Under the hood of Carberp: Malware & configuration analysis

From Botnets.fr

Under the hood of Carberp: Malware & configuration analysis
Botnet: Carberp
Malware: Carberp (bot)
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
Date: 2010 /
Editor/Conference: Trusteer
Link: http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf (Archive copy)


The following document constitutes an analysis of Carberp, a new variant of financial malware targeting numerous banks around the world. The analysis provides a detailed description of malware operation, communication and installation on the infected machine. It also contains thorough analysis of Carberp configuration, including targeted banks and attack methods.


Carberp is a new financial malware, which has the ability to intercept user communication through the browser. It controls all Internet communication and is able to manipulate content presented to the user. This ability is used for two attack methods:

  1. General attack, used for stealing user’s login credentials to virtually every site which requires SSL authentication, including online banking, mail accounts etc.
  2. Targeted attack method, which introduces sophisticated HTML injections which target particular banks’ sites, based on the malware configuration.

Trusteer’s malware analysis team has extracted the Carberp configuration data. The malware binary and configuration have been examined in Trusteer labs and key findings of the research are presented herein.


 @misc{2010BFR819,
   editor = {Trusteer},
   author = {},
   title = {Under the hood of Carberp: Malware & configuration analysis},
   date = {23},
   month = Feb,
   year = {2010},
   howpublished = {\url{http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf}},