Carberp loading: New generation of financial malware on the rise

Carberp can persist undetected by anti-virus software on the infected machine using advanced stealth, anti-debugging, and rootkit techniques and is controlled from a central administrator control panel that allows the attacker to mine the stolen data, explained Mark Nicholls, lead security consultant with Context.

The malware uses multiple layers of obfuscation and encryption to remain hidden and prevent analysis. Once embedded and decrypted, the infection begins with malicious file dropping and process injection steps that provide a backdoor to the host under attack, Nicholls told Infosecurity.

Carberp is part of a botnet that can take full control over infected hosts, while its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks. Tatanga is another example of the more advanced financial malware typified by Carberp, he noted.

In a recent blog, Nicholls explained:

“Carberp exhibits similar functionality to that of Zeus and may be controlled from a central administrator control panel that provides statistics related to infections and allows the owner to control various hosts and mine the data that has been stolen. Carberp includes functionality for data theft and credential harvesting from an infected system and can also target user credentials for specific websites. Carberp is considered to be an information theft Trojan, but it also forms part of a botnet that offers full control over infected hosts. Although Carberp was originally designed for attacks motivated by financial gain; its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks.”

What distinguishes Carberp from Zeus is that Carberp can detect and remove other infections, such as Zeus, and has the ability to stop anti-virus products from working, Nicholls told Infosecurity. In addition, newer versions of Carberp use a third-party bootkit to infect the computer at a lower level than traditional financial malware and remain hidden on the system, he added. Carberp is also able to call on more advanced capabilities through dynamic-link library (DLL) loading.

“Carberp is one of the more advanced financial malware, which doesn’t have the same reach of Zeus”, Nicholls said. The malware was first discovered in 2010 in the Eastern European market, but Nicholls expects Carberp infections in the West to increase significantly in the coming year.
 
