June 20, 2013
In the Old West a bank robbery toolkit was a six-gun and fast getaway horse.
Jump ahead to John Dillinger’s day and technology upgraded the stallion to a Ford V8 and the Colt Peacemaker to a Tommy gun.
Today, according to theregister.co.uk, a Carberp bank robbery toolkit consists of “the full source code of Carberp, including: comments; Web-injects; all the Carberp modules; source code of Gazavar (the worm module); the admin panel for the command and control servers; Windows exploits related to vulnerabilities patched last year (specifically CVE-2012-1864 and CVE-2012-0217); a bootkit module, and many other components. The complete archive weighs in at 5GB.” Both of those CVEs are Windows kernel elevation-of-privilege bugs that Microsoft fixed in June 2012, so the bundled exploits buy the buyer nothing against a machine that has been patched since then; the Web-injects, modules and C&C panel are the parts that retain their value.
Andrey Komarov of the Russian security firm Group-IB told El Reg, a British technology news and opinion website, that selling the building blocks of the banking Trojan toolkit is a sign of “conflict within the (Carberp Gang). Some of the members would love to destroy the project and move onto another business or new product.”
John Leyden reports in theregister.co.uk that an individual going by the moniker Madeinrm (though not identified as a member of the Carberp Gang) said in an underground forum that “he is offering the source code for sale because someone else using the nickname ‘batman’ had already passed on the source code to a third party…. Madeinrm said he intends to screen potential customers but is nonetheless looking to sell the hitherto secret code powering the malware to a large number of people, rather than selling it at a higher price through an exclusive deal.”
Carberp first came on the cybercrime scene about three years ago in competition with financial malware platforms Zeus and SpyEye.
Despite Russian police arresting a number of cyberbank robbers, the principals who developed the malware soldier on, even subcontracting out some of the code creation. “Previously, Group-IB took part in the arrest of some members of Carberp (Gang), which is…international…,” Komarov explained. “For example, this team hired Chinese hackers for bootkit module developing, before starting the Carberp 2 project.”
The story on theregister.co.uk goes on to say Group-IB believes that there are twelve active Carberp gang members. Most are reportedly from Ukraine or Russia, with some possibly from the EU.
Komarov sees the actions of Carberp Gang members as a case of déjà vu. Two years ago, someone tried to sell Group-IB the Zeus Trojan source code, only to have somebody else publish the code on a file sharing network for free.
The theregister.co.uk story suggests that “the most likely outcome of the rift with the Carberp group is a split, with elements going off to work on other malware-based projects, which might include even more powerful banking Trojan malware.”
The bottom line is there’s just no honor among thieves.
ThreatMetrix is the fastest-growing provider of integrated web fraud and cybersecurity solutions. The TrustDefender™ Cybercrime Protection Platform helps companies prevent unauthorized access to web and mobile applications, protect sensitive data, and secure transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. ThreatMetrix protects more than 1,500 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.
To join in the cybersecurity conversation, follow us on Twitter @ThreatMetrix.
Posted by Dan Rampe
Tags: Account Takeover, Bank Fraud, Carberp, Cookieless Device Identification, Cyber attacks, Device Detection, Device Fingerprint, Device Fingerprinting, Device ID, Device Identification, Fraud Prevention, Identity theft, Malware, Malware Protection, Online Fraud, ThreatMetrix, ThreatMetrix Global Trust Intelligence Network, TrustDefender Cybercrime Protection Platform, Web Fraud