The source code for “Carberp” — a botnet creation kit coded by a team of at least two dozen hackers who used it to relieve banks of an estimated $250 million — has been posted online for anyone to download. The code leak offers security experts a fascinating and somewhat rare glimpse into the malcoding economy, but many also worry that its publication will spawn new hybrid strains of sophisticated banking malware.
The leak appears to have begun, as these things often do, with the sale of the source code in a semi-private cybercrime forum. On June 5, a member of the Lampeduza crime forum said he was selling the Carberp source to a single buyer, with a starting price of $25,000. The seller said he was helping out one of the developers of the code, who was short on cash.
By mid-June, links to download the entire Carberp archive were being posted on multiple forums, as first documented by Trusteer. Since then, experts from around the world have been tearing through the two-gigabyte archive to learn more about the code and its potential for future abuse in new and existing malware creations.
“Leaking the source code was not like the leaking of a weapon, but more like the leaking of a tank factory,” wrote one Ukrainian tech blogger on Livejournal.
According to Peter Kruse, a specialist with the Copenhagen-based CSIS Security Group, the package includes the Carberp bootkit; this is a component that can subvert the Patchguard protection in Windows 7 x86 and 64-bit systems so that the malware loads itself at the most basic levels of the system (Kruse said the bootkit component is incomplete and does not work against Windows 8 PCs).
Also included are components of a Trojan known as UrSnif, as well as an extremely popular and prevalent rival botnet creation kit called Citadel.
“As with the leakage of the ZeuS source code, back in May 2011, this means that criminals have every chance to modify and even add new features to the kit,” Kruse wrote, noting that the Carberp archive also contains several text files that appear to be records of private chats and various usernames and passwords.
Last year, Russian and Ukrainian authorities arrested a loosely-affiliated group of hackers accused of programming and using Carberp to rob millions from bank accounts of their countrymen. According to an account of the law enforcement action in the Russian news outlet Kommersant, Carberp was coded by a team of about 20-25 people under the age of 30. Most of the men had never met face-to-face. Each worked remotely and was responsible for developing specific modules of the Carberp code, components that were then transmitted to a main development server in Odessa, Ukraine.
Members of the coding forum kernelmode.info have been poring over comments left in the code by the Carberp developers. One set of comments, translated from Russian by a KrebsOnSecurity reader, suggests the developer was frustrated by having to program within the confines of what he considered sloppy operating system or perhaps Web browser plugin code.
“I will rip off someone’s hands for this kind of code!” the unidentified developer noted in one section of the Carberp source. “This stupid thing does God-knows-what.”
Of another snippet: “[This] function is looking [at the] last callback procedure, I could not place it inside Java window — bitch did not work.”
On Microsoft Windows programmers: “Those dumb, moronic Indians from Microsoft; they do not understand that they are extremely stupid.”
In a phone interview, CSIS’s Kruse said while Carberp coders may have sold the source, he doubts the Carberp source was leaked by developers of the code.
“What is really interesting about it is that some of the stuff that’s revealed — ICQ numbers, Skype names, even addresses — is correlating perfectly with investigations we’ve done previously,” Kruse said. “It’s more likely that someone stole this, because if they were sane the authors would never have leaked this themselves.”
As CSIS’s Kruse notes, the Carberp source leak harks backs to the release of the source code for the ZeuS Trojan in 2011. In late 2010, authorities in the United Kingdom and Ukraine arrested and detained several individuals for developing and profiting from custom versions of the ZeuS Trojan. By February 2011, the ZeuS source was spotted for-sale on several crime forums. Less than three months later, the entire ZeuS source code base was leaked online.
The ZeuS source code leak soon enough fueled the development of several rival botnet creation kits, including Ice9 and Citadel. The latter introduced several innovations. For example, the developers of Citadel provided licensed customers with a members-only Web forum where users could suggest and vote on new features in upcoming malware versions. The Citadel authors also developed a trouble-ticket system that paying customers could use to resolve compatibility problems.
For some perspective on the impact from Citadel, consider a recent action by Microsoft which launched a legal sneak attack against more than 1,400 distinct botnets that were all created with the Citadel kit. Microsoft is still crunching the numbers, but Richard Boscovich, senior attorney on Microsoft’s digital crimes unit, said that preliminary figures suggest that its action freed at least 1.25 million infected PCs from Citadel’s grip (I’ll have more on the progress of the Citadel takedown in a future post).
For more on the Carberp gang and the evolution of this remarkable (and now public) malware factory, check out this post from researchers at antivirus and security firm ESET.
Tags: botnet creation kit, Carberp, Carberp bootkit, Carberp source code leak, Citadel, CSIS, ESET, Ice9, kernelmode.info, Kommersant, Lampeduza, Peter Kruse, Richard Boscovich, Trusteer, UrSnif, ZeuS Trojan