Carberp malware sniffs out antivirus use to maximize attack impact

25.01.2011

Just like legitimate developers, malware makers want the best return on their investment, a researcher said on Monday.

The authors of the new information-stealing Trojan "Carberp" have added a feature that detects which antivirus program is running on victimized PCs, said Aviv Raff, the chief technology officer at Seculert, an Israeli startup.

Raff said the criminals added security software detection to make sure they're spending their money wisely.

"Cybercriminals for quite some time have paid for 'antivirus test' services," Raff said in an instant message. "So they collect the antivirus information from the infected machines in order to check whether the tests they paid for actually work, and that they indeed evade the [software] successfully."

The test services Raff mentioned are similar to legitimate scanning services such as , which lets users upload suspicious files for scanning by scores of for-a-fee and free antivirus programs. Suspect samples that evade detection are shared with the anti-malware community for use in creating new signatures.

But other, less scrupulous services have popped up to serve criminals. These services, which on as early as December 2009, do not alert security companies when a new piece of malware is detected.