Oct 12, 2010 15:55 GMT

Researchers warn that a new banking trojan, which appeared earlier this year, has many features similar to the infamous ZeuS crimeware and displays the same level of sophistication.

Dubbed Carberp, the trojan was first discovered back in May, but it started out as a delivery platform for other malware and was probably part of a pay-per-install scheme.

However, according to security researchers from Australia-based security vendor TrustDefender, the threat is evolving very rapidly and its creators are constantly adding new features.

The latest versions seem specifically designed to assist in financial fraud operations in a similar way to ZeuS, which currently dominates this area of cybercrime.

Carberp can infect computers running Windows XP, as well as Windows Vista and Windows 7, and can operate from a non-administrative account.

The trojan can hook the processes of various versions of Internet Explorer and Firefox in order to intercept and monitor all Web traffic.

Like ZeuS, it can inject arbitrary HTML code into any page displayed inside the browsers and forward the captured sensitive information, such as online banking credentials or credit card details, to a remote server.

However, Carberp's data collection server seems to be separate from the command & control (C&C) server, probably for security reasons.

As a security researcher has recently demonstrated, a bug in the data receiving module of the ZeuS C&C servers can lead to full system compromise.

In Carberp's case, if the data server is compromised, the attackers still have control over the botnet and can update it to upload the stolen information to a new location.

Like SpyEye, another threat viewed as a ZeuS killer, Carberp attempts to disable other known information-stealing trojans once it is installed on a system.

"While Trojans such as Zeus and Mebroot are successful and high profile, the ‘bad guys’ obviously wish to stay under the radar and with new malware and configuration files they are able to continue to infiltrate in new ways," says TrustDefender's CTO Andreas Baumhof.

"TrustDefender anticipates Carberp will further develop and could morph into a problematic threat from a financial, political and personal perspective," he adds.