Carberp-based malware is expected to take advantage of the bootkit module packaged with the code, making the variants unusually difficult to remove. When an infected computer is turned on, the bootkit driver is the first to load, giving the criminals behind the malware control over any other software.
“The bootkit gives a significant improvement to the malware,” Etay Maor, manager of Trusteer’s fraud prevention solutions, told CSO on Wednesday. “It helps it stay covert on the computer and it helps it stay persistent. It’s really hard to get rid of it.”
Researchers discovered this week an online forum that had a link to a hosting site where an archive file containing the source code and bootkit could be downloaded. Security experts who follow the Carberp gang, most from Ukraine and Russia, believe infighting led to the code release.
Introduced in 2010, Carberp was mostly used to steal online banking credentials from people in Russia and other former Soviet Union states. Variants targeting customers of US and Australian banks were found this year.
Before the code release, the builder application to generate customised copies of Carberp sold for $40,000. The creators were able to demand the high price because of the bootkit and the overall quality of the code.
“It’s a very potent malware,” Maor said. “We’ve looked into the source code and it’s well written.”
Removing the malware will require a thorough reformatting of the hard drive. Anything less, and Carberp will come back, Maor said.
Cyber-criminals worldwide are expected to customise Carberp for purposes other than stealing online banking credentials, such as swiping sensitive documents from companies.
“This incident should serve as another reason to go over your company’s most valuable assets and put in extra effort to secure them,” said Roel Schouwenberg, a senior researcher at Kaspersky Lab. “It’s also a good reason to make sure that the machine responsible for payroll is not also being used for other activities, such as checking emails.”
This leak is considered more dangerous than the infamous release in 2011 of the Zeus source code, experts say, because while Zeus was effective at stealing online banking credentials, it did not have a bootkit associated with it.
That came after criminals started building on top of the code. Their work eventually led to Citadel, “which was a significant improvement both in capabilities and in the way that it was delivered to customers and the customer support they offered,” Maor said.
The same pattern of continuous improvement is expected with Carberp.
“The real smart techie guys will pick it up,” Maor said. “They just got the blueprints to serious malware. It’s a present. Why not use it?”