Carberp was a banking bot that first came up on researchers’ radars in the last part of 2010. By the end of 2011 the bot had been spotted in the wild, testing with bootkit functionality. Come the end of 2012 the full kit, including the bootkit, were put on sale for a price of $40,000 on various crime forums.
Carberp uses the bootkit component W32/Rovnix, which has quite a history. Around 2011 the source code for Win32/Rovnix.B was sold on various forums for as little as $5,000. Rovnix was also seen being utilized by ZeroKit (according to ESET) another bot being sold on underground sites.
From what i can gather the source code has been sold in the past to a small number of groups, but this was before the inclusion of the bootkit and the source sale was very controlled. Towards the end of may, there was a lot of talk about the carberp source being sold, people claiming to have it, and large number of random people selling full bins for ridiculously low prices. At this point i was planning to write an article about the possible leak, but was unable to find enough proof before trusteer (and others) beat me to it. According to group-ib, according to random news sources, according to me: The carberp sale was due to a disagreement among the team after a member, batman, sold the source against the group’s will (I can’t confirm this is true, but it appears the source was stolen from an SVN).
The source first went on sale for around $50,000, which is a low price compared to the fact the full bot sold for $40,000. As more and more people got a hold of the source, it began to turn into a race for who could make the most sales before the code was leaked, before long there were people selling the full source code for as low as $2,000. Currently the leak is in what I like to think is the final stage: Many people have the source, people are passing the code around for free, screenshots are being posted on public boards, and people are teasing others with links to passworded rar files. The next thing to happen is of course a full scale leak like we saw with Zeus, Grum and countless other bots (this is likely to happen in the next few days).
The bootkit is of course the signature component of carberp. From the source we can confirm two main things: The bootkit was a 3rd part component (the coding style does not match that of the bot/plugins), and the source code is in fact that of W32/Rovnix. I don’t really have a lot to write about the source as this is a security blog, not a cybercrime How-To, but some things stood out to me: The bootloader appears to have been updated to work on windows 8, which according to just about everyone, it didn’t before. We can also see a component that appears not to have been talked about in any carberp analysis: A kernel mode socket layer that implements the TCP/IP and HTTP protocols, using NDIS hooks, in order to bypass firewalls.
As well as carberp based sources there are a few other interesting things in the archive. Firstly there is a lot of 3rd party sources: Zeus, Stoned bootkit and reverse-engineered Mebroot (Sinowal) by Peter Kleissner, RDP xTerm and hVNC. Also there appears to be a fair amount of sensitive information such as: conversation logs (one of them contracting a freelance coder), jabbers, screenshots, pc names, login details, and even a phone number.
Nothing good comes from leaks like this. AV companies get a massive surge of infected users and spin-off bots are usually created (Citadel, one of the most popular banking Trojans, was forged from the leaked Zeus source code). I guess we can only hope that major antivirus vendors are able to upgrade their software in order to deal with this threat, before more damage is done. Also, the first 5 people to ask me where to get the source will receive a virtual slap in the face (all expenses paid) and my everlasting disapproval. 😉
Carberp / Rovnix Analysis
(yes i am ESET fanboy)