Home / malwarePDF  

Carberp


First posted on 01 April 2015.
Source: SecurityHome

Aliases :

Carberp is also known as Trojan-Spy:W32/Carberp, Trojan.Downloader.Carberp, Trojan.Carberp, TrojanDownloader:Win32/Carberp.A, TROJ_DLOADER.A.

Explanation :

Carberp has the capacity to use both general and targeted attacks. It also has new capabilities, making it deadlier than Zeus. The following are some of the new features found in Carberp:
Carberp does not require admin rights to run; it resides in memory.
It's capable of infecting Windows XP, Windows Vista, and Windows 7.
It's designed to control all Internet traffic, including HTTPS using EV-SSL.
Stolen data is transmitted to command and control servers before it's sent to the financial web site. That negates any advantage of using one-time passwords.

It's scary, knowing Carberp can run without admin rights. It also means Carberp must reactivate itself after a system restart. It accomplishes this by copying the required process to the startup section of the currently logged-in user.

Normally, that would make a file easy to find. But, Carberp's executable chkntfs.exe is hidden. It can't be found with Windows Explorer or by using the command line.

Thankfully, the way Carberp hides is also its Achilles Heel.

Carberp removes other malware
At first, I thought malware designed to disable antivirus applications and other malcode was the malware author's ego kicking in. But, in the case of financial malware, there is a valid reason.

Targets of financial malware likely interest more than one attacker. If the login information is used by multiple criminals, it would become obvious to the victim and bank that something was amiss. Besides, criminals don't like other criminals stealing from them.

Solution :

As for Carberp's Achilles Heel, applications like WinPatrol and Process Explorer should indicate the presence of a foreign hidden process. I have asked Bill Pytlovany, the developer of WinPatrol for suggestions on what we should pay attention to.

A common thread with all financial malware is the copying of the victim's username and password. I do not have enough details about Carberp to explicitly say that an anti-keylogger program will help. But, it seems logical that anti-keylogger applications would be useful against the general attack format.

My anti-keylogger program of choice is KeyScrambler. I consider it valuable insurance against financial malware and other keylogging attacks. I also have asked QFX Software for their opinion on whether KeyScrambler defeats financial malware.

Finally, as of this writing, financial malware's targeted attacks are only successful against Internet Explorer and FireFox. Chrome so far is impervious to targeted attack, because Carberp uses web-browser hooking.

Last update 05 April 2015

 

TOP

Malware :