Malware 2 - from infection to persistence
(Publication) Google search: [1]
| Malware 2 - from infection to persistence | |
|---|---|
| Botnet | Carberp |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / 2012-01 |
| Editor/Conference | Context |
| Link | http://www.contextis.com/research/blog/malware2/ (Archive copy) |
| Author | Mark Nicholls |
| Type | |
Abstract
“ In my previous posting, a malicious PDF was analysed that originated from a targeted email campaign that exposed a number of users to infection. The PDF file implemented standard exploitation techniques to exploit issues in Adobe PDF reader to download an executable from a known malicious URL (Malware 1 - From Exploit to Infection). In this post I will look at how the malware sample persists on the infected host using stealth, anti-debugging and common userland hooking and rootkit techniques.
The initial analysis of this sample identified that the subsequent download was in fact a dangerous data theft Trojan known as Carberp. This Trojan is primarily associated with financial and data theft and has been compared to the more prevalent ZeuS and SpyEye families. This is due to the similar data exfiltration capabilities of the Carberp family.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR813,
editor = {Context},
author = {Mark Nicholls},
title = {Malware 2 - from infection to persistence},
date = {01},
month = Jan,
year = {2012},
howpublished = {\url{http://www.contextis.com/research/blog/malware2/}},
}