In an interview last night, Andreas Baumhof, CTO of Sydney-based TrustDefender, the first company to analyze the Carberp Trojan (new as of May), shared details about how this Trojan steals account information from large banks' online banking customers.
BS&T: Who came up with the name Carberp and what were they thinking?
Baumhof: That's part of a wider question about name-setting for any kind of virus or Trojan out there. I don't know who came up with the name first, it's a funny name.
BS&T: What is Carberp capable of doing?
Baumhof: Carberp also maintains configuration files that can target specific financial institutions and request information from them. It gets this information in real time, so it's designed to get around two-factor authentication. Say you log in with a user name and password and the bank asks you to put in a one-time password from your token. Carberp will use this and send it off to the cyber criminal's command and control server in real time before it's sent to your banking site. So now they've stolen your user name and password and they have at least one one-time password they can use. That's similar to what Zeus is capable of doing as well.
Zeus is the most widely deployed banking Trojan out there. But for a Trojan, it's essential to stay a little bit under the radar. If you are too prominent and cause too much trouble, the security community will take action. Two days ago, Microsoft came out with a Zeus botnet removal tool.
BS&T: Is Carberp completely focused on banks?
Baumhof: It can steal any kind of information submitted over the internet. It could affect any kind of payment gateway. At the moment it's only being used to attack bank sites in the U.S. and Europe.
BS&T: Have some U.S. banks already been attacked?
Baumhof: We know there are three large U.S. banks that are part of the configuration files that are being attacked by this Trojan.
BS&T: Can you say who they are?
Baumhof: It's not about the banks, because they could have configuration files tomorrow for different banks. Whatever information I would give you could be out of date tomorrow. But at the moment it's large, well-known banks in the U.S. and Europe.
BS&T: If you were a bank data security person, what would you be doing about this?
Baumhof: What you can do from inside a bank is limited. You have a user that authenticates correctly with user name and password and a fully authenticated transaction. How do you distinguish a good fully authenticated session from a bad fully authenticated session? There are things you can do with cross-referencing: you can look at certain patterns in the times, amounts, locations and recipients of transactions and look for unusual behavior. TrustDefender has a small piece of software that sits on the end user's computer and tells the bank's computer if the customer's machine is infected with any kind of Trojan. If someone logs in with a Zeus Trojan, for instance, the financial institution might allow the person to log in and see their account balance, but if that person wants to do an international wire transfer, the bank will want to make sure the computer is not compromised before putting that through.
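The last answer sketches a two-signal approach: cross-reference each transaction against the customer's usual times, amounts, locations and recipients, and gate high-risk actions (such as an international wire) on an endpoint-health verdict. The following is an added illustration of that gating logic written for this page; it is not TrustDefender's or any bank's code. The account history, the transaction fields, the `device_compromised` flag and the thresholds (amount more than three standard deviations above the mean, no prior transaction within two hours of the day, unseen recipient or destination country) are all assumptions chosen to make the example concrete.

```python
# Added example: risk-based gating of an authenticated session's actions using
# transaction-pattern anomalies plus an endpoint-health signal. Illustration
# only; not the code of TrustDefender or any bank named in the interview.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    account: str
    amount: float
    hour: int            # local hour of day, 0-23
    country: str         # destination country code
    recipient: str       # payee identifier
    international: bool  # True for a cross-border wire


# Constructed history (assumed data): what this customer normally does.
HISTORY = {
    "acct-1001": [
        Txn("acct-1001", 120.0, 9, "US", "landlord", False),
        Txn("acct-1001", 85.5, 10, "US", "utility-co", False),
        Txn("acct-1001", 140.0, 19, "US", "landlord", False),
        Txn("acct-1001", 60.0, 12, "US", "grocer", False),
    ],
}

# Deviations that on their own justify extra verification (assumed policy).
HIGH_RISK = {"amount", "no_history"}


def anomalies(txn, history=HISTORY):
    """List the ways txn deviates from the account's past behaviour."""
    past = history.get(txn.account, [])
    if not past:
        return ["no_history"]
    reasons = []
    amounts = [t.amount for t in past]
    mu, sd = mean(amounts), pstdev(amounts)
    if txn.amount > mu + 3 * max(sd, 1.0):      # floor sd so a flat history still has a band
        reasons.append("amount")
    if all(abs(txn.hour - t.hour) > 2 for t in past):
        reasons.append("time")
    if txn.recipient not in {t.recipient for t in past}:
        reasons.append("recipient")
    if txn.country not in {t.country for t in past}:
        reasons.append("location")
    return reasons


def decide(action, txn, device_compromised, history=HISTORY):
    """Decision for one action inside a correctly authenticated session.

    action: "view_balance" or "transfer".
    device_compromised: verdict from an endpoint agent (assumed signal).
    Returns "allow", "step_up_out_of_band" or "block_until_device_clean".
    """
    if action == "view_balance":
        # Read-only access is permitted even when the endpoint looks infected.
        return "allow"
    reasons = anomalies(txn, history)
    if device_compromised and (txn.international or reasons):
        # An infected machine may not move money abroad or do anything unusual
        # until it has been checked.
        return "block_until_device_clean"
    if set(reasons) & HIGH_RISK or len(reasons) >= 2:
        # Confirm over a channel the malware cannot relay in real time.
        return "step_up_out_of_band"
    return "allow"


if __name__ == "__main__":
    wire = Txn("acct-1001", 4500.0, 3, "RO", "unknown-ltd", True)
    print(anomalies(wire), decide("transfer", wire, device_compromised=False))
    print(decide("transfer", wire, device_compromised=True))
    print(decide("view_balance", wire, device_compromised=True))
```

Note that the step-up must not be the same token-generated one-time password the interview describes Carberp relaying; a confirmation over a second channel that shows the customer the amount and recipient is the kind of check that a real-time relay cannot satisfy on its own.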