Trojan Carberp

11 Oct 2010 Guido Landi carberp trojan zeus
I'm interested in infostealers, and specifically in banking trojans, so I didn't want to miss this one. Samples of Carberp have been floating around at least since last spring, but in late September we saw their numbers increase. Looking at how Carberp hooks APIs, it looks like yet another Zeus "clone". What I found interesting is how it hooks system calls.

This is what a normal syscall stub in 32-bit ntdll looks like (0x7FFE0300 is the SystemCall pointer in KUSER_SHARED_DATA, which normally points at KiFastSystemCall; the syscall id differs between Windows versions):

    MOV  EAX, 0xCE           ; ZwResumeThread syscall id
    MOV  EDX, 0x7FFE0300     ; pointer to KiFastSystemCall
    CALL DWORD PTR DS:[EDX]
    RETN 0x8

And this is what the hooked syscall looks like
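As an added example (not code from the original post, and not Carberp's own hook), here is a byte-level check for the clean stub pattern above. It encodes the ZwResumeThread stub as bytes and compares any candidate stub against the fixed parts of the pattern (MOV EAX imm32, MOV EDX 0x7FFE0300, CALL [EDX], RETN imm16); anything that deviates is reported as tampered. The two "hooked" samples are constructed for illustration: a generic JMP rel32 written over the first instruction, and a stub whose EDX is loaded with an address other than the shared-data pointer. Neither is a claim about how Carberp's hook actually looks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Expected layout of an unhooked 32-bit ntdll syscall stub:
 *   B8 id id id id   MOV EAX, syscall_id
 *   BA 00 03 FE 7F   MOV EDX, 0x7FFE0300   (KUSER_SHARED_DATA.SystemCall)
 *   FF 12            CALL DWORD PTR [EDX]
 *   C2 nn 00         RETN imm16
 */
#define STUB_LEN 15

/* Constructed sample: the ZwResumeThread stub from the post, byte-encoded. */
const uint8_t kCleanStub[STUB_LEN] = {
    0xB8, 0xCE, 0x00, 0x00, 0x00,   /* MOV EAX, 0xCE */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* MOV EDX, 0x7FFE0300 */
    0xFF, 0x12,                     /* CALL DWORD PTR [EDX] */
    0xC2, 0x08, 0x00                /* RETN 8 */
};

/* Constructed sample of a generic inline hook: MOV EAX overwritten with
 * JMP rel32 (E9 xx xx xx xx). Assumed illustration, not the Carberp hook. */
const uint8_t kJmpHookedStub[STUB_LEN] = {
    0xE9, 0x11, 0x22, 0x33, 0x44,
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x08, 0x00
};

/* Constructed sample: id intact, but EDX no longer points at the shared-data
 * SystemCall pointer, so CALL [EDX] goes somewhere else. Also an assumption. */
const uint8_t kRedirectedStub[STUB_LEN] = {
    0xB8, 0xCE, 0x00, 0x00, 0x00,
    0xBA, 0x00, 0x10, 0x40, 0x00,   /* MOV EDX, 0x00401000 */
    0xFF, 0x12,
    0xC2, 0x08, 0x00
};

/* Returns the syscall id if `stub` matches the clean pattern, or -1 if any of
 * the fixed bytes differ, the stub is too short, or the id is implausible. */
int syscall_stub_id(const uint8_t *stub, size_t len)
{
    static const uint8_t mov_edx_call[] = {0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12};

    if (stub == NULL || len < STUB_LEN) return -1;
    if (stub[0] != 0xB8) return -1;                                 /* MOV EAX, imm32 */
    if (memcmp(stub + 5, mov_edx_call, sizeof mov_edx_call) != 0) return -1;
    if (stub[12] != 0xC2 || stub[14] != 0x00) return -1;            /* RETN imm16, high byte 0 */

    uint32_t id = (uint32_t)stub[1] | ((uint32_t)stub[2] << 8)
                | ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
    /* Real syscall ids are small; treat anything huge as tampered. */
    return id > 0x7FFFFFFFu ? -1 : (int)id;
}

/* 1 if the stub deviates from the clean pattern, 0 if it is intact. */
int syscall_stub_is_hooked(const uint8_t *stub, size_t len)
{
    return syscall_stub_id(stub, len) < 0;
}

int main(void)
{
    printf("clean:      id=%d hooked=%d\n",
           syscall_stub_id(kCleanStub, STUB_LEN), syscall_stub_is_hooked(kCleanStub, STUB_LEN));
    printf("jmp hook:   id=%d hooked=%d\n",
           syscall_stub_id(kJmpHookedStub, STUB_LEN), syscall_stub_is_hooked(kJmpHookedStub, STUB_LEN));
    printf("redirected: id=%d hooked=%d\n",
           syscall_stub_id(kRedirectedStub, STUB_LEN), syscall_stub_is_hooked(kRedirectedStub, STUB_LEN));
    return 0;
}
```

On a live system the bytes to feed `syscall_stub_id` would be read from the export address of each Zw*/Nt* function in the loaded ntdll, and a more robust check compares them against the on-disk image rather than a fixed pattern, since the stub shape differs for Wow64 processes and for newer Windows versions.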