The Carberp Code Leak

By Christopher Elisan, Prinicipal Malware Scientist, RSA FirstWatch

The source code for Carberp, reportedly selling for $40,000 a pop, is now out. A report of its leak started spreading a week ago and RSA FirstWatch were able to confirm through our own digging and research that the code is really available online.  As days gone by, the link where to access the source code has been spreading like wildfire. As a result, someone who knows his or her way around search engines and different hacker forums will be able to find a copy of the password-protected compressed source code files and the password to decompress it. In short, it does not take a genius to get a copy of the leaked source code, which makes this whole thing dangerous. Any script kiddie, who probably does not understand the technology, can use this which may result in dire consequences. It’s like handing a bazooka to a child. As you can see in Figure 1, the poster even mentions that this is not for newbies.

Figure 1: One of the many hacker forums where Carberp leak info can be found

What is Carberp anyway? Carberp is a notorious information-stealing malware targeting banks. The fun part about this malware, unlike most malware, it does not need admin privileges to get installed, therefore, no UAC (User Access Control) warning will appear, effectively bypassing that security feature of Windows. Once installed on the system it captures banking credentials resulting in bank account takeovers that lead to fraudulent money transfer activities.

The leaked source code is 1.88GB in size compressed. On disk, it is 2.02GB compressed and 5.51GB decompressed. Everything is there, including source code from other infamous malware kits and exploitation goodies. This will keep the whole security industry and us busy for a long time.


Figure 2: Some of the black arts goodies found in the leaked Carberp

As a researcher, this is juicy stuff because it gives me and the rest of RSA FirstWatch the chance to unravel Carberp and the other badness that are included. There’s no better insight into a malware compared to having access to its source code. But a leaked malware source code is always a double-edged sword. Although it helps the white hat community, it also helps the black hat community. An attacker can simply modify the source code and create a modified version of Carberp. The modification can be an improvement to the existing source code or it can be combined with other malware source code to create a more potent attack tool. The next few days, weeks, and even months will be interesting as we at RSA FirstWatch, get ready for Episode 2 of the Carberp saga and expect more attacks from its clones.

No Comments