The Carberp Trojan is now selling on the open malware market for $40,000.
The new version of the banking malware comes with beefed-up data-stealing capabilities and the addition of the Rovnix bootkit and builder kit. For fees ranging between $2,000 and $10,000, customers can buy the kit as a service, without the builder and bootkit.
The addition of Rovnix allows its user to infect a computer’s volume boot record, giving the malware ring0 privileges and making it difficult not only to detect but also to clean up, said Limor Kessem, communications specialist and team leader for RSA Security’s FraudAction team.
“This is more sophisticated and costly than other malware; we’ve seen no one charge $40,000 for malware. They don’t feel it’s an exaggerated price,” Kessem said. “We haven’t seen who’s buying it, but they believe there will be demand. You have to have resources and know-how to operate the malware. Malware doesn’t come with an install wizard. You have to have knowledge about systems and Windows internals; it’s not simple to do. Whoever buys this will have to know what they’re doing.”
Carberp started out as straightforward data-stealing banking malware, but quickly evolved with plug-ins that removed antimalware software or detected and killed other malware on an infected PC.
Communication between the malware and its command-and-control servers is also encrypted, using a randomly generated RC4 key that is sent with an HTTP request.