While the Zeus Trojan has been the most widespread piece of malware for banks to be concerned about so far this year, a newer entrant called Carberp (pronounced Car-ber-'P') is said to have become popular among European and American cyber criminals. Microsoft defines Carberp as "a trojan that silently downloads and installs other programs without consent, including additional malware or malware components to an affected computer."
According to TrustDefender, a Sydney, Australia-based security company that has been following Carberp closely, "This Trojan already has a quite impressive feature-set and if it evolves at the same speed as previous Trojans it definitely has the potential to be in the same league as Zeus. But keep in mind that threats only evolve as much as they have to and as security researchers we are always on the lookout for the next greatest technical advancements, but what we learn from the field is that even phishing is still working fine if used properly." [Or improperly, depending on your point of view.] The Trojan emerged out of an era of highly successful transactional Trojans such as Zeus, Mebroot and Silentbanker, the company notes.
Carberp was first seen in May 2010; more recently, however, TrustDefender analysts have witnessed the increasing sophistication of the Trojan and point out some of its unique characteristics:
- Ability to disable other Trojans so that they do not interfere with its attack and, more importantly, do not send stolen information to the competition
- Ability to run as a non-administrator
- Ability to infect Windows XP, Windows Vista and Windows 7, which only a few Trojans can do
- Browser hooking that also works for various versions of Firefox, but not yet for Chrome
- Sophisticated browser hooking/installation to fully control all internet traffic (including HTTPS with EV-SSL) and the entire internet session
- No changes to the registry (only in-memory modifications)
- Stolen data is transmitted in real time to the Trojan's 'Command and Control' server
- A configuration file system that lets it inject arbitrary HTML into any website
- Ability to dynamically inject HTML overlays into any banking session, similar to Zeus, Gozi and SpyEye, with the aim of working around dynamic authentication schemes (such as two-factor authentication)
"The evolution of Trojans such as Carberp highlights that the malware problem is here to stay and will only get worse with malware reaching out to new areas such as Windows 7, Apple Mac and mobile devices," says Andreas Baumhof, CTO of TrustDefender. "This highlights the need for financial institutions and enterprises to provide appropriate security for their users so the end user's device is fully protected. This obviously also applies to cloud-based applications. While Trojans such as Zeus and Mebroot are successful and high profile, the bad guys obviously wish to stay under the radar and with new malware and configuration files they are able to continue to infiltrate in new ways."