In the last blog post we discussed how the SpyEye trojan has evolved over time, illustrating some of its technical features and the encryption algorithm the trojan uses to decrypt its configuration file. Yesterday we uploaded a new technical video that shows how to unpack this new variant of SpyEye in just a few minutes with the help of a free debugger.
While SpyEye keeps spreading quickly after the SpyEye-ZeuS joint venture, we should also focus on another threat that is silently climbing the ranks of the infostealing trojan families.
Carberp quietly appeared in Q3/Q4 2010 (although some traces of its code could be found in the preceding months) and immediately showed great potential. It appears that the team behind this trojan has been very active as of late.
The trojan has a modular architecture, used to expand its features easily and quickly. All plugins downloaded from the C&C are encrypted with a custom encryption algorithm to evade classic antivirus scanners. Its features include a module able to disable a list of antivirus software and an antivirus-like module that removes other infostealing trojan families from the infected PC.
We have written an in-depth analysis of the Carberp trojan, illustrating all the technical features of the malware. The paper can be downloaded from the link below:
Carberp – A modular information stealing trojan

Posted on 04 March 2011. Tags: CARBERP, hits, Software, Zeus
The above information is reprinted from and copyrighted © by Prevx.