June 27, 2013

The source code for “Carberp” — a botnet creation kit coded by a team of at least two dozen hackers who used it to relieve banks of an estimated $250 million — has been posted online for anyone to download. The code leak offers security experts a fascinating and somewhat rare glimpse into the malcoding economy, but many also worry that its publication will spawn new hybrid strains of sophisticated banking malware.

Carberp admin panel. Source: Xylibox.blogspot.com

The leak appears to have begun, as these things often do, with the sale of the source code in a semi-private cybercrime forum. On June 5, a member of the Lampeduza crime forum said he was selling the Carberp source to a single buyer, with a starting price of $25,000. The seller said he was helping out one of the developers of the code, who was short on cash.

By mid-June, links to download the entire Carberp archive were being posted on multiple forums, as first documented by Trusteer. Since then, experts from around the world have been tearing through the two-gigabyte archive to learn more about the code and its potential for future abuse in new and existing malware creations.

“Leaking the source code was not like the leaking of a weapon, but more like the leaking of a tank factory,” wrote one Ukrainian tech blogger on Livejournal.

According to Peter Kruse, a specialist with the Copenhagen-based CSIS Security Group, the package includes the Carberp bootkit; this is a component that can subvert the Patchguard protection in Windows 7 x86 and 64-bit systems so that the malware loads itself at the most basic levels of the system (Kruse said the bootkit component is incomplete and does not work against Windows 8 PCs).

Also included are components of a Trojan known as UrSnif, as well as an extremely popular and prevalent rival botnet creation kit called Citadel.

“As with the leakage of the ZeuS source code, back in May 2011, this means that criminals have every chance to modify and even add new features to the kit,” Kruse wrote, noting that the Carberp archive also contains several text files that appear to be records of private chats and various usernames and passwords.

CHEEKY CODERS

Last year, Russian and Ukrainian authorities arrested a loosely-affiliated group of hackers accused of programming and using Carberp to rob millions from bank accounts of their countrymen. According to an account of the law enforcement action in the Russian news outlet Kommersant, Carberp was coded by a team of about 20-25 people under the age of 30. Most of the men had never met face-to-face. Each worked remotely and was responsible for developing specific modules of the Carberp code, components that were then transmitted to a main development server in Odessa, Ukraine.

Some of the leaked Carberp source code archives.

Members of the coding forum kernelmode.info have been poring over comments left in the code by the Carberp developers. One set of comments, translated from Russian by a KrebsOnSecurity reader, suggests the developer was frustrated by having to program within the confines of what he considered sloppy operating system or perhaps Web browser plugin code.

“I will rip off someone’s hands for this kind of code!” the unidentified developer noted in one section of the Carberp source. “This stupid thing does God-knows-what.”

Of another snippet: “[This] function is looking [at the] last callback procedure, I could not place it inside Java window — bitch did not work.”

On Microsoft Windows programmers: “Those dumb, moronic Indians from Microsoft; they do not understand that they are extremely stupid.”

In a phone interview, CSIS’s Kruse said while Carberp coders may have sold the source, he doubts the Carberp source was leaked by developers of the code.

“What is really interesting about it is that some of the stuff that’s revealed — ICQ numbers, Skype names, even addresses — is correlating perfectly with investigations we’ve done previously,” Kruse said. “It’s more likely that someone stole this, because if they were sane the authors would never have leaked this themselves.”

CARBERP PROGENY?

As CSIS’s Kruse notes, the Carberp source leak harks back to the release of the source code for the ZeuS Trojan in 2011. In late 2010, authorities in the United Kingdom and Ukraine arrested and detained several individuals for developing and profiting from custom versions of the ZeuS Trojan. By February 2011, the ZeuS source was spotted for sale on several crime forums. Less than three months later, the entire ZeuS source code base was leaked online.

The ZeuS source code leak soon enough fueled the development of several rival botnet creation kits, including Ice9 and Citadel. The latter introduced several innovations. For example, the developers of Citadel provided licensed customers with a members-only Web forum where users could suggest and vote on new features in upcoming malware versions. The Citadel authors also developed a trouble-ticket system that paying customers could use to resolve compatibility problems.

For some perspective on the impact from Citadel, consider a recent action by Microsoft which launched a legal sneak attack against more than 1,400 distinct botnets that were all created with the Citadel kit. Microsoft is still crunching the numbers, but Richard Boscovich, senior attorney on Microsoft’s digital crimes unit, said that preliminary figures suggest that its action freed at least 1.25 million infected PCs from Citadel’s grip (I’ll have more on the progress of the Citadel takedown in a future post).

For more on the Carberp gang and the evolution of this remarkable (and now public) malware factory, check out this post from researchers at antivirus and security firm ESET.

36 thoughts on “Carberp Code Leak Stokes Copycat Fears”

  1. Peter

    So 1 of the programmers was selling the source code for $25,000 as he was short of cash. The tool has netted over $250,000,000.

    Either he needs to take a serious look at his outgoings or he is being taken for a ride.

    1. BrianKrebs Post author

      Well, my understanding is that the coders were paid a fairly paltry sum each month, and that most of the proceeds of the crimes committed with the code went to a different group. Someone please correct me if I’m wrong. It’s been a while since I read the old stories of the arrests.

      1. Aleksey

        Some of the chats in the leaked archive suggest that coders were paid pennies (sums like $1.5k per month were discussed). Most likely a bulk of $250m went to the organizers who were different from the developers.

        1. Peter

          Lol maybe they should join a union.

          But on a serious note I bet the person who caused the leak is going to be in some serious trouble with the organisers.

          Those who didn’t leak are probably trying to distance themselves from it right now.

  2. meh

    The microsoft quote is full of win, best thing I’ve read all day.

  3. TomU @c_APT_ure

    The post on kernelmode also suggests some “Vundo related” stuff in the dump, although I haven’t been able to confirm this yet.

    http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2793&sid=33efdb10208fc9de459705df22fa36fd&start=10#p19792

    Vundo is one (of many) alias for Ponmocup and this botnet was really big (several million bots, large org’s and companies infected) over 2 years ago. Now it seems to have gone under the radar again, just as before the sinkholing then.

    http://www.abuse.ch/?p=3294
    http://c-apt-ure.blogspot.com/search/label/ponmocup

    Seems no one is really tracking or talking about this malware / botnet. Maybe it’s not so sexy because it’s under the radar and not detected well enough?

    @c_APT_ure

  4. Haggis

    I would quite like to download this to have a look, I am assuming I can't infect myself accidentally on Linux lol

    then again i might just use a VM

  5. rfg

    Gee. It was leaked in exchange for cash.

    What is the world coming to? There is just no honor among thieves anymore.

  6. The Utah Data Center/N.S.A./ Area 51/Room 641A/PRISM/Tempora

    The first thing I thought was why hasn’t Microsoft patched Windows 7 (32/64 bit) kernels from being susceptible to the Carberp malware?

    1. Touch

      What is there to patch? Carberp modifies the IPL in order to patch out signature verification of the bootloader components & drivers. It doesn’t abuse any bugs in the kernel, it only modifies Windows components and their integrity checks, thus nothing to patch.

      In order to prevent such malware you need to verify the integrity of every single component from the boot firmware to the kernel (which requires hardware modifications). This is exactly what UEFI Secure Boot implements.

      TL;DR: Don’t want bootkits? Get hardware that supports UEFI then install Windows fisher-price edition, and enable secure boot.

      1. Nigel

        Of course, even with UEFI you will still have any built in backdoors. Not that the NSA & Microsoft would ever dream of such a thing, right?

  7. HUNTER

    in Odessa, Ukraine land for pro coding and cybercrime in face whitehat security ,lulz

    “BlackHat in face WhiteHat and security company”

    1. CooloutAC

      I just learned about administrative shares last night.

  8. nospam

    WTF? $1.5k per month for code? crime does not pay.

  9. johnyinc

    Now indeed the Carberp source code leak will lead to development of several private and public botnet projects, like Citadel. Gotta wait and see

  10. uyjulian

    Prepare for more malware.
    I see a lot of junk in the leaked code, lol

  11. JohnMacaffee

    I agree the Microsoft quote about the moronic Indians was hilarious. As for the coders getting peanuts, that makes quite a bit of sense, as I have read that some programmers work for the mafia and therefore aren’t in direct control of how much money they make.

    1. JCitizen

      I like to think of Steve Ballmer as the Moron in chief! >:(

    1. BrianKrebs Post author

      Hi there, thanks for stopping by. I’ve corrected the copy above to reflect that.

  12. CooloutAC

    I wonder if I’m part of a botnet, because if I leave my PC on overnight with uTorrent on from Pirate Bay, I see thousands of outgoing attempts by the system process on port 137 to all peers from the torrents…lol

    I mean, as it is I have to block programs from using anything other than specified ports and IPs, especially uTorrent and some games I play. The browsers go without saying. Especially when programs start broadcasting to my networks, and especially ones that don’t even need to go online.

    They always say only shady software has backdoors. IMO, every piece of software and hardware does. Everything. We really can’t blame users for anything anymore; it’s out of control.

    1. Andrew

      137 is for NetBIOS, which is the Chattiest of Kathys. Since you are connected to those addresses with your peer-to-peer service, what you’re observing isn’t surprising. That isn’t to say, of course, that the traffic is benign, but it also isn’t unexpected. When monitoring networks you will see machines reaching out to devices they have no reason to with NetBIOS.

      If you suspect your computer is communicating with a malicious server, the first thing is to turn off your peer-to-peer service (uTorrent). (Using that service in and of itself is not a thing I suggest doing if you have any concerns of the sort mentioned, by the way – do that on a machine or VM dedicated only to that purpose). Turn off all the services you can and start from there, using Wireshark to see what traffic is passing from your computer. Best would be to put a computer with Wireshark between yourself and your internet router, or if you have a managed switch, do a SPAN/monitor to your Wireshark box. If there is nothing suspicious going on in a 24-hour period, then you can start re-enabling services and watch for anything other than expected.

      1. Haggistech

        The reason for this is the way MS DNS resolver attempts to perform reverse host name resolution. It will first attempt to use the DNS and if the IP is not resolved it will query the host directly for its NetBIOS name using UDP/137.
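        The two comments above describe a defender's workflow (capture traffic, then look for connections that have no business leaving the machine) and explain why UDP/137 probes to torrent peers show up in the first place. The script below is an added example, written for this page and not code from KrebsOnSecurity or any commenter. It parses a small set of constructed flow records in a hypothetical "proto src:port -> dst:port" log format and reports traffic on the Windows LAN-only ports (135, 137-139, 445) that is headed for an address outside the local network. It generalises the port 137 case to the whole NetBIOS/RPC/SMB port set. The RFC 5737 documentation addresses used as stand-ins for public peers are deliberately matched with an explicit local-network list rather than `ipaddress.is_global`, which treats those documentation ranges as non-public.

```python
"""Flag NetBIOS/RPC/SMB traffic that leaves the LAN for non-local addresses.

Added example, not from the KrebsOnSecurity post or its comments. The log
format ("proto src:port -> dst:port") and all sample records are constructed
for this example; adapt the regex to whatever your firewall or tshark output
actually looks like.
"""
import ipaddress
import re
from collections import Counter

# NetBIOS name/datagram/session service, RPC endpoint mapper and SMB. These
# are expected inside a LAN (the Windows resolver falls back to a direct
# NetBIOS name query on UDP/137 when reverse DNS fails) but should not be
# crossing the Internet.
WINDOWS_LAN_PORTS = {135, 137, 138, 139, 445}

# Address space that counts as "local" for this check: RFC 1918, loopback,
# link-local, multicast and limited broadcast.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "255.255.255.255/32",
)]

# Constructed sample flows. 203.0.113.x and 198.51.100.x (RFC 5737
# documentation ranges) stand in for public torrent peers.
SAMPLE_FLOWS = """\
udp 192.168.1.10:137 -> 192.168.1.20:137
udp 192.168.1.10:137 -> 203.0.113.45:137
udp 192.168.1.10:137 -> 203.0.113.45:137
udp 192.168.1.10:137 -> 198.51.100.7:137
tcp 192.168.1.10:49152 -> 198.51.100.7:445
tcp 192.168.1.10:49153 -> 203.0.113.9:6881
udp 192.168.1.10:1900 -> 239.255.255.250:1900
udp 192.168.1.10:138 -> 192.168.1.255:138
"""

_FLOW_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_flow(line):
    """Parse one record into (proto, src, sport, dst, dport), or None if the
    line does not match the hypothetical log format."""
    m = _FLOW_RE.match(line.strip())
    if not m:
        return None
    return (
        m.group("proto"),
        ipaddress.ip_address(m.group("src")),
        int(m.group("sport")),
        ipaddress.ip_address(m.group("dst")),
        int(m.group("dport")),
    )


def leaves_lan(ip):
    """True if the address is outside every network in LOCAL_NETS."""
    addr = ipaddress.ip_address(str(ip))
    return not any(addr in net for net in LOCAL_NETS)


def find_lan_port_leaks(records):
    """Count flows on Windows LAN-only ports whose destination is non-local.

    Returns a Counter keyed by (proto, dst_ip, dport).
    """
    hits = Counter()
    for line in records.splitlines():
        parsed = parse_flow(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the scan
        proto, _src, _sport, dst, dport = parsed
        if dport in WINDOWS_LAN_PORTS and leaves_lan(dst):
            hits[(proto, str(dst), dport)] += 1
    return hits


def report(records):
    """Render the findings as text lines, busiest destination first."""
    hits = find_lan_port_leaks(records)
    return [
        f"{n:3d}x {proto}/{dport} -> {dst}"
        for (proto, dst, dport), n in sorted(hits.items(), key=lambda kv: -kv[1])
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_FLOWS):
        print(line)
```

        On the sample data the report lists the two probes to 203.0.113.45 on udp/137 first, then the single udp/137 and tcp/445 flows to 198.51.100.7; the peer traffic on port 6881, the SSDP multicast and the subnet broadcast on port 138 are all left out. Against real captures the point is the same as Andrew's: a quiet baseline first, then re-enable services one at a time and see what the list grows by.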

        1. CooloutAC

          What I did was block access to TCP/UDP ports 137-139, 135 and 445 at the router. I don’t know why that would be going out to public, and in fact my router should automatically block that IMO. I use torrents all the time and will see uTorrent trying to use other ports than the ones specified, which I block in my PC firewall, but which I consider normal behavior for torrent clients for w/e reason. (I close the specified port at the router when done and that usually stops things.) But never have I seen system on port 137, even when closing uTorrent. I do see programs broadcasting to multicast addresses all the time though, Andrew, which always had me wondering, but I guess that’s normal (can’t imagine why though). I guess it’s worse than I thought when it comes to torrents; I guess most PCs using torrents are infected now and part of huge botnets. Including me.

          I’ve cleaned out some Win.Trojans today, including in explorer.exe, Windows Media Player and Winamp, and some downloads only found when scanning the Windows partition from Linux. So far they haven’t come back; I used torrents the other day and didn’t see the same behavior. I believe it was because I left the PC on overnight. It almost didn’t kick into gear and got so bogged down after I woke the monitor up I thought it was gonna crash, then I saw the system process flashing across the screen from one of my firewall popups.

        2. CooloutAC

          And you can get a lot more info than just the hostname from those probes.

          1. Haggis

            If your router is allowing it automatically, you might find that UPnP is enabled.

            1. CooloutAC

              I actually have to go to a secret page manually just to shut it off on my router. I’ve complained to them about this a couple of times. Verizon permanently disables the WPS button for security reasons, which is a good idea, and they don’t have UPnP on the public interface, but they took away the option to turn UPnP or IGMP proxy totally off in the router? I don’t understand it.

              1. Andrew

                Cuts down on support costs 😀 UPnP = more convenience. And we know what more convenience =’s

  13. smoke screen

    Brian, are you on holidays or something?? 2 weeks and not a single post from you. I wonder how you make 100k a year from this blog. Let us know please.

    1. JCitizen

      Check your spam filter, mine keeps blocking KOS even though I have it set to a trusted source.

  14. trolololo

    Well, that’s not the most advanced pony that exists today. 2 yrs ago I saw results of one. It was very impressive compared to Zeus and its modifications. It was highly flexible, fast support, good spreading worm, working in intranets. I was surprised when I found that some % of US posterms were operating with unencrypted PIN traffic.

    ps. US dollar system fails anyway. Jesus works on it 😉

  15. wuij

    5 Gio of data… it will take some time to be cloned.

  16. Sherry T. Dyer

    “The package also includes the Carberp bootkit along with other source codes for what seems to be e.g. Stone bootkit, Citadel, Ursnif etc. The package is currently undergoing deeper analysis. We also found several text files containing apparently private chats and various usernames and passwords for several FTP servers,” Peter Kruse of CSIS wrote in a blog post.

    When the source code for ZeuS was leaked a few years ago, several cybercriminal groups started modifying it to add new features. Experts believe that this will happen with Carberp as well. The source code is still being analyzed, but Kruse has told ThreatPost that it looks like the complete source code. However, the expert highlights that it’s difficult to tell if there is a newer version of the malware, or if it has been backdoored.

    “It takes time to go through all this code. However the code we have tested compiles fine and works but due to the size and complexity it takes time – even for a skilled code reviewer – to go through all this source code,” Kruse told ThreatPost.

    In the meantime, researchers from Russian cybercrime investigations company Group-IB have also analyzed the code. They’ve confirmed for Computerworld that the leak is real. They say that while the Carberp source code is complete, the source code of the bootkit module is only partial.
