A Zeus-Carberp love child is wreaking havoc in the financial sector. Two of the more notorious crimeware strains out there have gotten together and spawned a new hybrid trojan, which is targeting more than 450 financial institutions around the world.
The bug is a variant of the infamous Zeus banking malware, but contains significant aspects of the Carberp trojan family. Thus dubbed “Zberp” by the researchers at Trusteer who discovered it, it is targeting mainly banks in the US, UK and Australia. It can grab basic information about the infected computer, take screen shots and send them to the attacker, and can steal a range of data, including information submitted in HTTP forms, user SSL certificates and even FTP and POP account credentials.
The Zberp trojan also includes optional features that enable web injections, man-in-the-middle (MITM) attacks and VNC/RDP connections.
In many ways this kind of mash-up is inevitable: The Zeus source code was exposed to the public in 2011, and the Carberp source code was meanwhile offered for sale last year.
Zeus’ source code was originally offered for $100,000, a price tag that reportedly fell to $5,000 within a few weeks, culminating with elements of the source code being file-shared on BitTorrent. Soon thereafter, the entire code became available for free online, released to the masses on several underground forums. It didn’t take long for criminal groups to begin customizing its behavior and developing new features.
Carberp, meanwhile, followed a similar trajectory in the middle of last year, when it became available for free.
“Since the source code of the Carberp Trojan was leaked to the public, we had a theory that it won’t take cyber criminals too long to combine the Carberp source code with the Zeus code and create an evil monster,” explained Trusteer researchers Martin G. Korman and Tal Darsan, in an analysis. “It was only a theory, but a few weeks ago we found samples of the ‘Andromeda’ botnet that were downloading the hybrid beast.”
And a beast it could be: In addition to its malicious capabilities, the Zberp Trojan uses a combination of evasion techniques that it inherited from both the Zeus and the Carberp Trojans.
For instance, Zberp uses an “invisible persistence” feature that is has been used by the Zeus VM variant: the malware deletes its persistence key from the registry during the Windows startup process to prevent security solutions from detecting it during normal system scans that take place after the system boots. To ensure persistency, the malware rewrites the persistence key back to the registry during system shutdown.
The trojan also disguises the configuration code in an image file through steganography, a technique used by malware authors to embed code in a file format that looks legitimate and bypasses malware detection solutions.
And, it uses SSL to secure communications with the command and control server and evade detection by network security products.