March 5, 2011

Carberp: Silent trojan, eventual successor to ZeuS

Today the vast majority of consumer banking and bill payment is done online. Due to the fact that online transactions are growing in volume, malware authors are increasingly focused on developing malicious software designed to steal personal data from infected PCs.

A online black market exists where different crimeware packages (Kits for the creation of malware) are for sale. These kits can build personalized Trojans, capabable of escaping dection from antivirus scanners, and have some interesting functionalities that help them to steal data, while protecting themselves from AV and other malware.

The two most popular botnet packages available have been the ZeuS and SpyEye crimeware families. In late 2010, the creator of ZeuS decided to halt development of the trojan and opted to sell the source code to their former rivals at SpyEye. These new ZeuS/SpyEye hybrids have already been seen in the wild, and the combined botnet is now believed to be one of the largest and most active data-stealing botnets in the world.

That being said, ZeuS/SpyEye is not the only large-scale threat affecting banking and online transactions. In the second half of 2010, security firms such as Prevx, have been closely monitoring the growth of a new silent trojan called Carberp, which has been showing potential to be the eventual successor of SpyEye.

Carberp is a completely modular, data-stealing trojan, which is capable of downloading and executing new plugins with additional functionality. Additionally, it can carry out encrypted communication with a list of Command & Control servers, and uses rootkit techniques to hide itself. It can run in user mode, even inside limited and guest accounts, and can be remotely controlled, turning an infected PC into a zombie and part of a botnet.

Carberp is capable of detecting and blocking antivirus programs on the infected machine, as well as killing rival malware such as ZeuS, Zbot, Limbo, Barracuda, Adrenalin, MyLoader, BlackEnergy and SpyEye.

Carberp quietly slipped in through the back door without much fanfare last year, but it is expected to grow exponentially in 2011, becoming one the largest data stealing threats of this year.

Prevx says their own product, SafeOnline has been capable of proactively protecting browsers from Carberp’s malicious hooks, preventing bank accounts and passwords while users conduct online transactions. An extensive report on Carberp can be found on Prevx Malware Research Team’s website.