Source code for Carberp financial malware is up for sale at a very low price, researchers say

This will likely result in other banking Trojan programs being created, researchers from Group-IB said

The source code for the Carberp banking Trojan program is being offered for sale on the underground market at a very affordable price, which could result in additional Carberp-based financial malware being developed in the future, according to researchers from Russian cybercrime investigations firm Group-IB.

A person believed to be a member of the Carberp gang announced on an underground forum that he's willing to sell the source code for the Trojan program and its additional components for US$5,000, Andrey Komarov, Group-IB's head of international projects, said Tuesday via email.

That's a very low price, considering that earlier this year the Carberp gang was offering the builder application that can be used to generate customized copies of the Trojan program for $40,000. Compiled-to-order variants of the malware were also being offered on a monthly subscription-based model with prices ranging between $2,000 and $10,000 depending on the number of additional modules included.

Komarov estimates that the source code itself would normally be worth between $50,000 and $70,000.

Carberp started out in 2010 as a private, not-for-sale Trojan program developed and used by a single gang, but after a limited number of sales of the builder in 2011, the number of Carberp-powered fraud operations multiplied.

For a long time the Trojan program was almost exclusively used to target online banking users from Russia, Ukraine, Belarus, Kazakhstan, Moldova and other former Soviet Union states. However, variants and configuration scripts targeting U.S. and Australian banks were found this year.

Some individuals were arrested in the past for their involvement in Carberp operations, Komarov said. Right now there are approximately 12 active members within the Carberp gang, most of them from Ukraine and Russia, but some living in European Union countries, he said.

The group is also known to have hired outside developers to create additional modules for the malware. For example, Chinese hackers were hired to create a bootkit -- a boot-level rootkit -- component that can be used with the Trojan program.

Komarov believes that the sale offer for the source code is caused by a conflict within the Carberp group. The person offering the code for $5,000 uses the nickname madeinrm and claims that he'd love to sell it because another gang member known online as batman, who used to handle support operations for the gang's customers, already sold the source code to others, Komarov said.

The archive file offered by madeinrm is 5GB in size and allegedly contains the commented source code for Carberp and all of its modules, including the bootkit ones; the source code for the administration panel used on Carberp command-and-control servers; exploits for two Windows privilege escalation vulnerabilities that were patched in 2012, CVE-2012-0217 and CVE-2012-1864; and so-called "Web inject" scripts that allow the malware to interact with different online banking websites.

Komarov expects the sale of Carberp source code to ultimately result in new banking malware based on it, similar to what happened in the case of the ZeuS banking Trojan, whose source code was leaked on file-sharing websites.

The seller likely intends to quit the team and move on to other projects, Komarov said. There are past examples of malware developers giving up on their creations and canceling their identities on cybercrime forums, he said.

Lucian Constantin

IDG News Service
