Up-and-Coming Banking Trojan Gets Revamped

By on January 21st, 2011 17:42 GMT

Security researchers warn that Carberp, a relatively new banking trojan with features similar to the notorious ZeuS, has received an update which encrypts the traffic with the command and control servers.

Carberp appeared around May last year, but originally it was mostly used as a trojan downloader to install other malware on computers.

It has since evolved into a trojan capable of stealing financial data and online banking credentials by injecting rogue HTML code into Web pages when victims visit the websites of financial institutions.

It does this by hooking the Internet Explorer and Firefox processes so it can constantly monitor Web traffic.

According to Israeli security vendor Seculert, Carberp, which remains most widespread in Russia, has recently been updated to a new version.

The new variant brings several enhancements, the most important of which is the introduction of RC4-based encryption for the communication protocol.

"The interesting part is that the RC4 key is randomly generated and is sent as part of the HTTP request. This is the first time we have encountered such behavior," the Seculert researchers note.

Usually, the RC4 key is contained within the malware itself, like in the case of ZeuS and other encryption-capable trojans.
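The practical consequence of that design choice, shown as an added example that is not from the article or from Seculert: when the per-session RC4 key travels inside the HTTP request, an analyst holding only a packet capture can decrypt the bot's traffic, whereas a key embedded in the binary (the ZeuS approach) first requires unpacking the sample. The field name carrying the key (`key` in the query string) and the body layout are assumptions constructed for illustration; the article does not specify them.

```python
from urllib.parse import parse_qs


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_capture(raw: bytes) -> bytes:
    """Recover the per-request key from a captured HTTP request and decrypt its body.

    Assumed layout (not documented in the article): the hex-encoded key is the
    'key' parameter of the request URI's query string; the body is the RC4
    ciphertext. Raises KeyError if no key is present, i.e. a capture that
    cannot be decrypted without the binary.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.decode("ascii", errors="replace").split("\r\n", 1)[0]
    path = request_line.split(" ")[1]         # "POST /gate?key=... HTTP/1.1"
    query = path.partition("?")[2]
    key_hex = parse_qs(query)["key"][0]
    return rc4(bytes.fromhex(key_hex), body)


def build_sample(key: bytes, plaintext: bytes) -> bytes:
    """Constructed sample request in the assumed layout, used only to exercise
    decrypt_capture() offline (e.g. a bot reporting which AV product it found)."""
    body = rc4(key, plaintext)
    head = (f"POST /gate?key={key.hex()} HTTP/1.1\r\n"
            f"Host: c2.example.invalid\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("ascii")
    return head + body


if __name__ == "__main__":
    sample = build_sample(bytes.fromhex("0102030405"), b"id=bot1&av=Kaspersky")
    print(decrypt_capture(sample))
```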

Another noteworthy feature is the gathering of antivirus statistics by scanning the infected systems and reporting back what security products are installed.

This gives the attackers a good indication of which AV programs they most need to evade, and which to add to the trojan's antivirus-killer plugin.

The statistics gathered by the particular botnet analyzed by Seculert revealed a 74% use ratio for Kaspersky Lab, which is consistent with its Russian targets.

Finally, the researchers reveal that the control panel of the new version displays the name Carberp, which is unusual, because this is a unique alias given to the threat by the security industry, not a name its authors came up with. Nevertheless, they seem to have embraced it.