Security Experts:

Source Code for Carberp Trojan for Sale in Cybercrime Underground

Researchers have found the source code for the Carberp Trojan on sale in underground forums.

A person using the name "madeinrm" announced that the Carberp source code was available for sale, Group-IB researchers told SecurityWeek.

The archive allegedly includes the full source code of Carberp with comments, Web injects, all the modules used by Carberp, the source code of RDPxTerm and Gazavar (the worm module), the admin panel for the command-and-control server, the bootkit module, among others, Andrey Komarov, head of international projects of CERT-GIB at Group-IB, told SecurityWeek.

The bootkit is designed to significantly improve the infection rate and load a specifically compiled driver when the computer loads the operating system, according to the translated advertisement.

The price, at $5,000, is "democratic," said Komarov.

The archive, which is about 5 GB in size, also has all available versions of the Carberp builder and two exploits (CVE-2012-1864 and CVE-2012-0217), Komarov said. CVE-2012-1864, patched by Microsoft in June 2012, is a an escalation of privileges vulnerability in how win32k.sys kernel-mode drivers in Microsoft Windows XP, Windows Server 2003, Vista, Windows Server 2008, and Windows 7 handle user-mode input. CVE-2012-0217 is a vulnerability in Xen 4.1.2 and earlier as used in various versions of Citrix XenServer, Oracle Solaris 11, illumos, Joyent SmartOS, FreeBSD, Microsoft Windows Server 2008, and Windows 7.

It's not clear if the seller is the original developer, or someone who acquired the code and is trying to profit by distributing it further. The seller claimed to be working with "Batman," the person who originally managed all the sales and technical support of Carberp, Komarov said. The seller also said all potential customers would need to be verified to ensure the source code doesn't get distributed into the wrong hands, according to Komarov.

Interestingly, Trusteer researchers came across what appears to be a different seller offering Carberp source code, but with a hefty $50,000 price tag. The seller, "=Sj=" said the code was being sold "in coordination with the Carberp author and that it will only be sold to a trustworthy member," Trusteer's Etay Maor wrote on the company blog.

This suggests that other people are attempting to sell the source code at a significantly lower price, Maor said, and the advertisement Group-IB found appears to confirm that is the case.

It's possible that a "breach of contract by a Carberp seller caused a buyer to take revenge and sell the source code," Maor said.

The advertisement found by Trusteer researchers included additional details about the components for sale, such as form grabbers for major browsers and Russian and Ukranian-language form grabbers to specifically target applications in those languages. FTP, email, and certificate grabbers were also listed, according to Trusteer.

It is generally rare to see source code for malware being sold, even on underground criminal forums. It was unusual when a version of Zeus appeared on the forums a few years ago, and the fact that Carberp is now being offered for sale is unexpected.

It's very likely that once the code is sold, the new buyers would add on new features and distribute those variants to create newer versions of sophisticated malware. Citadel is an example of how the new buyers enhanced and sold new versions of the malware, noted Maor.

Carberp Source Code

Carberp can "easily be configured" to target a variety of businesses and to be used for reconnaissance and information theft, Maor said. Or it could be "an attempt to dilute this malware due to internal struggles within the Carberp or buyer groups," he said.

Earlier this year, Russian authorities claimed to have captured the mastermind behind the Carberp banking Trojan and other members of the criminal gang.

The cybercrime ring, led by a 28-year old Russian national, allegedly has been in operation since 2009 and has stolen approximately $250 million from Ukrainian and Russian banks, according to an April 2013 report from Kommersant Ukraine, a national publication.

In March 2012, authorities arrested and broke up a gang that used Carberp to steal $2 million from over 90 individual bank accounts. That cybercrime gang used the malware and was not responsible for developing the Trojan.

* 06/19 Updated with additional commentary from Group-IB

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.