
Up-And-Coming Banking Trojan Gets Revamped

Discussion in 'Security Updates' started by starbuck, Jan 22, 2011.

    Security researchers warn that Carberp, a relatively new banking trojan with features similar to the notorious ZeuS, has received an update which encrypts the traffic with the command and control servers.

    Carberp appeared around May last year, but originally it was mostly used as a trojan downloader to install other malware on computers.

    It has since evolved into a trojan capable of stealing financial data and online banking credentials by injecting rogue HTML code into Web pages when victims visit the websites of financial institutions.

    It does this by hooking the Internet Explorer and Firefox processes so it can constantly monitor Web traffic.

    According to Israeli security vendor Seculert, Carberp, which remains most widespread in Russia, has recently been updated to a new version.

    The new variant brings several enhancements, the most important of which is the introduction of RC4-based encryption for the communication protocol.

    "The interesting part is that the RC4 key is randomly generated and is sent as part of the HTTP request. This is the first time we have encountered such behavior," the Seculert researchers note.

    Usually, the RC4 key is contained within the malware itself, like in the case of ZeuS and other encryption-capable trojans.

    Another noteworthy feature is the gathering of antivirus statistics by scanning the infected systems and reporting back what security products are installed.

    This gives attackers a good indication of what AV programs they need to evade best and add to the trojan's antivirus killer plugin.

    The statistics gathered by the particular botnet analyzed by Seculert revealed a 74% use ratio for Kaspersky Lab, which is consistent with its Russian targets.

    Finally, researchers reveal the control panel of the new version displays the name Carberp, which is unusual, because this is a unique alias given to the threat by the security industry, not a name its authors came up with. Nevertheless, they seem to have embraced it.



    Source:
    http://news.softpedia.com/news/Up-and-Coming-Banking-Trojan-Gets-Revamped-179883.shtml
     
