Using Windows for banking online, increases your risk of theft.
Summary: Carberp malware targets the bank accounts of Windows users
The latest banking malware Carberp has gone through three versions since it came on the scene last year and continues to add on new features.
Banks, businesses and customer may gradually have to accept the fact that Microsoft is not their friend. Losses incurred by security issues alone are said to have cost the economy over one trillion dollars.
Dr. Phillip R. Romig III, Mines’ Chief Information Security Officer, told Mines’ Department Heads recently that cyber-crime is a one-trillion dollar industry that rivals the international drug trade in size and complexity. And cyber-crime is an industry as complex as any other, but fueled and enabled by malware.
According to this article (brought up by Chips B. Malroy this morning), “Carberp, which targets computers running Microsoft’s Windows OS, was discovered last October by several security companies and noted for its ability to steal a range of data as well as disguise itself as legitimate Windows files and remove antivirus software. It has been billed as a rival to Zeus, another well-known piece of malware.”
Banking malware is evolving more sophisticated capabilities to stay hidden on victims’ PCs, according to several security researchers.
The information-stealing malware Carberp, discovered last October, can steal a range of data, disguise itself as a legitimate Windows file and remove any antivirus software installed on the host, according to Seculert. As the latest banking malware to emerge, it has been changing very rapidly and adding on new features and capabilities, Seculert said.
Carberp is considered the next big banking threat, alongside SpyEye, especially since the new Trojan attack kit was becoming the weapon of choice over Zeus, TrustDefender said. Development for the Zeus Trojan, the well-known banking Trojan that may have stolen millions of dollars, appears to have stopped, and the code has been merged with SpyEye, various researchers said.
Carberp runs on all versions of Windows, including Windows 7, without needing administrator privileges, according to TrustDefender. It can register itself as a browser extension in order to constantly monitor all Web traffic, even the encrypted online banking traffic. It can inject rogue HTML code into Web pages that can steal data, Seculert said.
Carberp has gone through three generations, Jorge Mieres, a malware analyst at Kaspersky Lab, told eWEEK. The first versions of Carberp were very simple Trojan downloaders that downloaded other pieces of malware, Mieres said. Each succeeding version has added on sophisticated features.
The second generation incorporated features for managing a command and control Web-based botnet, Mieres said. Carberp is one of the “largest private botnets,” he said. The kit also contained a small plug-in called “passw.plug,” which is designed to steal information from more than 90 applications installed on the infected computer, he said.
The third and current generation added two new components that interfere with computers’ security software. The “stopav.plug” disables the antivirus software already installed, and “miniav.plug” acts as a cleaner to remove other pieces of malware, Mieres said. Seculert said the miniav plug-in can remove well-known malware families including Zeus, BlackEnergy, Limbo and MyLoader.
Carberp does the cleaning to prevent other malware from interfering with its activities, according to Seculert.
The latest version of Carberp has updated how it communicates with a command-and control server. Like most advanced malware, including the highly sophisticated Zeus, previous versions encrypted that traffic using RC4 encryption and used the same encryption key all the time, Seculert wrote on the blog. This made things easier for security administrators because intrusion protection systems could analyze traffic and pick out possible packets using that key.
The developers have caught on, and now Carberp uses a randomized key that it registers with the control server. Since the malware uses a different key every time, it is harder to detect.
The update has also changed Carberp’s target. The previous version targeted banks in the Netherlands and the United States. The latest version is targeting users in Russian-speaking markets.
Seculert said Carberp will likely incorporate links to a scanning service in future versions, similar to SpyEye and other attack kits.
Regardless of which version infected a computer, Carberp collected information about the host’s operating system, browsers and antivirus, said Mieres. This gives attackers an idea of what kind of antivirus software they need to evade. Security researchers have long warned that malware developers run new samples through antivirus software to make sure it can’t be detected before releasing them into the wild.
The other twist is that the collected statistics tell the malware authors what antivirus needs to be added to the “stopav.plug” so that Carberp can deactivate it, Seculert said.
The statistics gathered by the botnet, as analyzed by Seculert, showed Kaspersky Lab’s antivirus software had a “74 percent use ratio.”
“A piece of banking malware that researchers have been keeping an eye on is adding more sophisticated capabilities to stay hidden on victims’ PCs, according to the vendor Seculert,” says the rest. “No problem,” writes Malroy, “it’s just malware designed to drain your banking account if you run Windows.” This contributes perhaps to trillions of dollars in damages. A lot of people are still shocked by these numbers because they have not been paying enough attention.
Many articles (at least half a dozen) were written about a recommendation from the Australian police, which advised peers to use GNU/Linux for online banking. This was followed by a column from the Washington Post, which sent waves across the Web. Several other articles were then published to suggest that people use a Live CD or an additional partition for their banking purposes, unless they already use the platform or might move to it on a full-time basis.
I wrote about this some time ago:
Anyone that does online banking on a Windows machine is taking a huge risk. Don’t take my word for it, read what the FBI, FDCI and American Bankers Association are saying.
- http://jet-computing.com/doing-online-banking-with-windows-why/
- http://jet-computing.com/businesses-should-conduct-online-banking-from-dedicated-computers/
Most likely they don’t understand how sophisticated the bad guys are at writing malware. Or, perhaps, they put way too much trust in their antivirus program. Or, they may fail to appreciate how hard it is to keep all the installed software up to date with the latest patches. Perhaps the worst type of infection, a man-in-the-browser, can even defeat two factor authentication schemes.
The Register now has this report
A Pennsylvania organization that helps develop affordable housing learned a painful lesson about the hazards of online banking using the Windows operating system when a notorious trojan siphoned almost $480,000 from its account.
Microsoft has been working quite a lot with banks recently. Alas, banks not only abandon Microsoft but unintentionally they also lead to GNU/Linux being advocated for desktop use.
Attackers going after end users rather than servers
Rather than targeting Web and email servers, attackers these days are prone to going after enterprises from the inside out, compromising end user systems and then using them to access confidential data, according to a Web traffic analysis report by security-as-a-service provider Zscaler.
I would highly advise that anyone doing their banking over the web, use a dedicated computer for that purpose only and not day-day browsing, nor email use. One could either use a Linux Live CD to accomplish this or create a virtual image of an alternate operating system to do the same, without bearing the expense of another computer.
http://jet-computing.com/?cat=&s=livecd
http://jet-computing.com/running-windows-xp-and-7-on-linux-mint/
“Our products just aren’t engineered for security.” -Brian Valentine, Microsoft executive”
Here are two images showing details of this subject:
