Source code for Carberp financial malware is for sale at bargain price
Source code and components priced at $5,000; sale will likely lead to more Trojan programs targeting banks, say researchers at Group-IB
IDG News Service - The source code for the Carberp banking Trojan program is being offered for sale on the underground market at a very affordable price, which could result in additional Carberp-based financial malware being developed in the future, according to researchers from Russian cybercrime investigations firm Group-IB.
A person believed to be a member of the Carberp gang announced on an underground forum that he's willing to sell the source code for the Trojan program and its additional components for $5,000, Andrey Komarov, Group-IB's head of international projects, said Tuesday via email.
That's a very low price, considering that earlier this year the Carberp gang was offering the builder application that can be used to generate customized copies of the Trojan program for $40,000. Compiled-to-order variants of the malware were also being offered on a monthly subscription-based model with prices ranging between $2,000 and $10,000 depending on the number of additional modules included.
Komarov estimates that the source code itself would normally be worth between $50,000 and $70,000.
Carberp started out in 2010 as a private, not-for-sale Trojan program developed and used by a single gang, but after a limited number of sales of the builder in 2011, the number of Carberp-powered fraud operations multiplied.
For a long time the Trojan program was almost exclusively used to target online banking users from Russia, Ukraine, Belarus, Kazakhstan, Moldova and other former Soviet Union states. However, variants and configuration scripts targeting U.S. and Australian banks were found this year.
Some individuals were arrested in the past for their involvement in Carberp operations, Komarov said. Right now there are approximately 12 active members within the Carberp gang, most of them from Ukraine and Russia, but some living in European Union countries, he said.
The group is also known to have hired outside developers to create additional modules for the malware. For example, Chinese hackers were hired to create a bootkit -- a boot-level rootkit -- component that can be used with the Trojan program.
Komarov believes that the sale offer for the source code is caused by a conflict within the Carberp group. The person offering the code for $5,000 uses the nickname madeinrm and claims that he'd love to sell it because another gang member known online as batman, who used to handle support operations for the gang's customers, already sold the source code to others, Komarov said.
The archive file offered by madeinrm is 5GB in size and allegedly contains the commented source code for Carberp and all of its modules, including the bootkit ones; the source code for the administration panel used on Carberp command-and-control servers; exploits for two Windows privilege escalation vulnerabilities that were patched in 2012, CVE-2012-0217 and CVE-2012-1864; and so-called "Web inject" scripts that allow the malware to interact with different online banking websites.
Komarov expects the sale of Carberp source code to ultimately result in new banking malware based on it, similar to what happened in the case of the ZeuS banking Trojan, whose source code was leaked on file-sharing websites.
The seller likely intends to quit the team and move on to other projects, Komarov said. There are past examples of malware developers giving up on their creations and canceling their identities on cybercrime forums, he said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts