The source code for the Carberp Trojan, which typically sells for $40,000 on the underground, has been leaked and is now available to anyone who wants it. The leak has echoes of the release of the Zeus crimeware source code a couple of years ago and has security researchers concerned that it may lead to a similar crop of new Trojans and crimeware kits.

The Carberp source code appeared online last week, but researchers quickly discovered that the compressed archive containing the source code was password protected. But then on Monday the password was published as well, giving researchers–and anyone else who could find it–access to the source code. For much of its life, Carberp was a private crimeware kit used by a crew in Russia. Several members of the alleged crew were arrested in Russia in 2012 and several months later a commercial version of the Carberp Trojan appeared on the market, going for the lofty price of $40,000.

That high price may have kept some buyers away, restricting sales to the high end of the attacker pyramid. However, now that the source code is freely available, that may change quickly. Carberp is a powerful crimeware kit designed to give attackers the ability to steal large amounts of sensitive data from infected PCs. It has a set of plugins that can disable antimalware applications and also can find and kill other pieces of malware on a machine. Newer versions of the Carberp Trojan also include a bootkit, a set of functions that infect PCs at the lowest level and maintain persistence.

Security researchers who have seen the leaked source code for Carberp say that it includes the bootkit code, along with code for what appear to be several other well-known pieces of malware.

“The package also includes the Carberp bootkit along with other source codes for what seems to be e.g. Stone bootkit, Citadel, Ursnif etc. The package is currently undergoing deeper analysis. We also found several text files containing apparently private chats and various usernames and passwords for several FTP servers. This also needs to be investigated further,” Peter Kruse of CSIS Security in Denmark wrote in an analysis of the source code leak.

“As with the leakage of the ZeuS source code, back in May 2011, this means that it-criminals have every chance to modify and even add new features to the kit. The very same thing we predicted in 2011 and which fueled new commercial crimekits still being used in attacks today such as IceIX and Citadel.”

Whether the same kind of phenomenon occurs in the wake of the Carberp source code leak remains to be seen, but its release is not good news for consumers. It potentially puts the crimeware in the hands of a much larger group of attackers, putting more users at risk. However, it also enables security researchers to take a deep look at the malware and its inner workings, which will help them get a handle on how to defend against it.

Kruse said via email that as best he can tell, the Carberp source code that’s been posted is the genuine article, but he hasn’t had a chance to dig through every bit of it yet.

“It looks like the complete source code but there is no way to tell if there is a newer version or if it has been backdoored. It takes time to go through all this code. However the code we have tested compiles fine and works but due to the size and complexity it takes time – even for a skilled code reviewer – to go through all this source code,” he said.

Comments (21)

  1. Ralph

    This sounds like top quality intrusion code including a lot of powerful techniques. I would think security software organizations could do a thorough analysis of this kit and use the knowledge gained to protect machines against a wide range of threats. Yet the botnets seem to live on, no matter what the experts learn. Why is that?

    • bad_idea

The good guys are always playing catch-up. It’s all reactive and will be for the foreseeable future.

    • Athox

      @Ralph: People who use the computers will still be stupid and click anything. That’s why the botnets and viruses live on despite the 1% of computer users being cautious about everything.

      • Ralph Dratman

        I see your point. Thanks for clarifying that.

        If that is the heart of the problem, then it seems to me to stop it we would need detection and interception to be part of the network. In other words, right now we have a dumb network. We would need a smart network, something like having a traffic cop on every corner to pull over reckless drivers. I believe this would require additional hardware to be installed, hardware dedicated only to security. Add-on security software in routers and computers is not going to do the trick. But then who would be in control of the smart network? That entity would automatically have too much power.

    • Tom

      Probably because it’s easier to find a problem with an existing system than to fix a mistake before you know it’s even there, and then make sure everybody gets the update.

    • Eric

      Black Hats are always a step ahead. You can’t patch something that’s not broken yet.

    • Nope

      Can’t protect a user that doesn’t take steps to protect themselves.

      Why do Nigerian email scams still exist?

    • John

It’s because the hackers/crackers are the attackers. All the security software is made in response to old threats. They also try to make something for anything new that might come out, but they can only do so much. These hackers/crackers have ways of obtaining the source code for these anti-malware software, and can make new code that is not limited by the security software. They are the ones acting, all we can do is react.

    • Dash Winterson

      Because it’s how organizations who design it can control it. Human beings designed computers and so computers, although deeply logical, are bound by those constraints, corruption included.

  3. ww

    Unfortunately most AV analysts are already experts in reverse engineering, so anyone who’s already properly investigated Carberp should not find anything groundbreaking from these sources.

  4. Seph

Ralph: Because new techniques and technologies are being developed all the time, by both the security experts AND the malware programmers. Computer technology and software IS NOT static and unchanging, but dynamic and always being developed. You can only protect yourself properly against what you know exists, but the malware programmers are always making new trojans, viruses and what have you.

  5. Robert

Just another way for crooks to turn a buck in the cyber world. With the source code being released I’m sure we’ll see some more purveyors cropping up in the underwebz, where people without the knowledge can “rent” the use of the system. I just posted a topic relating to how DDoS attacks are sold under the guise of stress-testing. New day, same story. But yes, job security for the security professionals.

  6. dad

    1. “maintain persistence”?
    2. you have the source, now you know the app, and much about the developer and their design.
    3. if the community can code and maintain an OS kernel and all the layers above it, then between them, the brilliant hobbyists, CERT, and the commercial analysts, analyzing this will be a piece of cake.

  7. CrazyTalk

I read years ago from a hacking book it was a sort of a divine mission for hacker\cracker to be in the top of the food chain. Yeah, some of them fail, we can see in the news “bla, bla.. hacker caught.. bla, bla, bla... we’re winning the cyber warfare”. They forget, the great always wins, the greatest never get caught.