Only trusted members of the forum can buy the source code

Jun 19, 2013 08:00 GMT

It’s not often that malware developers offer to sell the source code of a notorious Trojan. Trusteer security researchers have identified a member of a Russian hacker forum who is offering the source code of the Carberp Trojan for $50,000 (€37,000).

According to experts, the seller, who uses the moniker “=Sj=,” provides a detailed description of the malware’s new capabilities and developments. One of them is a newly designed bootkit that’s advertised as being capable of significantly improving infection rates.

$50,000 (€37,000) might not seem like much, considering that cybercriminals can earn millions with the aid of such a Trojan. However, not just anyone can buy it.

The seller claims the sale is done in coordination with the malware’s author and that only trustworthy members of the forum can buy it.

However, Trusteer has identified other forums where the source code is being sold for a significantly lower price. The company believes this might indicate that a different Carberp buyer is selling the source code in response to a breach of contract.

“We have witnessed past occurrences in which a private group acquired malware source code (Citadel), enhanced it, sold variants and offered help and support. With the current feature set this malware offers, it can easily be configured to target a wide variety of businesses as well as be used for data theft and reconnaissance,” Trusteer’s Etay Maor noted.

“It remains to be seen if we are witnessing an attempt to dilute this malware due to internal struggles within the Carberp or buyer groups. Another possibility is that the source code will be acquired and enhanced to create a new malware product that will then be sold to the underground fraud community.”

A complete English translation of the ad posted on the Russian forum is available on Trusteer’s blog.