
The Carberp Trojan code is released #INTH3WILD – what's next? This report examines global phishing and cybercrime trends and offers the latest insight from the fraud underground.

RSA Monthly Online Fraud Report -- July 2013

FRAUD REPORT

THE CARBERP TROJAN CODE IS RELEASED #INTH3WILD – WHAT'S NEXT?

July 2013

Be it internal disagreements within the Carberp team, or law enforcement pressure following the arrests in 2012, the Carberp cyber gang members have disbanded, leaving their Trojan code publicly available following a failed attempt to sell it. Reminiscent of the ZeuS Trojan's source code leak, we can expect a few things to happen following the incident. But before predicting what comes next, let's review the events that followed the ZeuS leak in 2011.

ZEUS SOURCE CODE LEAK

An attempt to sell the ZeuS source code in an underground forum for – according to some estimates – as high as $100,000 started in early 2011. Following the failed sale, Slavik, the developer of ZeuS, handed over the code to a cyber rival, Gribodemon, the notorious SpyEye developer. The underground, abuzz with the news, keenly awaited the release of a merged, mighty SpyEye-ZeuS variant. Before one could be released, the ZeuS code was leaked and made publicly available.

As predicted by many, different offspring began appearing, built on top of the ZeuS v2.0.8.9 codebase; these included Ice IX and Odin (both appearing in 2011) and, most significantly, Citadel, which made its appearance in early 2012.

Unlike Ice IX, which mainly fixed bugs in the ZeuS code, Citadel was a major leap forward in terms of the malware's functionality. Citadel not only repaired bugs in ZeuS, but deployed clever security measures to protect the malware and its infrastructure, and provided numerous new plug-ins to boost the Trojan's functionality. In terms of a Fraud-as-a-Service (FaaS) business offering, Citadel became a lucrative commercial operation, offering its "customers" a CRM, paid tech support and constant version updates. In fact, Citadel was so successful that botmasters started replacing or upgrading existing bots with the malware.

But as with many great empires of the past, these too were destined to fall. Starting in mid-2012, RSA researchers began noticing the slow demise of commercial Trojan offerings. In April, the Ice IX business shut down with the disappearance of its developer; SpyEye then made its exit in May; and in a surprising turn of events, Citadel's spokesperson, "Aquabox", was banned from the only forum he was selling on (following a quarrel over customer support).

A NEW GENERATION OF MALWARE – WHAT'S NEXT?

So, if history repeats itself, what are we to expect? With the above in mind, the following may transpire:

– We'll see a proliferation of Carberp-based attacks. While this is the less probable scenario, the leak could spawn an entire business of low-level developers recompiling Carberp and offering it for sale "as is," with no further feature development or bug fixes. To illustrate, the ZeuS code that once sold for $3,000 to $5,000 is now readily available for as low as $11 in the underground. In terms of Trojan operation and feature set, Carberp is far more complex than ZeuS and less organized for the untrained cybercriminal, making it less appealing to would-be botmasters (or script kiddies). Add to that the major weaknesses reported in the Carberp server-side code, which make it "easier to hack than SpyEye" according to one security researcher. With the abundance of ZeuS and ZeuS-based malware – according to RSA's Anti-Fraud Command Center (AFCC), this malware's share is over 83% of all Trojan attacks – at very cheap prices, it would be surprising to see Carberp make a big impact in this strong market segment.

– The Carberp code spawns a commercial offspring and/or offerings. This scenario is more likely. As mentioned previously, Carberp is an extremely sophisticated piece of malware, boasting bootkit functionality. As a result, it is more likely that the code will be picked up by a cybercrime gang looking to develop the next big thing in malware. With the trend towards privatizing malware development operations, the underground is currently lacking a (true) commercial Trojan; this vacuum may provide the right time and place for such an offering. Alternatively, development may continue in closed, private groups that develop the software for their own criminal purposes.

CONCLUSION

There's never a dull moment in cybercrime, and the Carberp code leak only adds fuel to that fire. The complexity of Carberp makes it less appealing as an "as-is" offering, but organized professional cybercrime teams may see the opportunity to be the first to finally offer a new, commercial Trojan based on the Carberp code in the now very privatized underground.

RSA FraudAction Research Labs continues to investigate and analyze the code and will publish its findings as they are made.

Phishing Attacks per Month

RSA identified 35,831 phishing attacks launched worldwide in June, marking a 3% drop in attack volume from May, and a 31% decline year-over-year in comparison to June 2012.

Chart data, phishing attacks per month (June 2012 to June 2013):

Month    Attacks
Jun 12   51,906
Jul 12   59,406
Aug 12   49,488
Sep 12   35,440
Oct 12   33,768
Nov 12   41,834
Dec 12   29,581
Jan 13   30,151
Feb 13   27,463
Mar 13   24,347
Apr 13   26,902
May 13   36,966
Jun 13   35,831

Source: RSA Anti-Fraud Command Center

US Bank Types Attacked

Nationwide banks remained the most targeted by phishing in June, with 76% of phishing volume directed at them. Regional banks saw a 6% decrease in volume while credit unions witnessed a 3% increase.

Chart data, share of US phishing volume by bank type (June 2012 to June 2013; each month sums to 100%, and the credit union and regional bank series are identified from the May-to-June changes stated above):

Month    Credit unions   Regional banks   Nationwide banks
Jun 12   10%             12%              78%
Jul 12   11%             15%              74%
Aug 12   11%             15%              74%
Sep 12    9%             14%              77%
Oct 12    9%             14%              77%
Nov 12   12%              9%              79%
Dec 12    6%             15%              79%
Jan 13   15%             15%              70%
Feb 13    8%             23%              69%
Mar 13   17%             23%              60%
Apr 13   15%             12%              73%
May 13    8%             19%              73%
Jun 13   11%             13%              76%

Source: RSA Anti-Fraud Command Center

Top Countries by Attack Volume

The U.S. remained the country enduring the highest volume (55%) of phishing attacks in June – a 5% increase from May. The UK was the second most targeted at 10% of volume, followed by Canada, South Africa, India, and the Netherlands.

Chart data, share of phishing attack volume by targeted country:

U.S. 55%
United Kingdom 10%
Canada 7%
South Africa 5%
India 3%
Netherlands 3%
49 Other Countries 17%

Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing at 25% of volume, followed by the UK and India. Other countries' brands that were targeted heavily by phishing in June include Australia, Italy, China, Canada and France.

Chart data, share of phishing volume by country of attacked brand:

U.S. 25%
United Kingdom 10%
India 8%
Australia 5%
Italy 5%
China 4%
Canada 4%
France 4%
50 Other Countries 35%

Top Hosting Countries

The U.S. remained the top hosting country in June, having hosted 45% of global phishing attacks, followed by Canada which hosted 9% of attacks. Chile and Turkey were both introduced as top hosts for phishing, each hosting 3% of phishing attacks for the month.

Chart data, share of phishing attacks by hosting country:

U.S. 45%
Canada 9%
Germany 5%
United Kingdom 5%
Netherlands 4%
Chile 3%
France 3%
Turkey 3%
54 Other Countries 23%

www.emc.com/rsa

CONTACT US

To learn more about how RSA products, services, and solutions help solve your security challenges, contact your local representative or authorized reseller – or visit us at www.emc.com/rsa

©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. JUL RPT 0713