You can say one thing for the underground malware distribution market: there is never a lack of drama. Weeks after Aquabox, the keeper of the Citadel banking Trojan, was banned from an underground forum, another player has popped up to fill the gap in the market, this time with a new version of the Carberp Trojan.

This is a first for the Carberp gang, which until now had never sold its malware in the open, said Limor Kessem, communications specialist and team leader for RSA Security’s FraudAction team. The new version of the banking malware comes with beefed-up data-stealing capabilities and the addition of the Rovnix bootkit and a builder kit, for a hefty $40,000 price tag. For fees ranging between $2,000 and $10,000, customers can instead buy the kit as a service, without the builder and the bootkit.

The addition of Rovnix, Kessem said, is an especially interesting twist: it infects the computer’s volume boot record (VBR), so its code runs before the operating system and gains ring 0 (kernel-level) privileges, which makes it difficult not only to detect but also to clean up.

“This is more sophisticated and costly than other malware; we’ve seen no one charge $40,000 for malware. They don’t feel it’s an exaggerated price,” Kessem said. “We haven’t seen who’s buying it, but they believe there will be demand. You have to have resources and know-how to operate the malware. Malware doesn’t come with an install wizard. You have to have knowledge about systems and Windows internals; it’s not simple to do. Whoever buys this will have to know what they’re doing.”

The high price tag, Kessem said, is a deterrent to anyone buying the kit as a whole, customizing it and selling off variants. After some members of the Carberp gang were arrested earlier this year in Russia, the gang pulled back its efforts.

“They’re willing to sell some, but for the most part they want to be private and careful,” Kessem said. Buyers of the $10,000 monthly service subscription have to have extensive knowledge of how to operate the malware, she said, but the lower-end subscriptions are likely aimed at beginners and won’t include access to the malware itself.

Citadel’s Aquabox, meanwhile, shifted his strategy during the summer, when he decided he would sell only to people he knew or who were vouched for by current customers. When Citadel was updated in October, he also withdrew support for new customers, which prompted a dispute with one botnet operator and ultimately led to Aquabox’s dismissal from the trading forum.

Carberp started out as straightforward data-stealing banking malware, but quickly evolved with plug-ins that removed antimalware software or detected and killed other malware on an infected PC. Communication between the malware and its command-and-control servers is also encrypted, using a randomly generated RC4 key that is sent along with the HTTP request. Because the key travels with the request, anyone holding a capture of the traffic can recover it and decrypt the exchange; the encryption hides the content from casual inspection and signature matching rather than from an analyst.
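The encrypted C2 channel described above, as an added example that is not Carberp’s own code: RC4 key scheduling and keystream generation, a bot-side request builder that picks a fresh random key per beacon, and the analyst-side decryption that shows why a key transmitted with the request protects nothing from anyone holding the capture. The request framing (path `/gate`, key as a hex `k` query parameter, base64 ciphertext in `d`) and the sample report are assumptions constructed for illustration; the article says only that the random RC4 key accompanies the HTTP request.

```python
"""
Added example, not Carberp's code. Models RC4-encrypted C2 traffic in which
the per-request key is sent in the clear alongside the ciphertext. The
framing (GET /gate?k=<hex key>&d=<base64 ciphertext>) is an assumption.
"""
import base64
import os
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling algorithm (KSA) followed by the
    pseudo-random generation algorithm (PRGA). RC4 is a symmetric stream
    cipher, so the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S with the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA: XOR data with keystream
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_beacon(plaintext: bytes, key: Optional[bytes] = None) -> str:
    """Bot side: generate a random 16-byte key per request (a fixed key may
    be passed for deterministic tests), encrypt the report, and place the
    key itself in the request next to the ciphertext (assumed framing)."""
    key = key or os.urandom(16)
    query = urlencode({
        "k": key.hex(),
        "d": base64.urlsafe_b64encode(rc4(key, plaintext)).decode(),
    })
    return f"/gate?{query}"


def decrypt_beacon(request_path: str) -> bytes:
    """Analyst side: everything needed to decrypt is in the captured
    request, so parse the key back out and run RC4 over the payload."""
    params = parse_qs(urlsplit(request_path).query)
    key = bytes.fromhex(params["k"][0])
    ciphertext = base64.urlsafe_b64decode(params["d"][0])
    return rc4(key, ciphertext)


if __name__ == "__main__":
    # Constructed sample bot report; not real Carberp traffic.
    report = b"id=BOT-0001&os=WinXP&av=none&injects=ok"
    path = build_beacon(report)
    print("on the wire:", path)
    print("recovered:  ", decrypt_beacon(path))
```

The `rc4` function can be checked against the published RC4 test vectors (key `Key` / plaintext `Plaintext` yields `BBF316E8D940AF0AD3`), and the round trip through `build_beacon` and `decrypt_beacon` needs nothing beyond the request path itself, which is the practical point: a key that rides along with the ciphertext is obfuscation, not confidentiality.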

Today, Kaspersky Lab researcher Denis Maslennikov wrote a report on Carberp conducting man-in-the-mobile attacks that, like Zitmo and SpitMo, intercept the transaction authorization numbers (TANs) a bank sends to a user via SMS to authorize transactions.

Carberp-in-the-mobile behaves similarly to Zitmo (Zeus-in-the-mobile) and SpitMo (SpyEye-in-the-mobile): it attacks Android devices, intercepts the SMS messages containing the TANs and forwards them to the attacker, who can then carry out transactions as if they were the victim.

Carberp-in-the-mobile alters the victim’s online banking page on the fly, asking them to install an update that is supposedly required to log in. The user is asked to enter their mobile number and then receives a link to the phony update via SMS message or QR code. The user is instructed to install the update on both their PC and their mobile device, so that both end up infected.

Maslennikov said Sberbank, one of Russia’s most popular banks, is under attack, and that a QR code was leading users to the SberSafe application, the purported security upgrade, which had been in Google Play since Nov. 30. He said the app has been downloaded at least 100 times, as have other similar malicious apps.


Comments (4)


  3. Cher

    All of the info is valuable as more eclectic threats emerge from even more areas. I am immediately trying to respond to the ABOUT:BLANK virus that is affecting my XP Pro desktop. (My two Vista PCs are suffering from HO ailments at present and I can’t afford to upgrade the XP Pro, so please don’t suggest it as a solution.)
    The ABOUT:BLANK virus has been reinfecting my system for several months, yet Kaspersky says they know nothing about it. How can this be? It’s not new; it’s all over the net, at least I found it all over the net, and with many suggested solutions that do NOT work. All solutions might work for about 24 hours or less, and then it reinfects. It appears as ABOUT:BLANK in the address bar, and basically does not let you access your homepage. I need info on how to get rid of it, but better yet, why doesn’t Kaspersky inform users of this possibility? I find it in no one’s techie newsletters either. Thanks for any help. Chet

Comments are closed.