Online banking trojan developing fast
Trojan construction kit Carberp, which first emerged in the autumn, appears to be undergoing rapid development, according to reports from sources that include security services provider Seculert. F-Secure analyst Toni Koivunen is already calling it the rising star of the banking trojan world.
Whereas the first versions of Carberp were very simple in their construction, newer versions are equipped with a pretty impressive list of features. It now runs on all versions of Windows, including Windows 7, where, according to TrustDefender, it is able to do its work without requiring administrator privileges. Technically, this is not particularly remarkable – user privileges are, for example, sufficient for it to register as a browser extension. This would allow a trojan to read and modify even encrypted online banking traffic by means of a 'man-in-the-browser' attack.
Carberp can also now clean up infected systems to get rid of any competition. The latest version encrypts stolen data prior to transfer using a random key, which the client registers with the control server. Until now, bots have used static keys encoded into the program itself – which, of course, made life a lot easier for anti-virus specialists.
The most interesting aspect is that these functions have been added to Carberp over a period of just a few months. A war of succession for ZeuS' customer base is currently raging in the online banking fraud sector, since development work on ZeuS appears to have stopped. Carberp and SpyEye are among the frontrunners, but it is difficult to predict the eventual outcome. It is, however, becoming increasingly clear that the battle will in part be fought by means of features, and ever more sophisticated trojan versions are therefore to be expected.