Malware 2 - from infection to persistence

From Botnets.fr
Jump to navigation Jump to search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

Malware 2 - from infection to persistence
Botnet Carberp
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2012 / 2012-01
Editor/Conference Context
Link http://www.contextis.com/research/blog/malware2/ (Archive copy)
Author Mark Nicholls
Type

Abstract

In my previous posting, a malicious PDF was analysed that originated from a targeted email campaign that exposed a number of users to infection. The PDF file implemented standard exploitation techniques to exploit issues in Adobe PDF reader to download an executable from a known malicious URL (Malware 1 - From Exploit to Infection). In this post I will look at how the malware sample persists on the infected host using stealth, anti-debugging and common userland hooking and rootkit techniques.

The initial analysis of this sample identified that the subsequent download was in fact a dangerous data theft Trojan known as Carberp. This Trojan is primarily associated with financial and data theft and has been compared to the more prevalent ZeuS and SpyEye families. This is due to the similar data exfiltration capabilities of the Carberp family.

Bibtex

 @misc{Nicholls2012BFR813,
   editor = {Context},
   author = {Mark Nicholls},
   title = {Malware 2 - from infection to persistence},
   date = {01},
   month = Jan,
   year = {2012},
   howpublished = {\url{http://www.contextis.com/research/blog/malware2/}},
 }