Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
We included three threat families in the November edition of the Microsoft Malicious Software Removal Tool - Win32/Carberp, Win32/Cridex and Win32/Dofoil. In this post, we discuss Win32/Carberp.
The first variant of Win32/Carberp was discovered early last year. This malware has evolved from a trojan downloader that downloads an additional password stealer, such as PWS:Win32/Ldpinch, to a full-fledged banking trojan and user-mode rootkit with the ability to load malicious plugins on-the-fly. One distribution method of Win32/Carberp is through drive-by downloads, which can occur when users visit compromised websites or follow spammed links to the malicious webpage. Some of these websites host exploit kits, like JS/Blacole, to install Win32/Carberp in the background on vulnerable computers.
Upon installation, there is no registry data added; however an executable is copied into the Windows startup folder so that it will run when the user logs on to system. The malware file name can appear legitimate (e.g. ‘igfxtray.exe’). However, Win32/Carberp chooses to go one step further, by hiding the executable using its user-mode rootkit code, which hooks ZwQueryDirectoryFile.
The hooking method Win32/Carberp used is not that obvious, because it replaces the pointer to ‘SharedUserData!SystemCallStub’ instead of placing a ‘jmp’ instruction. Under Windows XP SP3 32-bit system, it would look like the following:
Please refer to our Win32/Carberp family description for specific details about the plugins, which are additional to its main functionality - stealing banking credentials.
The command and control (C&C) server can push configuration data that contains a list of targeted online banking sites, and code to inject into HTML pages that are returned to the victim's web browser. This method is known as Man-in-the-Browser (MitB); what you see in the browser is not what is actually returned from the website. Though the configuration is encrypted, after decryption one of records appears as the following: