Thread: Carberp: Quietly replacing Zeus as the financial malware of choice

  1. #1
    ~BD~ Guest

    Carberp: Quietly replacing Zeus as the financial malware of choice

    Bad guys know any public exposure is not in their best interest. So,
    with Zeus becoming a household word and the recent arrests, they know it's
    time to move on. Meet Carberp, a relatively unknown financial malware.
    Where do they get these names?
    Carberp has the capacity to use both general and targeted attacks. It
    also has new capabilities, making it deadlier than Zeus. The following
    are some of the new features found in Carberp:

    a.. Carberp does not require admin rights to run; it resides in
    memory.
    b.. It's capable of infecting Windows XP, Windows Vista, and Windows
    7.
    c.. It's designed to control all Internet traffic, including HTTPS
    using EV-SSL.
    d.. Stolen data is transmitted to command and control servers before
    it's sent to the financial web site. That negates any advantage of using
    one-time passwords.
    It's scary, knowing Carberp can run without admin rights. It also means
    Carberp must reactivate itself after a system restart. It accomplishes
    this by copying the required process to the startup section of the
    currently logged-in user.

    Normally, that would make a file easy to find. But, Carberp's executable
    chkntfs.exe is hidden. It can't be found with Windows Explorer or by
    using the command line.

    Thankfully, the way Carberp hides is also its Achilles Heel (I'll
    explain later).

    Carberp removes other malware!
    Read: http://blogs.techrepublic.com.com/se...29&tag=nl.e036



  2. #2
    Peter Foldes Guest

    Re: Carberp: Quietly replacing Zeus as the financial malware of choice

    David

    chkntfs.exe is a valid MS file residing in the System\32 file on the C:\ drive on my
    Server. My version is 5.2.3790.0 on this Server machine and it was installed with
    the OS when I installed it in 2002. The actual name of the file is NTFS Volume
    Maintenance Utility.

    May I ask you David, why on earth did you crosspost and multipost this as per below?

    --
    Peter
    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://www.microsoft.com/protect


    "~BD~" <~BD~@nomail.afraid.org> wrote in message
    news:i9kfp3$bok$1@news.eternal-september.org...
    > Bad guys know any public exposure is not in their best interest. So, with Zeus
    > becoming a household word and the recent arrests, they know it's time to move on.
    > Meet Carberp, a relatively unknown financial malware. Where do they get these
    > names?
    > Carberp has the capacity to use both general and targeted attacks. It also has new
    > capabilities, making it deadlier than Zeus. The following are some of the new
    > features found in Carberp:
    >
    > a.. Carberp does not require admin rights to run; it resides in memory.
    > b.. It's capable of infecting Windows XP, Windows Vista, and Windows 7.
    > c.. It's designed to control all Internet traffic, including HTTPS using EV-SSL.
    > d.. Stolen data is transmitted to command and control servers before it's sent to
    > the financial web site. That negates any advantage of using one-time passwords.
    > It's scary, knowing Carberp can run without admin rights. It also means Carberp
    > must reactivate itself after a system restart. It accomplishes this by copying the
    > required process to the startup section of the currently logged-in user.
    >
    > Normally, that would make a file easy to find. But, Carberp's executable
    > chkntfs.exe is hidden. It can't be found with Windows Explorer or by using the
    > command line.
    >
    > Thankfully, the way Carberp hides is also its Achilles Heel (I'll explain later).
    >
    > Carberp removes other malware!
    > Read: http://blogs.techrepublic.com.com/se...29&tag=nl.e036
    >



  3. #3
    Ant Guest

    Re: Carberp: Quietly replacing Zeus as the financial malware of choice

    "~BD~" wrote:

    > It's scary, knowing Carberp can run without admin rights.


    Maybe it can but it'll have trouble hiding without them and it does
    attempt privilege escalation.

    > It also means
    > Carberp must reactivate itself after a system restart. It accomplishes
    > this by copying the required process to the startup section of the
    > currently logged-in user.
    >
    > Normally, that would make a file easy to find. But, Carberp's executable
    > chkntfs.exe is hidden. It can't be found with Windows Explorer or by
    > using the command line.


    That may depend on the OS. The sample I have contains exploits, one of
    which was patched in MS08-025 "...addresses several vulnerabilities in
    win32k.sys where you can execute arbitrary code in kernel mode". The
    sample actually contains code which will only run in the kernel and
    appears to manipulate the system service descriptor table (contains
    information about ntoskrnl.exe versions of Nt/Zw... routines).

    > Thankfully, the way Carberp hides is also its Achilles Heel (I'll
    > explain later).


    He didn't explain but low-level routines like NtQueryDirectoryFile are
    hooked. This is easy to do if the exploit worked and the malware does
    it from the kernel. However, I was under the impression that in newer
    versions of Windows (where this exploit won't work) hooking system
    routines from user-mode (in ntdll, rather than ntoskrnl) is not
    possible. Perhaps I'm wrong about that. In any case, logging in as
    admin and deleting the malware from the affected account's startup
    directory is the way to deal with it.
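    A defender-side check for the persistence point Ant describes, added here as an example and not part of this thread: from an account other than the affected one (an admin account, as Ant suggests, so a user-mode hider in that session is not in the way), list every profile's Startup folder and flag executables whose names collide with a genuine System32 binary, as chkntfs.exe does. The profile paths are assumed to be the default Windows XP and Vista/7 layouts.

```powershell
# Added example (not from the thread): enumerate each user profile's Startup folder
# and flag executables that shadow a legitimate System32 binary such as chkntfs.exe.
# Run from an elevated prompt in a different account than the suspect one.
# Assumption: default profile layout for XP (Documents and Settings) and Vista/7 (Users).

$startupSuffixes = @(
    'Start Menu\Programs\Startup',                                   # Windows XP
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'  # Vista / 7
)
$profileRoots = @("$env:SystemDrive\Documents and Settings", "$env:SystemDrive\Users")
$system32     = Join-Path $env:SystemRoot 'System32'

$findings = foreach ($root in $profileRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $profiles = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer }
    foreach ($profile in $profiles) {
        foreach ($suffix in $startupSuffixes) {
            $startup = Join-Path $profile.FullName $suffix
            if (-not (Test-Path -LiteralPath $startup)) { continue }
            # -Force includes hidden/system files; if a kernel hook on NtQueryDirectoryFile
            # is active in the current session, even this listing can be filtered, which
            # is why the check belongs in a separate (admin) account.
            Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|scr|com)$' } |
              ForEach-Object {
                $twin = Join-Path $system32 $_.Name      # same name as a real system file?
                $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    User            = $profile.Name
                    Path            = $_.FullName
                    Hidden          = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    ShadowsSystem32 = Test-Path -LiteralPath $twin
                    Signature       = $sig.Status
                    Signer          = $sig.SignerCertificate.Subject
                }
              }
        }
    }
}

# Anything that both shadows a System32 name and is unsigned sits at the top of the list.
$findings | Sort-Object ShadowsSystem32, Hidden -Descending | Format-Table -AutoSize
```

Entries that shadow a System32 name but carry no valid Microsoft signature are the ones to remove from that account's Startup folder, as Ant advises.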



  4. #4
    Dustin Guest

    Re: Carberp: Quietly replacing Zeus as the financial malware of choice

    "~BD~" <~BD~@nomail.afraid.org> wrote in
    news:i9kfp3$bok$1@news.eternal-september.org:

    > c.. It's designed to control all Internet traffic, including HTTPS
    > using EV-SSL.


    Great; it has to establish itself in the tcpip stack. Another place to
    look for oddness.

    > d.. Stolen data is transmitted to command and control servers
    > before
    > it's sent to the financial web site. That negates any advantage of
    > using one-time passwords.


    So the servers can be taken down and neuter the malware. These guys
    should take a lesson from bittorrent.

    > It's scary, knowing Carberp can run without admin rights. It also
    > means Carberp must reactivate itself after a system restart. It
    > accomplishes this by copying the required process to the startup
    > section of the currently logged-in user.


    I don't understand why this guy is scared. If you're a limited user and
    you click an icon, that program runs. Should I then be scared because
    firefox will run when I ask it to? Startup section of the current
    user? Ohh... So what happens when another user with admin rights
    logs in BD? This magical thing going to come alive again?

    > Normally, that would make a file easy to find. But, Carberp's
    > executable chkntfs.exe is hidden. It can't be found with Windows
    > Explorer or by using the command line.


    I smell... (You know this one!) bull****!
    If it's not resident, i.e. I didn't sign on with the affected account,
    how is it able to still hide, BD?



    --
    Some people are like a Slinky. Not much good for anything, but you
    can't help but smile when one tumbles down the stairs.

  5. #5
    Dustin Guest

    Re: Carberp: Quietly replacing Zeus as the financial malware of choice

    "Ant" <not@home.today> wrote in
    news:yMednahPO6F7eSDRnZ2dnUVZ8r2dnZ2d@brightview.co.uk:

    > "~BD~" wrote:
    >
    >> It's scary, knowing Carberp can run without admin rights.

    >
    > Maybe it can but it'll have trouble hiding without them and it does
    > attempt privilege escalation.
    >
    >> It also means
    >> Carberp must reactivate itself after a system restart. It
    >> accomplishes this by copying the required process to the startup
    >> section of the currently logged-in user.
    >>
    >> Normally, that would make a file easy to find. But, Carberp's
    >> executable chkntfs.exe is hidden. It can't be found with Windows
    >> Explorer or by using the command line.

    >
    > That may depend on the OS. The sample I have contains exploits, one
    > of which was patched in MS08-025 "...addresses several
    > vulnerabilities in win32k.sys where you can execute arbitrary code
    > in kernel mode". The sample actually contains code which will only
    > run in the kernel and appears to manipulate the system service
    > descriptor table (contains information about ntoskrnl.exe versions
    > of Nt/Zw... routines).
    >
    >> Thankfully, the way Carberp hides is also its Achilles Heel (I'll
    >> explain later).

    >
    > He didn't explain but low-level routines like NtQueryDirectoryFile
    > are hooked. This is easy to do if the exploit worked and the malware
    > does it from the kernel. However, I was under the impression that in
    > newer versions of Windows (where this exploit won't work) hooking
    > system routines from user-mode (in ntdll, rather than ntoskrnl) is
    > not possible. Perhaps I'm wrong about that. In any case, logging in
    > as admin and deleting the malware from the affected account's
    > startup directory is the way to deal with it.
    >
    >
    >


    Thanks for your review Ant. I suspected as much.


    --
    Some people are like a Slinky. Not much good for anything, but you
    can't help but smile when one tumbles down the stairs.

  6. #6
    Peter Foldes Guest

    Re: Carberp: Quietly replacing Zeus as the financial malware of choice

    > Thankfully, the way Carberp hides is also its Achilles Heel (I'll
    > explain later).


    David

    Please do. Very interested in what you say and think about it.
    --
    Peter
    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://www.microsoft.com/protect


  7. #7
    FromTheRafters Guest

    Re: Carberp: Quietly replacing Zeus as the financial malware of choice

    "Peter Foldes" <okf22@hotmail.com> wrote in message
    news:i9krdm$gmf$1@speranza.aioe.org...
    >> Thankfully, the way Carberp hides is also its Achilles Heel (I'll
    >> explain later).

    >
    > David
    >
    > Please do. Very interested in what you say and think about it.


    He was quoting again (from the link provided), without specifically
    saying so.

    It brings to mind something many people will continue to overlook, that
    is that stolen user mode processing power (even sandboxed user mode
    processing power) can be nearly as valuable to the thieves as admin mode
    processing power. If a user mode, update capable botnet, can remain
    active long enough, it can escalate its privilege and adopt worm
    characteristics when the next vulnerability presents itself. It only
    really needs admin level to increase its persistence through stealth and
    reboot survivability.

    Unfortunately, the existence of an admin account does not guarantee the
    existence of an administrator.




  8. #8
    Peter Foldes Guest

    Re: Carberp: Quietly replacing Zeus as the financial malware of choice

    > He was quoting again (from the link provided), without specifically saying so.

    I was aware of this and that is why my question to him. Unfortunately he keeps on
    repeating this bad posting habit.


    > It brings to mind something many people will continue to overlook, that is that
    > stolen user mode processing power (even sandboxed user mode processing power) can
    > be nearly as valuable to the thieves as admin mode processing power. If a user
    > mode, update capable botnet, can remain active long enough, it can escalate its
    > privilege and adopt worm characteristics when the next vulnerability presents
    > itself. It only really needs admin level to increase its persistence through
    > stealth and reboot survivability.


    It is not that people overlook but rather they are ignorant of this fact.


    > Unfortunately, the existence of an admin account does not guarantee the existence
    > of an administrator.


    No sir, it does not.


    --
    Peter
    Please Reply to Newsgroup for the benefit of others
    Requests for assistance by email can not and will not be acknowledged.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    http://www.microsoft.com/protect


    "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
    news:i9kvlj$ca0$1@news.eternal-september.org...
    > "Peter Foldes" <okf22@hotmail.com> wrote in message
    > news:i9krdm$gmf$1@speranza.aioe.org...



  9. #9
    FromTheRafters Guest

    Re: Carberp: Quietly replacing Zeus as the financial malware of choice

    "Peter Foldes" <okf22@hotmail.com> wrote in message
    news:i9lass$fd3$1@speranza.aioe.org...
    >> He was quoting again (from the link provided), without specifically
    >> saying so.

    >
    > I was aware of this and that is why my question to him. Unfortunately he
    > keeps on repeating this bad posting habit


    :D

    >> It brings to mind something many people will continue to overlook, that
    >> is that stolen user mode processing power (even sandboxed user mode
    >> processing power) can be nearly as valuable to the thieves as admin mode
    >> processing power. If a user mode, update capable botnet, can remain
    >> active long enough, it can escalate its privilege and adopt worm
    >> characteristics when the next vulnerability presents itself. It only
    >> really needs admin level to increase its persistence through stealth and
    >> reboot survivability.

    >
    > It is not that people overlook but rather they are ignorant to this fact


    Yes, and because many are too focused on recovery rather than prevention.
    Making recovery easy or even automatic does not prevent them from stealing
    clock cycles during a session; they should focus less on what harm they can
    do *to* their computer and focus more on what harm they can do *with* their
    computer.

    >> Unfortunately, the existence of an admin account does not guarantee the
    >> existence of an administrator.

    >
    > No sir it does not

    :)


