Posts Tagged: Carberp


27
Aug 13

Who Wrote the Pincer Android Trojan?

Stories in this blog’s Breadcrumbs series have sought to comb through clues that point to the possible location and identities of malware authors and purveyors.  But from time to time those clues lead definitively back to an individual. In today’s post, we’ll talk with the author of  the Pincer Trojan for Android — a 32-year-old programmer at a mobile app development firm in Russia.

bwshadowIn April, Finnish security firm F-Secure  first warned about Trojan:Android/Pincer.A, which comes disguised as a security certificate and is designed to surreptitiously intercept and forward text messages. As F-Secure notes, previous malicious mobile apps pretending to be certificates have been mobile components of banking Trojans aimed at defeating two-factor authentication.

F-Secure researchers observed that Pincer used the IMEI of the victim’s phone as an identifier, and that the Trojan would call home to a control server and report the device’s phone and serial numbers, phone model, carrier and OS version. They also found that Pincer checks to see if it’s being run in a virtual environment, which is a common trick designed to frustrate malware analysis tools used by security researchers.

Interestingly, F-Secure noted that the code within the trojan includes a class called “USSDDumbExtendedNetworkService” — a component that was assigned a seemingly arbitrary variable that F-Secure researchers said was probably either associated with a French Canadian concrete company or the Twitter handle of a young Russian whose Google+ page lists employment as “Android developer”.

I followed up with F-Secure about this post, and learned that the redacted portion of that post — the variable included in that first variant of the Pincer Trojan — was “senneco.com” (Virustotal’s analysis lists it as “com.senneco”). A quick search on Google turns up Twitter and Google+ accounts by this name belonging to a Yuri Shmakov from Novosibirsk, Russia. Shmakov’s Google+ page says he is a developer at Arello-Mobile, a mobile app development firm also in Novosibirsk.

Text string "senneco" inside of the Pincer Android Trojan.

Text string “senneco” inside an early sample of he Pincer Android Trojan. Source: F-Secure.

A scan of Shmakov’s accounts turned up the email address senneco@gmail.com. I sent an email to that address, explaining F-Secure’s findings and asking whether the recipient had anything to do with the Pincer Trojan. To my surprise, Shmakov promptly replied that, why yes he had indeed created it as a freelance project.

Shmakov told me that, based on the client’s specifications, he suspected it might ultimately be put to nefarious uses. Even so, he completed the job and signed his work by including his nickname in the app’s code.

Continue reading →


27
Jun 13

Carberp Code Leak Stokes Copycat Fears

The source code for “Carberp” — a botnet creation kit coded by a team of at least two dozen hackers who used it to relieve banks of an estimated $250 million — has been posted online for anyone to download. The code leak offers security experts a fascinating and somewhat rare glimpse into the malcoding economy, but many also worry that its publication will spawn new hybrid strains of sophisticated banking malware.

Carberp admin panel. Source: Xylibox.blogspot.com

Carberp admin panel. Source: Xylibox.blogspot.com

The leak appears to have begun, as these things often do, with the sale of the source code in a semi-private cybercrime forum. On June 5, a member of the Lampeduza crime forum said he was selling the Carberp source to a single buyer, with a starting price of $25,000. The seller said he was helping out one of the developers of the code, who was short on cash.

By mid-June, links to download the entire Carberp archive were being posted on multiple forums, as first documented by Trusteer. Since then, experts from around the world have been tearing through the two-gigabyte archive to learn more about the code and its potential for future abuse in new and existing malware creations.

Leaking the source code was not like the leaking of a weapon, but more like the leaking of a tank factory,” wrote one Ukrainian tech blogger on Livejournal.

According to Peter Kruse, a specialist with the Copenhagen-based CSIS Security Group, the package includes the Carberp bootkit; this is a component that can subvert the Patchguard protection in Windows 7 x86 and 64-bit systems so that the malware loads itself at the most basic levels of the system (Kruse said the bootkit component is incomplete and does not work against Windows 8 PCs).

Also included are components of a Trojan known as UrSnif, as well as an extremely popular and prevalent rival botnet creation kit called Citadel.

“As with the leakage of the ZeuS source code, back in May 2011, this means that criminals have every chance to modify and even add new features to the kit,” Kruse wrote, noting that the Carberp archive also contains several text files that appear to be records of private chats and various usernames and passwords.

