But also Win32/Cridex and Win32/Dofoil in addition to Win32/Carberp

Nov 9, 2011 13:44 GMT  ·  By

Win32/Carberp is one of the latest threats that the Microsoft Malicious Software Removal Tool has evolved to hunt down, according to Shawn Wang, MMPC.

Almost two years after it was initially discovered, the attackers behind Carberp have transformed the malware from a downloader into a banking trojan and user-mode rootkit, Wang said.

Even back in 2010, Carberp was a part of attacks designed to steal sensitive user data, but it had to first download the PWS:Win32/Ldpinch password stealer. This is no longer the case.

“One distribution method of Win32/Carberp is through drive-by downloads, which can occur when users visit compromised websites or follow spammed links to the malicious webpage. Some of these websites host exploit kits, like JS/Blacole, to install Win32/Carberp in the background on vulnerable computers,” Wang notes.

Carberp uses a combination of techniques in order to infect a machine, starting with adding an executable to the Windows startup folder, and then hooking into a few APIs including ZwQueryDirectoryFile and ZwResumeThread.

“Aside from the rootkit component, another thing that makes Win32/Carberp interesting is its ability to download and run plugins from a remote server without dropping files to the local computer. The plugins are XOR-encrypted during the transfer process,” Wang added.

“There are three major plugins that are loaded within a newly created daemon process (e.g. svchost.exe): passw.plug: password stealer, miniav.plug: removes competing malware and stopav.plug: stops and removes antivirus or security components.”
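A point worth pulling out for analysts is that XOR-encrypted transfers are cheap to unpick once a sample of the traffic has been captured. The block below is an added example (not MMPC's code and not taken from the article) of the triage step a defender performs on such a capture: it tries every single-byte key and scores each candidate plaintext on whether it looks like a Windows executable (the `MZ` signature, the DOS-stub string, and a valid `e_lfanew` pointer to `PE\0\0`). The single-byte key length, the scoring weights and the constructed "captured" blob are assumptions for the example; the article only states that the plugins are XOR-encrypted in transit.

```python
# Added example: recover a single-byte XOR key from a captured plugin blob by
# looking for PE-file structure in the candidate plaintext.  The article says
# the plugins are XOR-encrypted; the single-byte key is an assumption here.

PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
PE_SIGNATURE = b"PE\0\0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def score_candidate(plain: bytes) -> int:
    """Return a heuristic score for how much `plain` resembles a PE image.

    Each structural feature adds to the score; an arbitrary blob scores 0.
    """
    score = 0
    if plain[:2] == PE_MAGIC:
        score += 10
    if DOS_STUB in plain:
        score += 20
    # e_lfanew (offset 0x3C, little-endian DWORD) points at the "PE\0\0" signature.
    if len(plain) >= 0x40:
        e_lfanew = int.from_bytes(plain[0x3C:0x40], "little")
        if 0 < e_lfanew <= len(plain) - 4 and plain[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            score += 30
    return score


def recover_xor_key(blob: bytes):
    """Try all 256 single-byte keys; return (key, plaintext) for the best
    PE-looking candidate, or None if no key yields any PE feature."""
    best = None  # (score, key, plaintext)
    for key in range(256):
        plain = xor_bytes(blob, key)
        score = score_candidate(plain)
        if score and (best is None or score > best[0]):
            best = (score, key, plain)
    if best is None:
        return None
    return best[1], best[2]


def build_sample_pe_stub() -> bytes:
    """Constructed stand-in for a downloaded plugin: a minimal PE-shaped header,
    not a real or runnable executable."""
    dos_header = bytearray(0x40)
    dos_header[:2] = PE_MAGIC
    dos_header[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> 0x80
    stub = bytearray(0x80 - 0x40)
    stub[:len(DOS_STUB)] = DOS_STUB
    return bytes(dos_header) + bytes(stub) + PE_SIGNATURE + bytes(20)


# Constructed "network capture": the sample stub XOR-encrypted with key 0x5A.
CAPTURED_BLOB = xor_bytes(build_sample_pe_stub(), 0x5A)


if __name__ == "__main__":
    result = recover_xor_key(CAPTURED_BLOB)
    if result is None:
        print("no PE-looking plaintext found under any single-byte key")
    else:
        key, plain = result
        print(f"recovered key 0x{key:02X}; plaintext starts {plain[:2]!r}")
```

The scoring deliberately rewards the `e_lfanew` check most heavily: a two-byte `MZ` match can occur by chance, but a correct pointer into a `PE\0\0` signature almost never does. If the result is `None`, the key is longer than one byte or the payload is not a PE image at all, and the capture needs a different decoder rather than a lower threshold.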

Carberp receives its instructions from a command and control (C&C) server, and is designed to target specific banks.

In a typical attack, the user navigates to a targeted banking website and the malware injects its own code into the HTML pages returned to the user, the Man-in-the-Browser (MitB) method. The injected code is designed to hijack the user’s login session and steal sensitive data.

According to Wang, the latest release of MSRT also tackles two additional pieces of malware, Win32/Cridex and Win32/Dofoil.

Win32/Cridex is also designed to steal sensitive data from end users, including capturing online banking credentials entered in the browser, but it is capable of performing a range of additional malicious actions.

The Win32/Dofoil designation is used to refer to a family of trojans which can download and execute malicious files on infected computers.

The Microsoft Malicious Software Removal Tool (MSRT) is available for download here.