After our latest blog on Carberp and the Black Hole exploit pack, we thought it would be useful to aggregate the material we've published to date on the topic into a single paper. That actually went up on the white papers page yesterday, but Aleksandr suggested adding some material that we thought would make it (even) more interesting, so version 1.1 has gone up there this evening. (Thanks to Aaron for responding so promptly to a quite unreasonable avalanche of material over a very short timeframe!)
The paper is here: Win32/Carberp: When You're in a Black Hole, Stop Digging. Here, for background information, is the introduction, since it summarizes the content.
ESET and Group-IB researchers have seen and analysed a good deal of Russian malware, but some of the most interesting examples have been malicious programs that steal money from Remote Banking Systems (RBS), targeting major companies that carry out thousands of financial transactions a day. This type of malware was discussed at some length in a presentation at CARO 2011 on “Cybercrime in Russia: Trends and issues” and some later presentations.
In November 2011, we examined some interesting modifications to Win32/Carberp, discussing the use of the Zerokit bootkit builder (also associated with the Rovnix bootkit) and considering the likelihood that the gang concerned is developing more effective ways of evading antivirus detection.
In December, we published another blog discussing the dramatic rise in Carberp-related incidents, linking it with the Black Hole exploit kit and with the parallel development and evolution of SpyEye. Together these show how cybercriminal activity targeting various payment systems has been growing and evolving, in Russia in particular.
This paper summarizes this information in a single document, and also includes a resources list for further reading.
Version 1.1 of this document also includes some slides from a presentation by Aleksandr Matrosov and Eugene Rodionov for the Zero Nights conference in November 2011, as they present some interesting sidelights on the Carberp modus operandi. The resources section has also been slightly expanded.
We have no immediate plans to update it again (unless someone spots a horrible error), so it's quite safe to download it now. :)
David Harley CITP FBCS CISSP
ESET Senior Research Fellow