According to Russian firm Group-IB, the source code itself would typically go for between $50,000 and $70,000.
There’s no real indication of why the hacker is offering it at such a fire-sale price, but Andrey Komarov, Group-IB’s head of international projects, told PC World there is likely some dissent in the ranks among the estimated 12 members of the Carberp gang.
A hacker with the handle “madeinrm” said in his underground forum post advertising the sale that fellow gangster “batman” is already out there selling it, according to Komarov – meaning a price war is likely on.
Komarov said that the kit is extensive:
“The archive file offered by madeinrm is 5GB in size and allegedly contains the commented source code for Carberp and all of its modules, including the bootkit ones; the source code for the administration panel used on Carberp command-and-control servers; exploits for two Windows privilege escalation vulnerabilities that were patched in 2012, CVE-2012-0217 and CVE-2012-1864; and so-called ‘Web inject’ scripts that allow the malware to interact with different online banking websites.”
The sale will inevitably lead to the development of Carberp variants. When the Zeus code went on sale in 2011, it was originally offered for $100,000 – a price tag that fell to $5,000 within a few weeks, before the entire code was found to be available for free online.
Since then, dozens of variants and ZBOTs have been identified, each getting smarter and better in their efforts to steal online banking credentials/information or other personally identifiable information (PII). Trend Micro found in May that variants surged in the beginning of February and continue to peak.
The release of the Carberp code to new developers may also let the malware make the leap to new markets. Though detected earlier, Carberp burst onto the banking scene in a big way in early 2012, mainly targeting victims in and around Russia. Gaining more widespread infection now could wreak havoc: the trojan is an advanced financial malware containing features not found in Zeus and SpyEye. For instance, it can persist undetected by anti-virus software on infected machines using advanced stealth, anti-debugging and rootkit techniques, and it is controlled from a central administrator control panel that allows the attacker to mine the stolen data.
The malware uses multiple layers of obfuscation and encryption to remain hidden and prevent analysis. Once embedded and decrypted, the infection begins with malicious file dropping and process injection steps that provide a backdoor to the host under attack.
Carberp can be part of a botnet that can take full control over infected hosts, while its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks.