Alleged Carberp Botnet Ringleader Busted

Joint Ukrainian and Russian operation busts alleged Carberp boss and about 20 developers of malware-driven botnet that stole millions of dollars.

Ukrainian and Russian police Thursday announced the arrest of the alleged ringleader of the Carberp (aka Syscron) botnet in the Ukraine.

The unnamed man, a 28-year-old Russian national, was arrested in the Ukraine -- along with about 20 alleged Carberp developers -- in a joint operation involving the Security Service of Ukraine (also known as the SBU) and the Russian Federal Security Service, reported Ukrainian newspaper Kommersant Ukraine. This week's arrests follow the March 2012 arrests of eight alleged members of the Carberp gang by Russian police.

Police said that in the past few years, the Carberp botnet gang used their malware to steal $250 million from Russia and the Ukraine alone. Carberp was also used as part of the Eurograbber malware attack campaign that as of December 2012 netted attackers an estimated $47 million.

The alleged Carberp ringleader and developers arrested this week remain under house arrest while the SBU investigates equipment seized during the raids. According to a police official, under the country's criminal code, they could each face up to five years in prison if found guilty of the economic crime statutes that may be used to charge them.

Most of the arrested developers worked remotely. "Generally, they do not know each other; everyone is responsible for their part of the software development unit," a Ukrainian police official told Kommersant Ukraine. "Then the data is passed to the main server in Odessa, where [the ringleader] worked as the chief organizer."

Relatively speaking, the Ukraine, which counts 46 million people as residents, is a hotbed of computer crime. A February 2013 report from Germany's Deutsche Telekom telephone carrier, which tracks online attacks, said that the majority of the world's cyber attacks are launched from Russia, followed by Taiwan, Germany and the Ukraine. More than half of all malware distributed worldwide is also generated by servers located in the Ukraine.

The financial malware developed by the Carberp gang targets people's personal financial website login details -- primarily at Russian banks -- which the malware would steal and relay to the botnet's controllers. Typically, the gang would initiate remote connections to the infected PCs, access financial accounts and initiate transfers to corporate accounts that served as a front for attackers. The gang would then use money mules to withdraw transferred money from Moscow-area ATMs.

As with many other forms of banking malware, Carberp -- which infects Windows systems -- is able to block antivirus updates on infected PCs and to remove other types of competing malware that might be installed, such as Adrenalin, Barracuda, BlackEnergy, Limbo, MyLoader, SpyEye and Zeus, according to a MalwareIntelligence blog post. Carberp can also intercept encrypted communications between a banking website and an infected PC's browser -- including one-time codes generated by banks -- and can disguise its behavior via stealth and rootkit techniques and steal usernames and passwords from numerous types of software, including remote-access tools.

The malware has evolved significantly over the past few years. The first group behind the Carberp malware started operations in 2009, although their resulting malware wasn't seen by security experts until May 2010, when it existed as a relatively simple malware download.

Unlike Zeus, SpyEye or Citadel, Carberp's creators initially appeared to keep their operation relatively small, and at times completely private. In theory, that approach would minimize the malware developers' profile and make them less of a target for law enforcement agencies.

In February 2011, however, the Carberp gang made a splash when they began advertising their malware to any buyer for $10,000 per toolkit, although they stopped selling the software just one month later and also ceased customer support.

By the end of 2011, a different group of developers had transformed the malware into a full-fledged banking Trojan that could modify the Java code in a tool used by 800 Russian banks, according to a blog post from Aleksandr Matrosov, security intelligence team lead at security firm ESET. At that point, the attackers were also using the malware to target at least three large well-known banks in the United States, typically infecting people via drive-by downloads from compromised websites, or via spam emails with malicious PDF, Excel or other types of files attached. Finally, as an apparent side business, the Carberp botnet was also being used to launch distributed denial of service (DDoS) attacks, as well as to redirect infected computers to Blackhole toolkit infections.

Come early 2012, the developers behind Carberp retooled the malware to also target Facebook users with a man-in-the-browser (MitB) attack that attempted to trick them into divulging e-cash vouchers.

The 2012 arrests of eight alleged Carberp operators -- including two brothers who allegedly ran the Carberp gang -- quieted down related botnet activity. But according to a blog post from Limor Kessem, a cyber-intelligence analyst at security firm RSA, at the end of last year, a new version of Carberp appeared that rented for $2,000 to $10,000 per month, or up to $40,000 per month for the full-featured version.
