Banking malware Carberp - was $50,000, now free
The source code for Carberp – one of the most expensive and robust pieces of online banking malware created – is currently circulating online. Carberp is reputedly able to infect a hard drive's master boot record (MBR), allowing it to evade detection by anti-virus software. Initial analysis suggests that the nearly 2 GB of source code does indeed contain an MBR module.
At the end of last year, the author of what is probably the most powerful banking malware in circulation was asking $40,000 for full access to his creation. Alternatively, according to a blog post from RSA, customers could rent the malware for between $2,000 and $10,000 per month.
In early June, the source code was on offer for $50,000. A few days ago, that same source code became available to download from Russian underground forums for free. Consequently, the 1.88GB archive is now spreading across general hacking forums such as trojanforge.com and is also available on Mega, the download platform launched by Kim Dotcom.
One unusual feature of the malware, which has been in development since 2010, is the bootkit (W32/Rovnix), which also appears to be included in the archive now circulating. The bootkit infects the master boot record on Windows systems (Windows XP, Windows 7, Windows 8), thereby avoiding detection by common anti-virus programs. The bootkit is reported to insert an unsigned driver in the Windows boot process which apparently also works with 64-bit versions of the operating system as the driver is executed before Patch Guard itself – Patch Guard is designed to prevent execution of unsigned drivers. The bootkit reportedly uses an encrypted filesystem that is hidden in unallocated sectors of the hard drive. Analysis has also revealed that the archive includes source code for older malware and records of confidential IM conversations involving the author of the malware.
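As an added, defender-side illustration (not code from the article, and not Carberp or Rovnix code), the snippet below shows the two checks an analyst would run against a raw MBR image when a bootkit of the kind described above is suspected: comparing the 446-byte boot code against a known-good baseline hash, and listing unallocated sector ranges not covered by any partition entry, since that is where a hidden filesystem would have to live. The MBR layout (boot code, four 16-byte partition entries, 0x55AA signature) is standard; the sample MBRs, the baseline hash and the `min_gap` threshold are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"

def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR from boot code and (type, start_lba, sectors) tuples."""
    table = b""
    for ptype, start, sectors in partitions:
        # status=0x80 (bootable), CHS fields zeroed, type, then LBA start and length
        table += struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, ptype, 0, 0, 0, start, sectors)
    return boot_code.ljust(446, b"\x00") + table.ljust(64, b"\x00") + MBR_SIGNATURE

def parse_mbr(mbr: bytes):
    """Split a 512-byte MBR into boot code and the non-empty partition entries."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR (size or 0x55AA signature)")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            parts.append({"index": i, "type": ptype, "start": lba_start, "sectors": sectors})
    return mbr[:446], parts

def check_mbr(mbr: bytes, baseline_sha256: str, disk_sectors: int, min_gap: int = 4096) -> list:
    """Return findings: modified boot code and unallocated gaps of at least min_gap sectors."""
    boot_code, parts = parse_mbr(mbr)
    findings = []
    if hashlib.sha256(boot_code).hexdigest() != baseline_sha256:
        findings.append("boot code differs from baseline")
    cursor = 1  # sector 0 is the MBR itself; the usual 2047-sector alignment gap stays below min_gap
    for start, end in sorted((p["start"], p["start"] + p["sectors"]) for p in parts):
        if start - cursor >= min_gap:
            findings.append(f"unallocated gap: sectors {cursor}-{start - 1}")
        cursor = max(cursor, end)
    if disk_sectors - cursor >= min_gap:
        findings.append(f"unallocated gap: sectors {cursor}-{disk_sectors - 1}")
    return findings

# Constructed sample: a clean MBR, its baseline hash, and a copy whose boot code was altered.
CLEAN = build_mbr(b"\xfa\x33\xc0" + b"\x90" * 20, [(0x07, 2048, 200000)])
BASELINE = hashlib.sha256(CLEAN[:446]).hexdigest()
INFECTED = build_mbr(b"\xeb\x10" + b"\x90" * 20, [(0x07, 2048, 200000)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, check_mbr(image, BASELINE, disk_sectors=250000))
```

On a real system the 512-byte image would come from the first sector of the physical disk and the baseline from an offline-imaged known-good machine; a gap finding alone is not proof of infection, only a region worth imaging and inspecting.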
The unfettered dissemination of the source code is, according to malware experts, likely to result in something of a comeback for Carberp. The complete package, which includes a builder, means that even less technically adept – and indeed less well-off – online criminals can now join the party. This is exactly what happened two years ago, when the source code for popular banking malware ZeuS suddenly appeared on the web. One consequence of that leak was the still dangerous Citadel malware.
Update 26-05-13 11:21: The article has been modified from its original version to reflect that it has not been established conclusively whether the malware can actually survive a re-installation of Windows on an infected machine. Further details of the malware's functionality have also been added.
(Uli Ries / sno)