Boston-based Trusteer is reporting that it has found multiple instances of sellers operating in Russian underground criminal forums offering what they claim is the source code for Carberp, the Trojan software used to target financial institution accounts.
Some sellers, said Etay Maor, a Trusteer executive, are offering what they claim is the Carberp source code for $5,000.
Another seller, believed to be credible within the Russian malware community, is offering his version of the source code for $50,000.
Carberp, which has been in circulation for about three years, has been described as “ingenious” in its approach to hiding itself on infected computers.
Experts said the situation on the Russian message boards is volatile and could track what happened a few years ago when at the end the Zeus source code was simply leaked. The same could happen with Carberp.
Theories abound about why the source code is for sale. Some say that because Carberp has variants that prey on Russian and Ukrainian banks – unlike many other Eastern European malware strains which typically follow a no local crime policy – its authors may suddenly be feeling very high heat from local law enforcement and/or banking interests.
At Trusteer, Maor said he was inclined to believe the sale was triggered by internal bad blood among criminals and a deal gone bad. “There is no honor among these thieves,” he said.
Potential buyers need a high level of computing skills in order to monetize this purchase, stressed Maor, who added that whoever buys it “intends to make money. They are not buying Carberp to put it in a museum.”
They are not buying Carberp to put it in a museum."
Perhaps more worrisome is that many experts believe that Carberp is for sale because the criminals behind it have something better in the works so, in effect, they are selling off distressed merchandise.
The other worry is that as versions of Carberp proliferate, this likely will trigger development of more kits to attack more financial institutions.