The first to write about this new threat was Marco Giuliani. So, Murofet or Zeus++?
Taking a look at a couple of samples we were able to identify:
- Same API hooks
- Same encryption routine for configuration file (RC4)
- Pretty much the same configuration file format
I'm interested in infostealers, and specifically in banking trojans, so I didn't want to miss this one. Samples of Carberp have been floating around at least since last spring, but in late September we saw their numbers increase.
Taking a look at how Carberp hooks APIs, it looks like yet another Zeus "clone". What I found interesting is how it hooks system calls. This is what a normal syscall looks like:
- "it bypasses DEP and ASLR using impressive tricks and unusual methods" - Vupen
- "it uses a previously unpublished technique to bypass ASLR" - Metasploit Blog
- "exploit uses the ROP technique to bypass the ASLR and DEP" - ZDnet/Kaspersky
I'll tell you the truth: Export Address Table Filtering, the feature of the upcoming release of EMET, "designed to break nearly all shell code in use today", intrigued me a bit.