Quick update to Carberp

Thanks for all the responses to the in-depth report about Carberp. Wow. We didn’t anticipate such a huge response…

Because Carberp has developed quite heavily over the last couple of months, and because there are many different Carberp versions out there, I just wanted to quickly give you an update on our research and answers to many of the questions we got (which we thought might be interesting for you as well):

  • The Browser Hooking also works for Firefox in various versions (!). We haven’t seen it working for Chrome yet.
  • Carberp was originally malware that was used to distribute other malware. Earlier samples in particular will download additional malware as well.
  • Carberp also has a configuration file system where it can inject arbitrary HTML into any website. This is similar to the configuration file of Zeus, and while they can inject anything, we have mostly seen injection of JavaScript that dynamically sends information to a server.
    • Similarly to Zeus, where the receiving server is an addon to the “normal” C&C Zeus server, Carberp will send the information to a different server than the C&C server.
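
A defender-side check for the injection described above, as an added example that is not part of the original post: it compares the HTML a site served with the HTML observed in the browser and lists the hosts referenced by scripts that exist only in the observed copy. The function names, the allowlist and the `bank.example` / `collector.invalid` hosts are assumptions constructed for illustration.

```javascript
// Added example. All hosts and HTML below are constructed sample data.
const ALLOWED_HOSTS = new Set(["bank.example", "static.bank.example"]);

// Constructed sample: the page as the site served it ...
const SERVED = `<html><body><form action="/login"></form>
<script src="https://static.bank.example/app.js"></script></body></html>`;
// ... and as observed in the browser, with one extra inline script.
const RENDERED = `<html><body><form action="/login"></form>
<script src="https://static.bank.example/app.js"></script>
<script>var endpoint="https://collector.invalid/gate";</script></body></html>`;

// Return every <script> element as { src, body }.
function extractScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const out = [];
  for (const m of html.matchAll(re)) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    out.push({ src: src ? src[1] : null, body: m[2].trim() });
  }
  return out;
}

// Hosts named by absolute or protocol-relative URLs inside a string.
function hostsIn(text) {
  const hosts = new Set();
  for (const m of text.matchAll(/(?:https?:)?\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

// Scripts present only in the rendered page, with any hosts they reference
// that are not on the site's allowlist.
function findInjectedScripts(servedHtml, renderedHtml) {
  const key = (s) => `${s.src || ""}\n${s.body}`;
  const known = new Set(extractScripts(servedHtml).map(key));
  return extractScripts(renderedHtml)
    .filter((s) => !known.has(key(s)))
    .map((s) => ({
      src: s.src,
      foreignHosts: hostsIn(`${s.src || ""} ${s.body}`)
        .filter((h) => !ALLOWED_HOSTS.has(h)),
    }));
}

console.log(findInjectedScripts(SERVED, RENDERED));
```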

We’ll keep an eye on this as this trojan develops (and there is no doubt that it will).

3 thoughts on “Quick update to Carberp”

  1. “We haven’t seen it working for Chrome yet.”

    Carberp is working for Chrome, IE, Opera…. Carberp isn’t new this month, Carberp has been operating since January of this year… it recently had an update with modules of stopav and miniav and another update for the list of grabber, but this trojan has been in the wild since January.
