Carberp source code leaked – new variants expected

Rumors of its availability began to circulate last week, but could not be confirmed. The suspect code is contained in a password protected zip file that researchers could not access. But now the password has also been published – and security researcher Peter Kruse of CSIS has confirmed that the leak is genuine. “CSIS have been investigating this further and now confirms that we have the complete source code for Carberp and that the code compiles and works just as [described] in the associated text files included in the package.” 

The package apparently also contains the Carberp bootkit, the Stone bootkit, Citadel, Ursnif and more – including “text files containing apparently private chats and various usernames and passwords for several FTP servers.”

The latter might provide clues for law enforcement agencies to seek out cyber criminals. But the free availability of Carberp source code is likely to lead to a surge in new variants. “As with the leakage of the ZeuS source code, back in May 2011, this means that IT-criminals have every chance to modify and even add new features to the kit.” 

David Harley, a senior research fellow at ESET, agrees. “The availability of source code for sophisticated malware is never good news,” he told Infosecurity. “We can probably assume that there'll be an upsurge in bottom feeders taking the opportunity to create new variants, and in the short term that will test and stretch the heuristic capabilities of security software.”

Carberp is a data-stealing trojan that has primarily been used in the past for stealing banking information. Its ability to be controlled and updated remotely makes it suitable for both botnet and targeted use. It is believed that an internal conflict in the gang behind the trojan led to the initial offer to sell the code for $5000, but that the conflict has since escalated, resulting in one member leaking the complete code.

“Anything which makes it easier for cybercriminals to ‘roll their own’ malware has to be bad news for the entire online community,” security researcher Graham Cluley told Infosecurity. “It wouldn't be a surprise to see the malware split into different strains, as different hackers adapt the code to their own malicious ends.” Both he and Harley struggle to see anything good in the news. 

“The only possible silver lining to the cloud,” said Cluley, “is that those responsible for the Carberp code may now find it harder to monetize their creation, as if the code becomes widespread there will be little incentive for other online criminals to cough up cash to take advantage of it.”

“On the other hand,” added Harley, “it will also give labs that haven't spent as much time dissecting it as my Russian colleagues a chance to catch up a bit. I'm hopeful that in the long term it will actually weaken the impact of the code, compared to the damage it did before law enforcement started to reel in the Carberp botnet organizers.”

In the meantime, the anti-virus industry will be bracing itself for a potential onslaught of new Carberp variants.
