The Carberp bank login Trojan is very much alive and in operation despite last week’s arrests in Russia of an eight-man gang accused of being core users of the malware’s botnet, security company Kaspersky Lab has said.
The company has already detected criminals selling the Trojan on malware forums and at least one new campaign launched against Russian users of a games website.
To all intents and purposes, the new campaign detected by Kaspersky is nearly identical to those that led to the arrest of the men by Russian police: it uses the same mixture of BlackHole Exploit Kit-infected websites, hitting visitors with a similar mix of Java and Adobe software exploits from 2010 and 2011.
Underlining that this is a separate gang from the one arrested by the Russian police, the command and control domain was registered on 20 March, the day the men’s arrests became public.
“In short, those responsible for developing Carberp remain at large and the cybercriminal gangs using the Trojan remain active. In other words, victory is a long way off,” said Kaspersky’s Vyacheslav Zakorzhevsky.
The importance of the suspects arrested by Russian police has yet to be revealed, but the involvement of several police services from inside the country was almost unprecedented.
Carberp’s activities have centred on Russia to a much greater degree than any other single malware platform, a profile that could have prompted the Russian authorities to act after acquiring a reputation for turning a blind eye to organised cybercrime affecting foreigners.
From its first appearance in 2009, Carberp was certainly dangerous, able to sidestep Windows User Account Control (UAC) without the need for admin privileges. As banking Trojans go, it was over-shadowed by better-known rivals such as Zeus and SpyEye.
By coincidence, the Zeus bank Trojan platform was finally hit hard this week (or at least the world hopes it was) after a coalition of security organisations led by Microsoft successfully seized servers at a small service provider in Scranton, PA being used to host its botnet command and control infrastructure.
“There’s two types of consumers, those who have been hacked and those who are about to be hacked,” said former Department of Homeland Security Cyberchief, Greg Garcia in a Microsoft video on the raid.