Carberp: Quietly replacing Zeus as the financial malware of choice

Zeus ushered in a new era of malware, but it's slowly losing its effectiveness. Don't celebrate just yet; Zeus's heir apparent, Carberp is ready to take over.

Financial malware like Zeus provide a significant ROI for the bad guys. Just ask fellow IT security writer Brian Krebs, who tirelessly reports on how much damage ZeuS has caused. I even added my two cents about Zeus and its successes.

What is financial malware?

Automated Clearing House (ACH) transactions and Electronic Fund Transfers (EFT) are the main focus of financial malware. The malcode tries to steal login and accounting information, allowing it to transfer the victim's money to bank accounts of the attacker's choice through the use of EFT.

Security experts focused on financial malware explain there are two types of attacks.

General attacks: This class of malware is designed to steal user-login information for any SSL session, not just banking sites. For example, attackers also gather credentials for web-based email and social-network sites like Facebook, using the following steps:

  1. The user browses to the web site's login page.
  2. The user next inserts the appropriate login information and hits enter.
  3. The financial malware intercepts the login POST request, obtaining the login username and password before it's encrypted.
  4. The malware sends the stolen information back to the attacker's command and control server, usually over HTTP.
  5. The user, none the wiser, is then logged into the account.
  6. The attacker then can gain access to the account and transfer money at will.
  7. General attacks are used against financial institutions that do not use multi-factor authentication.

Targeted attack: This type of attack made Zeus famous. The attacker builds configurations files for specific online-financial institutions. These files are used to instigate what is called a Man-in-the-Browser (MitB) attack, a method where the configuration file delivers a fake web page to the web browser. Here are the steps:

  1. The victim enters the URL for the bank's web site.
  2. The bank's web server attempts to download the login web page.
  3. At the same time, the malcode is checking its configuration files for a matching URL. If it's found, the attacker's replica web page is injected.
  4. The victim then enters the appropriate login credentials, which are sent to the attacker's command and control server.

If sophisticated enough, the targeted attack could also manipulate the victim's transactions, sending money to one of the attacker's bank accounts.

Enter Carberp

As I alluded to earlier, bad guys know any public exposure is not in their best interest. So, with Zeus becoming a household word and the recent arrests, they know it's time to move on. Meet Carberp, a relatively unknown financial malware. Where do they get these names?

Carberp has the capacity to use both general and targeted attacks. It also has new capabilities, making it deadlier than Zeus. The following are some of the new features found in Carberp:

  • Carberp does not require admin rights to run; it resides in memory.
  • It's capable of infecting Windows XP, Windows Vista, and Windows 7.
  • It's designed to control all Internet traffic, including HTTPS using EV-SSL.
  • Stolen data is transmitted to command and control servers before it's sent to the financial web site. That negates any advantage of using one-time passwords.

It's scary, knowing Carberp can run without admin rights. It also means Carberp must reactivate itself after a system restart. It accomplishes this by copying the required process to the startup section of the currently logged-in user.

Normally, that would make a file easy to find. But, Carberp's executable chkntfs.exe is hidden. It can't be found with Windows Explorer or by using the command line.

Thankfully, the way Carberp hides is also its Achilles Heel (I'll explain later).

Carberp removes other malware

At first, I thought malware designed to disable antivirus applications and other malcode was the malware author's ego kicking in. But, in the case of financial malware, there is a valid reason.

Targets of financial malware likely interest more than one attacker. If the login information is used by multiple criminals, it would become obvious to the victim and bank that something was amiss. Besides, criminals don't like other criminals stealing from them.

Protective measures

As for Carberp's Achilles Heel, applications like WinPatrol and Process Explorer should indicate the presence of a foreign hidden process. I have asked Bill Pytlovany, the developer of WinPatrol for suggestions on what we should pay attention to.

A common thread with all financial malware is the copying of the victim's username and password. I do not have enough details about Carberp to explicitly say that an anti-keylogger program will help. But, it seems logical that anti-keylogger applications would be useful against the general attack format.

My anti-keylogger program of choice is KeyScrambler. I consider it valuable insurance against financial malware and other keylogging attacks. I also have asked QFX Software for their opinion on whether KeyScrambler defeats financial malware.

Finally, as of this writing, financial malware's targeted attacks are only successful against Internet Explorer and FireFox. Chrome so far is impervious to targeted attack, because Carberp uses web-browser hooking.

Final thoughts

Financial malware like Carberp isn't going away. Its success assures us of that. Thankfully, we are not helpless. There are options, just make sure to take advantage of them.

I would be remiss if I did not give credit to for their comprehensive report about Carberp.


Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks