Zeus has remained the most prolific malware family over the last 18 months; however, new players entering the market offer an extensive new feature set and distribution network, challenging existing Trojan detection software. TrustDefender Labs reports on the potential impacts and risks of Carberp (pronounced car-ber-Pee), a new Trojan expected to take over if Zeus ever goes away. This Trojan appears to be purpose-built and is evolving in sophistication at a rapid rate. TrustDefender anticipates Carberp morphing into a major threat “from a financial, political and personal perspective”. Carberp was first seen in May 2010, potentially providing a new class of Trojan for criminals to use.
Why should we be worried about Carberp?
- Disables other Trojans so they do not interfere with its attack and do not send stolen info to competitors.
- Ability to run as a non-administrator.
- Ability to infect Windows XP, Vista and 7, which few Trojans can do.
- Sophisticated browser hooking/install to fully control all internet traffic (including HTTPS with EV-SSL) and sessions.
- Browser hooking also works for various versions of Firefox, but not yet for Chrome.
- It does not make any changes to the registry (only in-memory modifications).
- Stolen data is transmitted in real time to the Trojan’s ‘Command and Control’ (C&C) server.
- Carberp can inject arbitrary HTML into websites.
- Ability to inject dynamic HTML overlays into banking sessions to bypass dynamic authentication schemes (such as 2FA).
Bad guys want to keep their malicious software working in your environment for as long as possible while flying under the radar, and they are able to continue infiltrating in new ways.