Carberp malware source code offered for sale with $50,000 price tag

Includes Chinese-made rootkit module

The source code for the once-mighty Carberp bank Trojan is being offered for sale at an asking price of $50,000 (£33,000) on a criminal forum security firm Trusteer has reported.

Reports of malware source code being offered for sale are extremely rare if they happen at all but perhaps Carberp's star has fallen a little from the days when it was considered a state-of-the-game man-in-the-browser (MitB) menace, particularly for attacks on Facebook users.

According to Trusteer, a forum member named '=Sj=' has pitched its source code, complete with a newly-coded and harder-to-detect Chinese rootkit module, for the eminently reasonable rouble equivalent of half a ton.

If this sounds like a god deal, the firm believes that it might reflect the fact that other forums are offering the same source code for far less, making it a sort of malware fire sale. Russian security research firm Group-IB reports this as being as low as $5,000.

The seller was credible, offering considerable detail on the wares and its capabilities, the firm said. He or she also claims to have connection to Carberp's author.

"We have witnessed past occurrences in which a private group acquired malware source code (such as Citadel), enhanced it, sold variants and offered help and support," commented Trusteer' senior manager, Etay Maor.

"With the current feature set this malware offers, it can easily be configured to target a wide variety of businesses as well as be used for data theft and reconnaissance. It remains to be seen if we are witnessing an attempt to dilute this malware due to internal struggles within the Carberp or buyer groups," he said.

It was possible that the source code would be bought in order to form the core of a new malware family, he suggested.

If that happens, then the bootkit-rootkit functionality will be the major selling point. This claims the rootkit will load reliably the moment the OS starts, in other words before any security programmes fire up. This is not a new feature - all rootkits attempt it by their nature - but its claimed ability to pull off this feat across all versions of Windows, including 8, is sure to interest criminals.

Carberp's fate has been uncertain since the largest gang wielding it were busted in March 2012, resulting in the arrest of eight people accused of involvement. The gang's mistake was to target mostly Russian-speaking consumers, bringing it to the notice of the Russian authorities.

However, not long after Kaspersky Lab announced that the malware, while disrupted, was still being used by other affiliates. Despite that pessimistic news, its importance has faded compared to a growing number of malware competitors even if Group-IB believes that it remains in full development in the Ukrainian and Russian underground.

Join the CSO newsletter!

Error: Please check your email address.

Tags TrusteerGroup-IBPersonal Techsecurity

More about CitadelFacebookKasperskyKasperskyTrusteerTrusteerTrusteer

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place