Carberp Trojan Has Hit 3 Large U.S. Banks, Could Easily Attack More

Q&A with Andreas Baumhof, CTO of TrustDefender, the first company to come out with an analysis of Carberp.

In an interview last night, Andreas Baumhof, CTO of Sydney-based TrustDefender, the first company to analyze the newish (as of May) Carberp Trojan, shared details about how this malicious agent is stealing account information from large banks' online banking customers.

BS&T: Who came up with the name Carberp and what were they thinking?

Baumhof: That's part of a wider question about name-setting for any kind of virus or Trojan out there. I don't know who came up with the name first; it's a funny name.

BS&T: What is Carberp capable of doing?

Baumhof: Carberp has evolved quite a bit in the last six to eight months. We saw the first examples of it in May of this year, and in the beginning it was just a malware download; it wasn't a banking Trojan as such. The group developing this Trojan has evolved it into what it is today: a full-fledged banking Trojan that is fully capable of hijacking an internet connection and stealing any information, even if it's SSL encrypted, and injecting any kind of HTML into a banking site. That's where the similarities to Zeus come from. Zeus can do a lot of things, but it has the ability to have a configuration file that targets specific financial institutions, and it's a very flexible system that can inject additional JavaScript or HTML into a site so it looks and feels like a banking website. The user at home has no way to distinguish what he sees from the bank's website.

Carberp also maintains configuration files that can target specific financial institutions and request information from them. It gets this information in real time, so it's designed to get around two-factor authentication. Say you log in with a user name and password and the bank asks you to put in a one-time password from your token. Carberp will use this and send it off to the cyber criminal's command and control server in real time before it's sent to your banking site. So now they've stolen your user name and password and they have at least one one-time password they can use. That's similar to what Zeus is capable of doing as well.

Zeus is the most widely deployed banking Trojan out there. But for a Trojan, it's essential to stay a little bit under the radar. If you are too prominent and cause too much trouble, the security community will take action. Two days ago, Microsoft came out with a Zeus botnet removal tool.

BS&T: Is Carberp completely focused on banks?

Baumhof: It can steal any kind of information submitted over the internet. It could affect any kind of payment gateway. At the moment it's only being used to attack bank sites in the U.S. and Europe.

BS&T: Have some U.S. banks already been attacked?

Baumhof: We know there are three large U.S. banks that are part of the configuration files that are being attacked by this Trojan.

BS&T: Can you say who they are?

Baumhof: It's not about the banks, because they could have configuration files tomorrow for different banks. Whatever information I would give you could be out of date tomorrow. But at the moment it's large, well-known banks in the U.S. and Europe.

BS&T: If you were a bank data security person, what would you be doing about this?

Baumhof: It's limited what you can do from inside a bank. You have a user that authenticates correctly with user name and password and a fully authenticated transaction. How do you distinguish a good fully authenticated session from a bad fully authenticated session? There are things you can do with cross-referencing; you can look at certain patterns in the times, amounts, locations and recipients of transactions and look for unusual behavior. TrustDefender has a small piece of software that sits on the end user's computer and tells the bank's computer if the customer's machine is infected with any kind of Trojan. If someone logs in with a Zeus Trojan, for instance, the financial institution might allow the person to log in and see their account balance, but if that person wants to do an international wire transfer, the bank will want to make sure the computer is not compromised before putting that through.
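The bank-side controls Baumhof describes, scoring a transaction against the customer's usual times, amounts, locations and recipients, and then deciding whether a fully authenticated session still gets to push an international wire when the endpoint is flagged as infected, can be sketched as a small policy engine. The code below is an added illustration written for this page, not TrustDefender's product or anything from the interview; the transaction history, the device-flag input, the thresholds and the action names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class Transaction:
    when: datetime
    amount: float
    country: str        # where the session originated (assumed available to the bank)
    recipient: str      # payee identifier
    international: bool


def risk_score(history, tx):
    """Score a new transaction on the four dimensions named in the interview:
    time, amount, location and recipient. Returns (score, reasons)."""
    score, reasons = 0, []

    # Time: hour of day outside the customer's usual window (+/- 2 h slack, assumed)
    hours = [t.when.hour for t in history]
    if hours and not (min(hours) - 2 <= tx.when.hour <= max(hours) + 2):
        score += 1
        reasons.append("unusual hour")

    # Amount: more than three standard deviations above the customer's baseline
    amounts = [t.amount for t in history]
    if amounts:
        mu, sigma = mean(amounts), pstdev(amounts)
        if tx.amount > mu + 3 * max(sigma, 1.0):
            score += 2
            reasons.append("amount far above baseline")

    # Location: session country never seen for this customer
    if tx.country not in {t.country for t in history}:
        score += 1
        reasons.append("new country")

    # Recipient: first payment to this payee
    if tx.recipient not in {t.recipient for t in history}:
        score += 1
        reasons.append("first-time recipient")

    return score, reasons


def decide(action, device_flagged, score):
    """Policy mirroring the interview: a flagged (Trojan-infected) endpoint may
    still view a balance, but an international wire from it is held until the
    machine is known clean; high-risk transfers from any device get stepped up
    through a channel the browser cannot relay (out-of-band confirmation)."""
    if action == "view_balance":
        return "allow"
    if action == "international_wire" and device_flagged:
        return "hold_for_review"
    if score >= 3:
        return "step_up_out_of_band"
    return "allow"


# Constructed sample data: a customer who pays rent and utilities during the day.
HISTORY = [
    Transaction(datetime(2010, 9, 1, 9), 1200.0, "US", "landlord", False),
    Transaction(datetime(2010, 9, 5, 12), 85.0, "US", "power-co", False),
    Transaction(datetime(2010, 9, 9, 18), 60.0, "US", "water-co", False),
    Transaction(datetime(2010, 10, 1, 9), 1200.0, "US", "landlord", False),
    Transaction(datetime(2010, 10, 6, 13), 90.0, "US", "power-co", False),
]

# Constructed suspicious request: large wire to a new payee, new country, 3 a.m.
SUSPICIOUS_TX = Transaction(datetime(2010, 10, 20, 3), 9800.0, "DE", "new-payee-1", True)


def evaluate(history, tx, device_flagged):
    """Run scoring and policy for one request; returns (score, reasons, decision)."""
    score, reasons = risk_score(history, tx)
    action = "international_wire" if tx.international else "domestic_transfer"
    return score, reasons, decide(action, device_flagged, score)


if __name__ == "__main__":
    print(evaluate(HISTORY, SUSPICIOUS_TX, device_flagged=True))
    print(evaluate(HISTORY, SUSPICIOUS_TX, device_flagged=False))
```

The point of splitting scoring from policy is that the session itself looks legitimate to the bank, exactly as Baumhof says: credentials and one-time password are correct, so the only signals left are behavioural patterns and the endpoint's health, and the response has to be something the compromised browser cannot silently pass through, such as a hold or an out-of-band confirmation.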
