Security vendor Seculert has found that Carberp, a banking malware that researchers have tracked since its appearance last October, is adding more sophisticated capabilities.
Carberp targets machines running Windows and can steal a range of data, disguise itself as legitimate Windows files, and remove antivirus software. The malware is considered a rival to Zeus.
Researchers found at the time that Carberp communicates with a command-and-control (C&C) server using encrypted HTTP Web traffic. Previous versions of Carberp encrypted that traffic with RC4 but always used the same encryption key.
Reusing the same key made the traffic easier for intrusion prevention systems to analyze, and those systems could then terminate possible communication between Carberp-infected computers and the C&C servers, said Aviv Raff, CTO and co-founder of Seculert.
A new version of Carberp is mixing it up, using a different, randomly chosen key when it makes an HTTP request, said Raff. When the malware uses the same key, the traffic contains some static patterns that can be detected. Even Zeus, which is begrudgingly respected for its high-quality engineering, uses the same key, which is embedded in the malware.
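The static-pattern point above, shown as an added example that is not from Seculert or the original article: textbook RC4 run over constructed request bodies, first with one fixed key and then with a fresh random key per request. The key, the body format and the field names are assumptions made up for the illustration; Carberp's actual message format is not described here.

```python
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA), then keystream XOR (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def common_prefix_len(blobs) -> int:
    """Leading bytes shared by every blob, i.e. what a byte signature can match."""
    n = 0
    for column in zip(*blobs):
        if len(set(column)) != 1:
            break
        n += 1
    return n

# Constructed request bodies (hypothetical format): same header, different tail.
BODIES = [b"id=bot%04d&ver=1&task=poll" % n for n in (17, 402, 9001)]
STATIC_KEY = b"constructed-static-key"  # assumption, not a key from any sample

def static_key_traffic():
    # Same key every time: identical plaintext headers give identical ciphertext.
    return [rc4(STATIC_KEY, body) for body in BODIES]

def random_key_traffic():
    # Fresh 16-byte key per request; how the server learns it is out of scope.
    return [rc4(os.urandom(16), body) for body in BODIES]

if __name__ == "__main__":
    print("static key, shared prefix bytes:", common_prefix_len(static_key_traffic()))
    print("random keys, shared prefix bytes:", common_prefix_len(random_key_traffic()))
```

With the fixed key, the shared plaintext header encrypts to the same ciphertext bytes in every request, giving a stable pattern for a signature; with per-request keys, no such stable bytes remain.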