While ZeuS draws the industry's attention, a new spyware family has quietly but successfully entered the cybercrime scene. CARBERP, as indicated in initial reports, is a new Trojan family that may have been created to challenge the already dominant ZeuS.
TROJ_CARBERP.A uses an ingenious technique to avoid detection. The malware deliberately drops a copy of itself and its component files into directories that do not require administrator privileges, so the User Account Control (UAC) feature of Windows 7 and Vista never prompts for elevation; as a result, its routines go unnoticed on these newer Windows versions. More specifically, it drops files into the Startup and Application Data folders but neither creates nor modifies registry entries. Since files dropped into the Startup folder can easily be spotted even by novice users, CARBERP hooks two APIs to hide itself, its thread in Explorer.exe, and its component files.
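Because this persistence method lives entirely in per-user folders rather than the registry, a cheap defender-side check is a file-system sweep of the Startup and Application Data folders for executable content. The following Python script is an added example written for this post, not code from Trend Micro or from the malware; it builds a constructed, throwaway profile tree that mirrors the default Windows 7/Vista folder layout (an assumption) and reports any executable that is not on a baseline allowlist. Since the malware hooks APIs to hide its files from Explorer, such a sweep is most trustworthy when run from a clean process or an offline rescue environment.

```python
"""Audit per-user auto-start locations for unexpected executables.

Added example: sweeps the Startup folder and Application Data for
executable files that are not on a known-good baseline. The folder
names assume a default Windows 7/Vista profile layout.
"""
import tempfile
from pathlib import Path

# File types that can execute (or launch something) from the Startup folder.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif",
                       ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Constructed baseline for the demo; a real deployment would build this
# from a known-clean image of the same profile.
KNOWN_GOOD = {"sidebar.lnk"}


def user_autostart_dirs(profile_root):
    """Return the Startup and Application Data paths under a profile root."""
    root = Path(profile_root)
    roaming = root / "AppData" / "Roaming"
    return {
        "startup": roaming / "Microsoft" / "Windows" / "Start Menu"
                   / "Programs" / "Startup",
        "appdata": roaming,
    }


def suspicious_files(directory, known_good=KNOWN_GOOD):
    """Recursively list executable files under `directory` not in the baseline."""
    directory = Path(directory)
    if not directory.is_dir():
        return []
    hits = [p for p in directory.rglob("*")
            if p.is_file()
            and p.suffix.lower() in EXECUTABLE_SUFFIXES
            and p.name.lower() not in known_good]
    return sorted(hits)


def audit_profile(profile_root):
    """Report suspicious files, bucketed by whether they sit in Startup."""
    dirs = user_autostart_dirs(profile_root)
    report = {"startup": [], "appdata": []}
    for path in suspicious_files(dirs["appdata"]):
        bucket = "startup" if dirs["startup"] in path.parents else "appdata"
        report[bucket].append(path.relative_to(profile_root).as_posix())
    return report


def build_demo_profile():
    """Construct a temporary profile with one allowlisted and two suspicious files."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    dirs = user_autostart_dirs(root)
    dirs["startup"].mkdir(parents=True)
    (dirs["startup"] / "sidebar.lnk").write_bytes(b"L\x00\x00\x00")   # constructed, allowlisted
    (dirs["startup"] / "updater.exe").write_bytes(b"MZ constructed")  # constructed, flagged
    (dirs["appdata"] / "svc").mkdir()
    (dirs["appdata"] / "svc" / "helper.dll").write_bytes(b"MZ constructed")  # constructed, flagged
    (dirs["appdata"] / "notes.txt").write_text("harmless")            # constructed, ignored
    return root


if __name__ == "__main__":
    demo_root = build_demo_profile()
    for bucket, files in audit_profile(demo_root).items():
        print(f"{bucket}: {files}")
```

Point `audit_profile` at a real profile root (for example a mounted user directory from a rescue environment) to run it against a live system; the demo tree exists only so the script runs offline.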
Apart from its stealth tactics, the real danger CARBERP brings is that it hooks network APIs in WININET.DLL to monitor browsing activity on the affected system. Furthermore, it contacts its C&C server to download a possible configuration file, to send a list of the processes running on the affected system, and to receive arbitrary commands. These capabilities can enable the cybercriminals behind this malware to steal virtually any information they wish to get their hands on.
As of this writing, the websites CARBERP tries to connect to are already inaccessible, so the malware fails to complete its intended routine. TrendLabs engineers will continue monitoring this emerging malware family and will post updates as more information is obtained.
Trend Micro protects product users from this attack via the Trend Micro™ Smart Protection Network™, which detects and blocks the Trojan from running on affected systems.