What @Gartner_inc and @Forrester are saying about @IBM acquisition of CrossIdeas - http://t.co/eNk2ObGlZH #ibmsecurity
RT @CarinaKordan: What Are the Best Network Forensics and Data Capture Tools? - cool stuff https://t.co/QJk8m9w0gc
RT @fcarson: Security Is Not a Technology Problem but a Process and People Problem - http://t.co/ZYLH8oN78U via @ibmsecurity #IBM http://t…
Call for Speakers OPEN: Tell your story at all new #IBMInterConnect - #ibmPulse #ibmImpact #ibmInnovate, all in one! http://t.co/nLSsvVs15H
#FinCEN Proposes Changes to Anti-Money-Laundering Requirements - http://t.co/xl9AAXY3rA http://t.co/I7L8oTw7g4
Trusteer researchers recently discovered what is being called the Zberp Trojan, targeting more than 450 financial institutions around the world.

Meet the Zberp Trojan


A New Trojan in Town: Meet Zberp

Trusteer researchers recently discovered a new Trojan that has been targeting more than 450 financial institutions around the world, mainly in the U.S., U.K. and Australia. The new Trojan, which seems to be a variant of the well-known Zeus Trojan (a.k.a. Zbot), also demonstrates behaviors associated with the Carberp Trojan family. Therefore, we named it the Zberp Trojan.

According to an analysis conducted by Trusteer researchers Martin G. Korman and Tal Darsan, the Trojan seems to have been assembled from the leaked source code of two well-known Trojans: Zeus and Carberp. The Zeus source code was exposed to the public in 2011, and it is already used by some criminal groups that customize its behavior and develop new features. The Carberp source code was offered for sale last year.

“Since the source code of the Carberp Trojan was leaked to the public, we had a theory that it won’t take cyber criminals too long to combine the Carberp source code with the Zeus code and create an evil monster,” explained Korman and Darsan. “It was only a theory, but a few weeks ago we found samples of the ‘Andromeda’ botnet that were downloading the hybrid beast.”

The new Zberp Trojan, a variant of the Zeus VM Trojan, enables cyber criminals to grab basic information about the infected computer, including the Computer name, IP and more. It can take screen shots and send them to the attacker. It steals data submitted in HTTP forms, user SSL certificates and even FTP and POP account credentials. The Zberp Trojan also includes optional features that enable Web injections, dynamic Web injections, MITB/MITM attacks and VNC/RDP connections.

Winning the War on Cybercrime: Keys to Holistic Fraud Prevention

In addition to its malicious capabilities, the Zberp Trojan uses a combination of evasion techniques that it inherited from both the Zeus and the Carberp Trojans.

Zberp uses an “invisible persistence” feature that is has been used by the Zeus VM variant: the malware deletes its persistence key from the registry during the Windows startup process to prevent security solutions from detecting it during normal system scans that take place after the system boots. To ensure persistency, however, the malware rewrites the persistence key back to the registry during system shutdown.

The Trojan also disguises the configuration code in an image file through steganography, a technique used by malware authors to embed code in a file format that looks legitimate and bypasses malware detection solutions.

The header of the configuration image

Figure 1: The header of the configuration image

 

The configuration is disguised in an

Figure 2: The configuration is disguised in an “Apple” image

 

the base64 encoded configuration hidden within the image

Figure 3: The base64 encoded configuration hidden within the image

 

The Carberp source code contribution to the Zberp Trojan can be seen in its “hooking” technique, commonly used by malware developers to control the browser, grab key strokes and steal information. It also keeps the malware “invisible,” evading detection by anti-virus and anti-malware tools.

The figure below shows that the hook is implemented in the same place, but its implementation is slightly different: The push instruction highlighted in the Carberp code (on the left) was changed by one byte in the Zberp code (on the right), and a ‘mov’ instruction was added to it. These changes ensure that even security solutions capable of detecting Carberp variants will not identify the new code.

the base64 encoded configuration hidden within the image

Figure 4: Comparison between Carberp and Zberp hooks

Another evasion technique that has been embedded in the Zberp Trojan is the use of SSL, which secures the communications with the Command and Control server and evades detection by network security products.

According to a Virus-Total scan, the Zberp Trojan was able to evade most anti-virus solutions when it was first detected. Trusteer’s endpoint protection solutions, which do not require prior knowledge about emerging threats in order to stop them, detected and removed the Zberp Trojan immediately — on ‘day zero.’

How Trusteer Customers Are Protected
Trusteer Customers Are Protected

Trusteer Customers Are Protected!

Trusteer, an IBM company, is the leading provider of endpoint cyber crime prevention. Trusteer solutions combine multi-layer defenses with real-time threat intelligence to achieve sustainable protection against malware and targeted attacks.

Preventing Enterprise Breach

Trusteer Apex protects enterprise endpoints by preventing infections via the exploitation of vulnerabilities in endpoint applications. In addition, it detects, mitigates and removes Zberp (and other Zeus variants) from infected user devices. No product update is needed.

Preventing Online Financial Fraud

Trusteer Rapport protects customer endpoints by detecting, mitigating and removing Zberp (and other Zeus variants) from infected devices. No product update is needed.

Trusteer Pinpoint Malware Detection can identify and warn organizations of malware-infected devices that attempt to log in and transact with their website. No product update is needed.

Topics: , , , , , , , ,

Related News

3 comments
boomer-1980
boomer-1980

How can we see the results of the virus total scan?

boomer-1980
boomer-1980

How can one view the results of the VirusTotal scan?