With ZeuS drawing the industry’s attention in recent days, a new piece of spyware has quietly but successfully entered the cybercrime scene. CARBERP, as indicated in initial reports, is a new Trojan family that might have been created to challenge the already dominant ZeuS.
TROJ_CARBERP.A uses an ingenious technique to avoid detection. The malware deliberately drops a copy of itself and its component files into directories that do not require administrator privileges, thereby sidestepping the User Account Control (UAC) of Windows 7 and Vista. As a result, its routines run on these newer Windows versions without triggering a UAC prompt. More specifically, it drops files into the Startup and Application Data folders and neither creates nor modifies registry entries. Since files dropped in the Startup folder can easily be spotted even by novice users, CARBERP hooks two APIs to hide itself, its thread inside Explorer.exe, and its component files.
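As an added example (not code from the original post or from Trend Micro), the following Python script enumerates the per-user Startup and Application Data folders, which CARBERP uses for persistence without touching the registry, and reports every file that carries a PE (MZ) header regardless of its extension. It assumes the Windows 7/Vista folder layout under %APPDATA%, and that the hiding hooks are confined to Explorer.exe so that a separate scanning process still sees the files; the sample folder it builds is constructed test data, not a real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}

def user_autostart_dirs() -> list[Path]:
    """Per-user Startup and Application Data folders (Windows 7 / Vista layout),
    derived from %APPDATA%; empty when the variable is absent (non-Windows)."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return []
    base = Path(appdata)
    return [base / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup", base]

def is_pe_file(path: Path) -> bool:
    """True if the file begins with the DOS 'MZ' header, whatever its extension."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def scan_autostart(dirs) -> list[dict[str, object]]:
    """Report every PE file sitting directly in the given folders (no recursion:
    the post describes drops into the folders themselves). A PE file wearing a
    data-looking extension is flagged as masquerading."""
    findings = []
    for root in (Path(d) for d in dirs):
        if not root.is_dir():
            continue
        for path in sorted(root.iterdir()):
            if path.is_file() and is_pe_file(path):
                findings.append({
                    "path": str(path),
                    "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                    "masquerading": path.suffix.lower() not in EXEC_EXTS,
                })
    return findings

def build_constructed_sample() -> Path:
    """Constructed fixture, not a real sample: a Startup-like folder holding an
    MZ-headed file with a data extension, a text file and a plain .exe."""
    startup = Path(tempfile.mkdtemp(prefix="autostart-")) / "Startup"
    startup.mkdir()
    (startup / "updater.dat").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (startup / "readme.txt").write_text("harmless notes")
    (startup / "sync.exe").write_bytes(b"MZ" + b"\x00" * 30)
    return startup
```

On a live system call `scan_autostart(user_autostart_dirs())`; a PE file that is newly present in either folder, or that carries a non-executable extension, is the finding worth triaging.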
Apart from its stealth tactics, the real danger that CARBERP poses is that it hooks network APIs in WININET.DLL to monitor browsing activity on the affected system. Furthermore, it contacts its C&C server to download a configuration file (if one is available), send a list of processes running on the affected system, and receive arbitrary commands. These capabilities could enable the cybercriminals behind this malware to steal virtually any information they want.
As of this writing, CARBERP attempts to connect to websites that are no longer accessible and therefore fails to perform its intended routine. Trend Micro will continue monitoring this emerging malware family, and we will post updates as we obtain more information.
Also see: New threat set to dethrone Zeus