CHEEKY CODERS

Last year, Russian and Ukrainian authorities arrested a loosely-affiliated group of hackers accused of programming and using Carberp to rob millions from bank accounts of their countrymen. According to an account of the law enforcement action in the Russian news outlet Kommersant, Carberp was coded by a team of about 20-25 people under the age of 30. Most of the men had never met face-to-face. Each worked remotely and was responsible for developing specific modules of the Carberp code, components that were then transmitted to a main development server in Odessa, Ukraine.

Some of the leaked Carberp source code archives.

Some of the leaked Carberp source code archives.

Members of the coding forum kernelmode.info have been poring over comments left in the code by the Carberp developers. One set of comments, translated from Russian by a KrebsOnSecurity reader, suggests the developer was frustrated by having to program within the confines of what he considered sloppy operating system or perhaps Web browser plugin code.

“I will rip off someone’s hands for this kind of code!” the unidentified developer noted in one section of the Carberp source. “This stupid thing does God-knows-what.”

Continue reading →


26
Mar 12

A Busy Week for Cybercrime Justice

Last week was a bad one to be a cybercrook. Authorities in Russia arrested several men thought to be behind the Carberp banking Trojan, and obtained a guilty verdict against the infamous spammer Leo Kuvayev. In the United States, a jury returned a 33-month jail sentence against a Belarusian who ran a call service for cyber thieves. At the same time, U.S. prosecutors secured a guilty plea against a Russian man who was part of a gang that stole more than $3 million from U.S. businesses fleeced with the help of the ZeuS Trojan.

Kuvayev in Thailand, 2001

In August 2010, KrebsOnSecurity broke the news that spam king Leonid “Leo” Aleksandorovich Kuvayev, was being held in a Russian prison awaiting multiple child molestation charges.  Late Friday, a Moscow City court judge rendered a guilty verdict against Kuvayev for crimes against the sexual integrity of minors, according to Russian news agency Lenta.ru.

In 2005, the attorney general of Massachusetts successfully sued Kuvayev for violations of the CAN-SPAM Act, a law that prohibits the sending of e-mail that includes false or misleading information about the origins of the message, among other restrictions. Armed with a massive trove of spam evidence gathered largely by lawyers and security experts at Microsoft Corp., the state showed that Kuvayev’s operation, an affiliate program known as BadCow, was responsible for blasting tens of millions of junk e-mails peddling everything from pirated software to counterfeit pharmaceuticals and porn.

In an apparent bid to sidestep those charges, Kuvayev fled the United States for Russia. A Massachusetts judge later convicted Kuvayev of CAN-SPAM violations, and ordered him to pay $37 million in civil penalties. FBI officials say that at the time, BadCow was raking in more than $30 million each year.

Russian prosecutors said Kuvayev sexually abused at least 11 girls aged 13 to 18 years, many of them suffering from mental and psychological problems and pupils of orphanages and boarding schools nearby Kuvayev’s business and residence in Moscow.

According to information obtained by KrebsOnSecurity, Russian prosecutors had help from Kuvayev’s old nemesis Microsoft, which had hired a local forensics company in 2010 to keep tabs on his activities. Microsoft’s Samantha Doerr confirmed that Microsoft Russia consulted with Moscow-based cyber forensics firm Group-IB, but said the nature of the investigation was related to Kuvayev’s spamming activities. Lenta.ru reports that it’s not clear when Kuvayev may be sentenced, but that the most serious offense he faces carries a penalty of 20 years in prison.

Group-IB also assisted in another investigation that bore fruit last week: The arrest of eight men — including two ringleaders from Moscow — alleged to have been responsible for seeding computers worldwide Carberp and RDPdor, powerful banking Trojans. Russian authorities say the crime gang used the malware to raid at least 130 million rubles (~$4.43 million USD) from more than 100 banks around the world, and from businesses in Russia, Germany and the Netherlands. Russian police released a video showing one of the suspects loudly weeping in the moments following a morning raid on his home.

The arrests help explain why the makers of Carberp abruptly stopped selling the Trojan late last year. Until recently, Carberp was sold on shadowy underground forums for more than $9,000 per license. In the screen shot below, a lead coder for the Carberp Trojan can be seen announcing on Nov. 1, 2011 that he will be immediately suspending new sales of the malware, and will not be reachable going forward. Continue reading →