May 17, 2013 By Dancho Danchev

Commercial ‘form grabbing’ rootkit spotted in the wild

Trust is vital. It is also the cornerstone of the growth of e-commerce in general, largely thanks to the mass acceptance of a trusted model for processing financial data and personally identifiable information. For years, the acceptance and mass implementation of PKI (Public Key Infrastructure) has been a driving force behind a pseudo-secure B2C, B2B, and B2G electronic marketplace, connecting the world’s economies in a global ecosystem that operates 24/7/365.

The bad news? Once the integrity of a host or a mobile device has been compromised, SSL, along with virtually every two-factor authentication mechanism, is bypassed by the cybercriminals who compromised the host/device: the malware reads form contents inside the browser before they are encrypted, and a one-time code typed into a login form is captured the same way. Users are left with a ‘false sense of security’.

In this post, I’ll profile a recently advertised commercial ‘form grabbing’ rootkit that is capable of ‘grabbing’ virtually any form data transmitted over SSL.

More details:

Sample screenshots of the DIY form grabbing rootkit in action:


Coded in C++ according to its author, it has Ring 3 rootkit functionality (it runs in user mode, inside the processes it infects, with no kernel driver) and currently supports Windows XP/Vista/7/8. The price? $75. Potential customers don’t get a DIY builder, but a bin file that is individually crypted per customer. Surprisingly, customers will get the updates over email. Next to the built-in rootkit functionality, the ‘form grabbing’ rootkit also takes advantage of ‘Smart API hooking’, and only hooks the functions responsible for transmitting form-related data, making it extremely fast and efficient, according to its author. Hooking those functions in user mode is precisely what makes SSL irrelevant to the grabber: the form contents pass through them in plaintext before the browser encrypts them.
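The practical consequence of ‘smart API hooking’ is that the evidence lives in user-mode memory: the first bytes of the hooked function are overwritten with a jump into the grabber’s code. The following is an added example of the check an analyst would run on a suspect browser process, not code from the post or from the rootkit being described. The post does not name which APIs are hooked, so the example classifies prologue bytes generically; the sample prologues, addresses and module range are constructed for illustration, and the trampoline shapes are the common inline-hook patterns on x86/x64, not anything attributed to this particular product.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What a ring 3 (user-mode) inline hook leaves behind: the first bytes of the
 * target function are overwritten with a jump into the grabber's own code.
 * These are the common trampoline shapes; any of them at the entry of a
 * network-sending API inside a browser process deserves a closer look. */
enum hook_verdict {
    HOOK_CLEAN = 0,
    HOOK_JMP_REL32,         /* E9 rel32          jmp rel32               */
    HOOK_JMP_INDIRECT,      /* FF 25 disp32      jmp [disp32] / [rip+d]  */
    HOOK_PUSH_RET,          /* 68 imm32 C3       push imm32; ret         */
    HOOK_MOV_JMP,           /* B8 imm32 FF E0    mov eax, imm32; jmp eax */
    HOOK_DIFFERS_FROM_DISK  /* no known trampoline, but bytes != clean image */
};

/* Classify the prologue bytes read from a live process. */
enum hook_verdict classify_prologue(const uint8_t *mem, size_t n)
{
    if (n >= 5 && mem[0] == 0xE9)                   return HOOK_JMP_REL32;
    if (n >= 6 && mem[0] == 0xFF && mem[1] == 0x25) return HOOK_JMP_INDIRECT;
    if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) return HOOK_PUSH_RET;
    if (n >= 7 && mem[0] == 0xB8 && mem[5] == 0xFF && mem[6] == 0xE0)
                                                    return HOOK_MOV_JMP;
    return HOOK_CLEAN;
}

/* Stronger check: the bytes mapped in memory must equal the same bytes from
 * the clean on-disk image (the caller applies relocations first). A hook that
 * uses an unusual trampoline still fails this comparison. */
enum hook_verdict check_function(const uint8_t *mem, const uint8_t *disk, size_t n)
{
    enum hook_verdict v = classify_prologue(mem, n);
    if (v != HOOK_CLEAN)           return v;
    if (memcmp(mem, disk, n) != 0) return HOOK_DIFFERS_FROM_DISK;
    return HOOK_CLEAN;
}

/* Where does an E9 jmp placed at address `at` land? rel32 is relative to the
 * end of the 5-byte instruction. */
uintptr_t jmp_rel32_target(uintptr_t at, const uint8_t *mem)
{
    int32_t rel;
    memcpy(&rel, mem + 1, sizeof rel);
    return at + 5 + (uintptr_t)(intptr_t)rel;
}

/* Second red flag: the jump destination lies outside the module that owns the
 * function (a legitimate hotpatch stays inside it). */
int target_outside_module(uintptr_t target, uintptr_t base, size_t size)
{
    return target < base || target >= base + size;
}

/* Constructed samples (not captured from the rootkit in the post): the usual
 * hotpatchable 32-bit prologue mov edi,edi; push ebp; mov ebp,esp; sub esp,10h,
 * and the same function with a 5-byte jmp (rel32 = 0x1000) written over it. */
const uint8_t SAMPLE_DISK_PROLOGUE[8] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
const uint8_t SAMPLE_CLEAN_MEMORY[8]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
const uint8_t SAMPLE_HOOKED_MEMORY[8] = {0xE9,0x00,0x10,0x00,0x00,0x83,0xEC,0x10};
const uintptr_t SAMPLE_FUNC_ADDR   = 0x10001000; /* hypothetical function address */
const uintptr_t SAMPLE_MODULE_BASE = 0x10000000; /* hypothetical module range     */
const size_t    SAMPLE_MODULE_SIZE = 0x00001800;

static const char *verdict_name(enum hook_verdict v)
{
    static const char *names[] = {"clean", "jmp rel32", "jmp indirect",
                                  "push/ret", "mov/jmp", "differs from disk"};
    return names[v];
}

int main(void)
{
    enum hook_verdict v = check_function(SAMPLE_HOOKED_MEMORY, SAMPLE_DISK_PROLOGUE, 8);
    printf("hooked sample: %s\n", verdict_name(v));
    if (v == HOOK_JMP_REL32) {
        uintptr_t t = jmp_rel32_target(SAMPLE_FUNC_ADDR, SAMPLE_HOOKED_MEMORY);
        printf("  jumps to 0x%lx (%s module)\n", (unsigned long)t,
               target_outside_module(t, SAMPLE_MODULE_BASE, SAMPLE_MODULE_SIZE)
                   ? "outside" : "inside");
    }
    printf("clean sample: %s\n",
           verdict_name(check_function(SAMPLE_CLEAN_MEMORY, SAMPLE_DISK_PROLOGUE, 8)));
    return 0;
}
```

On a real system the `mem` bytes come from reading the target process (ReadProcessMemory on Windows) and the `disk` bytes from mapping the same DLL from disk and applying its relocations; the hooked export will typically be one that carries request bodies for the browser’s HTTP stack, which is where a form grabber sees plaintext. Because the product in the post only hooks a handful of functions, scanning every export of every module is unnecessary: the functions that send network data are the ones to check.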

Customers have to pay with Liberty Reserve, Western Union, MoneyGram or PayPal in order to purchase it.

We’ll definitely be keeping an eye on the future development of this commercial rootkit.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.