Source code for Carberp financial malware is up for sale at a very low price, researchers say

This will likely result in other banking Trojan programs being created, researchers from Group-IB said

The source code for the Carberp banking Trojan program is being offered for sale on the underground market at a very affordable price, which could result in additional Carberp-based financial malware being developed in the future, according to researchers from Russian cybercrime investigations firm Group-IB.

A person believed to be a member of the Carberp gang announced on an underground forum that he's willing to sell the source code for the Trojan program and its additional components for US$5,000, Andrey Komarov, Group-IB's head of international projects, said Tuesday via email.

That's a very low price, considering that earlier this year the Carberp gang was offering the builder application that can be used to generate customized copies of the Trojan program for $40,000. Compiled-to-order variants of the malware were also being offered on a monthly subscription-based model with prices ranging between $2,000 and $10,000 depending on the number of additional modules included.

Komarov estimates that the source code itself would normally be worth between $50,000 and $70,000.

Carberp started out in 2010 as a private, not-for-sale, Trojan program developed and used by a single gang, but after a limited number of sales of the builder in 2011, the number of Carberp-powered fraud operations multiplied.

For a long time the Trojan program was almost exclusively used to target online banking users from Russia, Ukraine, Belarus, Kazakhstan, Moldova and other former Soviet Union states. However, variants and configuration scripts targeting U.S. and Australian banks were found this year.

Some individuals were arrested in the past for their involvement in Carberp operations, Komarov said. Right now there are approximately 12 active members within the Carberp gang, most of them from Ukraine and Russia, but some living in European Union countries, he said.

The group is also known to have hired outside developers to create additional modules for the malware. For example, Chinese hackers were hired to create a bootkit -- a boot-level rootkit -- component that can be used with the Trojan program.

Komarov believes that the sale offer for the source code is caused by a conflict within the Carberp group. The person offering the code for $5,000 uses the nickname madeinrm and claims that he'd love to sell it because another gang member known online as batman, who used to handle support operations for the gang's customers, already sold the source code to others, Komarov said.

The archive file offered by madeinrm is 5GB in size and allegedly contains the commented source code for Carberp and all of its modules, including the bootkit ones; the source code for the administration panel used on Carberp command-and-control servers; exploits for two Windows privilege escalation vulnerabilities that have been patched in 2012, CVE-2012-0217 and CVE-2012-1864; and so-called "Web inject" scripts that allow the malware to interact with different online banking websites.

Komarov expects the sale of Carberp source code to ultimately result in new banking malware based on it, similar to what happened in the case of the ZeuS banking Trojan, whose source code was leaked on file-sharing websites.

The seller likely intends to quit the team and move on to other projects, Komarov said. There are past examples of malware developers giving up on their creations and canceling their identities on cybercrime forums, he said.

Join the PC World newsletter!

Error: Please check your email address.

Tags Group-IBsecurityspywaremalwarefraud

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?