Carberp: Quietly replacing Zeus as financial malware of choice

What is financial malware?
Automated Clearing House (ACH) transactions and Electronic Fund Transfers (EFT) are the main focus of financial malware. The malcode tries to steal login and accounting information, allowing it to transfer the victim’s money to bank accounts of the attacker’s choice through the use of EFT.

Security experts focused on financial malware explain that there are two types of attacks.

[Please read about the two types of financial malware attacks below before reading the full report on the making of Carberp (new financial malware). It will give you a better understanding of what financial malware is all about.]

General attacks: This class of malware is designed to steal user-login information for any SSL session, not just banking sites. For example, attackers also gather credentials for Web-based email and social-network sites like Facebook, using the following steps:

The user browses to the Web site’s login page.
The user next inserts the appropriate login information and hits enter.
The financial malware intercepts the login POST request, obtaining the login username and password before it’s encrypted.
The malware sends the stolen information back to the attacker’s command and control server, usually over HTTP.
The user, none the wiser, is then logged into the account.
The attacker can then gain access to the account and transfer money at will.

General attacks are used against financial institutions that do not use multi-factor authentication.

Targeted attack: This type of attack made Zeus famous. The attacker builds configuration files for specific online financial institutions. These files are used to instigate what is called a Man-in-the-Browser (MitB) attack, a method where the configuration file delivers a fake Web page to the Web browser. Here are the steps:

The victim enters the URL for the bank’s Web site.
The browser begins downloading the login Web page from the bank's Web server.
At the same time, the malcode is checking its configuration files for a matching URL. If it’s found, the attacker’s replica Web page is injected.
The victim then enters the appropriate login credentials, which are sent to the attacker’s command and control server.
If sophisticated enough, the targeted attack could also manipulate the victim’s transactions, sending money to one of the attacker’s bank accounts.
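One server-side check a bank can run against the targeted attack described above, as an added example that is not part of the original post or of any product: an injected replica page usually asks the victim for more data than the genuine page does (PIN, card number, one-time code), so a login or transfer POST that carries fields the real form never rendered, or lacks ones it always sends, is worth flagging. The endpoint paths, expected field sets, the list of sensitive extras and the sample POST bodies are all constructed for illustration.

```python
"""Flag login/transfer POSTs whose fields do not match the genuine form.

Added example (not from the original post). Paths, expected field sets,
the sensitive-extras list and the sample bodies are constructed.
"""
from urllib.parse import parse_qs

# Fields the genuine page actually renders, per endpoint (assumed values).
EXPECTED_FIELDS = {
    "/login": {"username", "password", "csrf_token"},
    "/transfer": {"from_account", "to_account", "amount", "csrf_token"},
}

# Fields an injected page typically adds to harvest extra data (illustrative).
SENSITIVE_EXTRAS = {"pin", "ssn", "card_number", "cvv", "mother_maiden_name", "otp"}


def analyze_post(path: str, body: str) -> dict:
    """Compare a submitted form body with the fields the real page renders.

    Returns a dict with:
      verdict:         "ok" | "suspicious" | "unknown_path"
      extra:           submitted fields the real page never had
      missing:         expected fields absent from the submission
      sensitive_extra: the subset of extras that look like harvested secrets
    """
    if path not in EXPECTED_FIELDS:
        return {"verdict": "unknown_path", "extra": set(), "missing": set(),
                "sensitive_extra": set()}

    # parse_qs keeps only field names we need; values are never logged here.
    submitted = set(parse_qs(body, keep_blank_values=True))
    expected = EXPECTED_FIELDS[path]
    extra = submitted - expected
    missing = expected - submitted

    # Any drift from the genuine form is suspicious; sensitive extras are the
    # strongest sign that a replica page is collecting data.
    suspicious = bool(extra) or bool(missing)
    return {
        "verdict": "suspicious" if suspicious else "ok",
        "extra": extra,
        "missing": missing,
        "sensitive_extra": extra & SENSITIVE_EXTRAS,
    }


# Constructed sample POST bodies (not captured traffic).
SAMPLES = [
    # Genuine login submission.
    ("/login", "username=alice&password=hunter2&csrf_token=abc123"),
    # Same login, but the injected page also prompted for PIN and card number.
    ("/login", "username=alice&password=hunter2&csrf_token=abc123"
               "&pin=4321&card_number=4111111111111111"),
    # Transfer with the CSRF token missing: the page may have been replaced.
    ("/transfer", "from_account=1&to_account=2&amount=500"),
]


def run_samples() -> list:
    """Analyze every constructed sample and return the findings in order."""
    return [analyze_post(path, body) for path, body in SAMPLES]


if __name__ == "__main__":
    for (path, _), result in zip(SAMPLES, run_samples()):
        print(path, result["verdict"],
              "extra:", sorted(result["extra"]),
              "missing:", sorted(result["missing"]))
```

The check only sees what reaches the server, so it catches injects that add or drop fields but not the general attack above, where the genuine form is grabbed unchanged before encryption; that is why the post's point about multi-factor authentication still stands. A finding should feed a step-up challenge or a fraud queue rather than a hard block, since a changed genuine page will trip it until EXPECTED_FIELDS is updated.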

Please read the report on Carberp for your own knowledge and safety.

