Context Information Security researchers warn financial malware threat is growing


Increasingly sophisticated financial malware such as the Carberp Trojan is becoming more and more difficult to detect and eliminate, warn researchers at Context Information Security. Designed to steal log-in and account information and harvest credentials for email and social-networking sites, Carberp, like its better-known predecessors Zeus and Spyeye, infects machines through malicious files such as PDFs and Excel documents or drive-by downloads.

In most cases Carberp will persist undetected by antivirus software on the infected machine using advanced stealth, anti-debugging and rootkit techniques and is controlled from a central administrator control panel that lets the attacker mine the stolen data. Carberp is also part of a botnet that can take full control over infected hosts, while its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks.

The malware uses multiple layers of obfuscation and encryption to remain hidden and prevent analysis. Once embedded and decrypted, the real infection begins with malicious file dropping and process injection steps that provide a backdoor to the host under attack.

Michael Jordon, research and development manager at Context, said, 'The advanced infection capabilities of Trojans such as Carberp require detailed knowledge of how they operate to detect and analyse attacks.

'While many banks are now using tools such as Rapport from Trusteer to mitigate the risk of financial malware by protecting web communication with customers and preventing the stealing of account credentials, we need to stay one step ahead or at least keep pace with the malware developers to reduce their impact.'

While there is a large body of knowledge around Zeus and Spyeye, the information security industry is still building up a detailed picture of newer Trojans such as Carberp. Context researchers are at the forefront of this work and have published a series of blogs to detail the workings of new-generation financial malware and provide advice on how to detect infection and mitigate the threats.

The latest blog, 'From Infection to Persistence', can be seen at: http://www.contextis.com/research/blog/malware2/
