In the first part of this two part blog post, the issue of anticipating retaliation during an aggressive battle to wrest control of a DDoS botnet was examined. In this part, the issues of dual standards, taking responsibility, and learning lessons to make positive change over time are examined.
Read full post here…
The first one writing about this new threat was Marco Giuliani. So, Murofet or Zeus++?
Taking a look at a couple of samples we were able to identify:
Same API hooks Same encryption routine for configuration file (RC4) Pretty much the same configuration file format Here you can take a look at a decrypted configuration file. It’s possible to realize that it makes use of the same block-based structure of Zeus configuration files.
I’m interested in infostealers and specifically in banking-trojans so I didn’t want to miss this one. Samples of Carberp are floating around at least since last spring but in late September we saw such numbers increasing.
Taking a look at how Carberp hooks API it looks like yet another Zeus “clone”. What I found interesting is how it hooks system calls. This is how a normal syscall looks like
MOV EAX,0xce // ZwResumeThread syscall id MOV EDX,0x7FFE0300 // pointer to KiFastSystemCall CALL DWORD PTR DS:[EDX] RETN 0x8 And this is how the hooked syscall looks like