Researchers are still analyzing the code, but they've confirmed that it's genuine

Jun 26, 2013 06:55 GMT

Last week, researchers revealed that the source code of the notorious banking malware Carberp was being sold on various hacker forums. Some of the sellers made the code available, but it was inside a password-protected archive.

Now, the password has been published and several researchers have already confirmed that the source code is genuine and it even contains the Carberp bootkit.

“The package also includes the Carberp bootkit along with other source codes for what seems to be e.g. Stone bootkit, Citadel, Ursnif etc. The package is currently undergoing deeper analysis. We also found several text files containing apparently private chats and various usernames and passwords for several FTP servers,” Peter Kruse of CSIS wrote in a blog post.

When the source code for ZeuS was leaked a few years ago, several cybercriminal groups started modifying it to add new features. Experts believe that this will happen with Carberp as well.

The source code is still being analyzed, but Kruse told Threatpost that it appears to be the complete source code. However, he points out that it is difficult to tell whether a newer version of the malware exists, or whether the leaked code has been backdoored.

“It takes time to go through all this code. However, the code we have tested compiles fine and works, but due to the size and complexity it takes time – even for a skilled code reviewer – to go through all this source code,” Kruse told Threatpost.

In the meantime, researchers from Russian cybercrime investigations company Group-IB have also analyzed the code. They’ve confirmed for Computerworld that the leak is real.

They say that while the Carberp source code is complete, the source code of the bootkit module is only partial.