Carberp - a modular information stealing trojan

Revision as of 21:48, 5 August 2015 by Eric.freyssinet


Botnet: Carberp
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
Date: 2011 / 28 February 2011
Editor/Conference: Prevx
Link: modular information stealing trojan.pdf (Archive copy)
Author: Marco Giuliani, Andrea Allievi


Nowadays most banking operations and payments are done on the web, through e-banking services and online payment solutions like MoneyBookers or PayPal. Since the volume of online transactions is increasing, malware authors are focusing more and more on the development of malicious software able to steal sensitive data from infected computers.

Today there are several kits sold online, botnet solutions available to everyone, developed to build in a couple of minutes a brand new version of a specific Trojan able to hide itself from antivirus scanners and armored with some interesting features like remote control and sensitive data stealing routines.
With an expense of just 700/800 dollars (such kits are not expensive) a potential attacker could gain several thousands of dollars, and he could build up his own botnet that can then be sold or rented, or used to attack sensitive websites. The two most infamous botnet kits available online were ZeuS and SpyEye, and we already talked about them in our blog posts here and here.
It looks like between Q3/Q4 2010 the ZeuS author decided to stop the development of his trojan and chose to sell the source code to the authors of SpyEye, giving it the leadership of info stealing trojans. We have already analyzed the last variant of SpyEye with ZeuS enhancements here in our Prevx blog. During the second half of 2010 we monitored the growth of a new trojan available on the underground market: it is called Carberp.
After some cycles of hard development, today Carberp has probably become the second worst threat to customers' data, following SpyEye.
In this paper we are going to analyze this trojan in depth, looking at how it has evolved and what we can expect in the future from the team behind this trojan.


 @misc{2011BFR829,
   editor = {Prevx},
   author = {Marco Giuliani, Andrea Allievi},
   title = {Carberp - a modular information stealing trojan},
   year = {2011},
   howpublished = {\url{}},