited User Account enough? Not really... for more info.
     
  9. katio

    katio Guest

    The quote was
    "Carberp’s executable chkntfs.exe is hidden. It can’t be found with Windows Explorer or by using the command line"
    and not
    "Carberp’s executable chkntfs.exe is hidden. It can’t be found with Windows Explorer or by using the command line from within the infected user account"

    I'd be very surprised* if it was a "user mode rootkit" (what a terrible name), but let's assume it is; it would still contradict the above statement, no? That's how I'm reading it anyway.

    *because the development cost is high and you gain nothing but "security through obscurity" (from the attacker perspective ;)) and none of the rootkit advantages (like bypassing AV, HIPS, Firewall)
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Source
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The article doesn't specify if Carberp may attempt to gain admin privileges. In any event, it's a good reminder that even without admin privileges, malware can hide from other user mode programs in the infected account.
     
  12. katio

    katio Guest

    m00nbl00d
    I know, I read it. From that it's not clear if it only hides itself when it has admin rights. It could also hide itself in SUA via remote injection and such techniques, and under "root" with common rootkit techniques, or use a "user mode rootkit" in both cases. We don't know enough.
    I'm just saying what's the most common/probable scenario and by that I admit my previous conclusion could be a rash assumption.

    MrBrian,
    "Carberp can run without admin rights."
    Looks like it but that's no definite source on this matter.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, you're correct. There's not enough information, but I also wanted to point out that tools like Process Explorer could let the user know about hidden processes.

    For all we know, one of the ways could be the user being tricked into executing something in user space, and this process getting administrator privileges using this easy way, which is still unpatched, AFAIK.

    -edit-

    After all, how difficult is it to make most users run something, believing they need it? It happens all the time. :(
     
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I took a ride over to kernelmode.info; there's no thread on it yet, but people are seeking samples.

    Would be nice to hear about specifics.
     
  15. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    I ran into some of the plug-ins Carberp has while doing some malware research (password.plug and stopav.plug), and both of them had very low detection via sigs. Most of them were detected via the AV's heuristic engine.
     
  16. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.