You can say one thing for the underground malware distribution market, there’s certainly never a lack of drama. Weeks after the banning of Aquabox, the keeper of the Citadel banking Trojan, from an underground forum, another player has popped up to fill the market gap, this time with a new version of the Carberp Trojan.
This is a first for the Carberp gang, which until now had never sold its malware in the open, said Limor Kessem, communications specialist and team leader for RSA Security’s FraudAction team. The new version of the banking malware comes with beefed up data-stealing capabilities and the addition of the Rovnix bootkit and builder kit for a hefty $40,000 price tag. For fees ranging between $2,000 and $10,000, customers can buy the kit as a service, sans the builder and bootkit.
The addition of Rovnix, Kessem said, is an especially interesting twist in that it infects a computer’s volume boot record, giving it ring0 privileges and making not only difficult to detect, but clean up.
“This is more sophisticated and costly than other malware; we’ve seen no one charge $40,000 for malware. They don’t feel it’s an exaggerated price,” Kessem said. “We haven’t seen who’s buying it, but they believe there will be demand. You have to have resources and know-how to operate the malware. Malware doesn’t come with an install wizard. You have to have knowledge about systems and Windows internals; it’s not simple to do. Whoever buys this will have to know what they’re doing.”
The high price tag, Kessem said, is a deterrent to anyone buying the kit as a whole, customizing it and selling off variants. After some members of the Carberp gang were arrested earlier this year in Russia, the gang pulled back its efforts.
“They’re willing to sell some, but for the most part they want to be private and careful,” Kessem said. Buyers of the $10,000 monthly service subscription have to have extensive knowledge of how to operate the malware, she said, but the lower end subscriptions are likely for beginners and won’t have access to the malware itself.
Citadel’s Aquabox, meanwhile, shifted his strategy during the summer when he decided he would sell only to people he knew or were vouched for by current customers. When Citadel was updated in October, he pulled back support as well for new customers and that led to a dispute from one botnet operator that led to Aquabox’s ultimate dismissal from the trading forum.
Carberp started out as straightforward data-stealing banking malware, but quickly evolved with plug-ins that removed antimalware software or detected and killed other malware on an infected PC. Communication to and from the malware and command and control servers is also encrypted using a randomly generated RC4 key that is sent with a HTTP request.
Today, Kaspersky Lab researcher Denis Maslennikov wrote a report on a Carberp conducting man in the mobile attacks, that similar to Zitmo and SpitMo, intercept transaction authorization numbers (TANs) sent via SMS to a user to authenticate transactions.
Carberp in the mobile behaves similarly to Zitmo (Zeus in the mobile) or SpitMo (SpyEye in the mobile) in that it attacks Android devices and intercepts the SMS messages containing the TANs and redirects them to the attacker, who can then carry out transactions as if they were the victim.
Carberp in the mobile alters the victim’s online banking page on the fly, asking them to install an update that is required for log in. The user would be required to enter their mobile number and receive a link to the phony update via SMS message or QR code. The user would be instructed to download the update on their PC and mobile device, infecting both.
Maslennikov said one of Russia’s most popular banks Sberbank is under attack, and a QR code was leading users to the SberSafe application, the alleged security upgrade that has been in Google Play since Nov. 30. He said the app has been downloaded at least 100 times, as have other similar malicious apps.