With Carberp source code's release, security pros expect the worst

With the source code of the Carberp Trojan, which previously sold for $40,000, now freely available, experts expect exceptionally destructive variants of the malware to flow onto the Internet.

Carberp-based malware is expected to take advantage of the bootkit module packaged with the code, making the variants unusually difficult to remove. When an infected computer is turned on, the bootkit driver is the first to load, giving the criminals behind the malware control over any other software.
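Because a bootkit of the kind described above survives by altering the first sector of the disk so that its own code runs before the operating system, one defensive check a practitioner can run is to compare the current Master Boot Record against a trusted baseline captured when the machine was known to be clean, region by region. The script below is an added example written for this article, not code from the leaked archive or from Trusteer; the sample MBR images it builds are constructed stand-ins, and the device paths in the comments are the standard raw-disk paths on Windows and Linux (reading them needs administrator or root rights).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 446           # bytes 0..445: boot code (what a bootkit typically overwrites)
PARTITION_TABLE_END = 510     # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511: must be present for the BIOS to boot the disk


def read_mbr(device_path: str) -> bytes:
    """Read the first 512 bytes of a raw disk, e.g. r'\\\\.\\PhysicalDrive0' on Windows or '/dev/sda' on Linux."""
    with open(device_path, "rb") as disk:
        return disk.read(MBR_SIZE)


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries so a changed table can be inspected, not just flagged."""
    entries = []
    for i in range(4):
        off = BOOT_CODE_END + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def compare_mbr(current: bytes, baseline: bytes) -> dict:
    """Compare a freshly read MBR with a trusted baseline and classify the difference."""
    if len(current) != MBR_SIZE or len(baseline) != MBR_SIZE:
        raise ValueError("MBR images must be exactly 512 bytes")
    boot_code_changed = current[:BOOT_CODE_END] != baseline[:BOOT_CODE_END]
    table_changed = (current[BOOT_CODE_END:PARTITION_TABLE_END]
                     != baseline[BOOT_CODE_END:PARTITION_TABLE_END])
    signature_ok = current[PARTITION_TABLE_END:] == BOOT_SIGNATURE
    return {
        "sha256": hashlib.sha256(current).hexdigest(),
        "signature_ok": signature_ok,
        "boot_code_changed": boot_code_changed,
        "partition_table_changed": table_changed,
        # Any change to the first sector outside a planned repartition deserves a look.
        "alert": boot_code_changed or table_changed or not signature_ok,
        # Replaced boot code with an untouched partition table is the classic bootkit shape:
        # the machine still boots normally, so the user notices nothing.
        "bootkit_pattern": boot_code_changed and not table_changed,
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample image: given boot code, one bootable type-0x07 partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return code + table + BOOT_SIGNATURE


# Constructed stand-ins: a "known good" image and one whose boot code was replaced
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")

if __name__ == "__main__":
    for label, image in (("clean", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        verdict = compare_mbr(image, BASELINE_MBR)
        print(label, verdict["alert"], verdict["bootkit_pattern"], verdict["sha256"][:16])
    print(parse_partition_table(BASELINE_MBR)[0])
```

The baseline image should be captured once from a freshly installed machine and stored off-host, since a check that reads its reference value from the same disk it is verifying can be defeated along with the boot code.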

"The bootkit gives a significant improvement to the malware," Etay Maor, manager of Trusteer's fraud prevention solutions, told CSO on Wednesday. "It helps it stay covert on the computer and it helps it stay persistent. It's really hard to get rid of it."

Researchers discovered this week an online forum that had a link to a hosting site where an archive file containing the source code and bootkit could be downloaded. Security experts who follow the Carberp gang, whose members are mostly from Ukraine and Russia, believe infighting led to the code release.

Introduced in 2010, Carberp was mostly used to steal online banking credentials from people in Russia and other former Soviet Union states. Variants targeting customers of U.S. and Australian banks were found this year.

Before the code release, the builder application to generate customized copies of Carberp sold for $40,000. The creators were able to demand the high price because of the bootkit and the overall quality of the code.

"It's a very potent malware," Maor said. "We've looked into the source code and it's well written."


Removing the malware will require a thorough reformatting of the hard drive. Anything less, and Carberp will come back, Maor said.

Cybercriminals worldwide are expected to customize Carberp for purposes other than stealing online banking credentials, such as swiping sensitive documents from companies.

"This incident should serve as another reason to go over your company's most valuable assets and put in extra effort to secure them," said Roel Schouwenberg, a senior researcher at Kaspersky Lab. "It's also a good reason to make sure that the machine responsible for payroll is not also being used for other activities, such as checking emails."

This leak is considered more dangerous than the infamous release in 2011 of the Zeus source code, experts say, because while Zeus was effective at stealing online banking credentials, it did not have a bootkit associated with it.

A bootkit for Zeus came only later, after criminals started building on top of the leaked code. Their work eventually led to Citadel, "which was a significant improvement both in capabilities and in the way that it was delivered to customers and the customer support they offered," Maor said.

The same pattern of continuous improvement is expected with Carberp.

"The real smart techie guys will pick it up," Maor said. "They just got the blueprints to serious malware. It's a present. Why not use it?"
