Carberp Trojan Continues Active and Undamaged, States Kaspersky

Kaspersky Labs recently disclosed that the banking Trojan namely Carberp continued to be largely active and was being used even after Russian authorities executed arrests, during the 4th-week of March 2012, of one gangsters' group, comprising 8 individuals, that allegedly utilized the malicious software's network-of-bots in the maximum number of login-theft incidences.

Actually, security researchers at Kaspersky found that just following the declaration by the Russian law-enforcement, a variously usable bank info-stealing bot was offered to interested buyers on a secret, illegitimate website.

Further, one associate program from amongst several that has the greatest role in Carberp's dissemination is traffbiz.ru, a site which's being touted as a connecter between masters of the Web and buyers of its traffic, however, the researchers state that cyber-criminals are the chief users of this site for distributing their wares.

Besides, one other Carberp distribution came to light which contaminated the radio-moswar.ru website that solely caters to MosWar an Internet game.

Kaspersky's investigators found that a page of radio-moswar.ru underwent modification so it could harbor a malevolent code that following many diversions onto freely-available URLs, placed the affected Web surfer on traffbiz.ru. Immediately one more code emerged which kicked off 2 other diversions linking up with 2 separate web-links.

The first web-link took onto PDF (CVE-2010-0188) and Java (CVE-2011-3544) attack codes, which pulled down and ran Trojan-Spy.Win32.Carberp.epm onto the affected end-user's computer. This Trojan linked up with the central C&C computer server after dispatching queries to 3 URLs that were registered recently, dated March 20th, 2012.

Also, the Carberp-related C&C server was currently functional as it instructed to get the malware pull down configuration files outlining the info it must steal and the technique for doing so. Thus, the Carberp assault tapped the Raiffeisen Bank and Citibank websites' content from the target PC along with web-pages, which utilized BSS-developed software, the firm that specialized in mechanized remote-banking tools.

In the meantime, the other web-link took onto the BlackHole attack kit that downloaded as also executed Trojan-Spy.Win32.Varberp.epl, a Carberp variant and Trojan-PSW.Win32.Agent.acne, a password-capturing malware.

Finally, Carberp further established link with one Germany-based central server, registered also recently, dated March 21st, 2012.

Related article: Corporate End Users Disdainful to IT Security

» SPAMfighter News - 4/3/2012