Carberp: Quietly replacing Zeus as the financial malware of choice

Discussion in 'malware problems & news' started by MrBrian, Jan 31, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://www.techrepublic.com/blog/se...-zeus-as-the-financial-malware-of-choice/4629:
     
  2. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Carberp Sniffs Out Antivirus - Computerworld
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Carberp Malware Evolution - Seculert Blog
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Sophisticated HTML and Javascript Injection of Carberp - Trustdefender
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    Question is what kind of methods/protection can we employ to reduce the risk/chances of getting infected by this?
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    "Carberp’s executable chkntfs.exe is hidden. It can’t be found with Windows Explorer or by using the command line"

    I assume that this hidden chkntfs.exe is not in System32 or SysWOW64. If that is the case I would think you could set up a software restriction policy to allow that filename to only run from those locations and deny it from any other.
     
  7. katio

    katio Guest

    SRP would have stopped the initial dropper/virust/trojan from running. But if the user is tricked into trusting and executing that all bets are off.

    Hiding from taskmanager means rootkit and admin privileges, most likely it will install itself deep into the Windows folder. It could even patch SRP to whitelist itself AND hide that fact from the registry/gpedit...
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    A user mode rootkit could also do this. See Is Limited User Account enough? Not really... for more info.
     
  9. katio

    katio Guest

    The quote was
    "Carberp’s executable chkntfs.exe is hidden. It can’t be found with Windows Explorer or by using the command line"
    and not
    "Carberp’s executable chkntfs.exe is hidden. It can’t be found with Windows Explorer or by using the command line from within the infected user account"

    I'd very surprised* if it was a "user mode rootkit" (what a terrible name) but let's assume it is, it would still contradict above statement, no? That's how I'm reading it anyway.

    *because the development cost is high and you gain nothing but "security through obscurity" (from the attacker perspective ;)) and none of the rootkit advantages (like bypassing AV, HIPS, Firewall)
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Source
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The article doesn't specify if Carberp may attempt to gain admin privileges. In any event, it's a good reminder that even without admin privileges, malware can hide from other user mode programs in the infected account.
     
  12. katio

    katio Guest

    m00nbl00d
    I know, I read it. From that it's not clear if it only hides itself when it got admin rights. It could also hide itself in SUA via remote injection and such techniques and under "root" with common rootkit techniques or use "user mode rootkit" in both cases. We don't know enough.
    I'm just saying what's the most common/probable scenario and by that I admit my previous conclusion could be a rash assumption.

    MrBrian,
    "Carberp can run without admin rights."
    Looks like it but that's no definite source on this matter.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, you're correct. There's not enough information, but I also wanted to point out that tools like Process Explorer could let the user know about hidden processes.

    For all we know, one of the ways could be the user be tricked into executing something to user space, and this process get administrator privileges using this easy way, still unpatched, AFAIK.

    -edit-

    After all, how difficult is it to make most users run something, believing they need it? It happens all the time. :(
     
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I took a ride happyrider.gif over to kernelmode.info, there's no thread on it yet but people are seeking samples.

    Would be nice to hear about specifics. drool.gif
     
  15. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    I ran into some of the plug-ins Carberp has while doing some malware research (password.plug and stopav.plug) and both of them had very low detection via sigs. Most of them were detected via the av's heru engine.
     
  16. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
Loading...
Thread Status:
Not open for further replies.