Zberp Banking Trojan: A Hybrid of Carberp and Zeus


It’s official: Zeus and Carberp have gotten hitched and hybridized. Malware authors have combined source code from the two financial Trojans to produce Zberp, a new variant that targets a reported 450 banking institutions around the world.

Zeus + Carberp = Zberp

For those unfamiliar, Zeus is one of the most capable and widely used families of banking malware around. Most notably, Zeus can perform man-in-the-middle attacks from inside the browser, automatically intercepting online banking credentials as they pass between a customer and their bank during an online session. Since Zeus’ source code was leaked on a hacker forum in 2011, the malware has become extremely widespread and has morphed into numerous forms. Carberp is another financial malware family, at one time so advanced and feature-rich that it sold for $40,000 per license in underground marketplaces. One year ago, Carberp’s code was also leaked, leading to an increase in its reach as well.

Zberp is a hybrid of Zeus and Carberp, created by someone with access to both code bases. Like its parents, Zberp is designed to steal money from people who bank online. Unlike its parents, Zberp is new: there are as yet few signatures for it, so antivirus products that rely on signature-based detection alone tend to miss it.

Zberp’s Zeus Inheritance

Zberp is a highly capable piece of malware. From Zeus, it inherits the ability to steal information transmitted between users and a reported 450 financial institutions around the world. Accordingly, Zberp can:

  • gather IP addresses and computer names
  • take screenshots and upload them to a remote server
  • steal data entered by a user into a web form (HTTP POST data), steal a user’s SSL client certificates, and steal FTP and POP3 credentials
  • perform malicious web injections (altering bank web pages inside the browser)
  • carry out man-in-the-middle attacks
  • initiate a remote desktop session over the VNC or RDP protocol, giving attackers direct access to the infected PC

Additionally, Zberp has what is called “invisible persistence.” Zberp deletes its own autostart registry key shortly after Windows has started and writes it back when it detects that Windows is shutting down. As a result, the autostart entry is absent for as long as the machine is running, which is exactly when antivirus software and startup-item checks look for it. This is an evasion technique meant to sneak past scanners that inspect autostart locations during or after system boot.
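The practical consequence of that trick is that a Run-key audit of a live machine (for example, listing the values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run) comes back clean. What does catch it is registry event telemetry: a Run value that is deleted within moments of boot and re-set within moments of shutdown is a toggle pattern no legitimate program has a reason to produce. The script below is an added example written for this article, not code from the original page or from IBM’s report. It replays constructed Sysmon-style registry events (Event ID 12 for deletes, 13 for value sets) together with boot and shutdown markers, shows that a point-in-time snapshot mid-session misses the entry, and flags the boot/shutdown toggle. The SID, file paths, timestamps and value name are all made up for the example.

```python
"""Added example: spotting 'invisible persistence' from registry event telemetry.

The evasion described above removes an autostart (Run) value shortly after boot
and restores it at shutdown, so a live Run-key audit sees nothing. Here we
reconstruct Run-key state from Sysmon-style registry events (ID 12 = delete,
ID 13 = value set) plus boot/shutdown markers and flag the toggle pattern.
All events, paths and the SID below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Substring that identifies a value directly under a (per-user or machine) Run key.
RUN_KEY_MARKER = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"


@dataclass
class Event:
    ts: datetime
    kind: str          # "boot", "shutdown", "reg_set" (Sysmon 13), "reg_delete" (Sysmon 12)
    target: str = ""   # registry path for reg_* events, empty for boot/shutdown markers
    image: str = ""    # process that made the registry change


def is_run_value(target: str) -> bool:
    """True when the registry path is a value under a Run key."""
    return RUN_KEY_MARKER.lower() in target.lower()


def run_key_state(events, at: datetime) -> dict:
    """Replay registry events up to `at` and return the Run values present then.

    This is what a point-in-time audit of the live registry would see."""
    state = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.ts > at or not is_run_value(e.target):
            continue
        if e.kind == "reg_set":
            state[e.target] = e.image
        elif e.kind == "reg_delete":
            state.pop(e.target, None)
    return state


def find_boot_shutdown_toggles(events, window=timedelta(seconds=120)):
    """Flag Run values deleted within `window` of a boot marker and re-set
    within `window` of a shutdown marker: the delete-at-boot/restore-at-shutdown
    pattern. Returns one finding per restoring write."""
    boots = [e.ts for e in events if e.kind == "boot"]
    downs = [e.ts for e in events if e.kind == "shutdown"]

    def near(ts, marks):
        return any(abs(ts - m) <= window for m in marks)

    deleted_at_boot = {e.target for e in events
                       if e.kind == "reg_delete" and is_run_value(e.target) and near(e.ts, boots)}
    findings = []
    for e in events:
        if e.kind == "reg_set" and e.target in deleted_at_boot and near(e.ts, downs):
            findings.append({"value": e.target, "image": e.image, "restored_at": e.ts})
    return findings


# ---- constructed sample telemetry (not real data) ----
def T(h, m, s=0):
    return datetime(2014, 5, 27, h, m, s)

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"            # made-up SID
MAL_VALUE = "HKU\\" + SID + RUN_KEY_MARKER + "update"            # hypothetical malware value
BENIGN_VALUE = "HKU\\" + SID + RUN_KEY_MARKER + "OneDrive"       # ordinary autostart entry
MAL_IMAGE = "C:\\Users\\bob\\AppData\\Roaming\\wupdate.exe"      # hypothetical dropper path

SAMPLE_EVENTS = [
    Event(T(8, 0, 0), "boot"),
    Event(T(8, 0, 41), "reg_delete", MAL_VALUE, MAL_IMAGE),         # entry removed right after boot
    Event(T(12, 15, 0), "reg_set", BENIGN_VALUE,
          "C:\\Program Files\\OneDrive\\OneDrive.exe"),             # normal mid-session write
    Event(T(17, 30, 2), "shutdown"),
    Event(T(17, 30, 3), "reg_set", MAL_VALUE, MAL_IMAGE),           # entry restored as the session ends
]

if __name__ == "__main__":
    print("Run key at 12:30 (live audit view):", run_key_state(SAMPLE_EVENTS, T(12, 30)))
    for f in find_boot_shutdown_toggles(SAMPLE_EVENTS):
        print("TOGGLE PATTERN:", f["value"], "restored by", f["image"], "at", f["restored_at"])
```

The mid-session snapshot contains only the OneDrive entry, while the toggle check reports the hypothetical `update` value. The 120-second window is a tuning knob: widen it if your boot marker is the event-log start (which can lag the actual malware activity), and pair the rule with a second one that flags any Run-value write from a process living under a user profile directory.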

Zberp also uses steganography to receive configuration updates surreptitiously. Steganography hides data inside a file that looks harmless, typically an image, so that the download draws no attention. In Zberp’s case, the configuration data travels hidden inside an image of the Apple logo.

Zberp’s Carberp Inheritance

Zberp’s authors have borrowed significantly less from Carberp, yet what they have borrowed is not insignificant. According to initial reports, Zberp uses a modified version of Carberp’s “hooking” technique. In practice, hooking means placing the malware’s own code in the path of functions the browser calls, so that the malware can read or alter web traffic inside the browser and hijack the session to steal information. Because the code responsible for Zberp’s hooking differs from Carberp’s, many antivirus products that recognize Carberp alone will fail to detect it.

Protecting Yourself from Zberp

Much of what makes Zberp powerful is that it is designed to evade signature-based malware scanners. This is precisely why Emsisoft Anti-Malware includes an additional layer of protection, called Behavior Blocking, which identifies malicious behavior itself rather than matching specific signatures. To learn more about Behavior Blocking, see our Security Knowledge article, Efficient protection against new malware: Emsisoft’s Behavior Blocker.

In addition, it is crucial to realize that Zberp can only wreak havoc once it has infected your PC. For that to happen, the Trojan has to reach your computer somehow. This can happen in any number of ways, but two of the most common are targeted emails that contain malicious links or malicious attachments.

In the case of a link, clicking it would take you to a “drive-by” download website, which installs Zberp in the background while appearing to do something else. In the case of an attachment, the same trick is used: you open an executable that installs Zberp while pretending to be, and do, something else. In both scenarios, the single greatest method of prevention is caution.

As an extra measure, you can also consider Emsisoft’s three-layered approach to malware prevention, which combines Surf Protection, File Guard and the Behavior Blocker into award-winning anti-malware technology.

Have a Great (Zberp-Free) Day!


More on Zberp

Zberp was discovered by researchers from IBM Security. A full technical report on this new malware can be found on their Security Intelligence blog.