Carberp Trojan Removes Antivirus Scanners, Other Malware from Host

The latest banking malware Carberp has gone through three versions since it came on the scene last year and continues to add on new features.

A piece of banking malware is evolving more sophisticated capabilities to stay hidden on victims' PCs, according to several security researchers.

The information-stealing malware Carberp, discovered last October, can steal a range of data, disguise itself as a legitimate Windows file and remove any antivirus software installed on the host, according to Seculert. As the latest banking malware to emerge, it has been changing very rapidly and adding on new features and capabilities, Seculert said.

Carberp is considered the next big banking threat, alongside SpyEye, especially since the new Trojan attack kit was becoming the weapon of choice over Zeus, TrustDefender said. Development for the Zeus Trojan, the well-known banking Trojan that may have stolen millions of dollars, appears to have stopped, and the code has been merged with SpyEye, various researchers said.

Carberp runs on all versions of Windows, including Windows 7, without needing administrator privileges, according to TrustDefender. It can register itself as a browser extension in order to constantly monitor all Web traffic, even the encrypted online banking traffic. It can inject rogue HTML code into Web pages that can steal data, Seculert said.

Carberp has gone through three generations, Jorge Mieres, a malware analyst at Kaspersky Lab, told eWEEK. The first versions of Carberp were very simple Trojan downloaders that downloaded other pieces of malware, Mieres said. Each succeeding version has added on sophisticated features.

The second generation incorporated features for managing a command and control Web-based botnet, Mieres said. Carberp is one of the "largest private botnets," he said. The kit also contained a small plug-in called "passw.plug," which is designed to steal information from more than 90 applications installed on the infected computer, he said.

The third and current generation added two new components that interfere with computers' security software. The "stopav.plug" disables the antivirus software already installed, and "miniav.plug" acts as a cleaner to remove other pieces of malware, Mieres said. Seculert said the miniav plug-in can remove well-known malware families including Zeus, BlackEnergy, Limbo and MyLoader.

Carberp does the cleaning to prevent other malware from interfering with its activities, according to Seculert.

The latest version of Carberp has updated how it communicates with a command-and control server. Like most advanced malware, including the highly sophisticated Zeus, previous versions encrypted that traffic using RC4 encryption and used the same encryption key all the time, Seculert wrote on the blog. This made things easier for security administrators because intrusion protection systems could analyze traffic and pick out possible packets using that key.

The developers have caught on, and now Carberp uses a randomized key that it registers with the control server. Since the malware uses a different key every time, it is harder to detect.

The update has also changed Carberp's target. The previous version targeted banks in the Netherlands and the United States. The latest version is targeting users in Russian-speaking markets.

Seculert said Carberp will likely incorporate links to a scanning service in future versions, similar to SpyEye and other attack kits.

Regardless of which version infected a computer, Carberp collected information about the host's operating system, browsers and antivirus, said Mieres. This gives attackers an idea of what kind of antivirus software they need to evade. Security researchers have long warned that malware developers run new samples through antivirus software to make sure it can't be detected before releasing them into the wild.

The other twist is that the collected statistics tell the malware authors what antivirus needs to be added to the "stopav.plug" so that Carberp can deactivate it, Seculert said.

The statistics gathered by the botnet, as analyzed by Seculert, showed Kaspersky Lab's antivirus software had a "74 percent use ratio."