UPDATE–Researchers have discovered a hybrid Trojan that combines elements of two of the more notorious crimeware strains of the last few years: Zeus and Carberp. It’s not uncommon for malware writers to borrow bits and pieces of code from one another, but Zeus and Carberp were once exclusively private tools. The source code for each Trojan has since been leaked, and enterprising malware authors have blended the two together to form what researchers are calling Zberp.

The Zeus source code was leaked four years ago, and at the time, researchers worried that putting the source code in the hands of the masses would lead to many new variants of the Trojan and waves of new attacks. Some of that did come to pass: malware authors have cobbled together mobile versions of Zeus, and the Trojan continues to be a major problem for victims to this day.

Carberp’s source code leak was more recent, with the files showing up in public in June 2013. The Trojan originally was a private tool used by a group of attackers in Russia and later was sold to outside customers for as much as $40,000. Like Zeus, Carberp has the ability to hide from antimalware applications in various ways, steal sensitive data from infected machines and download new data from command-and-control servers.

The Zberp Trojan, identified by the Trusteer team at IBM, combines some of the features of both Zeus and Carberp and has some interesting capabilities to evade security software. Zberp has a feature that writes a registry key to maintain persistence on infected machines: it erases that key at startup each time and then rewrites it during shutdown. The function is designed to avoid detection by security software that performs startup scans, which would find no autorun entry while the machine is running.
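Because the autorun value is absent for the whole time the machine is up, a scanner that only enumerates Run keys at boot never sees it. What a defender can see is the pattern of events: the same Run value deleted right after boot and re-created right before shutdown, boot cycle after boot cycle. The following detector, written for this article as an illustration and not code from Trusteer or from Zberp itself, applies that logic to a constructed timeline of registry and power events. The log format (`timestamp|event|key|process`), the event names, the 60-second windows and the `updsvc` sample entry are all assumptions chosen for the example; a real deployment would feed it Sysmon registry events and system boot/shutdown events instead.

```python
"""Flag autorun registry values that are deleted at boot and re-created at shutdown.

A startup scan sees a clean Run key; correlating delete/set events across
power cycles does not. Sample data below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Autorun locations a startup scanner would enumerate (assumption: Run/RunOnce only).
AUTORUN_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Registry paths are case-insensitive on Windows, so compare in lower case.
_PREFIXES_LC = tuple(p.lower() for p in AUTORUN_PREFIXES)

# Constructed timeline: two power cycles, one benign Run entry (OneDrive) and one
# entry that follows the delete-at-boot / set-at-shutdown pattern (updsvc).
SAMPLE_LOG = r"""
2014-05-27T08:00:00|boot||
2014-05-27T08:00:05|reg_delete|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updsvc|C:\Users\bob\AppData\Roaming\updsvc.exe
2014-05-27T09:15:00|reg_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe
2014-05-27T17:59:50|reg_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updsvc|C:\Users\bob\AppData\Roaming\updsvc.exe
2014-05-27T18:00:00|shutdown||
2014-05-28T08:00:00|boot||
2014-05-28T08:00:04|reg_delete|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updsvc|C:\Users\bob\AppData\Roaming\updsvc.exe
2014-05-28T17:59:55|reg_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updsvc|C:\Users\bob\AppData\Roaming\updsvc.exe
2014-05-28T18:00:00|shutdown||
""".strip()


def parse_events(text):
    """Parse 'ts|event|key|process' lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, key, process = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "key": key, "process": process})
    return events


def split_cycles(events):
    """Group registry events into power cycles delimited by boot/shutdown markers."""
    cycles, current = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "boot":
            current = {"boot": ev["ts"], "shutdown": None, "reg": []}
            cycles.append(current)
        elif ev["event"] == "shutdown":
            if current is not None:
                current["shutdown"] = ev["ts"]
        elif current is not None:
            current["reg"].append(ev)
    return cycles


def find_shutdown_persistence(events, window=timedelta(seconds=60), min_cycles=2):
    """Return {key: {"process": path, "cycles": n}} for autorun values that were
    deleted within `window` of boot AND re-created within `window` of shutdown
    in at least `min_cycles` complete power cycles."""
    hits = defaultdict(lambda: {"process": None, "cycles": 0})
    for cyc in split_cycles(events):
        if cyc["shutdown"] is None:        # incomplete cycle (crash/forced reboot): skip
            continue
        deleted_early, set_late = set(), {}
        for ev in cyc["reg"]:
            if not ev["key"].lower().startswith(_PREFIXES_LC):
                continue
            if ev["event"] == "reg_delete" and ev["ts"] - cyc["boot"] <= window:
                deleted_early.add(ev["key"])
            elif ev["event"] == "reg_set" and cyc["shutdown"] - ev["ts"] <= window:
                set_late[ev["key"]] = ev["process"]
        for key in deleted_early & set(set_late):
            hits[key]["cycles"] += 1
            hits[key]["process"] = set_late[key]
    return {k: v for k, v in hits.items() if v["cycles"] >= min_cycles}


if __name__ == "__main__":
    for key, info in find_shutdown_persistence(parse_events(SAMPLE_LOG)).items():
        print(f"suspicious autorun: {key} -> {info['process']} ({info['cycles']} cycles)")
```

The `min_cycles` threshold is there because a single delete/set pair can be produced legitimately by an installer or updater; the same value being torn down at every boot and put back at every shutdown is what distinguishes the evasion. Requiring a completed cycle also reflects the trade-off the technique forces on the malware: if the machine crashes, no shutdown write happens and the entry is simply gone.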

“The new Zberp Trojan, a variant of the Zeus VM Trojan, enables cyber criminals to grab basic information about the infected computer, including the Computer name, IP and more. It can take screen shots and send them to the attacker. It steals data submitted in HTTP forms, user SSL certificates and even FTP and POP account credentials. The Zberp Trojan also includes optional features that enable Web injections, dynamic Web injections, MITB/MITM attacks and VNC/RDP connections,” the Trusteer analysis says.

“The Carberp source code contribution to the Zberp Trojan can be seen in its “hooking” technique, commonly used by malware developers to control the browser, grab key strokes and steal information. It also keeps the malware “invisible,” evading detection by anti-virus and anti-malware tools.”

Although this variant containing pieces of the Zeus and Carberp code may be new, other researchers say that this phenomenon is not.

“In my opinion the code that Trusteer calls a new malware and even dubs with a new name is nothing but a slight modification of KiNS/ZeuSVM. As parts of this code are already available to anyone who would go looking for it, giving a new name to each modification would end up in a naming nightmare,” said Peter Kruse of CSIS in Denmark.

Zberp also adopts a technique that some newer pieces of malware have been using: running its communications with its C&C servers over SSL. Like the registry key deletion technique, using SSL to communicate is meant to help the malware avoid detection, in this case by hiding the C&C traffic from network inspection that only looks at plaintext.

This article was updated on May 28 to add the comments from Kruse.

Categories: Malware, Web Security

Comments (3)

  1. Soufiane Tahiri

    “it will erase that key at startup each time and then rewrite it during shutdown” This is clever!!! But it must be much more complicated since the persistence will be lost if the machine just crashes or a forced reboot is performed.

  2. Eric

    So if it rewrites the reg key at shutdown, then AV vendors need to start thinking the opposite of startup scans: shutdown scans as a new feature???

    At least this makes sense to a point.

  3. Anonymous

    How does it evade detection by anti-tools when it is running for the first time on a new machine?
