The source code for the once-mighty Carberp bank Trojan is being offered for sale at an asking price of $50,000 (£33,000) on a criminal forum security firm Trusteer has reported.
Reports of malware source code being offered for sale are extremely rare if they happen at all but perhaps Carberp's star has fallen a little from the days when it was considered a state-of-the-game man-in-the-browser (MitB) menace, particularly for attacks on Facebook users.
According to Trusteer, a forum member named '=Sj=' has pitched its source code, complete with a newly-coded and harder-to-detect Chinese rootkit module, for the eminently reasonable rouble equivalent of half a ton.
If this sounds like a god deal, the firm believes that it might reflect the fact that other forums are offering the same source code for far less, making it a sort of malware fire sale. Russian security research firm Group-IB reports this as being as low as $5,000.
The seller was credible, offering considerable detail on the wares and its capabilities, the firm said. He or she also claims to have connection to Carberp's author.
“We have witnessed past occurrences in which a private group acquired malware source code (such as Citadel), enhanced it, sold variants and offered help and support,” commented Trusteer' senior manager, Etay Maor.
“With the current feature set this malware offers, it can easily be configured to target a wide variety of businesses as well as be used for data theft and reconnaissance. It remains to be seen if we are witnessing an attempt to dilute this malware due to internal struggles within the Carberp or buyer groups,” he said.
It was possible that the source code would be bought in order to form the core of a new malware family, he suggested.
If that happens, then the bootkit-rootkit functionality will be the major selling point. This claims the rootkit will load reliably the moment the OS starts, in other words before any security programmes fire up. This is not a new feature – all rootkits attempt it by their nature – but its claimed ability to pull off this feat across all versions of Windows, including 8, is sure to interest criminals.
Carberp's fate has been uncertain since the largest gang wielding it were busted in March 2012, resulting in the arrest of eight people accused of involvement. The gang's mistake was to target mostly Russian-speaking consumers, bringing it to the notice of the Russian authorities.
However, not long after Kaspersky Lab announced that the malware, while disrupted, was still being used by other affiliates. Despite that pessimistic news, its importance has faded compared to a growing number of malware competitors even if Group-IB believes that it remains in full development in the Ukrainian and Russian underground.