New threat set to dethrone Zeus

The position of the infamous Zeus trojan may be usurped by a new upstart that is unknown to four of the six largest antivirus companies and has already been used by a criminal group to empty bank accounts across Europe and America.

Image: Zeus (Credit: Microsoft)

The latest incarnation of the Carberp trojan possesses most of the tricks used by Zeus to steal millions of dollars from bank accounts around the world, and targets the most popular operating systems and web browsers including Microsoft's Windows 7, Vista and XP, as well as the Internet Explorer and Mozilla Firefox web browsers.

It also attempts to seek and destroy or disable rival bank account-stealing trojans, including Zeus. However, it is not known whether Carberp is actually capable of removing the rival malware.

Security companies have yet to agree on the characteristics of Carberp. Some security companies consider Carberp a derivative of Zeus. Less harmful variants of Carberp exist, including malware downloaders and generic trojans, but this latest instance is considered the first fully capable banking trojan of its kind.

"Carberp is different. It is very, very sophisticated and I expect the infection rates to be the same as Zeus," said Andreas Baumhof, co-founder and chief technology officer of secure banking authentication firm TrustDefender. He said the trojan is as yet unknown to the big antivirus companies.

"However, Zeus has a much bigger distribution network which is why Carberp is under the radar and used only in targeted attacks."

Infection could spread quickly to other nations with a small modification to the trojan's configuration file, Baumhof said.

The company's research arm identified the new Carberp variant three months ago and has now deconstructed it.

Technicians report that Carberp can hijack the two-factor authentication used by some of the most popular banks by borrowing the capabilities of rival trojans Zeus, Gozi and Spyeye to inject HTML overlays.

It can also install onto PCs without the need for administration rights, meaning it can bypass the tougher access controls of Microsoft's latest operating systems, and has a sophisticated and rarely-seen browser-hijacking capability that can commandeer all internet traffic, including secure HTTPS with Extended Validation-SSL.

From the labs

Carberp can install on a machine without the need for administrative access, but will only infect the current logged-in user and does not infect the kernel, according to the security company.

"The creators don't care if Carberp is removed after a couple of days, because by then, they have done what they need to do," Baumhof said.

He said Carberp lacks the full functionality of Zeus, but it has the same "high-level of sophistication".

The TrustDefender report states that Carberp:

  • Will not make any changes to the registry (only in-memory modifications)
  • Transmits stolen data in real time to a command and control (C&C) server
  • Will automatically make a few requests to download additional files. The first request will transmit a unique ID of the computer to the C&C server (POST /set/task.html with id). It will then request an upload of all running processes, including a POST request to /set/first.html, and will then immediately download three files.
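
The request sequence in the last item lends itself to a proxy-log check. The Python below is an added example, not code from the TrustDefender report: it flags clients that POST to /set/task.html and then to /set/first.html on the same host, and counts the GETs that follow. The log format, the 60-second window, the hostnames and file names, and the assumption that the downloads come from the same host are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BEACON = ("POST", "/set/task.html")    # first request, carries the computer's unique ID
UPLOAD = ("POST", "/set/first.html")   # process-list upload that follows
WINDOW = timedelta(seconds=60)         # assumption: the report only says "immediately"

# Constructed proxy log: timestamp, client, method, host, path (not real traffic).
SAMPLE_LOG = """\
2024-01-01T09:14:01 10.0.0.23 POST cc.example.invalid /set/task.html
2024-01-01T09:14:02 10.0.0.23 POST cc.example.invalid /set/first.html
2024-01-01T09:14:03 10.0.0.23 GET cc.example.invalid /file1
2024-01-01T09:14:03 10.0.0.23 GET cc.example.invalid /file2
2024-01-01T09:14:04 10.0.0.23 GET cc.example.invalid /file3
2024-01-01T09:20:00 10.0.0.41 POST app.example.invalid /set/task.html
2024-01-01T09:30:00 10.0.0.57 POST cms.example.invalid /set/first.html
2024-01-01T09:30:05 10.0.0.57 POST cms.example.invalid /set/task.html
2024-01-01T10:00:00 10.0.0.88 POST old.example.invalid /set/task.html
2024-01-01T10:10:00 10.0.0.88 POST old.example.invalid /set/first.html
"""

def parse(line):
    """Split one log line into a (client, host) key and a (time, method, path) event."""
    ts, client, method, host, path = line.split()
    return (client, host), (datetime.fromisoformat(ts), method.upper(), path.split("?")[0].lower())

def find_checkins(log_text):
    """Flag (client, host) pairs where the beacon POST is followed by the upload POST."""
    by_pair = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        pair, event = parse(line)
        by_pair[pair].append(event)
    hits = []
    for (client, host), events in sorted(by_pair.items()):
        events.sort()
        for i, (t0, *req) in enumerate(events):
            if tuple(req) != BEACON:
                continue
            # Only events after the beacon and inside the correlation window count.
            later = [e for e in events[i + 1:] if e[0] - t0 <= WINDOW]
            upload = next((e for e in later if e[1:] == UPLOAD), None)
            if upload:
                gets = [e for e in later if e[1] == "GET" and e[0] >= upload[0]]
                hits.append({"client": client, "host": host, "downloads": len(gets)})
                break
    return hits

if __name__ == "__main__":
    for hit in find_checkins(SAMPLE_LOG):
        print(hit)
```

A single POST to either path, the two paths in reverse order, or the pair spread over ten minutes are not flagged, which keeps unrelated sites that happen to use the same path names out of the results.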