Commercial ‘form grabbing’ rootkit spotted in the wild


By Dancho Danchev

Trust is vital. It’s also the cornerstone for the growth of E-commerce in general, largely thanks to the mass acceptance of a trusted model for processing financial data and personally identifiable information. For years, the acceptance and mass implementation of PKI (Public Key Infrastructure) has been a driving force behind a pseudo-secure B2C, B2B, and B2G electronic marketplace, connecting the world’s economies in a 24/7/365 operating global ecosystem.

The bad news? Once the integrity of a host or a mobile device has been compromised, SSL, along with virtually every two-factor authentication mechanism, gets bypassed by the cybercriminals who compromised the host/device, leaving users with a ‘false feeling of security’.

In this post, I’ll profile a recently advertised commercial ‘form grabbing’ rootkit that’s capable of ‘grabbing’ virtually any form of communication transmitted over SSL.

More details:

Sample screenshots of the DIY form grabbing rootkit in action:


Coded in C++ according to its author, it has Ring 3 rootkit functionality, and currently supports Windows XP/Vista/7/8. The price? $75. Potential customers don’t get a DIY builder, but a bin file that’s individually crypted per customer. Surprisingly, customers will get the updates over email. Next to the built-in rootkit functionality, the ‘form grabbing’ rootkit also takes advantage of ‘Smart API hooking’, and only hooks the functions responsible for transmitting form related data, making it extremely fast and efficient, according to its author.
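Because a Ring 3 grabber of this kind patches the prologue of the user-mode API functions that carry form data (so it sees the plaintext before SSL encryption), one practical check for defenders is to compare each export’s in-memory prologue against the clean copy on disk and decode where a patched prologue jumps to. The script below is an added example, not code from the post or from the rootkit; the export names (HttpSendRequestW, send, PR_Write), prologue bytes and addresses are assumptions constructed for the demonstration, since the post does not name the functions that are hooked.

```python
"""Spot ring-3 inline hooks on the APIs a form grabber patches (added example).
Compares each export's in-memory prologue with the clean on-disk prologue and
decodes the detour stub. All bytes and addresses below are constructed samples."""
import struct

# Constructed: clean prologues as read from each DLL on disk, keyed by export.
CLEAN_PROLOGUES = {
    "wininet!HttpSendRequestW": bytes.fromhex("8bff558bec83ec1c"),
    "ws2_32!send":              bytes.fromhex("8bff558bec83ec10"),
    "nss3!PR_Write":            bytes.fromhex("8bff558bec8b4508"),
}
# Constructed: virtual address of each export inside the monitored process.
EXPORT_ADDRESSES = {
    "wininet!HttpSendRequestW": 0x76A01234,
    "ws2_32!send":              0x75B04560,
    "nss3!PR_Write":            0x6A012340,
}

def decode_detour(code, address):
    """Return (kind, target) if `code` starts with a common inline-hook stub:
    E9 rel32 (jmp), FF 25 abs32 (jmp [mem]) or 68 imm32 / C3 (push/ret)."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (address + 5 + rel) & 0xFFFFFFFF)
    if len(code) >= 6 and code[:2] == b"\xff\x25":
        return ("jmp [abs32]", struct.unpack_from("<I", code, 2)[0])
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return ("push/ret", struct.unpack_from("<I", code, 1)[0])
    return None

def scan_prologues(in_memory, clean=CLEAN_PROLOGUES, addresses=EXPORT_ADDRESSES):
    """Return {export: (kind, target)} for every prologue that differs from the
    clean copy; an unrecognised patch is still reported, never silently skipped."""
    findings = {}
    for name, clean_bytes in clean.items():
        mem = in_memory.get(name, b"")
        if mem[:len(clean_bytes)] == clean_bytes:
            continue
        findings[name] = decode_detour(mem, addresses[name]) or ("modified, unknown stub", None)
    return findings

# Constructed process snapshot: two exports detoured to 0x1000xxxx, one untouched.
SAMPLE_MEMORY = {
    "wininet!HttpSendRequestW": b"\xe9" + struct.pack("<i", 0x10001000 - (0x76A01234 + 5)) + b"\x83\xec\x1c",
    "ws2_32!send":              CLEAN_PROLOGUES["ws2_32!send"],
    "nss3!PR_Write":            b"\x68" + struct.pack("<I", 0x10002000) + b"\xc3\x90\x90",
}

if __name__ == "__main__":
    print(scan_prologues(SAMPLE_MEMORY))
```

On a live system the in-memory bytes would come from reading the browser process and the clean bytes from mapping the DLL file itself; a detour target that lands outside any loaded module’s image is the signal worth triaging.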

Customers would have to use Liberty Reserve, Western Union, Money Gram or PayPal in order to purchase it.

We’ll be definitely keeping an eye on the future development of this commercial rootkit.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.
