The source code for the Carberp Trojan, which typically sells for $40,000 on the underground, has been leaked and is now available to anyone who wants it. The leak has echoes of the release of the Zeus crimeware source code a couple of years ago and has security researchers concerned that it may lead to a similar crop of new Trojans and crimeware kits.
The Carberp source code appeared online last week, but researchers quickly discovered that the compressed archive containing the source code was password protected. But then on Monday the password was published as well, giving researchers–and anyone else who could find it–access to the source code. For much of its life, Carberp was a private crimeware kit used by a crew in Russia. Several members of the alleged crew were arrested in Russia in 2012 and several months later a commercial version of the Carberp Trojan appeared on the market,going for the lofty price of $40,000.
That high price may have kept some buyers away, restricting sales to the high end of the attacker pyramid. However, now that the source code is freely available, that may change quickly. Carberp is a powerful crimeware kit designed to give attackers the ability to steal large amounts of sensitive data from infected PCs. It has a set of plugins that can disable antimalware applications and also can find and kill other pieces of malware on a machine. Newer versions of the Carberp Trojan also include a bootkit, a set of functions that infect PCs at the lowest level and maintain persistence.
Security researchers who have seen the leaked source code for Carberp say that it includes the bootkit code, along with code for what appear to be several other well-known pieces of malware.
“The package also include the Carberp bootkit along with other source codes for what seems to be e.g. Stone bootkit, Citadel, Ursnif etc. The package is currently undergoing deeper analysis. We also found several text files containing apparently private chats and various usernames and passwords for several FTP servers. This also needs to be investigated further,” Peter Kruse of CSIS Security in Denmark wrote in an analysis of the source code leak.
“As with the leakage of the ZeuS source code, back in May 2011, this means that it-criminals have every chance to modify and even add new features to the kit. The very same thing we predicted in 2011 and which fueled new commercial crimekits still being used in attacks today such as IceIX and Citadel.”
Whether the same kind of phenomenon occurs in the wake of the Carberp cource code leak remains to be seen, but its release is not good news for consumers. It potentially puts the crimeware in the hands of a much larger group of attackers, putting more users at risk. However, it also enables security researchers to take a deep look at the malware and its inner workings, which will help them get a handle on how to defend against it.
Kruse said via email that as best he ca tell, the Carberp source code that’s been posted is the genuine article, but he hasn’t had a chance to dig through every bit of it yet.
“It looks like the complete source code but there is no way to tell if there is a newer version or if it has been backdoored. It takes time to go through all this code. However the code we have tested compiles fine and works but due to the size and complexity it takes time – even for a skilled code reviewer – to go through all this source code,” he said.
Image from Flickr photos of Britrob.